This topic introduces the terms that are used in Key Management Service (KMS).

Key Service

Key Service provides cryptographic features such as secure key storage, lifecycle management of keys, data encryption, data decryption, and digital signature (signing and verification). For more information about Key Service, see Overview.

hardware security module (HSM)

An HSM is a hardware device that performs cryptographic operations and securely generates and stores keys. HSMs are commonly used in building IT systems.

You can integrate KMS with Data Encryption Service of Alibaba Cloud to use the HSM clusters that are deployed in Data Encryption Service. This improves the security of keys that are managed in KMS, helps meet higher compliance requirements, and helps meet the testing and certification requirements of regulators.

customer master key (CMK)

A CMK is a key that is created and managed by yourself in KMS. Each CMK consists of a key ID, basic metadata, and key material.

service key

A service key is created and managed by an Alibaba Cloud service for you in KMS. By default, a service key is used for server-side encryption in Alibaba Cloud services.

default key management

Default key management is a key management implementation that is provided by KMS. A default key can be used only for server-side encryption in Alibaba Cloud services that are integrated with KMS. A default key can be one of the following types of keys:
  • Service key: a key that is created and managed by an Alibaba Cloud service for you and is used for server-side encryption.
  • CMK: a key that is created and managed by yourself in KMS. You can create only one CMK in each region. You can import key material or use key material that is generated by KMS to create a CMK.

A default key in KMS supports only the AES-256 symmetric cryptographic algorithm.

software key management

Software key management is a key management implementation that is provided by KMS. A software-protected key can be created and managed only by yourself. A software-protected key can be used for server-side encryption in Alibaba Cloud services that are integrated with KMS and for cryptographic solutions of your self-managed applications. You can use only key material that is generated by KMS to create a software-protected key.

A software-protected key in KMS supports various key specifications, including symmetric and asymmetric cryptographic algorithms.

hardware key management

Hardware key management is a key management implementation that is provided by KMS. A hardware-protected key can be created and managed only by yourself. A hardware-protected key can be used for server-side encryption in Alibaba Cloud services that are integrated with KMS and for cryptographic solutions of your self-managed applications. You can use key material that is generated by an HSM instance or import key material to create a hardware-protected key. Make sure that the HSM instance belongs to the HSM cluster that is associated with your KMS instance.

A hardware-protected key in KMS supports various key specifications, including symmetric and asymmetric cryptographic algorithms.

Note: You can integrate KMS with Data Encryption Service of Alibaba Cloud to use the HSM clusters that are deployed in Data Encryption Service. This way, you can manage hardware-protected keys and perform cryptographic operations. Before you can use a hardware-protected key, you must purchase HSM instances and configure HSM clusters in Data Encryption Service and associate the HSM clusters with your KMS instances in KMS.
key material

Key material is the secret value on which cryptographic operations depend. To perform cryptographic operations securely, keep your key material confidential. Key material is either the material of the private key of an asymmetric key or the material of a symmetric key. The Origin attribute of a key records where its key material came from:
  • When you create a default key of the CMK type, you can use key material that is automatically generated by KMS or import key material. If a key is created by using key material that is automatically generated by KMS, the Origin attribute of the key is Aliyun_KMS. If a key is created by using imported key material, the Origin attribute of the key is EXTERNAL.
  • When you create a software-protected key, you can use only key material that is automatically generated by KMS. If a key is created by using key material that is automatically generated by KMS, the Origin attribute of the key is Aliyun_KMS.
  • When you create a hardware-protected key, you can use the key material that is generated by an HSM instance or import key material. If a key is created by using key material that is generated by an HSM instance, the Origin attribute of the key is Aliyun_KMS. If a key is created by using imported key material, the Origin attribute of the key is EXTERNAL.
secrets

Secrets are sensitive information that is used to authenticate applications. Secrets include usernames and passwords that are used to access databases, SSH keys, sensitive addresses, and AccessKey pairs.

Secrets Manager

Secrets Manager allows you to manage your secrets throughout their lifecycle and allows applications to use secrets in a secure and efficient manner. This helps prevent sensitive data leaks that are caused by hardcoded secrets. For more information about Secrets Manager, see Overview.

application access point (AAP)

An AAP is an access control solution in KMS. KMS uses AAPs to authenticate the identities and behavior of applications when the applications request resources in KMS.