This topic introduces the terms that are used in Key Management Service (KMS).
| Term | Description |
| --- | --- |
| Key Service | Key Service fully manages and protects your keys. Key Service supports data encryption and digital signatures in a simple mode that is based on cloud-native API operations. For more information about Key Service, see Overview. |
| customer master key (CMK) | CMKs are the basic resources of KMS. A CMK consists of a key ID, basic metadata, and key material. By default, KMS generates the key material when you create a CMK; in this case, the value of the Origin parameter is Aliyun_KMS. You can also set the Origin parameter to EXTERNAL when you create a CMK; in this case, KMS does not generate key material, and you must import external key material for the CMK. A CMK is used to encrypt data keys and generate enveloped data keys (EDKs). A CMK can also be used to encrypt a small volume of data directly. You can call the CreateKey operation to create a CMK. |
| key material | Key material is the secret value that cryptographic operations require. To keep the cryptographic operations that depend on it trustworthy, keep the key material confidential. Key material can be encrypted by using private keys of asymmetric cryptographic algorithms or by using symmetric cryptographic algorithms. For more information about key material, see Import key material. |
| envelope encryption | To encrypt business data, call the GenerateDataKey or GenerateDataKeyWithoutPlaintext operation to generate a symmetric key, and encrypt that key with a specified CMK. The result is an EDK. The EDK remains secure even when it is stored or transferred over unsecured communication channels. When you need the symmetric key again, you only need to call the Decrypt operation to decrypt the EDK. For more information about envelope encryption, see Use envelope encryption to encrypt and decrypt local data. |
| data key | A data key is a plaintext key that is used to encrypt data. You can call the GenerateDataKey operation to generate a data key, encrypt it with a specified CMK, and obtain both the plaintext and the ciphertext of the data key. |
| enveloped data key or encrypted data key (EDK) | An EDK is the ciphertext of a data key, produced by envelope encryption. If you do not need the plaintext of a data key, call the GenerateDataKeyWithoutPlaintext operation to obtain only the ciphertext of the data key. |
| hardware security module (HSM) | An HSM is a hardware device that performs cryptographic operations and securely generates and stores keys. KMS provides the Managed HSM feature, which meets the testing and validation requirements of regulatory agencies and ensures high security for the keys that you manage in KMS. For more information about HSMs, see Overview. |
| encryption context | An encryption context is how KMS exposes authenticated encryption with associated data (AEAD). For more information about AEAD, see An Interface and Algorithms for Authenticated Encryption. KMS uses the encryption context that you pass in as the additional authenticated data (AAD) for cryptographic operations that use symmetric encryption algorithms. The encryption context helps protect the integrity and authenticity of the data that you encrypt. For more information about encryption contexts, see EncryptionContext. |
| Secrets Manager | Secrets Manager allows you to manage your secrets throughout their lifecycle and allows applications to use secrets in a secure and efficient manner. This prevents the sensitive data leaks that hardcoded secrets cause. For more information about Secrets Manager, see Overview. |
| application access point (AAP) | An application access point (AAP) is a mechanism that KMS uses to authenticate the identity of the user that accesses KMS resources. For more information, see Manage AAPs. |
| Certificates Manager | Certificates Manager provides highly available and secure capabilities to manage keys and certificates. Certificates Manager also allows you to obtain certificates to generate and verify signatures. For more information about Certificates Manager, see Overview. |
| Dedicated KMS | Dedicated KMS is a key management service that you fully manage. For example, you can specify the virtual private cloud (VPC) in which Dedicated KMS is deployed and configure the cryptographic resource pool that Dedicated KMS uses. You can also define role-based access control (RBAC) policies to allow access from applications. For more information about Dedicated KMS, see Overview. |
| secret | Secrets are sensitive information that is used to authenticate applications, such as the usernames and passwords used to access databases, SSH keys, sensitive addresses, and AccessKey pairs. |
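The envelope-encryption flow (GenerateDataKey, local encryption, Decrypt of the EDK) and the encryption-context behaviour (the context is bound as AEAD additional authenticated data) described above, as an added Go example that is not part of this page or of the KMS product. The CMK is simulated locally with AES-256-GCM so that the code runs offline; `NewCMK`, `GenerateDataKey`, `Decrypt`, `EnvelopeEncrypt`, `EnvelopeDecrypt`, the `canonicalContext` serialisation and every sample value are constructed stand-ins, not the real API operations or their wire formats.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"sort"
	"strings"
)

// CMK is a constructed stand-in for a customer master key; real KMS never releases its material.
type CMK []byte

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// NewCMK stands in for CreateKey with Origin=Aliyun_KMS: the service generates the material.
func NewCMK() (CMK, error) {
	m, err := randomBytes(32)
	return CMK(m), err
}

// canonicalContext serialises an encryption context deterministically (sorted key=value pairs).
func canonicalContext(ctx map[string]string) []byte {
	pairs := make([]string, 0, len(ctx))
	for k, v := range ctx {
		pairs = append(pairs, k+"="+v)
	}
	sort.Strings(pairs)
	return []byte(strings.Join(pairs, ";"))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM, binding aad as AEAD associated data; layout is nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails if ciphertext, tag or aad differ, which is how a wrong context is caught.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// GenerateDataKey stands in for the KMS operation: a fresh plaintext data key plus its EDK.
func (c CMK) GenerateDataKey(ctx map[string]string) (plaintextKey, edk []byte, err error) {
	if plaintextKey, err = randomBytes(32); err != nil {
		return nil, nil, err
	}
	edk, err = seal(c, plaintextKey, canonicalContext(ctx))
	return plaintextKey, edk, err
}

// Decrypt stands in for the KMS Decrypt operation: unwrap an EDK under the same encryption context.
func (c CMK) Decrypt(edk []byte, ctx map[string]string) ([]byte, error) {
	return open(c, edk, canonicalContext(ctx))
}

// EnvelopeEncrypt is the client side: get a data key, encrypt locally, keep only the EDK and ciphertext.
func EnvelopeEncrypt(cmk CMK, data []byte, ctx map[string]string) (edk, ciphertext []byte, err error) {
	dk, edk, err := cmk.GenerateDataKey(ctx)
	if err != nil {
		return nil, nil, err
	}
	ciphertext, err = seal(dk, data, nil)
	return edk, ciphertext, err
}

// EnvelopeDecrypt asks KMS to unwrap the EDK, then decrypts the data locally.
func EnvelopeDecrypt(cmk CMK, edk, ciphertext []byte, ctx map[string]string) ([]byte, error) {
	dk, err := cmk.Decrypt(edk, ctx)
	if err != nil {
		return nil, err
	}
	return open(dk, ciphertext, nil)
}
```

With a real KMS the only call that has to reach the service is `Decrypt` on the EDK; the plaintext data key is used locally and discarded, and the EDK can sit next to the ciphertext in ordinary storage. The canonical form of the context is this example's own convention; what matters is that the identical context is presented at decryption time, otherwise the GCM tag check fails and no key is released.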