The following tables list API operations available for use in Key Management Service (KMS).

Key service operations

  • CMK management

    Customer master key (CMK) management operations are used to create and modify CMKs and manage their lifecycles.

    Operation Description
    CreateKey Creates a CMK. You can use key material created in KMS or import external key material to the CMK. Importing external key material is known as Bring Your Own Key (BYOK). This operation is the first step of BYOK.
    GetParametersForImport Queries the parameters that are needed to import key material into a CMK: a wrapping public key and an import token that is bound to the CMK. You encrypt your key material with the public key before you upload it. This operation is the second step of BYOK.
    ImportKeyMaterial Imports key material to a CMK. The key material must be encrypted with the public key returned by GetParametersForImport and submitted together with the import token. This operation is the final step of BYOK.
    EnableKey Changes the status of a CMK to Enabled.
    DisableKey Changes the status of a CMK to Disabled.
    SetDeletionProtection Enables or disables deletion protection for a CMK.
    ScheduleKeyDeletion Schedules the deletion of a CMK. After you call this operation, the CMK enters the Pending Deletion state and can no longer be used for cryptographic operations. The CMK is automatically deleted after the specified waiting period elapses. Deletion is irreversible: ciphertext produced with the CMK can no longer be decrypted, so use the waiting period to verify that nothing still depends on the key.
    CancelKeyDeletion Cancels the scheduled deletion of a CMK. You can cancel the scheduled deletion of a CMK before the specified waiting period elapses. After the scheduled deletion is canceled, the CMK enters the Enabled state again.
    DeleteKeyMaterial Deletes the key material of a CMK. You can directly delete key material that is imported from an external source. After the key material of a CMK is deleted, the CMK enters the Pending Import state, and ciphertext produced with it cannot be decrypted until the same key material is imported again.
    DescribeKey Queries the information about a CMK.
    ListKeys Queries all CMKs of the current Alibaba Cloud account in the current region.
    UpdateKeyDescription Updates the description of a CMK.
  • Key version management

    Operations for key version management are used to rotate CMKs.

    Operation Description
    DescribeKeyVersion Queries the information about a key version.
    ListKeyVersions Queries all key versions of a CMK.
    UpdateRotationPolicy Updates the rotation policy of a symmetric CMK. If automatic rotation is enabled, KMS automatically generates a key version on a regular basis.
    CreateKeyVersion Creates a key version for a CMK. This operation is available only for asymmetric CMKs.
  • Cryptographic operations

    You can perform cryptographic operations on data, such as data encryption and decryption. The operations in the following table are used to perform cryptographic operations.

    Operation Description
    Encrypt Encrypts data by using a specific CMK. This operation is used to encrypt data of no more than 6 KB online; for larger data, generate a data key and encrypt the data locally (envelope encryption).
    GenerateDataKey Generates a random number and encrypts the random number with a specific CMK. The ciphertext and plaintext of the random number are returned. The random number can be used as a data key to encrypt or decrypt a large amount of local data.
    GenerateDataKeyWithoutPlaintext Generates a random number and encrypts the random number with a specific CMK. Only the ciphertext of the random number is returned. The random number can be used as a data key to encrypt or decrypt a large amount of local data.
    ExportDataKey Decrypts the ciphertext of a data key by using the CMK that protects it, re-encrypts the data key by using a public key that you specify, and returns the result. The plaintext data key is never returned to the caller.
    GenerateAndExportDataKey Generates a random data key, encrypts the data key by using a specific CMK and by using a public key that you specify, and returns both ciphertexts: the one generated by using the CMK and the one generated by using the public key.
    Decrypt Decrypts the ciphertext that is generated by calling the Encrypt or GenerateDataKey operation. You do not need to specify a CMK for decryption, because the ciphertext carries the identifier of the CMK that produced it.
    ReEncrypt Re-encrypts ciphertext. When you call this operation, KMS first decrypts the specified ciphertext and then uses a different CMK to encrypt the generated plaintext or data key. Ciphertext is returned.
    AsymmetricSign Uses the private key of an asymmetric CMK to generate a digital signature.
    AsymmetricVerify Uses the public key of an asymmetric CMK to verify a digital signature that is generated by using the private key.
    AsymmetricDecrypt Uses the private key of an asymmetric CMK to decrypt the data that is encrypted by using the public key.
    AsymmetricEncrypt Uses the public key of an asymmetric CMK to encrypt data.
    GetPublicKey Queries the public key of an asymmetric CMK. You can use the public key to encrypt data or verify digital signatures offline.
  • Alias management

    An alias is an independent object in KMS. Each alias is bound to exactly one CMK, although one CMK can have several aliases. You can set the KeyId parameter in specific operations to an alias instead of a key ID to specify a CMK.

    Operation Description
    CreateAlias Creates an alias and binds it to a CMK.
    UpdateAlias Binds an existing alias to a different CMK ID. Callers that reference the alias start using the new CMK immediately, so treat alias updates as a privileged change.
    DeleteAlias Deletes an alias.
    ListAliases Queries all aliases of the current Alibaba Cloud account in the current region.
    ListAliasesByKeyId Queries all aliases that are bound to a specific CMK.
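The three BYOK steps listed under CMK management (CreateKey, GetParametersForImport, ImportKeyMaterial) leave the client-side wrapping step implicit. The following Go code is an added example written for this page; it is not from the page, from Alibaba Cloud, or from the KMS SDK. It wraps locally generated key material with a wrapping public key using RSAES-OAEP with SHA-256 and builds the ImportKeyMaterial request. Assumptions: the wrapping key arrives as base64 DER (SubjectPublicKeyInfo), the CMK takes 32-byte AES-256 material, and the request field names (KeyId, EncryptedKeyMaterial, ImportToken, KeyMaterialExpireUnix) match the API reference; NewImportParams and UnwrapKeyMaterial simulate the KMS side so the example runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
)

// ImportParams stands in for what GetParametersForImport returns: a wrapping
// public key and an opaque import token bound to the CMK. That the key arrives
// as base64 DER (SubjectPublicKeyInfo) is an assumption of this example.
type ImportParams struct {
	KeyId       string
	PublicKey   string
	ImportToken string
}

// ImportRequest holds the fields ImportKeyMaterial needs. The field names are
// assumed here; check them against the API reference before use.
type ImportRequest struct {
	KeyId                 string
	EncryptedKeyMaterial  string
	ImportToken           string
	KeyMaterialExpireUnix int64
}

// WrapKeyMaterial is the client-side step between GetParametersForImport and
// ImportKeyMaterial: raw key material is encrypted to the wrapping public key
// with RSAES-OAEP (SHA-256), so only KMS can recover it in transit.
func WrapKeyMaterial(publicKeyB64 string, material []byte) (string, error) {
	if len(material) != 32 { // assumes an AES-256 CMK
		return "", errors.New("key material must be 32 bytes")
	}
	der, err := base64.StdEncoding.DecodeString(publicKeyB64)
	if err != nil {
		return "", err
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return "", err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok || rsaPub.Size() < 256 {
		return "", errors.New("wrapping key must be RSA of at least 2048 bits")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaPub, material, nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// BuildImportRequest assembles the final BYOK call. Setting an expiry bounds
// how long KMS keeps the material if you never call DeleteKeyMaterial.
func BuildImportRequest(p ImportParams, material []byte, expireUnix int64) (ImportRequest, error) {
	wrapped, err := WrapKeyMaterial(p.PublicKey, material)
	if err != nil {
		return ImportRequest{}, err
	}
	return ImportRequest{KeyId: p.KeyId, EncryptedKeyMaterial: wrapped,
		ImportToken: p.ImportToken, KeyMaterialExpireUnix: expireUnix}, nil
}

// NewImportParams plays the KMS side of GetParametersForImport for a local
// run: it mints the wrapping key pair. In the real flow the private half never
// leaves KMS and you only ever see the public key and the token.
func NewImportParams(keyId string) (ImportParams, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return ImportParams{}, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return ImportParams{}, nil, err
	}
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		return ImportParams{}, nil, err
	}
	return ImportParams{KeyId: keyId, PublicKey: base64.StdEncoding.EncodeToString(der),
		ImportToken: base64.StdEncoding.EncodeToString(tok)}, priv, nil
}

// UnwrapKeyMaterial is the KMS-side inverse, used here only to show that the
// wrapped blob round-trips to the original material.
func UnwrapKeyMaterial(priv *rsa.PrivateKey, encryptedB64 string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(encryptedB64)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}
```

In production the 32 bytes of material come from your own HSM or key generator, the import token has a limited lifetime, and WrapKeyMaterial is the only part of this block you keep: the wrapping private key belongs to KMS, never to you. The length and key-size checks are deliberate; a wrapping key that is not the RSA size you requested is a sign that something between you and the service has changed.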
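The cryptographic operations table describes the data-key pattern (GenerateDataKey, local encryption, Decrypt without a KeyId) in prose only. The following Go code is an added example written for this page; it is not from the page, from Alibaba Cloud, or from the KMS SDK. FakeKMS is a local stand-in for the service so that the flow runs offline: its ciphertext format ("<KeyId>:<base64>") and its use of AES-256-GCM for wrapping are assumptions made for the example, not the service's real format. What it shows is the division of labour: only the data key ever goes to KMS, bulk data is sealed locally, and Decrypt finds the CMK from the ciphertext itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// gcmSeal encrypts with AES-256-GCM and prepends the fresh 12-byte nonce.
func gcmSeal(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, nil), nil
}

// gcmOpen reverses gcmSeal; tampering with nonce or ciphertext fails the tag check.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil || len(sealed) < g.NonceSize() {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// FakeKMS stands in for the service: CMK material stays inside it, and every
// ciphertext it hands out is "<KeyId>:<base64>", so Decrypt needs no KeyId.
type FakeKMS map[string][]byte

// CreateKey mints a 256-bit CMK with KMS-generated material under keyId.
func (k FakeKMS) CreateKey(keyId string) error {
	m := make([]byte, 32)
	if _, err := rand.Read(m); err != nil {
		return err
	}
	k[keyId] = m
	return nil
}

// GenerateDataKey returns a fresh data key in plaintext and CMK-wrapped form;
// GenerateDataKeyWithoutPlaintext would return only the wrapped form.
func (k FakeKMS) GenerateDataKey(keyId string) (plaintext []byte, wrapped string, err error) {
	plaintext = make([]byte, 32)
	if _, err = rand.Read(plaintext); err != nil {
		return nil, "", err
	}
	sealed, err := gcmSeal(k[keyId], plaintext) // unknown keyId -> nil key -> error
	if err != nil {
		return nil, "", err
	}
	return plaintext, keyId + ":" + base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reads the CMK ID out of the blob itself and returns it with the plaintext.
func (k FakeKMS) Decrypt(blob string) (keyId string, pt []byte, err error) {
	keyId, b64, ok := strings.Cut(blob, ":")
	cmk, known := k[keyId]
	if !ok || !known {
		return "", nil, errors.New("malformed blob or unknown CMK")
	}
	sealed, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", nil, err
	}
	pt, err = gcmOpen(cmk, sealed)
	return keyId, pt, err
}

// EnvelopeEncrypt seals bulk data locally under a data key; only the wrapped
// data key is stored beside the ciphertext and later sent back to KMS.
func EnvelopeEncrypt(k FakeKMS, keyId string, data []byte) (wrapped string, sealed []byte, err error) {
	dk, wrapped, err := k.GenerateDataKey(keyId)
	if err != nil {
		return "", nil, err
	}
	sealed, err = gcmSeal(dk, data)
	return wrapped, sealed, err
}

// EnvelopeDecrypt unwraps the data key through KMS, then opens the data locally.
func EnvelopeDecrypt(k FakeKMS, wrapped string, sealed []byte) ([]byte, error) {
	_, dk, err := k.Decrypt(wrapped)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dk, sealed)
}
```

Two practical points follow from the shape of this code. The plaintext data key returned by GenerateDataKey should be zeroed or dropped as soon as the local seal finishes; everything you persist is the wrapped form. And because the wrapped key names its CMK, ReEncrypt in the real service can move a stored data key to a new CMK without the caller ever holding its plaintext, which is how key rotation stays cheap: rewrap the small data key, leave the bulk ciphertext alone.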

Secrets Manager operations

Secrets Manager operations are used to manage, protect, distribute, and rotate secrets.

Operation Description
CreateSecret Creates a secret and stores the secret value in the initial version.
ListSecrets Queries all secrets of the current Alibaba Cloud account in the current region.
DeleteSecret Deletes a secret.
DescribeSecret Queries the metadata of a secret.
GetSecretValue Queries a secret value.
PutSecretValue Stores the secret value of a new version into a secret.
UpdateSecret Updates the metadata of a secret.
UpdateSecretVersionStage Updates the stage label that marks a secret version.
RestoreSecret Restores a deleted secret.
ListSecretVersionIds Queries all versions of a secret.
GetRandomPassword Generates a random password string that you can use as a new secret value, for example when rotating a database credential.

Certificate operations

Certificate operations are used to create, delete, update, and query certificates. They are also used to sign data and verify signatures, and to encrypt and decrypt data, with the key pair behind a certificate; the private key stays inside Certificates Manager.

Operation Description
CreateCertificate Creates a certificate.
UploadCertificate Imports a certificate and a certificate chain issued by a certificate authority (CA) into Certificates Manager.
GetCertificate Queries a certificate that is managed by Certificates Manager.
DescribeCertificate Queries the information about a certificate.
UpdateCertificateStatus Updates the status of a certificate.
DeleteCertificate Deletes a certificate and the private key and certificate chain of the certificate.
CertificatePrivateKeySign Generates a digital signature by using a specific certificate.
CertificatePublicKeyVerify Verifies a digital signature by using a specific certificate.
CertificatePublicKeyEncrypt Encrypts data by using a specific certificate.
CertificatePrivateKeyDecrypt Decrypts data by using a specific certificate.

Tag management operations

CMKs and secrets support tags. You can add multiple tags to a resource. A tag is defined by a pair of TagKey and TagValue.

Operation Description
TagResource Adds tags to or modifies existing tags of a CMK or secret.
UntagResource Removes a tag from a CMK or secret.
ListResourceTags Queries all tags of a CMK or secret.

Other operations

Operation Description
DescribeRegions Queries available regions for the current Alibaba Cloud account.
OpenKmsService Activates KMS for the current Alibaba Cloud account.
DescribeAccountKmsStatus Queries the status of KMS for the current Alibaba Cloud account.