This topic describes the Alibaba Cloud services that can be integrated with Key Management Service (KMS).
If you purchased an Alibaba Cloud service that can be integrated with KMS and default keys meet your business requirements, you do not need to purchase a KMS instance. A default key is either a service key or a customer master key (CMK).
Workload data encryption
Elastic Compute Service (ECS)
By default, the disk encryption feature of ECS uses service keys to encrypt data. The feature can also use user-managed keys. Data on each disk is protected with a CMK and a disk-specific data key by using the envelope encryption mechanism.
The disk encryption feature encrypts data that is written from an ECS instance to a disk and decrypts data that is read from the disk. Encryption and decryption are performed on the host on which the ECS instance resides and do not affect disk performance.
After an encrypted disk is created and attached to an ECS instance, the system encrypts the following data:
Container Service for Kubernetes (ACK)
ACK supports server-side encryption (SSE) based on KMS for the following types of workload data:
Web App Service
Web App Service can be integrated with KMS to encrypt sensitive configuration data, such as access credentials of ApsaraDB RDS.
Application Configuration Management
Application Configuration Management can be integrated with KMS to encrypt application configurations. This ensures the security of sensitive configurations, such as data sources, tokens, usernames, and passwords, and reduces the risk of configuration leaks. Application Configuration Management can use KMS in one of the following ways:
Persistent storage encryption
Object Storage Service (OSS)
OSS uses the SSE feature to encrypt uploaded data.
OSS can use an encryption system that is dedicated to OSS to implement the SSE feature. This encryption method is referred to as SSE-OSS. The keys used by this encryption system are not managed by KMS, so you cannot use ActionTrail to audit the use of these keys.
OSS can also use KMS to implement the SSE feature. This encryption method is referred to as SSE-KMS. This method allows OSS to use service keys or user-managed keys to encrypt data. You can configure a default CMK for each bucket or specify a CMK when you upload an object.
Apsara File Storage NAS (NAS)
By default, NAS uses a service key to encrypt data. Data on each volume is protected with a CMK and a volume-specific data key by using the envelope encryption mechanism.
Tablestore
By default, Tablestore uses service keys to encrypt your data. Tablestore can also use user-managed keys. Data in each table is protected with a CMK and a table-specific data key by using the envelope encryption mechanism.
Cloud Storage Gateway (CSG)
CSG supports the following encryption methods:
ApsaraDB RDS
ApsaraDB RDS supports the following encryption methods:
ApsaraDB for MongoDB
The Transparent Data Encryption (TDE) feature is provided. This feature works in the same manner across these database services.
ApsaraDB for OceanBase
ApsaraDB for Redis
Log data encryption
ActionTrail
When you create a single-account or multi-account trail, you can enable encryption for events that are delivered to OSS in the ActionTrail console.
Log Service
Log Service can be integrated with KMS to encrypt stored data, which protects data at rest.
Big data and AI
MaxCompute
MaxCompute can use service keys or user-managed keys to encrypt your data.
Machine Learning Platform for AI (PAI)
You can configure SSE for the cloud services that PAI uses across its architecture and data flow stages, such as computing engines, ACK, and data storage services. This protects the security and privacy of your data.
Alibaba Cloud CDN (CDN)
When an OSS bucket is used as the origin server, you can use OSS-based SSE to protect distributed content.
ApsaraVideo Media Processing (MPS)
MPS supports two encryption methods: Alibaba Cloud proprietary cryptography and HTTP Live Streaming (HLS) encryption. You can integrate MPS with KMS to protect video content regardless of the encryption method used.
ApsaraVideo VOD (VOD)
VOD supports two encryption methods: Alibaba Cloud proprietary cryptography and HLS encryption. You can integrate VOD with KMS to protect video content regardless of the encryption method used.