This page lists Alibaba Cloud services that integrate with Key Management Service (KMS) and the encryption methods each service supports.
> **Important:** If a service you use supports KMS integration and default keys meet your needs, you do not need to purchase a KMS instance. Default keys include service keys and customer master keys (CMKs).
## Workload data encryption
| Service | Encryption method | Service key | User-managed key | Description | References |
|---|---|---|---|---|---|
| Elastic Compute Service (ECS) | Disk encryption (envelope) | Yes | Yes | Encrypts data at rest on disks, data in transit between disks and ECS instances, and all snapshots created from encrypted disks. Encryption and decryption happen on the host with no disk performance impact. Data in the operating system is not encrypted. | Encryption overview |
| Container Service for Kubernetes (ACK) | SSE | Yes | Yes | Encrypts Kubernetes Secrets stored in etcd and volumes (disks, OSS buckets, NAS file systems) using KMS-based server-side encryption. | Use KMS to encrypt Kubernetes Secrets |
## Persistent storage encryption
| Service | Encryption method | Service key | User-managed key | Description | References |
|---|---|---|---|---|---|
| Object Storage Service (OSS) | SSE-KMS, SSE-OSS | Yes | Yes | Encrypts objects on upload and decrypts on download. SSE-KMS uses service keys or user-managed keys. You can set a service key per bucket or specify a key per object. SSE-OSS uses a dedicated OSS encryption system; these keys cannot be audited through ActionTrail. | Server-side encryption, SDK references |
| File Storage NAS | Server-side encryption (envelope) | Yes | Yes | Encrypts data at rest using envelope encryption with a key and data key specific to each volume. Supports NAS-managed keys and custom keys (CMK/BYOK). | Server-side encryption |
| Tablestore | Envelope encryption | Yes | Yes | Encrypts data at rest using envelope encryption with a key and data key specific to each table. Uses a service key by default. | Tablestore |
| Cloud Storage Gateway (CSG) | Server-side encryption, Gateway-side encryption | No | Yes | Encrypts data using server-side encryption with a user-created CMK, or gateway-side encryption. BYOK is supported. | Create a share |
| Microservices Engine (MSE) | KMS encryption | Yes | N/A | Encrypts configuration data in Microservices Registry, including data sources, tokens, usernames, and passwords. Configuration data is stored in plaintext by default. | Configuration encryption |
## Database encryption
| Service | Encryption method | Service key | User-managed key | Description | References |
|---|---|---|---|---|---|
| ApsaraDB RDS | Disk encryption, TDE | Yes | Yes | Disk encryption: free, block storage-based encryption for cloud disk instances. Keys are stored in KMS and read only on instance start or migration. TDE (MySQL and SQL Server): encrypts data before writing to disk, SSD, PCIe card, or OSS. All data files and backups are stored in ciphertext. | RDS for MySQL disk encryption, RDS for MySQL TDE, RDS for SQL Server disk encryption, RDS for SQL Server TDE, RDS for PostgreSQL disk encryption |
| ApsaraDB for MongoDB | TDE | Yes | Yes | Encrypts data using transparent data encryption, similar to ApsaraDB RDS. | Configure TDE for an instance |
| PolarDB | TDE | Yes | Yes | Supports TDE for PolarDB for MySQL, PolarDB for Oracle, and PolarDB for PostgreSQL. | PolarDB for MySQL TDE, PolarDB for Oracle TDE, PolarDB for PostgreSQL TDE |
| ApsaraDB for OceanBase | TDE | Yes | Yes | Supports transparent data encryption. | TDE |
| Tair (Redis OSS-Compatible) | TDE | Yes | Yes | Supports transparent data encryption. | Enable TDE |
| AnalyticDB | Disk encryption | No | Yes | Block storage-based encryption for the entire data disk. Backups remain encrypted even if they are exposed. Requires a manually created CMK. Supported for AnalyticDB for MySQL and AnalyticDB for PostgreSQL. | AnalyticDB for MySQL, AnalyticDB for PostgreSQL |
| ApsaraDB for ClickHouse | Disk encryption | No | Yes | Block storage-based disk encryption. Backups remain encrypted even if they are exposed. Requires a manually created CMK. | Disk encryption |
## Log data encryption
| Service | Encryption method | Service key | User-managed key | Description | References |
|---|---|---|---|---|---|
| ActionTrail | SSE (OSS-based) | Yes | Yes | Encrypts trail events delivered to OSS. Available for single-account and multi-account trails. | Create a single-account trail, Create a multi-account trail |
| Simple Log Service (SLS) | KMS encryption | Yes | Yes | Encrypts log data at rest for static data protection. Supports both service keys and BYOK with user-managed CMKs. | Data encryption |
## Big data and AI
| Service | Encryption method | Service key | User-managed key | Description | References |
|---|---|---|---|---|---|
| MaxCompute | KMS encryption | Yes | Yes | Encrypts stored data using service keys or user-managed keys. | Data encryption |
| Platform for AI (PAI) | SSE | N/A | N/A | Configure SSE for cloud services in the PAI architecture, including computing engines, ACK, and data storage services. | Platform for AI |
| E-MapReduce | Disk encryption | No | Yes | Encrypts data disks to protect both data in transit and data at rest. Requires a pre-created CMK. | Enable data disk encryption |
## Other scenarios
| Service | Encryption method | Service key | User-managed key | Description | References |
|---|---|---|---|---|---|
| Alibaba Cloud CDN | SSE (OSS-based) | Yes | N/A | When an OSS bucket serves as the origin, OSS-based SSE protects distributed content. | Grant CDN access to private OSS buckets |
| ApsaraVideo Media Processing (MPS) | Alibaba Cloud proprietary cryptography, HLS encryption | N/A | N/A | Supports two encryption methods for video content protection: Alibaba Cloud proprietary cryptography and HTTP Live Streaming (HLS) encryption. | ApsaraVideo Media Processing |
| ApsaraVideo VOD | Alibaba Cloud proprietary cryptography, HLS encryption | N/A | N/A | Supports two encryption methods for video content protection: Alibaba Cloud proprietary cryptography and HLS encryption. | Alibaba Cloud proprietary cryptography, HLS encryption |
| Hologres | KMS encryption (BYOK) | No | Yes | Encrypts data at rest using a BYOK model with user-created CMKs for regulatory and compliance requirements. | Encrypt data in Hologres |
| ApsaraVideo Live | Alibaba Cloud proprietary cryptography | N/A | N/A | Encrypts video data to prevent unauthorized download and redistribution. Used in online education, finance, corporate training, and streaming. | Alibaba Cloud proprietary cryptography |
| Elastic Desktop Service (EDS) Enterprise | Disk encryption | No | Yes | Encrypts system disks and data disks during cloud computer creation. Requires a manually created CMK. | Create cloud computers |