
Instance selection

Last Updated: Apr 02, 2026

Key Management Service (KMS) provides three tiers of key protection: free default keys, paid software key management instances, and paid hardware key management instances. For most workloads, default keys are sufficient. They require no setup and cover server-side encryption across Alibaba Cloud services at no cost. Paid instances add capabilities such as application-level encryption, secrets management, and regulatory compliance -- but they also introduce additional management overhead and cost.

Use this guide to determine which tier matches your requirements.

Decide which tier you need

Answer the following questions to identify the right instance type. If you answer "No" to every question, default keys meet your needs.

| Decision criteria | Default keys (free) | Software instance | Hardware instance |
|---|---|---|---|
| Do you need to encrypt data in your own applications? | -- | Yes | Yes |
| Do you need to manage secrets (create, rotate, retrieve)? | -- | Yes | Yes |
| Do you need FIPS 140-2 Level 3 validated hardware security modules (HSMs)? | -- | -- | Yes |
| Do you need dedicated gateway throughput up to 8,000 queries per second (QPS)? | -- | -- | Yes |
| Do you need key backup management? | -- | Yes | -- |

Recommendations by workload

  • Alibaba Cloud service encryption only -- Use default keys. They are free and require no setup.

  • Application-level encryption or secrets management -- Use a software key management instance. It supports asymmetric keys, Bring Your Own Key (BYOK), secret lifecycle management, and multi-account sharing.

  • Regulatory compliance or high throughput -- Use a hardware key management instance for Federal Information Processing Standard (FIPS) 140-2 Level 3 validation and dedicated gateway QPS up to 8,000. Hardware instances require purchasing two HSMs.

Default keys

Default keys encrypt data at rest across Alibaba Cloud services at no cost. They come in two forms:

| Type | Scope | BYOK | Scheduled deletion | Key rotation |
|---|---|---|---|---|
| Service key | One per Alibaba Cloud service, per region, per account | No | No | Yes (requires a value-added plan) |
| Customer master key (CMK) | One per region, per account | Yes | Yes | Yes (requires a value-added plan) |

Both types use the Aliyun_AES_256 key specification and support data encryption and decryption through a shared gateway at 1,000 QPS. This throughput cannot be upgraded.

Note

Default keys do not support application-level encryption, secrets management, or multi-account sharing. If your workload needs any of these capabilities, use a paid instance.

Software key management instances

Software instances are designed for teams that need to encrypt data in custom applications or manage secrets programmatically.

Capabilities:

  • Symmetric keys (Aliyun_AES_256) and asymmetric keys (RSA_2048, RSA_3072, EC_P256, EC_P256K)

  • BYOK -- import your own key material for symmetric and asymmetric keys

  • Secret lifecycle management -- create, rotate, retrieve, and delete secrets (up to 100,000)

  • Key rotation for symmetric keys (asymmetric keys not supported)

  • Multi-account resource sharing

  • Key backup management

  • Up to 100,000 keys

Performance:

| Gateway type | QPS (symmetric encryption/decryption) | Upgradable |
|---|---|---|
| Shared | 1,000 | No |
| Dedicated | 1,000, 2,000, or 4,000 | Yes |

Billing: Subscription or pay-as-you-go. See Billing overview.

Hardware key management instances

Hardware instances store keys inside FIPS 140-2 Level 3 validated HSMs. Choose this tier when regulations require hardware-backed key protection or when your applications demand high-throughput cryptographic operations.

Capabilities:

  • All software instance capabilities except key backup management and key rotation

  • FIPS 140-2 Level 3 compliance

  • Broader key specifications -- symmetric: Aliyun_AES_256, Aliyun_AES_192, Aliyun_AES_128; asymmetric: RSA_2048, RSA_3072, RSA_4096, EC_P256, EC_P256K

  • Dedicated gateway QPS up to 8,000

Performance:

| Gateway type | QPS (symmetric encryption/decryption) | Upgradable |
|---|---|---|
| Shared | 1,000 | No |
| Dedicated | 2,000, 4,000, 6,000, or 8,000 | Yes |

Billing: Subscription or pay-as-you-go. Requires purchasing two HSMs. See HSM billing.

Important

Hardware instances do not support key rotation or key backup management. If either capability is required, use a software instance and confirm that FIPS 140-2 Level 3 compliance is not mandatory for your workload.
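The decision questions at the top of this guide and the conflict described in the note above can be encoded as a single requirements check. The following is an added example, not an Alibaba Cloud API or code from this documentation; `select_kms_tier`, the tier names and the feature labels are assumptions, while the capability sets and QPS steps are transcribed from the tables on this page.

```python
"""Hypothetical requirements checker for the KMS tiers described on this page.
Not an Alibaba Cloud API: the capability sets and QPS options below are
transcribed from the decision criteria and the feature comparison tables."""

# Features every tier supports (server-side encryption, alias, tag, audit).
BASE = {"service_side_encryption", "key_alias", "key_tag", "actiontrail_audit"}
TIER_FEATURES = {
    "service_key": BASE | {"key_rotation"},
    "cmk": BASE | {"key_rotation", "byok", "scheduled_deletion", "deletion_protection"},
    "software_instance": BASE | {
        "key_rotation", "byok", "scheduled_deletion", "deletion_protection",
        "app_encryption", "secrets", "signing", "multi_account_sharing", "backup"},
    "hardware_instance": BASE | {
        "byok", "scheduled_deletion", "deletion_protection", "app_encryption",
        "secrets", "signing", "multi_account_sharing", "fips_140_2_level_3"},
}
# Symmetric encryption QPS: the shared gateway is 1,000 for every tier and is not
# upgradable; dedicated gateways exist only for paid instances, in these steps.
SHARED_QPS = 1000
DEDICATED_QPS = {"software_instance": (1000, 2000, 4000),
                 "hardware_instance": (2000, 4000, 6000, 8000)}
# Cheapest-first order: free default keys before paid instances.
TIER_ORDER = ("service_key", "cmk", "software_instance", "hardware_instance")


def select_kms_tier(required_features, required_qps=SHARED_QPS):
    """Return (recommendation, rejections).

    recommendation: (tier, gateway description) for the cheapest tier that
    supports every required feature and can be sized to required_qps, or
    None when no tier qualifies (e.g. FIPS 140-2 Level 3 plus key rotation).
    rejections: {tier: reason} naming the requirement that excluded each tier.
    """
    required = set(required_features)
    rejections = {}
    for tier in TIER_ORDER:
        missing = sorted(required - TIER_FEATURES[tier])
        if missing:
            rejections[tier] = "missing: " + ", ".join(missing)
            continue
        if required_qps <= SHARED_QPS:
            return (tier, f"shared gateway ({SHARED_QPS} QPS)"), rejections
        # Smallest dedicated gateway step that meets the required throughput.
        steps = [q for q in DEDICATED_QPS.get(tier, ()) if q >= required_qps]
        if steps:
            return (tier, f"dedicated gateway ({steps[0]} QPS)"), rejections
        rejections[tier] = f"max QPS below {required_qps}"
    return None, rejections
```

The rejection map is the useful part: when the result is `None`, it shows which requirement each tier fails, which is exactly the FIPS-versus-rotation conflict the note above warns about.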

Feature comparison

The following tables provide a complete comparison across all four key types. Use them to verify that your chosen tier supports every feature your workload requires.

Supported: Yes. Not supported: --.

Billing

| Item | Service key | CMK | Software instance | Hardware instance |
|---|---|---|---|---|
| Billing method | Free | Free | Subscription or pay-as-you-go | Subscription or pay-as-you-go (requires two HSMs) |

Scenarios

| Item | Service key | CMK | Software instance | Hardware instance |
|---|---|---|---|---|
| Server-side encryption in Alibaba Cloud services | Yes | Yes | Yes | Yes |
| Data encryption in self-managed applications | -- | -- | Yes | Yes |
| Secret lifecycle management | -- | -- | Yes | Yes |
| FIPS 140-2 Level 3 compliance | -- | -- | -- | Yes |

Quotas and performance

| Item | Service key | CMK | Software instance | Hardware instance |
|---|---|---|---|---|
| Symmetric encryption/decryption QPS | 1,000 (upgrade not supported) | 1,000 (upgrade not supported) | Shared: 1,000 (upgrade not supported). Dedicated: 1,000, 2,000, or 4,000 (upgradable). | Shared: 1,000 (upgrade not supported). Dedicated: 2,000, 4,000, 6,000, or 8,000 (upgradable). |
| Keys | 1 per Alibaba Cloud service per region per account | 1 per region per account | 1,000--100,000 | 1,000--100,000 |
| Secrets | -- | -- | 0--100,000 | 0--100,000 |
| Network endpoints | Public and virtual private cloud (VPC) | Public and VPC | Public and VPC | Public and VPC |

Management

| Feature | Service key | CMK | Software instance | Hardware instance |
|---|---|---|---|---|
| Multi-account resource sharing | -- | -- | Yes | Yes |
| Backup management | -- | -- | Yes | -- |
| Security audit (ActionTrail) | Yes | Yes | Yes | Yes |

Key management

| Feature | Service key | CMK | Software instance | Hardware instance |
|---|---|---|---|---|
| Key specifications | Aliyun_AES_256 | Aliyun_AES_256 | Symmetric: Aliyun_AES_256. Asymmetric: RSA_2048, RSA_3072, EC_P256, EC_P256K. | Symmetric: Aliyun_AES_256, Aliyun_AES_192, Aliyun_AES_128. Asymmetric: RSA_2048, RSA_3072, RSA_4096, EC_P256, EC_P256K. |
| BYOK (import external key material) | -- | Yes | Yes | Yes |
| Key rotation | Yes (requires a value-added plan) | Yes (requires a value-added plan) | Yes (symmetric keys only) | -- |
| Scheduled key deletion | -- | Yes | Yes | Yes |
| Key deletion protection | -- | Yes | Yes | Yes |
| Key alias | Yes | Yes | Yes | Yes |
| Key tag | Yes | Yes | Yes | Yes |

Cryptographic operations

| Feature | Service key | CMK | Software instance | Hardware instance |
|---|---|---|---|---|
| Data encryption and decryption | Yes | Yes | Yes | Yes |
| Signature generation and verification | -- | -- | Yes | Yes |

Secret management

| Feature | Service key | CMK | Software instance | Hardware instance |
|---|---|---|---|---|
| Secret creation | -- | -- | Yes | Yes |
| Secret deletion | -- | -- | Yes | Yes |
| Secret rotation | -- | -- | Yes | Yes |
| Secret tag | -- | -- | Yes | Yes |
| Secret value retrieval | -- | -- | Yes | Yes |

References

| Resource | Link |
|---|---|
| Billing overview | Billing overview |
| HSM billing | HSM billing |
| Scenarios | Scenarios |
| Performance quotas | Performance quotas |
| Regions and endpoints | Regions and endpoints |
| Key management overview | Key management overview |
| Import key material (symmetric) | Import key material into a symmetric key |
| Import key material (asymmetric) | Import key material into an asymmetric key |
| Key rotation | Configure key rotation |
| Scheduled key deletion | Schedule a key deletion task |
| Key deletion protection | Enable key deletion protection |
| Key aliases | Manage key aliases |
| Tag management | Tag management |
| Multi-account sharing | Share a KMS instance across multiple Alibaba Cloud accounts |
| Backups | Backups |
| Security audit | Use ActionTrail to query KMS events |
| SDK reference | Alibaba Cloud SDK |
| Secret management | Secret management |
| Secret client | Secret client |
| Secret JDBC client | Secret JDBC client |
| RAM secret plug-in | RAM secret plug-in |