Key Management Service
Alibaba Cloud Key Management Service (KMS) is a secure and easy-to-use service to create, control, and manage encryption keys used to secure your data.
KMS enables you to protect the confidentiality, integrity, and availability of keys while also saving on costs. You can integrate KMS with other Alibaba Cloud services such as ApsaraDB for RDS and Object Storage Service, to encrypt critical information including certificates and keys stored with these services. You can use these keys securely and conveniently, and focus on developing encryption/decryption function scenarios.
Major problems to resolve using KMS:

| Role | Problem | How to resolve the problem using KMS |
| --- | --- | --- |
| Application/Website developer | My program needs to use a key for encryption or a certificate for signing, and I want the key managed in a secure and independent manner. I want to access the key safely no matter where my application is deployed. I would never allow the plaintext key to be deployed wherever the application runs, which is too risky. | Through envelope encryption, users can store the Customer Master Key (CMK) in KMS and deploy only the encrypted data key, calling KMS to decrypt the data key only when it is needed. |
| Service developer | I do not want to be responsible for the security of users' keys and data. I want users to manage their keys themselves, and, with their authorization, to use the keys they specify to encrypt their data. In this way, I can devote all my energy to developing service functions. | Based on envelope encryption and the open APIs of KMS, service developers can use user-specified CMKs to encrypt and decrypt data keys, which easily satisfies the requirement of never storing the plaintext key directly on a storage device; service developers therefore do not need to worry about managing users' keys. |
| Chief Security Officer (CSO) | I want my company's key management to meet compliance requirements. I need to ensure that keys are authorized appropriately and that every use of a key is audited. | KMS can be associated with RAM for unified authorization management. |
Benefits
Fully Managed
Enables easy encryption/decryption of data keys by allowing storage of Customer Master Key (CMK) in KMS
Manages availability, security, and maintenance of underlying infrastructure
Secure
Transfers data over Transport Layer Security (TLS) to ensure complete security of your data
Easy Management of User Keys
Envelope Encryption Technology
Uses specified CMKs for easy encryption/decryption of data
Eliminates need to store plain text directly in storage device
Easy-to-Use
Enables easy encryption/decryption of data keys by allowing storage of Customer Master Key (CMK) in KMS
Manages availability, security, and maintenance of underlying infrastructure
Multi-region Support
Supports five regions worldwide; usage limits are relatively independent for each user in different regions
Cost-effective
Saves cost compared to procuring expensive hardware equipment to secure the physical environment
Pay only for the resources your business requires
Product Details
Alibaba Cloud Key Management Service (KMS) is a fully managed service to create, delete, and manage encryption keys that protect your data. For common key management scenarios, you can use the APIs or the Alibaba Cloud Management Console to produce and manage Customer Master Keys (CMKs).
For common encryption/decryption scenarios, you can use the API to encrypt/decrypt small volumes of data directly, or envelope encryption for relatively larger volumes of data.
You can also define usage policies for data encryption, and integrate KMS with various Alibaba Cloud storage services to ensure the security of the stored data.
KMS enables you to encrypt data easily, using the SDKs or APIs to encrypt/decrypt data keys.
Features
Key management-related functions
Allows you to create, view, enable, and disable CMKs to encrypt/decrypt data keys
Enables you to view the whole master key list for all services integrated with KMS
Security
Requires HTTPS to protect data when SDKs access keys
Supports the HMAC-SHA1 request signature scheme
Maintains confidentiality, integrity, and availability of keys used to protect data
Multiple Location Support
| Location | Location ID | Public Network Address | Private Network Address |
| --- | --- | --- | --- |
| China East 1 (Hangzhou) | cn-hangzhou | kms.cn-hangzhou.aliyuncs.com | kms-vpc.cn-hangzhou.aliyuncs.com |
| Singapore | ap-southeast-1 | kms.ap-southeast-1.aliyuncs.com | kms-vpc.ap-southeast-1.aliyuncs.com |
| China East 2 (Shanghai) | cn-shanghai | kms.cn-shanghai.aliyuncs.com | kms-vpc.cn-shanghai.aliyuncs.com |
| China North 2 (Beijing) | cn-beijing | kms.cn-beijing.aliyuncs.com | kms-vpc.cn-beijing.aliyuncs.com |
| China South 1 (Shenzhen) | cn-shenzhen | kms.cn-shenzhen.aliyuncs.com | kms-vpc.cn-shenzhen.aliyuncs.com |
| Japan | ap-northeast-1 | kms.ap-northeast-1.aliyuncs.com | kms-vpc.ap-northeast-1.aliyuncs.com |
| Frankfurt | eu-central-1 | kms.eu-central-1.aliyuncs.com | kms-vpc.eu-central-1.aliyuncs.com |
| Dubai | me-east-1 | kms.me-east-1.aliyuncs.com | kms-vpc.me-east-1.aliyuncs.com |
| Sydney | ap-southeast-2 | kms.ap-southeast-2.aliyuncs.com | kms-vpc.ap-southeast-2.aliyuncs.com |
| Hong Kong | cn-hongkong | kms.cn-hongkong.aliyuncs.com | kms-vpc.cn-hongkong.aliyuncs.com |
| China North 3 (Zhangjiakou) | cn-zhangjiakou | kms.cn-zhangjiakou.aliyuncs.com | kms-vpc.cn-zhangjiakou.aliyuncs.com |
| China North 1 (Qingdao) | cn-qingdao | kms.cn-qingdao.aliyuncs.com | kms-vpc.cn-qingdao.aliyuncs.com |
| Kuala Lumpur | ap-southeast-3 | kms.ap-southeast-3.aliyuncs.com | kms-vpc.ap-southeast-3.aliyuncs.com |
| China North 5 (Huhehaote) | cn-huhehaote | kms.cn-huhehaote.aliyuncs.com | kms-vpc.cn-huhehaote.aliyuncs.com |
Easy Integration
Easily integrates with other Alibaba Cloud products such as ApsaraDB for RDS to protect the data stored in these services
Encrypts your static files stored in Object Storage Service
Envelope Encryption Technology
Allows you to store, transfer, and use encrypted data by encapsulating its data keys (DKs) in an envelope while the CMKs stay in KMS
Allows users to call KMS to decrypt a data key only when it is needed
Scalability and Durability
Automatically scales to meet the encryption needs of your business
Stores multiple copies of the encrypted versions of your master keys, ensuring high durability and availability
Can be deployed in multiple availability zones within a region to ensure high availability of encryption keys
Scenarios
Listed below are a few common KMS scenarios:
1. Encryption/decryption of a small amount of data directly using KMS
You can call the KMS APIs directly and use the specified Customer Master Key (CMK) to encrypt and decrypt data. This scenario applies to the encryption and decryption of a small amount of data (less than 4KB). Data is transmitted to the KMS server through secure channels, encrypted or decrypted on the server, and returned through secure channels.
To protect an HTTPS certificate on a server:

Steps:
Create a Customer Master Key (CMK)
Call the Encrypt interface of KMS to encrypt the plaintext certificate into a ciphertext certificate
Deploy the ciphertext certificate on the server
Call the Decrypt interface of KMS to decrypt the ciphertext certificate back into the plaintext certificate when the server starts and needs to use the certificate
2. Local encryption/decryption of a massive amount of data using envelope encryption
Envelope encryption is a mechanism similar to digital envelope technology. It allows you to store, transfer, and use encrypted data by encapsulating its data keys (DKs) in an envelope, instead of encrypting/decrypting the data directly with Customer Master Keys (CMKs). This is appropriate when a large volume of data needs to be encrypted or decrypted.
You can call the KMS API directly, use the specified CMK to generate and decrypt the data key, and use the data key for local data encryption and decryption. You do not need to transmit the massive amount of data over the network, which results in cost savings.
This eliminates all kinds of security risks, including eavesdropping and phishing.
To encrypt a local file:

Encryption steps:
Create a CMK
Call the GenerateDataKey interface of KMS to generate a data key; you obtain a plaintext data key and a ciphertext data key
Use the plaintext data key to encrypt the file and produce a ciphertext file
Save the ciphertext data key and the ciphertext file to a persistent storage device or service
To decrypt a local file:

Decryption steps:
Read the ciphertext data key and the ciphertext file from the persistent storage device or service
Call the Decrypt interface of KMS to decrypt the ciphertext data key and obtain the plaintext data key
Use the plaintext data key to decrypt the file
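The encryption and decryption steps above, carried through end to end as an added example (this is not Alibaba Cloud's SDK or sample code). FakeKms is an assumed in-memory stand-in for one region's GenerateDataKey and Decrypt endpoints, and the SHA-256 keystream plus HMAC tag is a toy stand-in for the service's real cipher; the stand-in also rejects a wrapped data key presented in a different region (the Forbidden.KeyNotFound case the FAQ describes) and binds the data key to an encryption context.

```python
import hashlib, hmac, json, secrets

def _keystream_xor(key, nonce, data):
    # Toy SHA-256 keystream cipher: a stand-in for the AES the real service uses.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key, plaintext, aad):
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def unseal(key, blob, aad):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or encryption context")
    return _keystream_xor(key, nonce, ct)

class FakeKms:
    """In-memory stand-in for one region's GenerateDataKey/Decrypt endpoints (assumption)."""
    def __init__(self, region):
        self.region, self._cmks = region, {}
    def create_key(self):
        key_id = "key-" + secrets.token_hex(8)
        self._cmks[key_id] = secrets.token_bytes(32)  # CMK material never leaves the service
        return key_id
    def generate_data_key(self, key_id, context=None):
        aad = json.dumps(context or {}, sort_keys=True).encode()  # encryption context as AAD
        plaintext_dk = secrets.token_bytes(32)
        header = f"{self.region}:{key_id}|".encode()  # ties the wrapped key to its region
        return plaintext_dk, header + seal(self._cmks[key_id], plaintext_dk, aad)
    def decrypt(self, ciphertext_dk, context=None):
        header, wrapped = ciphertext_dk.split(b"|", 1)
        region, key_id = header.decode().split(":")
        if region != self.region or key_id not in self._cmks:
            raise KeyError("Forbidden.KeyNotFound")  # the cross-region error from the FAQ
        aad = json.dumps(context or {}, sort_keys=True).encode()
        return unseal(self._cmks[key_id], wrapped, aad)

def encrypt_file_bytes(kms, key_id, data, context):
    # GenerateDataKey, encrypt locally, return only the wrapped key plus ciphertext to store.
    plaintext_dk, ciphertext_dk = kms.generate_data_key(key_id, context)
    return ciphertext_dk, seal(plaintext_dk, data, b"")

def decrypt_file_bytes(kms, ciphertext_dk, ciphertext, context):
    # Unwrap the data key through KMS, then decrypt the file locally.
    return unseal(kms.decrypt(ciphertext_dk, context), ciphertext, b"")
```

The plaintext data key exists only for the duration of the two local calls; what goes to storage is the ciphertext data key and the ciphertext file, exactly as the steps describe.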
Getting Started
To manage your keys, use the KMS APIs and SDKs.
Using KMS through the Management Console
The Alibaba Cloud Management Console provides a simple web-based user interface for creating, describing, enabling, and disabling your keys.
KMS API Reference
You can call KMS APIs for encryption and decryption of the data keys. Please read the API introduction.
For a step-by-step guide on how to use the Alibaba Cloud KMS management console or APIs, refer to Quick Start Guide.
KMS SDK Reference
You can easily manage CMKs by using Alibaba Cloud Key Management Service SDKs available in four languages (Java, Python, PHP, and C#).
View Java SDK sample codes.
Resources
Alibaba Cloud Key Management Service (KMS) is an easy-to-use, secure and efficient way to manage encryption keys used to secure data. The following are links to documentation, SDKs, and other resources that can help you understand how KMS works.
FAQs
1. What is a Customer Master Key (CMK)?
CMK is the master key created by a user in the Alibaba Cloud Key Management Service (KMS) to encrypt data keys and generate envelopes. It can also be directly used to encrypt a small amount of data.
2. What is envelope encryption technology?
Envelope encryption is an encryption mechanism similar to digital envelope technology. It allows you to store, transfer, and use encrypted data by encapsulating its data keys (DKs) in an envelope, instead of encrypting/decrypting the data directly with CMKs.
3. In what regions can KMS be accessed?
KMS is available in the regions listed under Multiple Location Support above, with their corresponding location IDs and public/private network addresses.
4. Why can't the KMS endpoint be accessed?
To ensure data security, KMS only supports the HTTPS protocol when you access it through the SDKs; plain HTTP requests are not served.
5. Why does the error "Forbidden.KeyNotFound" occur during decryption?
The error typically occurs when you try to decrypt data in the wrong region. KMS is completely independent in each region, so you must decrypt data in the same region where it was encrypted.
6. How can I manage user keys using KMS?
Based on envelope encryption and the open APIs of KMS, you can use specified CMKs to encrypt and decrypt data keys. You then never have to store a plaintext key directly on a storage device, and can concentrate on development work without worrying about managing users' keys.
7. How many CMKs can be created by one user in each region?
Each user can create up to 200 CMKs in each region. In case you need to create more than 200 CMKs, you can submit a request to Alibaba Cloud through its ticket system.
8. What is encryption context?
Encryption context is a JSON object whose keys and values are both strings. It can be passed to KMS APIs including Encrypt, GenerateDataKey, and Decrypt to protect data integrity: the same context supplied at encryption time must be supplied again for decryption to succeed.