Key Management Service (KMS): Manage Encryption Keys

{"moduleinfo":{"iframeResizerUrl":"//g.alicdn.com/aliyun/www-product-ecs-price/0.0.18/iframeResizer.js","rightBtn":{"partnerAddress":"https://common-buy-intl4service.aliyun.com/?commodityCode=kms_intl_vdf#/open","output4Partner":true,"text":"Get it Free","url":"//common-buy-intl.aliyun.com/?commodityCode=kms_intl#/open"},"highlightAutoNav":false,"nav_count":[{"count_phone":2,"count":2}]},"nav":[{"txt":"Overview","highlight":"true","newWindow":"false","hideMobile":"false","anchor":[{"tce_rule_count":"1","name":"alicloud-v3-overview"},{"tce_rule_count":"1","name":"alicloud-v3-product-buy-now"},{"tce_rule_count":"1","name":"alicloud-v3-product-feature"},{"tce_rule_count":"1","name":"wb-zc-jwmod-scenarios-scene"},{"tce_rule_count":"1","name":"alicloud-v3-product-timeline"},{"tce_rule_count":"1","name":"alicloud-v3-product-summary"},{"tce_rule_count":"1","name":"alicloud-v3-get-start-for-free"}],"style":"hash","output4Partner":"false","newAddress":"/"},{"txt":"Documentation","highlight":"false","partnerAddress":"/help/product/28933.htm","newWindow":"true","hideMobile":"false","anchor":[{"tce_rule_count":"1"}],"style":"link","output4Partner":"true","newAddress":"https://www.alibabacloud.com/help/product/28933.htm"}],"countinfo":{"nav":{"length_pc":0,"length":0}},"$tmsId":"tce/1685848"}

Overview
Overview
Overview
Documentation
Documentation

Get it Free

Alibaba Cloud Key Management Service (KMS) is a fully managed service to create, delete and manage encrypted keys to protect your data. For common key management scenarios, you can use APIs or Alibaba Cloud management console to produce and manage Customer Master Keys (CMKs).

KMS enables you to protect the confidentiality, integrity, and availability of keys while also saving on costs. You can integrate KMS with other Alibaba Cloud services such as ApsaraDB for RDS and Object Storage Service, to encrypt critical information including certificates and keys stored with these services. You can use these keys securely and conveniently, and focus on developing encryption/decryption function scenarios.

For common encryption/decryption scenarios, you can use the API to locally encrypt/decrypt small volumes of data or envelope encryption technology for relatively larger volumes of data. Also, you can define usage policies for data encryption. You can integrate it with various Alibaba Cloud storage services to ensure the security of the stored data.

{"moduleinfo":{"othercol_count":[{"count_phone":3,"count":3}],"tips_count":[{"count_phone":0,"count":0}],"firstcol_count":[{"count_phone":0,"count":0}],"autoResize":true,"tit":"Major Problems to Resolve Using KMS"},"firstcol":[],"othercol":[{"isactive":"false","title":"Role","list":[{"tce_rule_count":"1","text":"Application/Website developer"},{"tce_rule_count":"1","text":"Service developer"},{"tce_rule_count":"1","text":"Chief Security Officer (CSO)"}]},{"isactive":"false","title":"Problem","list":[{"tce_rule_count":"1","text":"My program needs to use a key for encryption or a certificate for signature, and I hope the key is managed in a secure and independent manner. I hope I can safely access the key no matter where my application is deployed. I would never allow deploying the plaintext key randomly, which is too risky."},{"tce_rule_count":"1","text":"I do not want to be responsible for the security of users’ keys and data. I hope users can manage their keys by themselves and I can use specified keys to encrypt their data with their authorization. In this way, I can devote all energy to developing service functions."},{"tce_rule_count":"1","text":"I hope the key management of my company can meet compliance requirements. I need to ensure that keys are reasonably authorized and any use of keys must be audited."}]},{"isactive":"false","title":"How to resolve the problem","list":[{"tce_rule_count":"1","text":"Through the envelop encryption technology, users can store the Customer Master Key (CMK) in KMS and deploy only the encrypted data key, and users can call KMS to decrypt the data key only when they need to use it."},{"tce_rule_count":"1","text":"Based on the envelop encryption technology and the open APIs of KMS, service developers can use specified CMKs to encrypt and decrypt data keys, easily satisfying the requirement of not storing the plaintext directly in a storage device; therefore, service developers do not need to worry about how to manage users’ keys."},{"tce_rule_count":"1","text":"KMS can be associated with RAM for unified authorization management."}]}],"tips":[],"countinfo":{"othercol":{"length_pc":0,"length":0},"firstcol":{},"tips":{}},"$tmsId":"tce/1685847"}

Major Problems to Resolve Using KMS

Role
Application/Website developer
Service developer
Chief Security Officer (CSO)

Problem
My program needs to use a key for encryption or a certificate for signature, and I hope the key is managed in a secure and independent manner. I hope I can safely access the key no matter where my application is deployed. I would never allow deploying the plaintext key randomly, which is too risky.
I do not want to be responsible for the security of users’ keys and data. I hope users can manage their keys by themselves and I can use specified keys to encrypt their data with their authorization. In this way, I can devote all energy to developing service functions.
I hope the key management of my company can meet compliance requirements. I need to ensure that keys are reasonably authorized and any use of keys must be audited.

How to resolve the problem
Through the envelop encryption technology, users can store the Customer Master Key (CMK) in KMS and deploy only the encrypted data key, and users can call KMS to decrypt the data key only when they need to use it.
Based on the envelop encryption technology and the open APIs of KMS, service developers can use specified CMKs to encrypt and decrypt data keys, easily satisfying the requirement of not storing the plaintext directly in a storage device; therefore, service developers do not need to worry about how to manage users’ keys.
KMS can be associated with RAM for unified authorization management.

{"moduleinfo":{"benefits":"Benefits","outputBuyBtn4Partner":true,"os_count":[{"count_phone":0,"count":0}],"products_count":[{"count_phone":0,"count":0}],"benefits_count":[{"count_phone":4,"count":4}],"news_count":[{"count_phone":0,"count":0}],"floor":"floor1","outputNews4Partner":"false","regions_count":[{"count_phone":0,"count":0}]},"regions":[],"os":[],"products":[],"benefits":[{"icon":"https://img.alicdn.com/tfs/TB11mCwXuT2gK0jSZFvXXXnFXXa-108-108.png","title":"Fully Managed","content":"Enables easy encryption/decryption of data keys by allowing storage of Customer Master KeyManages availability, security, and maintenance of underlying infrastructure"},{"icon":"https://img.alicdn.com/tfs/TB1RmCwXuT2gK0jSZFvXXXnFXXa-108-108.png","title":"Secure","content":"Transfers data over Transport Layer Security (TLS) to ensure complete security of your data"},{"icon":"https://img.alicdn.com/tfs/TB1sZixXEY1gK0jSZFCXXcwqXXa-108-108.png","title":"Easy Management of User Keys","content":"Uses specified CMKs for easy encryption/decryption of dataEliminates need to store plain text directly in storage device"},{"icon":"https://img.alicdn.com/tfs/TB1p_ixXrr1gK0jSZR0XXbP8XXa-108-108.png","title":"Multi-region Support","content":"Supports five regions worldwide; usage limits are relatively independent for each user in different regions"}],"news":[],"countinfo":{"benefits":{"length_pc":0,"length":0},"news":{},"regions":{},"os":{},"products":{}},"$tmsId":"tce/1685854"}

Benefits

: Fully Managed
Enables easy encryption/decryption of data keys by allowing storage of Customer Master Key
Manages availability, security, and maintenance of underlying infrastructure

: Secure
Transfers data over Transport Layer Security (TLS) to ensure complete security of your data

: Easy Management of User Keys
Uses specified CMKs for easy encryption/decryption of data
Eliminates need to store plain text directly in storage device

: Multi-region Support
Supports five regions worldwide; usage limits are relatively independent for each user in different regions

{"moduleinfo":{"title":"Features","li_count":[{"count_phone":9,"count":9}]},"li":[{"spm":"a","img":"https://img.alicdn.com/tfs/TB133GxXxD1gK0jSZFKXXcJrVXa-108-108.png","more":[{"p":"Allows you to create, view, enable, and disable CMKs to encrypt/decrypt data keys.","tce_rule_count":"1","title":""},{"p":"Enables you to view the whole master key list for all services integrated with KMS.","tce_rule_count":"1","title":""}],"h1":"Key Management-related Functions","imgAction":"https://img.alicdn.com/tfs/TB1xieFXpY7gK0jSZKzXXaikpXa-108-108.png"},{"spm":"a","img":"https://img.alicdn.com/tfs/TB1aHaxXEz1gK0jSZLeXXb9kVXa-108-108.png","more":[{"p":"Enables HTTPS protocol to protect data while using SDKs to access keys.","tce_rule_count":"1","title":""},{"p":"Supports HMAC-SHA1 signature scheme.","tce_rule_count":"1","title":""},{"p":"Maintains confidentiality, integrity, and availability of keys used to protect data.","tce_rule_count":"1","title":""}],"h1":"Security","imgAction":"https://img.alicdn.com/tfs/TB1FbCIXAY2gK0jSZFgXXc5OFXa-108-108.png"},{"spm":"a","img":"https://img.alicdn.com/tfs/TB1b.uxXrj1gK0jSZFOXXc7GpXa-108-108.png","more":[{"p":"Please refer to <a href=\"https://www.alibabacloud.com/help/doc-detail/69006.htm\" class=\"show-for-intl\">Request structure</a><a href=\"https://partners-intl.aliyun.com/help/doc-detail/69006.htm\" class=\"show-for-reseller\">Request structure</a> for a complete list of available regions and endpoints.","tce_rule_count":"1","title":""}],"h1":"Multiple Regional Support","imgAction":"https://img.alicdn.com/tfs/TB1_v5IXuL2gK0jSZFmXXc7iXXa-108-108.png"},{"spm":"a","img":"https://img.alicdn.com/tfs/TB1zCGxXrH1gK0jSZFwXXc7aXXa-108-108.png","more":[{"p":"Easily integrates with other Alibaba Cloud products such as ApsaraDB for RDS to protect the data stored using these services.","tce_rule_count":"1","title":""},{"p":"Encrypts your static files stored in Object Storage Service ensuring security.","tce_rule_count":"1","title":""}],"h1":"Easy Integration","imgAction":"https://img.alicdn.com/tfs/TB1BieFXpY7gK0jSZKzXXaikpXa-108-108.png"},{"spm":"a","img":"https://img.alicdn.com/tfs/TB1WGqxXEY1gK0jSZFMXXaWcVXa-108-108.png","more":[{"p":"Allows you to store, transfer and use encrypted data by encapsulating its data keys (DKs) in an envelope and stores CMKs in KMS.","tce_rule_count":"1","title":""},{"p":"Allows users to call KMS to decrypt data key only when needed.","tce_rule_count":"1","title":""}],"h1":"Envelope Encryption Technology","imgAction":"https://img.alicdn.com/tfs/TB1W8GIXED1gK0jSZFGXXbd3FXa-108-108.png"},{"spm":"a","img":"https://img.alicdn.com/tfs/TB1TauxXEY1gK0jSZFMXXaWcVXa-108-108.png","more":[{"p":"Automatically scales to meet encryption needs as per your business requirement.","tce_rule_count":"1","title":""},{"p":"Stores multiple copies of encrypted versions of your master keys ensuring high durability and availability.","tce_rule_count":"1","title":""},{"p":"Potential to deploy in multiple availability zones within a region to ensure high availability of encryption keys.","tce_rule_count":"1","title":""}],"h1":"Scalability and Durability","imgAction":"https://img.alicdn.com/tfs/TB1f8yIXEz1gK0jSZLeXXb9kVXa-108-108.png"},{"spm":"a","img":"https://img.alicdn.com/tfs/TB1jdmyXAL0gK0jSZFxXXXWHVXa-108-108.png","more":[{"p":"Saves cost compared to procuring expensive hardware equipment to secure physical environment.","tce_rule_count":"1","title":""},{"p":"Pay only for resources needed as per your business requirements.","tce_rule_count":"1","title":""}],"h1":"Cost-effective","imgAction":"https://img.alicdn.com/tfs/TB1ukyIXET1gK0jSZFhXXaAtVXa-108-108.png"},{"spm":"a","img":"https://img.alicdn.com/tfs/TB1GEmtXpT7gK0jSZFpXXaTkpXa-108-108.png","more":[{"p":"Supports RESTful API and third-party integration.","tce_rule_count":"1","title":""},{"p":"Integrates with RAM and supports unified authorization management.","tce_rule_count":"1","title":""},{"p":"Supports easy-to-use API and standard HTTPS protocols.","tce_rule_count":"1","title":""}],"h1":"Easy-to-Use","imgAction":"https://img.alicdn.com/tfs/TB1DfKIXuH2gK0jSZJnXXaT1FXa-108-108.png"},{"spm":"a","img":"https://img.alicdn.com/tfs/TB1U8qwXuH2gK0jSZFEXXcqMpXa-108-108.png","more":[{"p":"Provides protection based on hardware security modules (HSMs). Allows you to commission compliant hardware security modules to achieve better protection. A hardware security module is a physical computing device that generates and manages digital keys and performs crypto processing. Such devices manage your digital keys with stronger protection. In this way, you can protect your private computing tasks and data assets and meet the requirements of security compliance.","tce_rule_count":"1","title":""}],"h1":"Hardware Security Modules","imgAction":"https://img.alicdn.com/tfs/TB1AmWJXAL0gK0jSZFtXXXQCXXa-108-108.png"}],"countinfo":{"li":{"length_pc":0,"length":0}},"$tmsId":"tce/1685855"}

Features

Key Management-related Functions

Allows you to create, view, enable, and disable CMKs to encrypt/decrypt data keys.

Enables you to view the whole master key list for all services integrated with KMS.
Security

Enables HTTPS protocol to protect data while using SDKs to access keys.

Supports HMAC-SHA1 signature scheme.

Maintains confidentiality, integrity, and availability of keys used to protect data.
Multiple Regional Support

Please refer to Request structure Request structure for a complete list of available regions and endpoints.
Easy Integration

Easily integrates with other Alibaba Cloud products such as ApsaraDB for RDS to protect the data stored using these services.

Encrypts your static files stored in Object Storage Service ensuring security.
Envelope Encryption Technology

Allows you to store, transfer and use encrypted data by encapsulating its data keys (DKs) in an envelope and stores CMKs in KMS.

Allows users to call KMS to decrypt data key only when needed.
Scalability and Durability

Automatically scales to meet encryption needs as per your business requirement.

Stores multiple copies of encrypted versions of your master keys ensuring high durability and availability.

Potential to deploy in multiple availability zones within a region to ensure high availability of encryption keys.
Cost-effective

Saves cost compared to procuring expensive hardware equipment to secure physical environment.

Pay only for resources needed as per your business requirements.
Easy-to-Use

Supports RESTful API and third-party integration.

Integrates with RAM and supports unified authorization management.

Supports easy-to-use API and standard HTTPS protocols.
Hardware Security Modules

Provides protection based on hardware security modules (HSMs). Allows you to commission compliant hardware security modules to achieve better protection. A hardware security module is a physical computing device that generates and manages digital keys and performs crypto processing. Such devices manage your digital keys with stronger protection. In this way, you can protect your private computing tasks and data assets and meet the requirements of security compliance.

How it works

Encryption/decryption of small amount of data directly using KMS
Perform local encryption for massive amount of data using Envelope Encryption
Perform local decryption for massive amount of data using Envelope Encryption

Encryption/decryption of small amount of data directly using KMS

You can directly call the KMS APIs and use the specified Customer Master Key (CMK) to encrypt and decrypt data. This scenario applies to encryption and decryption of a small amount of data (less than 4KB). Data is transmitted to the KMS server through secure channels, encrypted or decrypted at the server, and returned through secure channels.

Steps

To protect HTTPS certificate on the server:
1. Create a Customer Master Key (CMK)
2. Call encrypt interface of KMS to encrypt plaintext certificate to a ciphertext certificate
3. Deploy ciphertext certificate on the server
4. Call decrypt interface of KMS to decrypt ciphertext certificate to plaintext certificate when the server starts and needs to use certificate

Perform local encryption for massive amount of data using Envelope Encryption

Envelope encryption is a mechanism similar to the digital envelope technology. It allows you to store, transfer, and use encrypted data by encapsulating its data keys (DKs) in an envelope, instead of encrypting data directly with Customer Master Keys (CMKs). This is appropriate when a large volume of data needs to be encrypted.

You can directly call the KMS API, use the specified CMK to generate and decrypt the data key, and use the data key for local data encryption. You do not need to transmit the massive amount of data through the network, which results in cost savings.

This eliminates all kinds of security risks, including eavesdropping and phishing.

Encryption steps

To encrypt a local file:
1. Create a CMK
2. Call GenerateDataKey interface of KMS to generate data keys; obtain a plaintext data key and a ciphertext data key
3. Use plaintext data key to encrypt the file and generate ciphertext file
4. Save ciphertext data key and ciphertext file to persistent storage device or service

Perform local decryption for massive amount of data using Envelope Encryption

Envelope encryption is a mechanism similar to the digital envelope technology. It allows you to store, transfer, and use encrypted data by encapsulating its data keys (DKs) in an envelope, instead of decrypting data directly with Customer Master Keys (CMKs). This is appropriate when a large volume of data needs to be decrypted.

You can directly call the KMS API, use the specified CMK to generate and decrypt the data key, and use the data key for local data decryption. You do not need to transmit the massive amount of data through the network, which results in cost savings.

This eliminates all kinds of security risks, including eavesdropping and phishing.

Decryption steps

To decrypt a local file:
1. Read ciphertext data key and ciphertext file from persistent storage device or service
2. Call decrypt interface of KMS to decrypt ciphertext data key and obtain plaintext data key
3. Use plaintext data key to decrypt the file

FAQs

1. What is a Customer Master Key (CMK)?

CMK is the master key created by a user in the Alibaba Cloud Key Management Service (KMS) to encrypt data keys and generate envelopes. It can also be directly used to encrypt a small amount of data.

2. What is envelope encryption technology?

Envelope encryption is an encryption mechanism similar to the digital envelope technology. It allows you to store, transfer and use encrypted data by encapsulating its data keys (DKs) in an envelope, instead of encrypting/decrypting data directly with CMKs.

3. In what regions can KMS be accessed?

The following is the list of regions where KMS is available with their corresponding location ID and public/private network addresses:

Location	Location Id	Public Network Address	Private Network Address
China East 1 (Hangzhou)	cn-hangzhou	kms.cn-hangzhou.aliyuncs.com	kms-vpc.cn-hangzhou.aliyuncs.com
Singapore	ap-southeast-1	kms.ap-southeast-1.aliyuncs.com	kms-vpc.ap-southeast-1.aliyuncs.com
China East 2 (Shanghai)	cn-shanghai	kms.cn-shanghai.aliyuncs.com	kms-vpc.cn-shanghai.aliyuncs.com
China North 2 (Beijing)	cn-beijing	kms.cn-beijing.aliyuncs.com	kms-vpc.cn-beijing.aliyuncs.com
China South 1 (Shenzhen)	cn-shenzhen	kms.cn-shenzhen.aliyuncs.com	kms-vpc.cn-shenzhen.aliyuncs.com
Japan	ap-northeast-1	kms.ap-northeast-1.aliyuncs.com	kms-vpc.ap-northeast-1.aliyuncs.com
Frankfurt	eu-central-1	kms.eu-central-1.aliyuncs.com	kms-vpc.eu-central-1.aliyuncs.com
Dubai	me-east-1	kms.me-east-1.aliyuncs.com	kms-vpc.me-east-1.aliyuncs.com
Sydney	ap-southeast-2	kms.ap-southeast-2.aliyuncs.com	kms-vpc.ap-southeast-2.aliyuncs.com
China(Hong Kong)	cn-hongkong	kms.cn-hongkong.aliyuncs.com	kms-vpc.cn-hongkong.aliyuncs.com
China North 3 (Zhangjiakou)	cn-zhangjiakou	kms.cn-zhangjiakou.aliyuncs.com	kms-vpc.cn-zhangjilou.aliyuncs.com
China North 1 (Qingdao)	cn-qingdao	kms.cn-qingdao.aliyuncs.com	kms-vpc.cn-qingdao.aliyuncs.com
Kuala Lumpur	ap-southeast-3	kms.ap-southeast-3.aliyuncs.com	kms-vpc.ap-southeast-3.aliyuncs.com
China North 5(Hohhot)	cn-huhehaote	kms.cn-huhehaote.aliyuncs.com	kms-vpc.cn-huhehaote.aliyuncs.com

4. Can the KMS endpoint not be accessed?

To ensure data security, KMS only supports HTTPS protocol when you use SDKs to access it.

5. Why does the error "Forbidden.KeyNotFound" occur during decryption?

The error typically occurs when you try to decrypt data in an incorrect region. KMS is completely independent in each of the regions. You need to ensure that you decrypt data in the same region where the data was encrypted.

6. How can I manage user keys using KMS?

Based on the envelope encryption technology and open APIs of KMS, you can use specified CMKs to encrypt and decrypt data keys. Then you don’t have to store the plain text directly in a storage device. This way, you can easily concentrate on development work without worrying about managing users’ keys.

7. How many CMKs can be created by one user in each region?

Each user can create up to 200 CMKs in each region. In case you need to create more than 200 CMKs, you can submit a request to Alibaba Cloud through its ticket system.

8. What is encryption context?

Encryption context is a JSON string in the String-String format that may be used in KMS APIs including Encrypt, GenerateDataKey, and Decrypt to protect data integrity.

Upgraded Support For You

1 on 1 Presale Consultation, 24/7 Technical Support, Faster Response, and More Tickets.

1 on 1 Presale Consultation

Consulting by experienced cloud experts. Learn More

24/7 Technical Support

Extended service time from 10 hours 5 days a week to 24/7. Learn More

6 Free Tickets per Quarter

The number of free tickets doubled from 3 to 6 per quarter. Learn More

Faster Response

Shorten after-sale response time from 36 hours to 18 hours. Learn More

Get Started for Free

About Alibaba Cloud

Our Global Network

Alibaba Cloud in Analyst Research

What is Cloud Computing

Global Offices

Customer Success StoriesNEW

Security & Compliance Center

View All Special OffersNEW

Free Trial

Starter Package

Beyond APAC's No.1 Cloud

Struggling with DDoS Attacks? Get Free Support Now！

Upgraded Support For You

Smart, Agile & Powerful Cloud Computing

40% Off Alibaba Mail

Alibaba Cloud E-Commerce CampaignHot

Save Big on Cloud Servers and More

Alibaba Cloud for Students Program

Alibaba Cloud's Galaxy Program

Refer a Friend

Short Message Service Package Deals

Press Room

Product & Feature UpdateNEW

Notice

China Gateway

China Gateway - Information Compliance

China Gateway - Networking

China Gateway - Security

ICP Support

Smart Olympics

Elastic Compute Service

Simple Application Server

Elastic GPU Service

Auto Scaling

Server Load Balancer

Container Service

Container Service for Kubernetes

Elastic Container InstanceNEW

Container Registry

Resource Orchestration Service

E-HPC

ECS Bare Metal Instance

Super Computing ClusterBeta

Function Compute

Batch ComputeNew

Dedicated Host

Object Storage Service

Table Store

Alibaba Cloud CDN

Network Attached Storage

Hybrid Cloud Storage ArrayComing Soon

Data Transport

Hybrid Backup RecoveryBeta

Cloud Storage GatewayBeta

Dynamic Route for CDNBeta

Networking OverviewNew

Virtual Private Cloud

Express Connect

NAT Gateway

Server Load Balancer

Elastic IP Address

Data Transfer Plan

VPN Gateway

Cloud Enterprise Network

Smart Access GatewayBeta

Alibaba Cloud DNS PrivateZoneBeta

Database Overview

ApsaraDB for POLARDBNEW

ApsaraDB for Redis

ApsaraDB RDS for MySQL

ApsaraDB for MariaDB TX

ApsaraDB RDS for SQL Server

ApsaraDB RDS for PostgreSQL

ApsaraDB RDS for PPAS

ApsaraDB for MongoDB

ApsaraDB for Memcache

Data Transmission Service

Database Backup

AnalyticDB for PostgreSQL

Distributed Relational Database Service