Key Management Service

Create master keys as needed, in order to produce, encrypt, and decrypt data keys

Get for Free

Key Management Service

Using Key Management Service (KMS), you no longer have to spend a great deal to protect the confidentiality, integrity, and availability of your keys. You can use keys securely and conveniently, and focus on developing encryption/decryption function scenarios.

Major problems to resolve using KMS:

RoleProblemHow to resolve the problem using KMS
Application/Website developerMy program needs to use a key for encryption or a certificate for signature, and I hope the key is managed in a secure and independent manner. I hope I can safely access the key no matter where my application is deployed. I would never allow deploying the plaintext key randomly, which is too risky.Through the envelop encryption technology, users can store the Customer Master Key (CMK) in KMS and deploy only the encrypted data key, and users can call KMS to decrypt the data key only when they need to use it.
Service developerI do not want to be responsible for the security of users’ keys and data. I hope users can manage their keys by themselves and I can use specified keys to encrypt their data with their authorization. In this way, I can devote all energy to developing service functions.Based on the envelop encryption technology and the open APIs of KMS, service developers can use specified CMKs to encrypt and decrypt data keys, easily satisfying the requirement of not storing the plaintext directly in a storage device; therefore, service developers do not need to worry about how to manage users’ keys.
Chief Security Officer (CSO)I hope the key management of my company can meet compliance requirements. I need to ensure that keys are reasonably authorized and any use of keys must be audited.KMS can be associated with RAM for unified authorization management.


Easy to Use

  • Enables integration with third party software vendors using RESTful APIs.


  • Transfers data over TLS.


Product Details

In key management scenarios, you can use the API or console to produce and manage master keys.

In common encryption/decryption scenarios, you can simply use the API to encrypt/decrypt small volumes of data. Or, you can use the envelope encryption technology to encrypt/decrypt large volumes of data locally.


Key management-related functions:

  • Produce master key

  • View master key list

  • View master key details

  • Enable/Disable master keys

Common encryption/decryption scenarios:

  • Produce data key

  • Encrypt

  • Decrypt


Directly use the KMS for encryption and decryption:

You can directly call the KMS API and use the specified CMK to encrypt and decrypt data. This scenario applies to encryption and decryption of a small amount of data (less than 4 KB). Data is transmitted to the KMS server through secure channels, encrypted or decrypted at the server, and returned through secure channels.

Scenario example: Protect the HTTPS certificate on the server


  • Create a CMK.

  • Call the Encrypt interface of the KMS to encrypt the plaintext certificate to a ciphertext certificate.

  • Deploy the ciphertext certificate on the server.

  • Call the Decrypt interface of the KMS to decrypt the ciphertext certificate to the plaintext certificate when the server starts and needs to use the certificate.

Use envelop encryption to perform local encryption and decryption:

You can directly call the KMS API, use the specified CMK to generate and decrypt the data key, and use the data key for local data encryption and decryption. This scenario applies to mass data encryption and decryption, and you do not need to transmit mass data through the network, resulting in mass data encryption and decryption at low cost.

Scenario example: Encrypt a local file

Encryption steps:

  • Create a CMK.

  • Call the GenerateDataKey interface of the KMS to generate data keys. You can obtain a plaintext data key and a ciphertext data key.

  • Use the plaintext data key to encrypt the file and generate a ciphertext file.

  • Save the ciphertext data key and the ciphertext file to a persistent storage device or service.

Scenario example: Decrypt a local file

Decryption steps:

  • Read the ciphertext data key and the ciphertext file from the persistent storage device or service.

  • Call the Decrypt interface of the KMS to decrypt the ciphertext data key to obtain the plaintext data key.

  • Use the plaintext data key to decrypt the file.

Getting Started

For better management of your keys get access to KMS APIs, SDKs.

Using KMS through the Management Console

The Alibaba Cloud Management Console provides a simple web based user interface, which is used to create, describe, enable and disable your keys.

Accessing Alibaba Cloud Documentation

For more information please visit KMS Documentation.


These resources will help you understand how Key Management Service works.

Below are the links to the documentation, SDKs, and other resources.

Developer Resources


What is envelope encryption technology?

Envelope encryption is an encryption mechanism similar to the digital envelope technology. The technology allows you to store, transfer and use encrypted data by encapsulating its data keys (DKs) in an envelope, instead of encrypting/decrypting data directly with Customer Master Keys (CMKs).

2. How can Key Management Service be accessed from different regions?

LocationLocationIdPublic Network AddressPrivate Network Address
China East 1 (Hangzhou)
China East 2 (Shanghai)
China North 2 (Beijing)
China South 1 (Shenzhen)

3. Can the Key Management Service endpoint not be accessed?

To ensure your data security, the Key Management Service only supports HTTPS. Therefore, make sure that HTTPS is enabled when you use SDK to access the Key Management Service.

4. Why does the error "Forbidden.KeyNotFound" occur during decryption?

The error generally occurs because you tried to decrypt data in an incorrect region. The Key Management Service is completely independent in each region. Please make sure that you decrypt data in the same region as you encrypted data.