Key Management Service

Alibaba Cloud Key Management Service (KMS) helps you protect, manage, use, and audit your encryption keys

Alibaba Cloud Key Management Service (KMS) provides secure and qualified key hosting and cryptography services to help you encrypt and protect sensitive data assets with keys. You can use KMS to encrypt data in various cloud services and control the distributed computing and storage environment inside cloud services. KMS integrates with multiple Alibaba Cloud services, such as ActionTrail, which provides key usage logs. KMS also allows you to configure custom key rotation policies. KMS provides managed HSMs that are tested and certified by the State Cryptography Administration (SCA) or that have passed FIPS 140-2 Level 3 validation to help you meet the regulatory compliance requirements for enterprises or industries.


Full Key Hosting
KMS provides key hosting and cryptography services. Alibaba Cloud fully manages the cryptographic infrastructure to ensure the availability, security, and reliability of services and facilities. You focus on management tasks such as key lifecycle and permission policies, as well as data encryption, data decryption, and digital signature verification.
Availability, Reliability, and Elasticity
KMS builds multi-zone redundant cryptographic computing capabilities in each region to ensure that requests sent to KMS can be processed with low latency. You can create as many keys as you need in KMS across multiple regions, without having to scale the underlying infrastructure. You can also use BYOKs to keep key copies for higher persistence.
Security and Compliance
KMS has passed strict security design and verification to ensure stringent protection of your keys on the cloud. You can use managed HSMs that are tested and certified by the State Cryptography Administration (SCA) or that have passed FIPS 140-2 Level 3 validation, configure custom key rotation policies, manage roles and permissions in RAM, and track key usage in ActionTrail. KMS helps you quickly meet regulatory and compliance requirements. If you export key usage logs from ActionTrail to OSS or Log Service, you can further integrate KMS with your SIEM solution to obtain additional analysis and threat detection capabilities.
Data Encryption for Integrated Cloud Services
KMS is integrated with multiple Alibaba Cloud services such as ECS, ApsaraDB for RDS, OSS, Apsara File Storage NAS, and MaxCompute. You can use keys in KMS to encrypt data in these services, which helps you maintain control over the distributed computing and storage environment. You only need to pay for key management. You do not need to implement complex encryption capabilities. You can also transfer the data encryption work that was originally implemented in application systems to the cloud by using server side encryption (SSE) methods such as OSS SSE and ApsaraDB for RDS TDE. KMS and RAM work together to control SSE.
Custom Encryption and Digital Signatures
KMS abstracts the cryptographic technology and HSM interfaces to help you implement custom data encryption protection through simple APIs. This combines security and compliance requirements with business systems and further reduces the risks of attacks against sensitive data from malicious users. You can also use asymmetric key pairs to implement digital signatures to protect the integrity of key data or messages.
With KMS, you only pay for the resources that you use. You do not need to pay the initial cost of HSMs or the cost of operating, maintaining, repairing, and replacing them. KMS reduces the R&D and maintenance costs for user-created key management facilities.


Comprehensive Management Features

KMS provides rich key management features to meet all your needs.

Keys Generated in KMS or Imported from External Sources

You can generate keys in KMS or import Bring Your Own Keys (BYOKs) to managed HSMs. BYOKs allow you to keep additional offline key copies. Managed HSMs ensure that imported keys will not be exported.

Key Lifecycle Management and Automatic Key Rotation

You can enable or disable keys, or schedule a regular cycle to delete keys. For BYOK, you can delete keys at any time, or specify an automatic expiration policy. KMS allows you to configure custom rotation policies to automatically rotate encryption keys periodically and therefore enhance the security of keys.

Authentication, Authorization, and Auditing (AAA)

You can manage KMS user authentication and authorization policies through RAM. You can track and audit key usage through ActionTrail, or store key usage logs in OSS or Log Service for diverse scenarios such as long-term storage, data analysis, and SIEM integration.

Fully Managed HSMs

Managed HSMs provide a high security protection mechanism for keys.

HSM Certification and Compliance

To meet different regulatory requirements, in some regions KMS offers HSMs that are tested and certified by the State Cryptography Administration (SCA) and that support commercial cryptographic algorithms compliant with Chinese and industry standards. In other regions, KMS provides HSMs that have passed FIPS 140-2 Level 3 validation and that run in the FIPS Level 3 mode.

Secure Generation of Keys

Managed HSMs use a secure and licensed random number generation algorithm. The algorithm uses high entropy seeds to generate key materials. This protects keys from being recovered or anticipated by malicious parties.

Hardware Protection of Keys

Managed HSMs protect keys in KMS through hardware mechanisms. The plaintext of keys is only processed inside HSMs for key operations. It is kept within the hardware security boundary of HSMs.

Integration with Other Alibaba Cloud Services

KMS can be integrated with multiple Alibaba Cloud services to provide a native encryption experience and advanced security capabilities.

Entry-level Default Encryption

KMS allows each cloud service to automatically manage a dedicated encryption key. By default, cloud services can use this key without caring about its lifecycle and authorization policies.

Optional Sources for Encryption Keys

You can create keys in KMS or import external key materials, and authorize cloud services to employ user-managed keys for data encryption protection. Therefore, you obtain full control over keys by managing their permissions and lifecycle.

Auditing Key Usage by Cloud Services

Whether a key is service-managed or user-managed, you can audit how cloud services use it when they call KMS API operations on your behalf.

Simple and Effective Cryptographic Operations

KMS uses abstract cryptographic concepts and provides simple cryptographic operation APIs.

Envelope Encryption

With envelope encryption built into KMS, you can generate a secondary key (a data key) and encrypt it under the CMK through a single API call.


KMS encapsulates authenticated encryption with associated data (AEAD). You can use encryption context to provide additional integrity and authenticity for encrypted data.

Digital Signature Verification

KMS can host asymmetric keys and provide digital signature verification algorithms based on asymmetric keys. KMS can be used in a wide range of scenarios such as identity verification, code signature, and blockchain.


CMK Encryption Configuration


DevSecOps Best Practices for Cloud Application Deployment

Applications deployed in services such as ECS, Container Service, and Function Compute involve sensitive data such as passwords, OAuth secrets, and server certificate keys. KMS encrypts data before deployment and decrypts data after deployment or during use to ensure the security of sensitive data during operations, maintenance, transfer, and storage.


  • Prevent DevOps from Accessing Sensitive Data

    The O&M system only provides R&D personnel with ciphertext of sensitive data required in the cloud production environment. R&D personnel package the ciphertext into a profile or use the ciphertext as an environment variable for Function Compute to control data leak risks.

  • Prevent Cloud Disks from Storing Plaintext of Sensitive Data

    Applications deployed on the cloud only decrypt sensitive data from profiles or environment variables as needed. The plaintext is only used in memory to prevent leak risks of sensitive data in the cloud environment.


High-performance and Scalable Envelope Encryption


Two-level Key Structure Supports a Large Amount of Data and High Concurrency

With envelope encryption, KMS produces a two-level key structure: CMKs encrypt data keys (DKs). Cryptographic libraries of applications such as JCE and OpenSSL use DKs to encrypt local business data. The ciphertext of DKs is stored together with the encrypted business data. In the decryption stage, the ciphertext of DKs is decrypted first. The plaintext of DKs is used to decrypt business data locally after the plaintext is obtained.
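The two-level structure described above, combined with the encryption context that KMS binds to ciphertext through AEAD, as an added example (not Alibaba Cloud code and not the KMS SDK). `LocalKmsStub`, `sealRecord`, `openRecord` and the blob layout are hypothetical stand-ins, and the CMK lives in process memory only for the sake of the illustration.

```javascript
const crypto = require('crypto');
// Canonical bytes of the encryption context, used as AEAD associated data.
const aad = (ctx) =>
  Buffer.from(JSON.stringify(Object.keys(ctx).sort().map((k) => [k, ctx[k]])));

// AES-256-GCM helpers. Blob layout (an assumption): iv(12) || tag(16) || ciphertext.
function gcmSeal(key, plaintext, ctx) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad(ctx));
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function gcmOpen(key, blob, ctx) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad(ctx));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws if tampered
}

// Hypothetical stand-in for KMS: the CMK never leaves this object.
class LocalKmsStub {
  #cmk = crypto.randomBytes(32);
  generateDataKey(ctx) { // one call returns the DK in plaintext and wrapped form
    const plaintext = crypto.randomBytes(32);
    return { plaintext, ciphertextBlob: gcmSeal(this.#cmk, plaintext, ctx) };
  }
  decrypt(ciphertextBlob, ctx) { return gcmOpen(this.#cmk, ciphertextBlob, ctx); }
}

// Encrypt locally with the DK; persist only the wrapped DK next to the data.
function sealRecord(kms, data, ctx) {
  const dk = kms.generateDataKey(ctx);
  const payload = gcmSeal(dk.plaintext, Buffer.from(data), ctx);
  dk.plaintext.fill(0); // drop the plaintext DK once the data is sealed
  return { wrappedKey: dk.ciphertextBlob, payload };
}

// Decrypt: unwrap the DK first, then decrypt the payload locally.
function openRecord(kms, record, ctx) {
  const dk = kms.decrypt(record.wrappedKey, ctx);
  try { return gcmOpen(dk, record.payload, ctx).toString(); } finally { dk.fill(0); }
}

// Constructed sample input.
const demoKms = new LocalKmsStub();
const demoCtx = { tenant: 'example-tenant', table: 'orders' };
const demoRecord = sealRecord(demoKms, 'constructed-sample-secret', demoCtx);
console.log(openRecord(demoKms, demoRecord, demoCtx));
```

A record opened with a different encryption context, or with a modified payload, fails authentication instead of returning data.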


  • Encrypt and Store Large Amounts of Data with OSS

    You can use the encryption SDK of the OSS client to encrypt a large amount of data before uploading data. You can also call KMS to perform envelope encryption.

  • High-concurrency Reads/Writes of Encrypted Data with NoSQL

    The same DK is used to encrypt data in a specified spatial or time range (such as in a table or every 5 seconds). DK plaintext is cached in the memory and DK ciphertext is stored in the NoSQL storage.


Build a Secure and Trusted Computing Environment


KMS Works with ECS Bare Metal Instances to Build a Secure Computing Environment

ECS Bare Metal Instance provides secure physical isolation and supports a chip-level trusted execution environment (Intel® SGX). You can build a secure computing environment to transfer DKs between KMS and other services through envelope encryption. Such DKs are used in the secure computing environment to encrypt the sensitive business data that exits the boundary and decrypt the ciphertext data that enters the boundary.


  • Keeping Sensitive Data within a Secure Environment

    The plaintext of sensitive business data is kept within the secure environment. Before data is stored in persistent storage, it is encrypted by KMS. In the encryption stage, no sensitive business data is transmitted to KMS.

  • Keeping DKs within a Secure Environment

    DKs obtained from KMS are kept within the secure computing environment and used for encryption and decryption of persistent data that enters and exits the boundary of the environment. The ciphertext of the data key can be transmitted out of the secure environment and stored persistently together with encrypted business data.


Server Side Encryption


KMS encryption is integrated at the server side and you only need to configure keys and permissions.

When KMS is integrated with other cloud services, you can use CMKs in KMS to encrypt and protect data in other cloud services. You only need to specify the CMKs in the encryption configuration of other cloud services. The permissions on CMKs are defined through RAM and KMS calls by other cloud services are audited in ActionTrail.


  • Managing Risks with Encryption for Distributed Computing and Storage Environment

    A distributed and multi-tenant computing and storage environment is used on the cloud. The encryption feature of cloud services combines computing and storage behaviors with KMS. For example, you need to decrypt encrypted cloud disks before starting an ECS instance. KMS protects multiple redundant copies of encrypted cloud disks in the distributed storage system and snapshots automatically generated from encrypted cloud disks.

  • Hassle-free Encryption for Large Amount of Data

    Encrypting and decrypting a large amount of data consumes a large amount of computing resources, which negatively affects the system performance and throughput. Alibaba Cloud provides server side encryption for cloud services, which helps you manage encryption while allowing you to maintain control and visibility of data encryption behaviors.


Using Managed Hardware Security Modules (HSM)