Key Management Service

Create, delete and manage encryption keys with Alibaba Cloud Key Management Service


Alibaba Cloud Key Management Service (KMS) is a fully managed service for creating, deleting and managing the encryption keys that protect your data. For common key management tasks, you can use the APIs or the Alibaba Cloud Management Console to create and manage Customer Master Keys (CMKs).

KMS enables you to protect the confidentiality, integrity, and availability of keys while also saving on costs. You can integrate KMS with other Alibaba Cloud services such as ApsaraDB for RDS and Object Storage Service to encrypt critical information, including certificates and keys stored with those services. You can use these keys securely and conveniently and focus on building your own encryption/decryption functionality.

For common encryption/decryption scenarios, you can call the API to encrypt/decrypt small volumes of data directly, or use envelope encryption for larger volumes (the data itself is then encrypted locally with a data key). You can also define usage policies for data encryption, and integrate KMS with the various Alibaba Cloud storage services to secure the data they store.


Major Problems to Resolve Using KMS

Role: Application/Website developer
Problem: My program needs to use a key for encryption or a certificate for signing, and I want the key to be managed in a secure and independent manner. I want to be able to access the key safely no matter where my application is deployed. I would never allow the plaintext key to be deployed arbitrarily; that is too risky.
How to resolve the problem: Through envelope encryption, users store the Customer Master Key (CMK) in KMS and deploy only the encrypted data key, calling KMS to decrypt the data key only when they need to use it.

Role: Service developer
Problem: I do not want to be responsible for the security of users' keys and data. I want users to manage their keys themselves, and to use the keys they specify to encrypt their data with their authorization. In this way, I can devote all my energy to developing service functions.
How to resolve the problem: Based on envelope encryption and the open APIs of KMS, service developers can use specified CMKs to encrypt and decrypt data keys, easily satisfying the requirement of not storing the plaintext directly on a storage device; service developers therefore do not need to worry about how to manage users' keys.

Role: Chief Security Officer (CSO)
Problem: I want my company's key management to meet compliance requirements. I need to ensure that keys are properly authorized and that every use of a key is audited.
How to resolve the problem: KMS can be associated with RAM for unified authorization management.

Benefits

Fully Managed
Enables easy encryption/decryption of data keys by allowing storage of Customer Master Key
Manages availability, security, and maintenance of underlying infrastructure
Secure
Transfers data over Transport Layer Security (TLS) to ensure complete security of your data
Easy Management of User Keys
Uses specified CMKs for easy encryption/decryption of data
Eliminates the need to store plain text directly on a storage device
Multi-region Support
Supports five regions worldwide; usage limits are relatively independent for each user in different regions

Features

How it works

Enterprise User Account Management and Permission Allocation

An enterprise has a project for which it has purchased multiple cloud resources like ECS/RDS/SLB instances and OSS buckets. Employees with different responsibilities and permissions need to perform various operations. They can be allocated independent user or operator accounts to perform only those resource operations to which they have permissions. This way the enterprise does not compromise on security and can also grant/revoke permissions for any user account at any time. Also, charges for resource operations are billed collectively to the enterprise that is the primary account.

Recommended configuration for this scenario

RAM-user accounts and authorization management function

Advantages

- Bind the primary account to an MFA device and configure MFA for the primary account to prevent risks caused by disclosure of primary account password

- Activate RAM

- Create RAM user accounts for different employees (or application systems) and set logon passwords or create access keys as needed

- Create a group for multiple employees with same responsibilities and add users to the group

- Create custom authorization policies and grant permissions by binding one or more policies to groups/users

Temporary Authorization Management for Mobile Apps

An enterprise does not want to allow all apps to use the AppServer to transmit data. However, mobile apps run on mobile devices and controlling these devices is not possible. The enterprise also wants to minimize security risks by giving each app an access token with minimal permissions and reducing the access duration.

Recommended configuration for this scenario

RAM STS-tokens

Advantages

- To complete the authorization process, the enterprise creates a role and grants permissions to the role by binding it with an authorization policy

- The enterprise creates a RAM user for the AppServer and authorizes this user to assume the role it created

- AppServer issues STS-tokens for resource access

Resource Operations and Authorization Management Between Enterprises

Enterprise A has purchased multiple cloud resources and entrusted cloud resource O&M, monitoring management, and other tasks to Enterprise B. Enterprise B can allocate access permissions for A's resources to one or more of its employees. B needs to precisely control the operations its employees can perform on A's resources, and A needs to be able to revoke B's permissions at will if the O&M entrustment contract is terminated.

Suggested configuration for this scenario

RAM roles for cross-account authorization

Advantages

- A role is created and permissions are granted for cross-account authorization

- Cross-account resources can be accessed through the console by creating sub-users and authorizing them to assume the role

FAQs

1. What is a Customer Master Key (CMK)?

CMK is the master key created by a user in the Alibaba Cloud Key Management Service (KMS) to encrypt data keys and generate envelopes. It can also be directly used to encrypt a small amount of data.

2. What is envelope encryption technology?

Envelope encryption is an encryption mechanism similar to the digital envelope technology. It allows you to store, transfer and use encrypted data by encapsulating its data keys (DKs) in an envelope, instead of encrypting/decrypting data directly with CMKs.

3. In what regions can KMS be accessed?

The following is the list of regions where KMS is available, with the corresponding location ID and public/private network addresses:

Location                          Location ID       Public Network Address               Private Network Address
China East 1 (Hangzhou)           cn-hangzhou       kms.cn-hangzhou.aliyuncs.com         kms-vpc.cn-hangzhou.aliyuncs.com
Singapore                         ap-southeast-1    kms.ap-southeast-1.aliyuncs.com      kms-vpc.ap-southeast-1.aliyuncs.com
China East 2 (Shanghai)           cn-shanghai       kms.cn-shanghai.aliyuncs.com         kms-vpc.cn-shanghai.aliyuncs.com
China North 2 (Beijing)           cn-beijing        kms.cn-beijing.aliyuncs.com          kms-vpc.cn-beijing.aliyuncs.com
China South 1 (Shenzhen)          cn-shenzhen       kms.cn-shenzhen.aliyuncs.com         kms-vpc.cn-shenzhen.aliyuncs.com
Japan                             ap-northeast-1    kms.ap-northeast-1.aliyuncs.com      kms-vpc.ap-northeast-1.aliyuncs.com
Frankfurt                         eu-central-1      kms.eu-central-1.aliyuncs.com        kms-vpc.eu-central-1.aliyuncs.com
Dubai                             me-east-1         kms.me-east-1.aliyuncs.com           kms-vpc.me-east-1.aliyuncs.com
Sydney                            ap-southeast-2    kms.ap-southeast-2.aliyuncs.com      kms-vpc.ap-southeast-2.aliyuncs.com
Hong Kong                         cn-hongkong       kms.cn-hongkong.aliyuncs.com         kms-vpc.cn-hongkong.aliyuncs.com
China North 3 (Zhangjiakou)       cn-zhangjiakou    kms.cn-zhangjiakou.aliyuncs.com      kms-vpc.cn-zhangjiakou.aliyuncs.com
China North 1 (Qingdao)           cn-qingdao        kms.cn-qingdao.aliyuncs.com          kms-vpc.cn-qingdao.aliyuncs.com
Kuala Lumpur                      ap-southeast-3    kms.ap-southeast-3.aliyuncs.com      kms-vpc.ap-southeast-3.aliyuncs.com
China North 5 (Huhehaote)         cn-huhehaote      kms.cn-huhehaote.aliyuncs.com        kms-vpc.cn-huhehaote.aliyuncs.com

4. Why can't I access the KMS endpoint?

To ensure data security, KMS supports only the HTTPS protocol when you access it through the SDKs.

5. Why does the error "Forbidden.KeyNotFound" occur during decryption?

The error typically occurs when you try to decrypt data in an incorrect region. KMS is completely independent in each of the regions. You need to ensure that you decrypt data in the same region where the data was encrypted.

6. How can I manage user keys using KMS?

Based on the envelope encryption technology and open APIs of KMS, you can use specified CMKs to encrypt and decrypt data keys. Then you don’t have to store the plain text directly in a storage device. This way, you can easily concentrate on development work without worrying about managing users’ keys.

7. How many CMKs can be created by one user in each region?

Each user can create up to 200 CMKs in each region. In case you need to create more than 200 CMKs, you can submit a request to Alibaba Cloud through its ticket system.

8. What is encryption context?

Encryption context is a JSON string of string key-value pairs (the "String-String" format) that can be passed to KMS APIs such as Encrypt, GenerateDataKey, and Decrypt. The same context must be supplied when the data is decrypted, which is how it protects data integrity.
