
Alibaba Cloud

Key Management Service

Product Introduction

Issue: 20200703
Key Management Service Product Introduction /  Legal disclaimer

Legal disclaimer
Alibaba Cloud reminds you to carefully read and fully understand the terms and conditions
of this legal disclaimer before you read or use this document. If you have read or used this
document, it shall be deemed as your total acceptance of this legal disclaimer.

1. You shall download and obtain this document from the Alibaba Cloud website or other
Alibaba Cloud-authorized channels, and use this document for your own legal business
activities only. The content of this document is considered confidential information of
Alibaba Cloud. You shall strictly abide by the confidentiality obligations. No part of this
document shall be disclosed or provided to any third party for use without the prior
written consent of Alibaba Cloud.

2. No part of this document shall be excerpted, translated, reproduced, transmitted, or
disseminated by any organization, company, or individual in any form or by any means
without the prior written consent of Alibaba Cloud.

3. The content of this document may be changed due to product version upgrades,
adjustments, or other reasons. Alibaba Cloud reserves the right to modify the content
of this document without notice and the updated versions of this document will be
occasionally released through Alibaba Cloud-authorized channels. You shall pay
attention to the version changes of this document as they occur and download and
obtain the most up-to-date version of this document from Alibaba Cloud-authorized
channels.

4. This document serves only as a reference guide for your use of Alibaba Cloud products
and services. Alibaba Cloud provides the document in the context that Alibaba Cloud
products and services are provided on an "as is", "with all faults" and "as available"
basis. Alibaba Cloud makes every effort to provide relevant operational guidance based
on existing technologies. However, Alibaba Cloud hereby makes a clear statement that it
in no way guarantees the accuracy, integrity, applicability, and reliability of the content
of this document, either explicitly or implicitly. Alibaba Cloud shall not bear any liability
for any errors or financial losses incurred by any organizations, companies, or individuals
arising from their download, use, or trust in this document. Alibaba Cloud shall not,
under any circumstances, bear responsibility for any indirect, consequential, exemplary,
incidental, special, or punitive damages, including lost profits arising from the use or
trust in this document, even if Alibaba Cloud has been notified of the possibility of such
a loss.


5. By law, all the contents in Alibaba Cloud documents, including but not limited to
pictures, architecture design, page layout, and text description, are intellectual property
of Alibaba Cloud and/or its affiliates. This intellectual property includes, but is not
limited to, trademark rights, patent rights, copyrights, and trade secrets. No part of
this document shall be used, modified, reproduced, publicly transmitted, changed,
disseminated, distributed, or published without the prior written consent of Alibaba
Cloud and/or its affiliates. The names owned by Alibaba Cloud shall not be used,
published, or reproduced for marketing, advertising, promotion, or other purposes
without the prior written consent of Alibaba Cloud. The names owned by Alibaba Cloud
include, but are not limited to, "Alibaba Cloud", "Aliyun", "HiChina", and other brands
of Alibaba Cloud and/or its affiliates, which appear separately or in combination, as
well as the auxiliary signs and patterns of the preceding brands, or anything similar
to the company names, trade names, trademarks, product or service names, domain
names, patterns, logos, marks, signs, or special descriptions that third parties identify as
Alibaba Cloud and/or its affiliates.

6. Please contact Alibaba Cloud directly if you discover any errors in this document.


Document conventions
Style: Danger
Description: A danger notice indicates a situation that will cause major system changes, faults, physical injuries, and other adverse results.
Example: Danger: Resetting will result in the loss of user configuration data.

Style: Warning
Description: A warning notice indicates a situation that may cause major system changes, faults, physical injuries, and other adverse results.
Example: Warning: Restarting will cause business interruption. About 10 minutes are required to restart an instance.

Style: Notice
Description: A caution notice indicates warning information, supplementary instructions, and other content that the user must understand.
Example: Notice: If the weight is set to 0, the server no longer receives new requests.

Style: Note
Description: A note indicates supplemental instructions, best practices, tips, and other content.
Example: Note: You can use Ctrl + A to select all files.

Style: >
Description: Closing angle brackets are used to indicate a multi-level menu cascade.
Example: Click Settings > Network > Set network type.

Style: Bold
Description: Bold formatting is used for buttons, menus, page names, and other UI elements.
Example: Click OK.

Style: Courier font
Description: Courier font is used for commands.
Example: Run the cd /d C:/window command to enter the Windows system folder.

Style: Italic
Description: Italic formatting is used for parameters and variables.
Example: bae log list --instanceid Instance_ID

Style: [] or [a|b]
Description: This format is used for an optional value, where only one item can be selected.
Example: ipconfig [-all|-t]

Style: {} or {a|b}
Description: This format is used for a required value, where only one item can be selected.
Example: switch {active|stand}


Contents

Legal disclaimer
Document conventions
1 What is KMS?
2 Benefits
3 Scenarios
4 Terms
5 Limits


1 What is KMS?
Key Management Service (KMS) provides features such as key hosting and cryptographic
operations. KMS implements security practices such as key rotation and can be integrated
with other Alibaba Cloud services to encrypt user data managed by these services. KMS
frees you up from maintaining the security, integrity, and availability of your keys. You only
need to focus on data encryption, data decryption, and digital signature generation and
verification based on your business requirements.

Features

• Encryption key hosting

KMS supports encryption key hosting. An encryption key hosted on KMS is
called a customer master key (CMK). You can manage the lifecycle of a CMK
by enabling or disabling the CMK. For more information, see #unique_4/
unique_4_Connect_42_section_i54_gmj_3gb.

• BYOK

KMS supports Bring Your Own Key (BYOK). You can lease your own keys to KMS to
encrypt data on the cloud. This facilitates key management. The following types of keys
can be leased:

- Keys in your on-premises key management infrastructure (KMI)

- Keys in user-managed hardware security modules (HSMs) that are deployed in

Note:
With secure key exchange algorithms used in KMS, keys imported to managed HSMs
in KMS cannot be exported by using any method. Operators or third parties are not
allowed to check the plaintext of keys. For more information, see #unique_5 and
#unique_6/unique_6_Connect_42_section_x1y_emf_972.

• Automatic rotation of encryption keys

A CMK in KMS can have multiple key versions. Each version represents an independently
generated key and does not have any relation with other versions. KMS can
automatically rotate encryption keys. This helps you implement best security practices
and meet compliance audit requirements. For more information, see #unique_7 and
#unique_8.


• Fully managed HSMs

KMS provides fully managed HSMs. You can host keys to HSMs, so that cryptographic
operations are implemented within HSMs to protect key security. HSMs in KMS meet the
compliance requirements for cryptographic security in different regions and markets. For
more information, see #unique_6 and #unique_9.

• Simple cryptographic API operations

- KMS provides cryptographic API operations that are simpler than those for traditional
cryptographic modules or cryptographic software libraries. For more information, see
#unique_4/unique_4_Connect_42_section_bmq_3mj_3gb.

- Encryption keys in KMS support authenticated encryption with associated data (AEAD)
and protect data integrity by delivering additional authenticated data (AAD). For
more information, see #unique_10.

• CMK aliases

KMS allows you to create CMK aliases, which can facilitate CMK usage. For more
information, see #unique_11. For example, you can use CMK aliases to manually rotate
CMKs in specific scenarios. For more information, see #unique_12.

• Resource tags

Like other Alibaba Cloud services, KMS also supports resource tags. Resource tags
make it easier to manage key resources in KMS. For more information, see #unique_4/
unique_4_Connect_42_section_hb4_mmj_3gb.

Benefits

KMS is integrated with multiple Alibaba Cloud services. This integration is one of the
main advantages of KMS. For more information, see Benefits.

• KMS is integrated with Elastic Compute Service (ECS), ApsaraDB for RDS, and Object
Storage Service (OSS). You can use CMKs in KMS to encrypt and control data stored in
these services and protect native data of these services.

• KMS is integrated with Resource Access Management (RAM). You can configure a variety
of custom policies by using RAM to meet requirements for different authorization
scenarios.

• KMS is integrated with ActionTrail. This allows you to view the recent KMS usage and
store the KMS usage information in other services such as OSS to meet audit requirements
in the long term.


Related concepts

Benefits

Scenarios

Terms

Limits

Related topics

#unique_4


2 Benefits
Compared with key management infrastructure (KMI), Key Management Service (KMS)
features multi-service integration, ease of use, high reliability, and cost-effectiveness.

Multi-service integration

• Authentication and access control

KMS authenticates the validity of requests by using AccessKey pairs. KMS is integrated
with Resource Access Management (RAM). This allows you to configure a variety of
custom policies to meet requirements in different authorization scenarios. Requests that
are initiated by valid users and pass attribute-based access control (ABAC) of RAM can
be accepted by KMS. For more information, see #unique_17.

• Key usage auditing

KMS is integrated with ActionTrail. This allows you to view the recent KMS usage
and store the KMS usage information in other services such as OSS to meet audit
requirements in the long term. For more information, see #unique_18.

• Data encryption for integrated cloud services

KMS is integrated with multiple Alibaba Cloud services such as ECS, ApsaraDB for
RDS, and OSS. You can easily use customer master keys (CMKs) in KMS to encrypt and
control the data stored in these services and maintain control over the cloud computing
and storage environments. You only need to pay for the service and do not need to
implement complex encryption capabilities. KMS also protects native data of
these services. For more information, see #unique_19 and #unique_20.

Ease of use

• Easy encryption

KMS simplifies abstract cryptographic concepts and provides cryptographic API
operations that allow you to easily encrypt and decrypt data. For applications that
require a key hierarchy, KMS provides convenient envelope encryption to quickly
implement the key hierarchy: It generates data keys (DKs) and uses CMKs as key
encryption keys (KEKs) to protect DKs. For more information, see #unique_21.


• Centralized key hosting

KMS provides centralized key hosting and control.

- You can create a new CMK at any time and use RAM to easily manage who can access
the CMK.

- You can use ActionTrail to audit key usage.

- You can import keys to KMS from KMI or from HSMs of Data Encryption Service. Keys
that are imported from external sources or created in KMS can then be used by other
Alibaba Cloud services to encrypt and protect confidential information and sensitive
data.

• BYOK

KMS supports Bring Your Own Key (BYOK). You can lease your own keys to KMS for
encryption of cloud data to facilitate key management. The following types of keys can
be leased:

- Keys in KMI

- Keys in HSMs of Data Encryption Service

Note:
Keys imported to HSMs managed in KMS cannot be exported by using any method
because secure key exchange algorithms are used in KMS. Operators or third parties are
not allowed to check the plaintext of keys. For more information, see #unique_5 and
#unique_6/unique_6_Connect_42_section_x1y_emf_972.

• Custom key rotation policies

KMS supports automatic rotation of symmetric encryption keys based on your
security policies. You only need to configure a custom rotation cycle for a CMK. KMS
automatically generates new CMK versions. A CMK can have multiple key versions. Each
version can be used to decrypt corresponding ciphertext data. The latest key version
(called the primary version) is an active encryption key and is used to encrypt current
data. For more information, see #unique_8.

High reliability, availability, and scalability

As a fully managed distributed service, KMS builds multi-zone redundant cryptographic
computing capabilities in each region. This ensures that Alibaba Cloud services and your
custom applications can send requests to KMS with low latency. You can create many keys
in KMS across multiple regions based on your business requirements without the need to
scale the underlying infrastructure.

Security and compliance

KMS has undergone strict security design review and verification to ensure stringent
protection of your keys on the cloud.

• KMS only provides TLS-based access channels and uses secure cipher suites for
transport encryption. It complies with security standards such as PCI DSS.

• KMS provides cryptographic facilities verified and certified by regulatory agencies.
It offers hardware security modules (HSMs) that are tested and certified by State
Cryptography Administration (SCA) or have passed FIPS 140-2 Level 3 validation. For
more information, see #unique_6/unique_6_Connect_42_section_vyz_io3_a0v.

• KMS uses HSMs to host keys for higher levels of security. For more information, see
#unique_6.

Low costs

With KMS, you only pay for the resources that you use.

• You do not need to pay the initial cost of HSMs or the cost of operating,
maintaining, repairing, and replacing HSMs.

• KMS reduces the costs of building highly available and reliable cryptographic device
clusters and reduces the R&D and maintenance costs for user-created key management
facilities.

• KMS is integrated with other cloud services to eliminate the R&D overhead of a data
encryption system. You only need to manage keys to achieve controllable data
encryption on the cloud.


3 Scenarios
This topic describes the common scenarios where Key Management Service (KMS) is used.

Common scenarios

Role: Application developer
Demand: Ensures the security of sensitive data in the application system.
Scenario: As a developer, I have applications that contain some sensitive data. I want the sensitive data to be encrypted and the encryption keys to be protected by KMS.
Solution: Encrypt and protect sensitive data

Role: O&M personnel
Demand: Provides a secure environment for IT facilities deployed on the cloud.
Scenario: The IT infrastructure on the cloud is shared with other tenants, so I cannot establish physical security boundaries on the cloud like for traditional user-created data centers. However, I still want to build a trusted, visible, and controllable security mechanism for the cloud computing and storage hosting environment.
Solution: Control the cloud computing and storage environment

Role: Chief security officer
Demand: Ensures the security and compliance of information systems.
Scenario: As a chief security officer (CSO), I need to meet key management requirements in some compliance standards and use cryptographic technologies to meet more requirements for application and information system security.
Solution: Help information systems meet compliance requirements

Role: Independent service vendor
Demand: Uses third-party encryption to provide security capabilities for the service.
Scenario: As an independent service vendor (ISV), we are asked by customers to encrypt and protect user data in the service.
• We focus on developing service-related features rather than implementing key management and distribution features.
• Customers hope that we provide controllable and reliable capabilities to encrypt and protect data.
Solution: Provide third-party encryption solution for ISVs

Encrypt and protect sensitive data

You can use data encryption to protect sensitive data generated or stored on the cloud.
Alibaba Cloud provides multiple ways to encrypt and protect sensitive data:


• Envelope encryption

KMS provides envelope encryption, allowing you to store customer master keys (CMKs) in
KMS and deploy only encrypted data keys (EDKs). For more information, see #unique_21.
You can simply call the API operation to decrypt DKs only when necessary. For more
information, see #unique_22.

• Direct encryption

You can also call the API operations to encrypt or decrypt sensitive data directly with
CMKs. For more information, see #unique_23.

• Server-side encryption

If you use Alibaba Cloud services to store data, you can use the server-side encryption
feature of these services to encrypt and protect data in a simple and effective way. For
example, you can use the server-side encryption feature of OSS to protect buckets that
store sensitive data or use transparent data encryption (TDE) to protect tables that store
sensitive data. For more information, see #unique_20.

Control the cloud computing and storage environment

When KMS is integrated with other cloud services (in the server-side encryption method),
you can control the cloud computing and storage environment, and isolate and protect your
computing and storage resources in a distributed multi-tenant system. You can control the
distributed computing and storage environment by managing the lifecycle, usage status,
and access control policies of CMKs in KMS. When KMS is integrated with ActionTrail, you
can check and audit KMS key usage. KMS is commonly used in the following scenarios to
control the cloud computing and storage environment:

• ECS

After you authorize ECS to use KMS keys, ECS can encrypt and protect system disks,
data disks, snapshots, and images. Then ECS resources can be controlled by KMS. For
example, to start an ECS instance, you must decrypt both the system disk and data disk.
You must encrypt snapshots created from encrypted disks. These restriction measures
enhance the security of ECS instances and storage resources through KMS.

• Persistent storage

Persistent storage services provided by Alibaba Cloud such as RDS, OSS, and NAS ensure
data storage reliability through distribution and redundancy. When KMS is
integrated with these services to encrypt data before it is stored, data redundancy in
distributed systems becomes controllable and visible. For any read request, data must
first be decrypted by using KMS.

• Other computing and storage scenarios

For more information, see #unique_20.

Help information systems meet compliance requirements

Enterprises or organizations may encounter the following situations when evaluating the
compliance requirements for cryptographic technologies:

• Compliance regulations require that information systems are protected with cryptographic
technologies and that the cryptographic technologies used meet relevant technical
standards and security specifications.

• Although the use of cryptographic technologies is not mandatory in compliance
specifications, it facilitates the compliance process. For example, the use of
cryptographic technologies helps you obtain higher scores in scoring rules.

KMS provides the following capabilities to help enterprises meet compliance requirements:

• Managed HSMs

KMS provides managed hardware security modules (HSMs). Managed HSMs are
third-party hardware devices that are certified by regulatory agencies. They run in
an approved security mode. Managed HSMs have passed the certification by State
Cryptography Administration (SCA) and FIPS 140-2 Level 3 validation. For more
information, see #unique_6 and Using Managed HSM.

• Automatic key rotation

KMS supports automatic rotation of encryption keys. Enterprises can customize rotation
policies to quickly meet data security specifications and best practices. For more
information, see #unique_7 and #unique_8.

• AccessKey pairs and RAM

KMS is integrated with Resource Access Management (RAM) to implement unified
authentication and authorization. For more information, see #unique_17.

• Key usage auditing

KMS stores all API call records in ActionTrail, which allows you to perform compliance
auditing on key usage. For more information, see #unique_18.


Provide third-party encryption solution for ISVs

As an ISV, you can also integrate KMS as a third-party data security solution to protect user
data in your services. After you allow customers to manage keys in KMS and authorize
ISV services to use these keys, KMS acts as a third-party security protection mechanism
between ISV services and customers. Customers and ISV services can work together to
protect system security.

• Customer administrators

Generate keys in KMS and manage their lifecycle. They can also use RAM to manage the
permissions to use keys and allow ISV services to use specified keys in KMS through the
#unique_24 method.

• ISV services

Use customer-specified keys to encrypt and protect data in ISV services by integrating
KMS API operations. For more information, see #unique_4.

• Customer auditors

Use ActionTrail to audit usage records of keys in KMS.


4 Terms
This topic describes the terms used in Key Management Service (KMS).

Key Management Service

An Alibaba Cloud service. It provides features such as key hosting and cryptographic
operations. KMS implements security practices such as key rotation and can be integrated
with other cloud services to encrypt user data managed by these services. With KMS, you
can focus on developing services such as data encryption, data decryption, and digital
signature generation and verification. It helps you save costs in maintaining the security,
integrity, and availability of your keys.

Customer master key

A CMK is primarily used to encrypt data keys (DKs), which produces enveloped data keys
(EDKs), and to encrypt small amounts of data directly. You can call the #unique_25 operation
to create a CMK.

Envelope encryption

To encrypt business data, you can call the #unique_26 or #unique_27 operation to generate
a symmetric key and use the specified CMK to encrypt that symmetric key, producing an
enveloped data key (EDK). The EDK secures data when it is stored and transferred over
unsecured communication channels. You can retrieve the EDK when you need it. For more
information, see #unique_21.

Data key

The plaintext key used to encrypt data.

Note:
You can call the #unique_26 operation to generate a DK, use the specified CMK to encrypt
the DK, and return the plaintext (DK) and ciphertext (EDK) of the DK.

Enveloped data key or encrypted data key

The ciphertext key generated through envelope encryption.

Note:
If the plaintext of a DK is not needed, you can call the #unique_27 operation to return only
the ciphertext of the DK.


Hardware security module

The hardware device that performs cryptographic operations, and securely generates
and stores keys. Managed HSM provided by KMS can meet the testing and validation
requirements from regulatory agencies and provide users with high security assurances for
their keys managed in KMS. For more information, see #unique_6.

Encryption context

An encapsulation of authenticated encryption with associated data (AEAD). KMS uses
the encryption context that you pass in as additional authenticated data (AAD) of the
symmetric encryption algorithm for cryptographic operations. A decryption request that
carries a different context fails verification, so the context provides additional
integrity and authenticity for encrypted data. For more information, see #unique_10.
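The following is an added example, not code from this document or from Alibaba Cloud, that walks through the envelope encryption flow described under "Easy encryption" in the Benefits section and under "Envelope encryption" in the Scenarios section, using the Terms above (CMK, DK, EDK, encryption context). The SimulatedKms class is a constructed stand-in for the KMS API, not the Alibaba Cloud SDK; the toy AEAD (SHA-256 keystream plus HMAC-SHA256 tag) exists only so the example runs on the Python standard library and is not the cipher KMS uses; canonicalising the context map as sorted JSON before using it as AAD is an assumption made for the example.

```python
"""Envelope encryption with an encryption context, modelled on the KMS flow
in this document: GenerateDataKey, local encryption with the DK, persisting
only the EDK, and Decrypt of the EDK when the data is needed.
SimulatedKms and the toy AEAD are constructed for this example."""
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from SHA-256 (toy construction, not AES-GCM)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def aead_seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC; the tag also covers the AAD, so a changed context fails on open."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or encryption context was altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def context_to_aad(encryption_context: dict) -> bytes:
    # Assumption: the key/value map is canonicalised as compact, key-sorted JSON.
    return json.dumps(encryption_context, sort_keys=True, separators=(",", ":")).encode()


class SimulatedKms:
    """Stand-in for the CMK-side operations; CMK material never leaves this object."""

    def __init__(self):
        self._cmks = {}

    def create_key(self) -> str:
        key_id = "cmk-" + secrets.token_hex(8)  # constructed identifier format
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id: str, encryption_context: dict):
        """Return (plaintext DK, EDK); the EDK is the DK sealed under the CMK."""
        dk = secrets.token_bytes(32)
        edk = aead_seal(self._cmks[key_id], dk, context_to_aad(encryption_context))
        return dk, key_id.encode() + b":" + edk

    def decrypt(self, edk: bytes, encryption_context: dict) -> bytes:
        """Unwrap an EDK; the same context given at GenerateDataKey time is required."""
        key_id, _, blob = edk.partition(b":")
        return aead_open(self._cmks[key_id.decode()], blob, context_to_aad(encryption_context))


def encrypt_record(kms, key_id, plaintext, encryption_context):
    """Application side: only the EDK and the body are persisted, never the plaintext DK."""
    dk, edk = kms.generate_data_key(key_id, encryption_context)
    body = aead_seal(dk, plaintext, context_to_aad(encryption_context))
    return {"edk": edk, "body": body}


def decrypt_record(kms, record, encryption_context):
    dk = kms.decrypt(record["edk"], encryption_context)
    return aead_open(dk, record["body"], context_to_aad(encryption_context))


def demo():
    kms = SimulatedKms()
    key_id = kms.create_key()
    ctx = {"tenant": "acme", "purpose": "customer-pii"}  # constructed context
    record = encrypt_record(kms, key_id, b"account=12345;ssn=***", ctx)
    restored = decrypt_record(kms, record, ctx)
    try:  # the same EDK presented under another tenant's context must be rejected
        decrypt_record(kms, record, {"tenant": "other", "purpose": "customer-pii"})
        context_enforced = False
    except ValueError:
        context_enforced = True
    return restored, context_enforced


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one the Terms section states: the application stores the EDK next to the ciphertext and never the DK, and because the encryption context is bound into the AAD of both the EDK and the data body, an EDK copied into another tenant's context cannot be unwrapped even though the CMK is the same.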


5 Limits
This topic describes the limits of Key Management Service (KMS).

KMS is a region-specific service. It has different limits for different regions. For more
information about the regions supported by KMS, see #unique_28.

Resource quotas

KMS defines resource quotas to provide fast and elastic services. Some quotas only limit
the resources that you create, but do not apply to the resources that are created for you by
Alibaba Cloud. If the resources that you use do not belong to your Alibaba Cloud account,
the resources are not counted as a part of your resource quota.

If the quota of a resource is exhausted, the request that exhausts it succeeds, but the
system reports the error Rejected.LimitExceeded for subsequent requests that create this
type of resource.

The following table lists the KMS resource quotas for each Alibaba Cloud account in a
region. If you want to increase a quota, submit a ticket.

Resource type               Default quota   Description
Customer master key (CMK)   200             The maximum number of CMKs that can be created in a region
Alias                       300             The maximum number of aliases that can be created in a region
CMK version                 10,000          The maximum number of versions for all CMKs that can be created in a region

Request quotas

KMS sets a quota for the number of API operations that can be called per second. When the
API request quota is exceeded, KMS blocks valid requests and returns an error similar to
the following. This type of error is transient and can be resolved by retrying. You should
configure request backoff and retry policies for your application.

{
  "HttpStatus": 429,
  "Code": "Rejected.Throttling",
  "Message": "QPS Limit Exceeded",
  "RequestId": "e85db688-a2d3-44ca-9790-4259********"
}
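The following is an added example, not code from this document or from Alibaba Cloud, of the backoff and retry policy the paragraph above recommends for the Rejected.Throttling error. It retries only that error code, uses exponential backoff with full jitter, and gives up after a bounded number of attempts. The make_flaky_call helper is a constructed stand-in for a KMS API call and is not the Alibaba Cloud SDK; the RequestId is the redacted one shown in the error above.

```python
"""Bounded backoff-and-retry for KMS throttling (HTTP 429, Rejected.Throttling).
Added example; make_flaky_call is a constructed stand-in for a real API call."""
import random
import time

# Copy of the throttling error shown in this document
THROTTLED = {
    "HttpStatus": 429,
    "Code": "Rejected.Throttling",
    "Message": "QPS Limit Exceeded",
    "RequestId": "e85db688-a2d3-44ca-9790-4259********",
}
RETRYABLE_CODES = {"Rejected.Throttling"}


def is_retryable(response: dict) -> bool:
    """Only throttling is retried; a quota error such as Rejected.LimitExceeded is not
    transient and retrying it would only add load."""
    return response.get("HttpStatus") == 429 and response.get("Code") in RETRYABLE_CODES


def backoff_delay(attempt: int, base: float = 0.1, cap: float = 5.0, rng=random.random) -> float:
    """Exponential backoff with full jitter: uniform in [0, min(cap, base * 2**attempt)]."""
    return rng() * min(cap, base * (2 ** attempt))


def call_with_retry(call_kms, max_attempts: int = 5, sleep=time.sleep, rng=random.random):
    """Invoke call_kms until it returns a non-throttled response or attempts run out.
    Returns (response, list of delays slept) so the caller can log the wait."""
    delays = []
    response = None
    for attempt in range(max_attempts):
        response = call_kms()
        if not is_retryable(response):
            return response, delays
        if attempt == max_attempts - 1:
            break
        delay = backoff_delay(attempt, rng=rng)
        delays.append(delay)
        sleep(delay)
    raise RuntimeError(
        f"still throttled after {max_attempts} attempts, last RequestId {response['RequestId']}"
    )


def make_flaky_call(throttle_first: int):
    """Constructed stand-in: returns the throttling error for the first N calls, then succeeds."""
    state = {"calls": 0}

    def call():
        state["calls"] += 1
        if state["calls"] <= throttle_first:
            return dict(THROTTLED)
        return {"HttpStatus": 200, "RequestId": "constructed-ok-id"}

    return call


if __name__ == "__main__":
    resp, waited = call_with_retry(make_flaky_call(2), sleep=lambda s: None)
    print(resp["HttpStatus"], [round(w, 3) for w in waited])
```

Keeping the retry bounded and jittered matters operationally: a tight unbounded retry loop across many clients keeps the account pinned at the per-second quota, while jitter spreads the retries so they do not all land in the same second again.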


The following table lists the KMS request quotas for each Alibaba Cloud account in a region.
If you want to increase a quota, submit a ticket.

Table 5-1: Default request quotas for CMKs per second

CMK specification             Create      Key         Read-only   Write
                              operation   operation   operation   operation
Aliyun_AES_256, Aliyun_SM4    10          750         20          10
RSA_2048                      10          200         20          10
EC_P256, EC_P256K, EC_SM2     10          200         20          10

Note:
The default request quotas for CMKs are grouped by operation. All operations in a group
share the request quota for this group. The groups are defined as follows:

• Create operation group: consists of the CreateKey operation. For more information, see
#unique_25.

• Key operation group: includes the key operations for a specific CMK. For more
information, see #unique_4/unique_4_Connect_42_section_bmq_3mj_3gb.

• Read-only operation group: includes the operations that are related to CMKs, aliases,
and CMK tags and do not change the metadata, properties, or status of resources.

• Write operation group: includes the operations that are related to CMKs, aliases, and
CMK tags and change the metadata, properties, and status of resources.
