Key management service
Key Management Service (KMS) is a cryptographic service built by Alibaba Cloud for encrypting data in the cloud. It provides your applications with key services that meet national cryptographic (SM) compliance requirements, together with simple application-level encryption and decryption services, so that you can easily use keys to encrypt and protect sensitive data assets.

Product advantages

Complete key control
Alibaba Cloud offers a dedicated, high-security edition of KMS in which your keys are stored in your own cloud cipher machine (HSM) cluster. Because you fully control the HSM, you obtain stronger assurance for your keys, and hence for your data in the cloud.
Rigorous design, security and compliance
KMS has undergone rigorous security design and review so that your keys are protected as strictly as possible within Alibaba Cloud. By using a cipher machine certified by the State Cryptography Administration of China, you can meet the corresponding regulatory and compliance requirements.
Extensive cloud product integration
KMS is widely integrated with Alibaba Cloud products such as ECS, cloud databases, Object Storage Service (OSS) and file storage. You can use KMS keys to encrypt the data held in these products, protecting sensitive data assets and strengthening the default security of the cloud products.
Available, reliable and resilient
KMS builds redundant cryptographic computing capacity across multiple zones in each region so that requests are served with low latency. You can create as many keys as you need in different regions without worrying about scaling the underlying infrastructure up or down.

Key Product Usage Practice

Each edition below is described by the same set of attributes: applicable scenarios, encryption mode, data access characteristics, processing performance, whether SDK integration is required, SDK development language support, Terraform support, SLA, billing unit and product price.

Free Access (cloud product at-rest / transparent encryption)
  • Applicable scenarios: Server-side (at-rest) or transparent encryption in cloud products; more than 80 Alibaba Cloud products, including ECS, RDS and OSS
  • Encryption mode: At rest / transparent
  • Data access characteristics: Real-time access, called by the cloud product
  • Processing performance: Unlimited
  • SDK integration required: No
  • SDK development language support: Not applicable
  • Terraform support: Yes
  • SLA: Follows the respective cloud product
  • Billing unit: Free access
  • Product price: ¥0.0 / month

Software Key (data field encryption)
  • Applicable scenarios: Encryption of data fields; supports files, data fields, certificate chains, etc.
  • Encryption mode: Application-layer encryption
  • Data access characteristics: Real-time access / cached access
  • Processing performance: 100,000+ QPS
  • SDK integration required: Yes
  • SDK development language support: Java, Go, PHP, Python, etc.
  • Terraform support: Yes
  • SLA: 99.95%
  • Billing unit: QPS, number of keys, VPCs, etc.
  • Product price: ¥2,499 / month

Credential Manager (AK/SK credential management)
  • Applicable scenarios: Management of AK/SK credentials; supports AK/SK, tokens, database account passwords, etc.
  • Encryption mode: Application-layer encryption
  • Data access characteristics: Real-time access
  • Processing performance: 100,000+ QPS
  • SDK integration required: Yes
  • SDK development language support: Java, Go, PHP, Python, etc.
  • Terraform support: Yes
  • SLA: 99.95%
  • Billing unit: QPS, number of credentials
  • Product price: ¥2,748 / month

Key Backup (key backup and recovery)
  • Applicable scenarios: Backup and recovery of keys; supports global multi-region backup of keys and credentials
  • Encryption mode: Not applicable
  • Data access characteristics: Real-time requests after archiving
  • Processing performance: Not applicable
  • SDK integration required: No
  • SDK development language support: Not applicable
  • Terraform support: No
  • SLA: 99.9999%
  • Billing unit: Backup cycle
  • Product price: ¥64 / month

Hardware Key Management (migration to SM cryptography)
  • Applicable scenarios: Migration to national SM cryptography; supports the SM algorithms and enterprise-wide migration to SM cryptography
  • Encryption mode: Application-layer encryption / at rest / transparent encryption
  • Data access characteristics: Real-time access
  • Processing performance: 100,000+ QPS
  • SDK integration required: Yes
  • SDK development language support: Java, Go, PHP, Python, etc.
  • Terraform support: No
  • SLA: 99.95%
  • Billing unit: QPS, VPCs, HSMs, etc.
  • Product price: ¥7,699 / month

Product Functions

Ideal cloud data encryption scheme
Use an authoritatively certified cipher machine to meet regulatory compliance requirements
Keys generated by KMS come from the random number generator inside the cipher machine (HSM), which is seeded from a high-entropy source, so that an attacker cannot recover the key. The key is protected by the hardware security mechanism: its plaintext is used only for cryptographic operations inside the cipher machine and never leaves the hardware security boundary.
Comprehensive key management to build an on-cloud key management center
KMS provides full key life-cycle management. You can generate keys in KMS or import your own keys into the managed cipher machine (BYOK, Bring Your Own Key), and you can disable, enable, schedule the deletion of, and automatically rotate keys.
A minimal application encryption interface to accelerate integration of user applications
To simplify the use of cryptographic services by applications, KMS provides a carefully designed minimalist cryptographic interface offering symmetric encryption and decryption, asymmetric encryption and decryption, signing and signature verification, and other operations for the SM algorithms (SM2/SM3/SM4) as well as international algorithms.
Integration with Alibaba Cloud products for "encryption by default" of cloud data
KMS is widely integrated with Alibaba Cloud products. You can use a key that the cloud product creates and manages on your behalf, create a key in the KMS console, or import an external key, to encrypt and protect the data you store in more than 20 cloud products such as RDS, ECS and OSS.
Full audit of key usage to confirm that keys are used correctly
You can track and audit key usage through the ActionTrail service. Whether keys are used by cloud products or by your own applications, every call to the KMS interface can be audited. You can also deliver the logs to OSS or Log Service for long-term retention, data analysis, SIEM integration and other scenarios.
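As an added example (not code from this page or from the Alibaba Cloud service), the following Python shows the kind of check a defender would run over KMS audit events once they have been delivered to Log Service or a SIEM: it flags key life-cycle changes, data-key operations by principals that are not expected to use a given key, and bursts of Decrypt calls. The log lines are constructed, and both the event field names (a simplified ActionTrail-like shape) and the API names used (Decrypt, GenerateDataKey, Encrypt, ScheduleKeyDeletion, DisableKey, DeleteKeyMaterial) are assumptions for illustration rather than the documented schema.

```python
import json
from collections import Counter

# Constructed sample log lines in a simplified ActionTrail-like JSON shape.
# Field names are an assumption for this example, not the documented schema.
SAMPLE_LOG = "\n".join([
    '{"eventTime":"2023-02-09T08:00:01Z","serviceName":"Kms","eventName":"Decrypt","userIdentity":{"principalId":"role:app-orders"},"requestParameters":{"KeyId":"key-example-1"}}',
    '{"eventTime":"2023-02-09T08:00:02Z","serviceName":"Kms","eventName":"GenerateDataKey","userIdentity":{"principalId":"role:app-orders"},"requestParameters":{"KeyId":"key-example-1"}}',
    '{"eventTime":"2023-02-09T08:00:03Z","serviceName":"Kms","eventName":"Decrypt","userIdentity":{"principalId":"user:dev-alice"},"requestParameters":{"KeyId":"key-example-1"}}',
    '{"eventTime":"2023-02-09T08:00:04Z","serviceName":"Kms","eventName":"ScheduleKeyDeletion","userIdentity":{"principalId":"user:dev-alice"},"requestParameters":{"KeyId":"key-example-1"}}',
    '{"eventTime":"2023-02-09T08:00:05Z","serviceName":"Ecs","eventName":"DescribeInstances","userIdentity":{"principalId":"user:dev-alice"},"requestParameters":{}}',
    '{"eventTime":"2023-02-09T08:00:06Z","serviceName":"Kms","eventName":"Decrypt","userIdentity":{"principalId":"role:app-orders"},"requestParameters":{"KeyId":"key-example-1"}}',
    '{"eventTime":"2023-02-09T08:00:07Z","serviceName":"Kms","eventName":"Decrypt","userIdentity":{"principalId":"role:app-orders"},"requestParameters":{"KeyId":"key-example-1"}}',
    '{"eventTime":"2023-02-09T08:00:08Z","serviceName":"Kms","eventName":"Decrypt","userIdentity":{"principalId":"role:app-orders"},"requestParameters":{"KeyId":"key-example-1"}}',
])

# Key life-cycle operations that deserve an alert wherever they appear, and the
# data-key operations whose callers should match an allow list. Assumed API names.
LIFECYCLE_ACTIONS = {"ScheduleKeyDeletion", "DisableKey", "DeleteKeyMaterial"}
DATA_ACTIONS = {"Decrypt", "GenerateDataKey", "Encrypt"}


def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_kms_events(events, allowed_principals, decrypt_burst_threshold=3):
    """Return (finding_type, detail, principal, key_id) tuples for KMS events.

    allowed_principals maps a key id to the set of principals expected to use it.
    """
    findings = []
    decrypt_counts = Counter()
    for ev in events:
        if ev.get("serviceName") != "Kms":
            continue  # only KMS calls are of interest here
        name = ev.get("eventName", "")
        principal = ev.get("userIdentity", {}).get("principalId", "unknown")
        key_id = ev.get("requestParameters", {}).get("KeyId", "")
        if name in LIFECYCLE_ACTIONS:
            findings.append(("key-lifecycle-change", name, principal, key_id))
        if name in DATA_ACTIONS and principal not in allowed_principals.get(key_id, set()):
            findings.append(("unexpected-principal", name, principal, key_id))
        if name == "Decrypt":
            decrypt_counts[(principal, key_id)] += 1
    # A burst of Decrypt calls by one principal against one key is the pattern
    # that bulk plaintext extraction would leave behind.
    for (principal, key_id), n in decrypt_counts.items():
        if n > decrypt_burst_threshold:
            findings.append(("decrypt-burst", f"{n} Decrypt calls", principal, key_id))
    return findings


# Constructed allow list: only the order service is expected to use this key.
ALLOWED = {"key-example-1": {"role:app-orders"}}


def run_sample_audit():
    return audit_kms_events(parse_log(SAMPLE_LOG), ALLOWED)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding)
```

In practice the allow list comes from the RAM policies attached to each key, and the burst threshold is set per principal from a baseline of normal traffic; the value of auditing every KMS call, as the section above notes, is that both the cloud products' and your own applications' use of a key show up in the same trail.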

Application scenarios

  • Encrypt sensitive data to prevent plaintext database dumps
  • Encrypt client-side file data to prevent leakage
  • Encrypt account passwords, certificate private keys and other credentials to prevent leakage
  • Server-side encryption of cloud product data

Encrypt sensitive data to prevent plaintext database dumps
Scenario description and summary
The Internet application you deploy stores sensitive user data such as mobile phone numbers, ID numbers and bank card numbers, which exposes you to the risk of an attacker dumping the database in plaintext. With the minimalist application encryption service provided by KMS, sensitive data is encrypted at the application layer before it is stored in the database, raising the cost of an attack and reducing the risk of bulk plaintext disclosure.
Problems solved
Centralized encrypted storage of sensitive data
Sensitive data is encrypted by KMS before it is persisted in the database, and the data encryption key is protected by the hardware protection mechanism of the cipher machine, so it cannot be stolen by anyone and data security is high.
The business system decrypts data on demand
When the business system needs to process or display sensitive data, it calls KMS after authenticating the user to decrypt the data on demand. Only the small part of the data that the business needs is ever decrypted into plaintext in memory, so the risk of data exposure and leakage is small.
Encrypt client-side file data to prevent leakage
Scenario description and summary
Your client application needs to encrypt files before transmitting or storing them. In the conventional scheme the file is sent to the cipher machine for encryption, so the encryption path crosses the Internet, which is hard to secure, and the network overhead makes encryption slow. With KMS envelope encryption, KMS is responsible for the secure management and exchange of keys, while the application calls the KMS interface to obtain a data key and completes the data encryption locally, ensuring both the security and the efficiency of file encryption.
Problems solved
Encrypted storage of massive data in OSS
You can use the OSS client-side encryption SDK to encrypt large volumes of data before uploading, or call KMS directly to perform envelope encryption.
High-concurrency NoSQL reads and writes of encrypted data
Partition the data by space or time and reuse the same data key within one partition (for example, per table or per 5 seconds), then store the ciphertext in NoSQL.
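The envelope-encryption flow described in this scenario, together with the data-key reuse per table or per 5-second window from the NoSQL point, as an added example in Python (not code from this page, nor Alibaba Cloud's SDK). The KMS side is simulated in-process by a `SimulatedKms` class whose master key stands in for a key that in production never leaves the HSM; the key id `key-example-1`, the record layout and the sample field values are all constructed. Because only the standard library is used, the authenticated cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC); a real SDK would use AES-GCM or SM4 in its place, and the envelope structure around it is the point of the example.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Stand-in authenticated encryption built from the standard library only:
# an HMAC-SHA256 counter-mode keystream, then an HMAC tag over nonce||ciphertext
# (encrypt-then-MAC with separately derived keys). A real SDK uses AES-GCM or SM4.
def _derive(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key, plaintext):
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key, blob):
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class SimulatedKms:
    """In-process stand-in for the KMS side. In production the master key lives
    inside the KMS HSM and never leaves it; only wrapped data keys come out."""
    def __init__(self):
        self._master_keys = {}

    def create_key(self, key_id):
        self._master_keys[key_id] = secrets.token_bytes(32)

    def generate_data_key(self, key_id):
        """Return (plaintext data key, data key wrapped under the master key)."""
        dek = secrets.token_bytes(32)
        return dek, seal(self._master_keys[key_id], dek)

    def decrypt_data_key(self, key_id, wrapped):
        return open_sealed(self._master_keys[key_id], wrapped)

class EnvelopeEncryptor:
    """Application side: encrypt records locally under a data key, and reuse one
    data key per (table, time window) so that one KMS call covers many records."""
    def __init__(self, kms, key_id, window_seconds=5, clock=time.time):
        self.kms, self.key_id = kms, key_id
        self.window, self.clock = window_seconds, clock
        self._cache = {}
        self.kms_calls = 0

    def _data_key(self, table):
        scope = (table, int(self.clock() // self.window))
        if scope not in self._cache:
            self._cache[scope] = self.kms.generate_data_key(self.key_id)
            self.kms_calls += 1
        return self._cache[scope]

    def encrypt_record(self, table, plaintext):
        dek, wrapped = self._data_key(table)
        # Only the wrapped key and the ciphertext are persisted; the plaintext DEK stays in memory.
        return {"table": table, "wrapped_key": wrapped, "ciphertext": seal(dek, plaintext)}

    def decrypt_record(self, record):
        dek = self.kms.decrypt_data_key(self.key_id, record["wrapped_key"])
        return open_sealed(dek, record["ciphertext"])

def demo():
    """Constructed walk-through: three records in one window, one in the next."""
    kms = SimulatedKms()
    kms.create_key("key-example-1")           # placeholder key id
    now = [1000.0]                            # controllable clock for the example
    enc = EnvelopeEncryptor(kms, "key-example-1", clock=lambda: now[0])
    records = [enc.encrypt_record("users", b"13800000000"),
               enc.encrypt_record("users", b"11010519900101001X"),
               enc.encrypt_record("orders", b"6222000000000000")]
    now[0] += 6                               # next 5-second window: fresh data key
    records.append(enc.encrypt_record("users", b"13900000000"))
    return enc, records

if __name__ == "__main__":
    enc, records = demo()
    print("KMS calls:", enc.kms_calls)        # users/window 1, orders/window 1, users/window 2
    print(enc.decrypt_record(records[0]))
```

The same design serves the field-encryption scenario above: each database column value is a record, the ciphertext and wrapped key are what reach the database, and a process that is compromised after the fact holds only wrapped keys it cannot unwrap without a KMS call, which is exactly what the audit trail records. For read-heavy workloads, decryption would cache unwrapped data keys by their wrapped form in the same way the encryptor caches by scope.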
Encrypt account passwords, certificate private keys and other credentials to prevent leakage
Scenario description and summary
Your applications deployed on ECS, in containers, on Function Compute and other services need sensitive data such as passwords, OAuth secrets and server certificate private keys. KMS manages these credentials before deployment and the application retrieves them dynamically after deployment, securing the sensitive data throughout operation and maintenance, transmission, storage and other processes.
Problems solved
  • Avoid exposing sensitive data such as passwords and keys in the code base or configuration.
  • Avoid giving R&D staff access to sensitive data such as passwords and keys, preventing human-caused leaks.
  • Rotate credentials automatically and periodically to raise the security baseline and meet compliance requirements.
  • Simplify emergency response after a credential leak and reduce the failure risk caused by emergency redeployment.
  • Meet centralized, large-scale security management requirements for all kinds of credentials.
  • Support simple application access through a variety of client tools.
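The runtime pattern behind the credential-management points above (no password in code or configuration, periodic or emergency rotation, and no redeployment when a credential changes), as an added Python example that is not code from this page or from the Credential Manager SDK. The credential store and the database are simulated in-process: `SimulatedCredentialManager` stands in for the service, including the rotation step that pushes a new password to the database account, and `SimulatedDatabase` stands in for RDS; the secret name `rds/orders-app` and all values are constructed. The part an application team would actually own is `DbClient`: fetch at runtime, cache for a TTL, refresh once on an authentication failure.

```python
import hmac
import secrets
import time

class SimulatedCredentialManager:
    """In-process stand-in for a managed credential store. It holds versioned
    secret values and, on rotation, also updates the target database account
    so the application never handles the password change itself."""
    def __init__(self, database):
        self._db = database
        self._versions = {}  # name -> list of (version_id, value), newest last

    def create_secret(self, name, value):
        self._versions[name] = [("v1", value)]
        self._db.set_password(value)

    def get_secret_value(self, name):
        version_id, value = self._versions[name][-1]
        return {"name": name, "version": version_id, "value": value}

    def rotate(self, name):
        """Generate a new password, push it to the database, then publish it as
        the current version. Older versions are kept for audit, not for login."""
        new_value = secrets.token_urlsafe(24)
        self._db.set_password(new_value)
        versions = self._versions[name]
        versions.append((f"v{len(versions) + 1}", new_value))
        return versions[-1][0]

class SimulatedDatabase:
    """Accepts a connection only with the current account password."""
    def __init__(self):
        self._password = None
        self.logins = 0

    def set_password(self, password):
        self._password = password

    def connect(self, password):
        if self._password is None or not hmac.compare_digest(password, self._password):
            raise PermissionError("authentication failed")
        self.logins += 1
        return "connection"

class DbClient:
    """Application side: fetch the password at runtime (never from code or
    config), cache it for a TTL, and refresh once on an auth failure so a
    rotation that happened underneath us does not cause an outage."""
    def __init__(self, manager, database, secret_name, ttl_seconds=300, clock=time.time):
        self.manager, self.db, self.name = manager, database, secret_name
        self.ttl, self.clock = ttl_seconds, clock
        self._cached, self._fetched_at = None, 0.0
        self.fetches = 0

    def _password(self, force=False):
        if force or self._cached is None or self.clock() - self._fetched_at > self.ttl:
            self._cached = self.manager.get_secret_value(self.name)["value"]
            self._fetched_at = self.clock()
            self.fetches += 1
        return self._cached

    def connect(self):
        try:
            return self.db.connect(self._password())
        except PermissionError:
            # The credential may have rotated: refresh once and retry, then give up.
            return self.db.connect(self._password(force=True))

def demo():
    """Constructed walk-through: two cached connections, a rotation, a transparent recovery."""
    db = SimulatedDatabase()
    manager = SimulatedCredentialManager(db)
    manager.create_secret("rds/orders-app", secrets.token_urlsafe(24))  # placeholder secret name
    client = DbClient(manager, db, "rds/orders-app")
    client.connect()
    client.connect()                        # served from the cache: still one fetch
    old_password = client._cached
    manager.rotate("rds/orders-app")        # periodic rotation or emergency response to a leak
    client.connect()                        # cached value fails once, refresh, succeed
    return client, db, manager, old_password

if __name__ == "__main__":
    client, db, manager, _ = demo()
    print("fetches:", client.fetches, "logins:", db.logins,
          "current version:", manager.get_secret_value("rds/orders-app")["version"])
```

Emergency handling of a leaked credential is then the same `rotate` call as the scheduled one: the leaked value stops working at the database immediately, and every running instance recovers on its next connection attempt without a redeployment.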
Server-side encryption of cloud product data
Scenario description and summary
Cloud products integrate with KMS and use a master key in KMS to encrypt and protect their data. You only need to specify the KMS key in the cloud product's encryption configuration, authorize access to the key through RAM, and audit the cloud product's calls to KMS in ActionTrail.
Problems solved
Control a distributed compute and storage environment through encryption
The cloud compute and storage environment is distributed and multi-tenant. Cloud product encryption binds compute and storage behaviour to KMS. For example, to start an ECS instance, the encrypted cloud disk must be decrypted; the redundant copies of the encrypted disk in the distributed storage system and the snapshots automatically taken from it are likewise protected by KMS.
Offload the encryption load for massive data to Alibaba Cloud
If you generate massive amounts of data, encrypting and decrypting it consumes a large amount of computing resources and hurts system performance and throughput. With server-side encryption in cloud products you hand that load over to Alibaba Cloud while retaining control over, and visibility into, how your data is encrypted.

Product Dynamics

2016-11-25  New region / new zone: Australia data center goes online
2016-11-25  New region / new zone: Dubai data center goes online
2016-11-28  Function optimization: the DescribeKey interface now also returns the creator of the key
2017-01-26  New region / new zone: Hong Kong data center goes online
2017-03-01  Function optimization: master key rotation
2017-03-01  Function optimization: API call throttling (flow control)
2018-03-30  New features / specifications: KMS supports key import (BYOK)
2018-07-24  New features / specifications: KMS supports operation auditing
2019-05-01  New features / specifications: KMS supports tag management and tag-based access control
2020-01-01  New features / specifications: KMS releases asymmetric keys (RSA, elliptic curve ECC)
2020-12-17  New features / specifications: KMS Credential Manager adds dynamic RDS credentials
2023-02-09  New features / specifications: console version 3.0 released (China site)

More products and services

Encryption service
The encryption service is based on hardware cipher machines certified by the State Cryptography Administration of China and provides encryption and decryption services for cloud data. Users can manage keys securely and reliably and use a variety of cryptographic algorithms to perform encryption and decryption on cloud business data.
ECS
Provides cloud servers with default encryption capabilities, supporting encryption of both data disks and system disks, so that users have secure and reliable data encryption.
RDS MySQL
MySQL is one of the most popular open source databases in the world. As an important part of the LAMP stack, it is widely used in all kinds of application scenarios.
Object Storage OSS
Provides default encryption for OSS storage and supports both server-side and client-side encryption.