Certified third-party HSMs are used to generate keys and random numbers and to store Root Keys. Data Encryption Keys (DEKs) are transmitted over encrypted channels.
Key persistence is ensured by online backup of Customer Master Keys (CMKs) in redundant storage and offline backup of Root Keys on physical devices.
KMS interworks with OBS, EVS, IMS, and VBS, facilitating key management and protection of service data. Users can make KMS API requests to encrypt local data.
Default Master Keys are free of charge. CMKs can be added or removed as required, and charges are based on CMKs created and key usage. KMS provides 20,000 free API requests per month.
KMS provides server-side encryption in OBS for you to encrypt important data, such as your personal data, private data, or information assets. The encryption keys can be managed together on the KMS console.
You can assign a CMK and generate a DEK separately for each object. This facilitates the control of key usage.
CMKs enable you to control the access to your encrypted data. In addition, you can audit each and every operation on your CMKs.
KMS encrypts all data written to disks, including temporary OS and application files, as well as memory swap.
KMS performs application-unaware encryption before data is written to disks.
Encryption keys are managed in a centralized manner on KMS.
CMKs can be directly used to encrypt, decrypt, and protect up to 4 KB of data. A CMK+DEK combination is used to protect large data objects, with the CMK protecting the DEK that encrypts data.
Data encryption and decryption only require an API request.
Large amounts of data can be locally encrypted or decrypted.
Data can be frozen by disabling CMKs. Disabled CMKs can be enabled again.
Data can be frozen with just a click.
A large volume of data can be frozen simply by disabling the CMK.
Performs complete lifecycle management of CMKs on the cloud, from creation to deletion.
Generates, encrypts, and decrypts DEKs, and uses DEKs to perform cloud-based encryption and decryption.
Invokes an encryption or decryption API to encrypt or decrypt up to 4 KB of data.
Generates true random numbers from a physical device.
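
The CMK+DEK combination and the freeze-by-disabling behaviour described above, as an added example that is not the KMS API or the provider's code. `LocalKms` and its method names are hypothetical: an in-process stand-in for the service, which in reality never releases the CMK.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM helpers. Output layout: nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Hypothetical stand-in for the key service; the CMK lives only inside it.
class LocalKms {
  constructor() { this.cmk = crypto.randomBytes(32); this.enabled = true; }
  requireEnabled() { if (!this.enabled) throw new Error('CMK is disabled'); }
  createDataKey() {
    this.requireEnabled();
    const plaintextDek = crypto.randomBytes(32);
    return { plaintextDek, wrappedDek: seal(this.cmk, plaintextDek) };
  }
  decryptDataKey(wrappedDek) {
    this.requireEnabled();
    return unseal(this.cmk, wrappedDek);
  }
}

// Envelope encryption: the data is encrypted locally with a fresh DEK, and
// only the CMK-wrapped DEK is stored next to the ciphertext.
function encryptObject(kms, data) {
  const { plaintextDek, wrappedDek } = kms.createDataKey();
  const ciphertext = seal(plaintextDek, data);
  plaintextDek.fill(0); // wipe the plaintext DEK once it has been used
  return { wrappedDek, ciphertext };
}

// Decryption needs the service to unwrap the DEK, so disabling the CMK
// makes every object protected by it unreadable until it is enabled again.
function decryptObject(kms, { wrappedDek, ciphertext }) {
  const dek = kms.decryptDataKey(wrappedDek);
  try { return unseal(dek, ciphertext); } finally { dek.fill(0); }
}
```

Because only the 32-byte DEK passes through the key service, the size of the object does not matter; the 4 KB limit applies to data encrypted directly under the CMK.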