Key Management Service (KMS)

KMS is a secure, easy-to-use service that uses Hardware Security Modules (HSMs) to protect your keys. It seamlessly interworks with other services to protect service data and can be used to develop encryption applications.

20,000 free API requests each month. Learn more

Security

Certified third-party HSMs are used to generate keys and random numbers and save Root Keys. Data Encryption Keys (DEKs) are transmitted in encrypted channels.

Reliability

Key persistence is ensured by online backup of Customer Master Keys (CMKs) in redundant storage and offline backup of Root Keys on physical devices.

Interoperability

KMS interworks with OBS, EVS, IMS, and VBS, facilitating key management and protection of service data. Users can make KMS API requests to encrypt local data.

Pay-Per-Use

Default Master Keys are free of charge. CMKs can be added or removed as required, and charges are based on CMKs created and key usage. KMS provides 20,000 free API requests per month.

Application Scenarios

  • Object Storage Service (OBS)

  • Elastic Volume Service (EVS)

  • Local Files

  • Data Deletion and Freezing

Object Storage Service (OBS)

OBS

KMS provides server-side encryption for OBS data.

Advantages

  • Dedicated

    CMKs can be assigned to files for easier key management.

  • Access Control

    With CMKs, it is easier to control user access to OBS data.

Elastic Volume Service (EVS)

System Disk

KMS encrypts data, including temporary OS and application files, as well as memory SWAP, before the data is written to the system disk.

Data Disk

KMS performs application-unaware encryption before data is written to data disks.

Advantages

  • Manageability

    Encryption keys of EVS data can be managed by KMS.

Local Files

Small Data Objects

CMKs can be directly used to encrypt, decrypt, and protect up to 4 KB of data.

Large Data Objects

A CMK+DEK combination is used to protect large data objects, with the CMK protecting the DEKs that encrypt and decrypt data.

Advantages

  • Convenient

    Data encryption and decryption only require an API request.

  • Efficient

    Large amounts of data can be locally encrypted or decrypted.

Data Deletion and Freezing

Data Deletion

Deleting a CMK automatically deletes associated DEKs and the data encrypted by the DEKs.

Data Freezing

Data can be frozen by disabling CMKs. Disabled CMKs can be enabled again.

Advantages

  • Convenience

    Data can be removed or frozen with just a click.

Functions

CMK Management

Performs complete lifecycle management of CMKs on the cloud, from creation to deletion.

DEK Management

Generates, encrypts, and decrypts DEKs, and uses DEKs to perform cloud-based encryption and decryption.

Direct Encryption

Invokes an encryption or decryption API to encrypt or decrypt 4 KB of data.

Hardware Random Number

Generates true random numbers from a physical device.

Register Now