Certified third-party HSMs are used to generate keys and random numbers and save Root Keys. Data Encryption Keys (DEKs) are transmitted in encrypted channels.


Key persistence is ensured by online backup of Customer Master Keys (CMKs) in redundant storage and offline backup of Root Keys on physical devices.


KMS interworks with OBS, EVS, IMS, and VBS, facilitating key management and protection of service data. Users can make KMS API requests to encrypt local data.


Default Master Keys are free of charge. CMKs can be added or removed as required, and charges are based on CMKs created and key usage. KMS provides 20,000 free API requests per month.

Application Scenarios

  • Object Storage Service (OBS)

  • Elastic Volume Service (EVS)

  • Local File Encryption

  • Data Freezing

Object Storage Service (OBS)

On-Cloud Object Encryption

KMS provides server-side encryption in OBS for you to encrypt important data, such as your personal data, private data, or information asset. The encryption keys can be managed together on the KMS console.


  • Dedicated

    You can assign a CMK and generate a DEK separately for each object. This facilitates the control of key usage.

  • Access Control

    CMKs enable you to control the access to your encrypted data. In addition, you can audit each and every operation on your CMKs.

Elastic Volume Service (EVS)

System & Data Disks

KMS encrypts all data written to disks, including temporary OS and application files, as well as memory SWAP.


  • Transparent Data Encryption

    KMS performs application-unaware encryption before data is written to disks.

  • Centralized Key Management

    Encryption keys are managed in a centralized manner on KMS.

Local File Encryption

Local Data Protection

CMKs can be directly used to encrypt, decrypt, and protect up to 4 KB of data. A CMK+DEK combination is used to protect large data objects, with the CMK protecting the DEK that encrypts data.


  • Convenient

    Data encryption and decryption only require an API request.

  • Efficient

    Large amounts of data can be locally encrypted or decrypted.

Data Freezing

Data Freezing

Data can be frozen by disabling CMKs. Disabled CMKs can be enabled again.


  • Convenience

    Data can be frozen with just a click.

  • Batch Freezing

    A large volume of data can be frozen simply by disabling the CMK.


CMK Management

Performs complete lifecycle management of CMKs on the cloud, from creation to deletion.

DEK Management

Generates, encrypts, and decrypts DEKs, and uses DEKs to perform cloud-based encryption and decryption.

Direct Encryption

Invokes an encryption or decryption API to encrypt or decrypt 4 KB of data.

Hardware Random Number

Generates true random numbers from a physical device.