Getting Started with Key Management Service (KMS)

Key Management Service (KMS) is a one-stop service platform for key management and data encryption. KMS provides simple, reliable, secure, and standard-compliant capabilities to encrypt and protect data. KMS greatly reduces your costs of purchase, operations and maintenance (O&M), and research and development (R&D) on cryptographic infrastructure and data encryption services. This helps you focus on the business development.

Benefits of KMS

1.       Multi-service integration

KMS authenticates the validity of requests by using AccessKey pairs. KMS is integrated with Resource Access Management (RAM). This allows you to configure a variety of custom policies to meet requirements in different authorization scenarios. Requests that are initiated by valid users and pass attribute-based access control (ABAC) of RAM can be accepted by KMS. For more information, see Use RAM to authorize KMS resources.

2.       Ease of use

KMS simplifies abstract cryptographic concepts and provides cryptographic API operations that allow you to easily encrypt and decrypt data. For applications that require a key hierarchy, KMS provides convenient envelope encryption to quickly implement the key hierarchy: It generates data keys (DKs) and uses CMKs as key encryption keys (KEKs) to protect DKs.

3.       High reliability, availability, and scalability

As a fully managed distributed service, KMS builds multi-zone redundant cryptographic computing capabilities in each region. This ensures that Alibaba Cloud services and your custom applications can send requests to KMS with low latency. You can create many keys in KMS across multiple regions based on your business requirements without the need to scale the underlying infrastructure.

What If You Need/Want More Protection

Fair enough. We live in a world where there are more and more data breaches and you shouldn’t rely 100% on others if you don’t really feel is acceptable for you. Other reasons are that, by company policy or contracts with clients, you are required to go one step further in terms of protecting your data.

For those and even more reasons… Please welcome Alibaba Cloud KMS (Key Management Service). According to Wikipedia, key management “refers to management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys. It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols”.

Creating a key

This is the first obvious step to use the KMS functionality. Once in the KMS console, click “Create Key” and fill the details like “Key Spec”, “Alias Name”, “Protection Level”, “Rotation Period” and wether you are letting Alibaba generating the key or otherwise you will upload your own.

BYOK (Bring Your Own Key)

This would be the highest level of security in terms of data ownership you could have, as the key wasn’t even generated in the cloud but your computer instead. If you choose “External” as “Key Material Source”, you will need to upload later the key from your computer. Remember that you can import a 256-bit symmetric key only when “Aliyun_AES_256” or “Aliyun_SM4” are chosen in the “Key Spec” parameter.

In Summary

At the cloud product layer, data security is mainly embodied in products' security features, such as end-to-end data encryption, backup, and verification of cloud products. Among these, end-to-end data encryption is a best practice in the field of data encryption protection. End-to-end data encryption provides advanced data encryption capabilities on transmission links (i.e. data-in-motion), compute nodes (i.e. data-in-use), and storage nodes (i.e. data-at-rest). For encryption in storage nodes, cloud services can be integrated with Alibaba Cloud's Key Management Service (KMS) to offer data-at-rest encryption with Customer Managed Keys.