Key Management Service (KMS) is a one-stop service platform for key management and data encryption. KMS provides simple, reliable, secure, and standard-compliant capabilities to encrypt and protect data. KMS greatly reduces your costs of purchase, operations and maintenance (O&M), and research and development (R&D) on cryptographic infrastructure and data encryption services. This helps you focus on the business development.
Benefits of KMS
KMS authenticates requests by using AccessKey pairs and is integrated with Resource Access Management (RAM), so you can configure custom policies for different authorization scenarios. KMS accepts only requests that come from valid users and pass RAM's attribute-based access control (ABAC). For more information, see Use RAM to authorize KMS resources.
KMS hides the details of the underlying cryptography behind API operations that let you encrypt and decrypt data directly. For applications that require a key hierarchy, KMS provides envelope encryption: it generates data keys (DKs) and uses customer master keys (CMKs) as key encryption keys (KEKs) to protect those DKs, so only the wrapped DK is stored alongside the data and the CMK never leaves KMS.
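The envelope pattern described above, written out as an added example that is not Alibaba Cloud's code: a random 256-bit DK encrypts the payload with AES-GCM, and the DK itself is wrapped under a KEK. Here a local 32-byte slice stands in for the CMK so the example runs offline; with the real service the DK/wrapped-DK pair would come from the KMS GenerateDataKey operation and the unwrap from its Decrypt operation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal encrypts under a fresh random nonce and prepends that nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// open reverses seal; a wrong key or a tampered blob fails GCM authentication.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(sealed) < n { return nil, errors.New("sealed blob too short") }
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// EnvelopeEncrypt: generate a one-time 256-bit data key (DK), encrypt the payload with
// it, wrap the DK under the key encryption key (KEK); the plaintext DK is discarded. In
// KMS this pair comes from GenerateDataKey with the CMK as KEK; here a local key stands in.
func EnvelopeEncrypt(kek, plaintext []byte) (ciphertext, wrappedDK []byte, err error) {
	dk := make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, dk); err != nil { return nil, nil, err }
	if ciphertext, err = seal(dk, plaintext); err != nil { return nil, nil, err }
	wrappedDK, err = seal(kek, dk)
	return ciphertext, wrappedDK, err
}

// EnvelopeDecrypt unwraps the DK with the KEK (the KMS Decrypt call) and decrypts
// the payload locally, so the KEK only ever touches the small wrapped DK.
func EnvelopeDecrypt(kek, ciphertext, wrappedDK []byte) ([]byte, error) {
	dk, err := open(kek, wrappedDK)
	if err != nil { return nil, err }
	return open(dk, ciphertext)
}
```

Because the payload is encrypted locally, only the 60-byte wrapped DK ever crosses to the KEK holder, which is what keeps the CMK call volume and payload size small regardless of how large the data is.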
As a fully managed distributed service, KMS builds multi-zone redundant cryptographic computing capabilities in each region. This ensures that Alibaba Cloud services and your custom applications can send requests to KMS with low latency. You can create many keys in KMS across multiple regions based on your business requirements without the need to scale the underlying infrastructure.
Fair enough. We live in a world with more and more data breaches, and you should not rely 100% on others if you do not feel that is acceptable for you. Another reason is that company policy or contracts with clients may require you to go one step further in protecting your data.
BYOK
This is the highest level of data ownership you can have, because the key is not generated in the cloud at all but on your own computer. If you choose "External" as the "Key Material Source", you will later need to upload the key material from your computer. Remember that you can import a 256-bit symmetric key only when "Aliyun_AES_256" or "Aliyun_SM4" is chosen for the "Key Spec" parameter.
In Summary
At the cloud product layer, data security is mainly embodied in the security features of the products themselves, such as end-to-end data encryption, backup, and verification. Among these, end-to-end data encryption is a best practice for protecting data. It provides encryption on transmission links (data in motion), compute nodes (data in use), and storage nodes (data at rest). For encryption on storage nodes, cloud services can be integrated with Alibaba Cloud's Key Management Service (KMS) to offer data-at-rest encryption with customer managed keys.