Updated on 2025-09-16 GMT+08:00

Functions

KMS is a secure, reliable, and easy-to-use cloud service that helps users create, manage, and protect keys in a centralized manner.

It uses Hardware Security Modules (HSMs) to protect keys. All keys are protected by root keys held in the HSMs to prevent key leakage. The HSMs meet the FIPS 140-2 Level 3 security requirements.

It also controls access to keys and records every operation on a key in traceable logs. In addition, it provides usage records for all keys, meeting your audit and regulatory compliance requirements.

Functions

Table 1 KMS functions

| Function | Description |
|---|---|
| Key lifecycle management | Creating, viewing, enabling, and disabling custom keys, as well as scheduling and canceling custom key deletion; modifying the alias and description of custom keys. For details about the key management types and key algorithms supported by KMS, see Key Types. |
| Bring Your Own Key (BYOK) | Importing keys and deleting key materials |
| Small-size data encryption and decryption | Using the online tool to encrypt and decrypt small-size data |
| Signature and verification | Signing or verifying the signature of messages or message digests. NOTE: This function can be called only through an API. |
| Key tag | Adding, searching for, editing, and deleting tags |
| Key rotation | Enabling, modifying, and disabling key rotation |
| Key grant | Creating, canceling, and querying grants; retiring a grant. NOTE: This function can be called only through an API. |
| Cloud service encryption | Integrating with cloud services for encryption. For details, see Cloud Services with KMS Integrated. |
| DEK management | Creating, encrypting, and decrypting DEKs. NOTE: This function can be called only through an API. |
| Hardware true random number generation | Generating 512-bit true random numbers, which can be used as a basis for key materials or encryption parameters. NOTE: This function can be called only through an API. |
| Message authentication code | Generating and verifying message authentication codes. NOTE: This function can be called only through an API. |