Updated on 2025-09-15 GMT+08:00

Overview

KMS allows you to manage the lifecycle of keys and encrypt and decrypt data.

The core key components in KMS are customer master keys (CMKs) and data encryption keys (DEKs). A CMK is the user's top-level key: it encrypts and decrypts sensitive data directly and generates DEKs. A DEK is the second-level key in the envelope encryption process: it encrypts service data and is itself protected (wrapped) by a CMK, so the caller holds the plaintext DEK only while encrypting or decrypting, while the CMK never leaves KMS.
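The envelope flow described above, as an added example written for this page rather than code from KMS or its SDK. A locally generated AES-256 key stands in for the CMK (an assumption made so the example runs offline; in KMS the master key never leaves the service and the data-key operations are API calls), the DEK is wrapped under that key with AES-GCM, and only the wrapped DEK is stored next to the data ciphertext. The function names CreateDataKey, DecryptDataKey, EncryptEnvelope and DecryptEnvelope are this example's own:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// localCMK stands in for a KMS-managed AES_256 CMK (assumption for this example);
// in KMS the master key never leaves the service, only the DEKs cross the API.
type localCMK []byte

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-256-GCM and prepends the random 12-byte nonce.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails if the key, tag, or aad do not match.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// CreateDataKey models the KMS data-key call: a fresh plaintext DEK plus the
// same DEK wrapped under the CMK for storage.
func (c localCMK) CreateDataKey() (plainDEK, wrappedDEK []byte, err error) {
	if plainDEK, err = randomBytes(32); err != nil {
		return nil, nil, err
	}
	wrappedDEK, err = gcmSeal(c, plainDEK, []byte("DEK"))
	return plainDEK, wrappedDEK, err
}

// DecryptDataKey models the KMS call that unwraps a stored DEK.
func (c localCMK) DecryptDataKey(wrappedDEK []byte) ([]byte, error) {
	return gcmOpen(c, wrappedDEK, []byte("DEK"))
}

// EncryptEnvelope seals plaintext under a one-time DEK and returns the wrapped
// DEK and the ciphertext, which are stored together; the plaintext DEK is zeroised.
func EncryptEnvelope(cmk localCMK, plaintext []byte) (wrappedDEK, ciphertext []byte, err error) {
	dek, wrappedDEK, err := cmk.CreateDataKey()
	if err != nil {
		return nil, nil, err
	}
	ciphertext, err = gcmSeal(dek, plaintext, nil)
	for i := range dek {
		dek[i] = 0 // best-effort zeroisation of the plaintext DEK
	}
	return wrappedDEK, ciphertext, err
}

// DecryptEnvelope unwraps the DEK under the CMK, then decrypts the data.
func DecryptEnvelope(cmk localCMK, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := cmk.DecryptDataKey(wrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, ciphertext, nil)
}

func main() {
	cmk, _ := randomBytes(32) // demo-only stand-in for the KMS-held master key
	wrapped, ct, _ := EncryptEnvelope(localCMK(cmk), []byte("constructed sample record"))
	pt, err := DecryptEnvelope(localCMK(cmk), wrapped, ct)
	fmt.Printf("%q %v\n", pt, err)
}
```

The wrapped DEK carries its own GCM tag, so a DEK wrapped under one CMK cannot be unwrapped under another, and any modification of the data ciphertext is rejected rather than silently decrypted; both are the properties a practitioner should check for before trusting an envelope format.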

Key Types

KMS provides default keys, custom keys, and external keys to meet security and compliance requirements in different service scenarios. The following table lists the details.

Table 1 Key types

Default key
  • Scenario: Used by cloud services for server-side encryption. For details, see Cloud Services Integrated with KMS.
  • Function: Data encryption and decryption only.
  • Algorithm type: AES
  • Key specifications: AES_256
  • Description: Default keys are created and managed by KMS. The alias of a default key ends with /default.

Custom key
  • Scenario:
    - Created by users to build application-layer cryptographic solutions. For example, create an AES master key for custom data encryption and decryption, or an RSA or ECC master key for digital signature generation and verification.
    - Used by cloud services for server-side encryption. For details, see Cloud Services Integrated with KMS.
  • Function: Data encryption, decryption, and digital signature.
  • Algorithm type: AES, SHA (HMAC), RSA, ECC
  • Key specifications:
    - Symmetric keys: AES_256
    - Digest keys: HMAC_256, HMAC_384, and HMAC_512
    - Asymmetric keys: RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P384
    For details, see Key Algorithms and Specifications Supported by KMS.
  • Description: You create the key and manage its lifecycle on KMS, and KMS generates the key material.

External key
  • Scenario:
    - Created by users to build application-layer cryptographic solutions. For example, create an AES master key for custom data encryption and decryption.
    - Used by cloud services for server-side encryption. For details, see Cloud Services Integrated with KMS.
  • Function: Data encryption, decryption, and digital signature.
  • Algorithm type: AES, RSA, ECC
  • Key specifications:
    - Symmetric keys: AES_256
    - Asymmetric keys: RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P384
    For details, see Key Algorithms and Specifications Supported by KMS.
  • Description: You create the key and manage its lifecycle on KMS, but you must import the key material yourself.

Key Algorithms and Specifications Supported by KMS

Table 2 Key algorithms supported by KMS

Symmetric key
  • Algorithm type: AES
  • Key specifications: AES_256
  • Description: AES symmetric key
  • Scenario:
    - Data encryption and decryption
    - DEK encryption and decryption (envelope encryption)
    NOTE: You can encrypt and decrypt a small amount of data using the online tool on the console. To encrypt or decrypt a large amount of data, call the APIs.

Digest key
  • Algorithm type: SHA (HMAC)
  • Key specifications: HMAC_256, HMAC_384, HMAC_512
  • Description: Digest (HMAC) key
  • Scenario:
    - Data tampering prevention
    - Data integrity verification

Asymmetric key
  • Algorithm type: RSA
  • Key specifications: RSA_2048, RSA_3072, RSA_4096
  • Description: RSA asymmetric key
  • Scenario:
    - Digital signature and signature verification
    - Data encryption and decryption
    NOTE: Asymmetric keys are intended for signing and signature verification. Public-key encryption is slow and each operation can only encrypt a message shorter than the key modulus, so use symmetric keys to encrypt and decrypt data and reserve RSA encryption for small payloads such as a wrapped DEK.

Asymmetric key
  • Algorithm type: ECC
  • Key specifications: EC_P256, EC_P384
  • Description: Elliptic curves recommended by NIST
  • Scenario: Digital signature and signature verification
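The digest-key and asymmetric-key rows above, as an added example that is not code from KMS or its SDK. A local HMAC_256 key (stand-in for a KMS digest key, an assumption so the example runs offline) tags a record and verifies it in constant time, and a local EC_P256 key (stand-in for a KMS asymmetric key) signs and verifies the same record. In KMS the HMAC and private key material stays in the service and these operations are API calls; the function names MACTag, VerifyMAC, SignP256 and VerifyP256 are this example's own:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// MACTag computes an HMAC_256 tag over data. The key stands in for a KMS
// digest key whose material would stay inside KMS (assumption for this example).
func MACTag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// VerifyMAC recomputes the tag and compares it in constant time; a plain
// byte comparison would leak, through timing, how many leading tag bytes match.
func VerifyMAC(key, data, tag []byte) bool {
	return hmac.Equal(MACTag(key, data), tag)
}

// SignP256 hashes data with SHA-256 and signs the digest with ECDSA over P-256
// (EC_P256). The private key is a local stand-in for a KMS asymmetric key.
func SignP256(priv *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyP256 checks a signature from SignP256 using only the public key, which
// is what a relying party outside KMS would hold.
func VerifyP256(pub *ecdsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	record := []byte(`{"user":"alice","balance":100}`)  // constructed sample record
	tampered := []byte(`{"user":"alice","balance":900}`) // same record after modification

	hmacKey := make([]byte, 32)
	rand.Read(hmacKey)
	tag := MACTag(hmacKey, record)
	fmt.Println("HMAC valid on original:", VerifyMAC(hmacKey, record, tag))
	fmt.Println("HMAC valid on tampered:", VerifyMAC(hmacKey, tampered, tag))

	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ := SignP256(priv, record)
	fmt.Println("signature valid on original:", VerifyP256(&priv.PublicKey, record, sig))
	fmt.Println("signature valid on tampered:", VerifyP256(&priv.PublicKey, tampered, sig))
}
```

The two primitives differ in who can verify: an HMAC tag can only be checked by a party that holds the same secret key, which makes it suitable for integrity checks inside a trust boundary, while an ECDSA signature can be verified by anyone with the public key, which is what makes it a signature rather than a MAC.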

Table 3 lists the algorithms supported for wrapping (encrypting) key material before it is imported into an external key, so that the plaintext material is never exposed in transit.

Table 3 Key wrapping algorithms

RSAES_OAEP_SHA_256
  • Description: RSA with Optimal Asymmetric Encryption Padding (OAEP) and the SHA-256 hash function
  • Configuration: Select an algorithm based on what your HSM supports. If the HSM supports RSAES_OAEP_SHA_256, use it to encrypt the key material.

RSAES_OAEP_SHA_1
  • Description: RSA with OAEP and the SHA-1 hash function
  • Configuration: NOTICE: SHA-1 is deprecated, and RSAES_OAEP_SHA_1 is retained only for HSMs that cannot use SHA-256. Exercise caution when selecting it, and use RSAES_OAEP_SHA_256 wherever the HSM allows.
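The wrapping step of the import, as an added example that is not code from KMS, its SDK or any HSM vendor. A locally generated RSA_2048 key pair stands in for the wrapping key KMS issues for the import (an assumption so the example runs offline), the 32-byte AES_256 material is encrypted with RSA-OAEP, and the OAEP hash is chosen from the algorithm name in Table 3. The function names hashFor, MaxWrapSize, WrapKeyMaterial and UnwrapKeyMaterial are this example's own. It also shows why OAEP is a key-wrapping tool rather than a data-encryption tool: with RSA_2048 and SHA-256 the payload limit is 190 bytes.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
	"hash"
)

// hashFor maps a KMS wrapping-algorithm name to the OAEP hash. SHA-1 is
// accepted only so that legacy HSMs can still be supported; prefer SHA-256.
func hashFor(alg string) (hash.Hash, error) {
	switch alg {
	case "RSAES_OAEP_SHA_256":
		return sha256.New(), nil
	case "RSAES_OAEP_SHA_1":
		return sha1.New(), nil
	}
	return nil, fmt.Errorf("unsupported wrapping algorithm %q", alg)
}

// MaxWrapSize is the largest message RSA-OAEP can encrypt with this key and
// hash: k - 2*hLen - 2 bytes (RFC 8017). A 32-byte AES key fits; bulk data does not.
func MaxWrapSize(pub *rsa.PublicKey, alg string) (int, error) {
	h, err := hashFor(alg)
	if err != nil {
		return 0, err
	}
	return pub.Size() - 2*h.Size() - 2, nil
}

// WrapKeyMaterial encrypts 32-byte AES_256 key material under the wrapping
// public key KMS hands out for the import, so only KMS can recover it.
func WrapKeyMaterial(pub *rsa.PublicKey, material []byte, alg string) ([]byte, error) {
	if len(material) != 32 {
		return nil, errors.New("AES_256 key material must be exactly 32 bytes")
	}
	h, err := hashFor(alg)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(h, rand.Reader, pub, material, nil)
}

// UnwrapKeyMaterial is the KMS-side step, included only to show the blob
// round-trips; users never hold the wrapping private key.
func UnwrapKeyMaterial(priv *rsa.PrivateKey, wrapped []byte, alg string) ([]byte, error) {
	h, err := hashFor(alg)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(h, rand.Reader, priv, wrapped, nil)
}

func main() {
	// Stand-in for the RSA_2048 wrapping key pair KMS generates (assumption).
	kmsWrapKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	material := make([]byte, 32) // constructed key material; generate it in an HSM for real use
	rand.Read(material)
	wrapped, err := WrapKeyMaterial(&kmsWrapKey.PublicKey, material, "RSAES_OAEP_SHA_256")
	fmt.Println("wrapped bytes:", len(wrapped), err)
	n, _ := MaxWrapSize(&kmsWrapKey.PublicKey, "RSAES_OAEP_SHA_256")
	fmt.Println("max OAEP payload:", n) // 190 for RSA_2048 with SHA-256
	got, err := UnwrapKeyMaterial(kmsWrapKey, wrapped, "RSAES_OAEP_SHA_256")
	fmt.Println("round trip ok:", bytes.Equal(got, material), err)
}
```

The hash must match on both sides: material wrapped with RSAES_OAEP_SHA_256 will not unwrap under RSAES_OAEP_SHA_1, which is what you see if the algorithm chosen on the HSM differs from the one declared to KMS for the import.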

KMS-Created and Imported Key Materials

A key consists of key metadata (key ID, key name, description, key status, and creation date) and the key material used for the cryptographic operations.
  • When you create a custom key on the KMS console, KMS generates the key material for it.
  • To use your own key material, set Source to External when creating the key on KMS, then import the key material.

Table 4 Differences between imported key materials and key materials generated by KMS

KMS-generated key material
  • The key material cannot be manually deleted.
  • Only symmetric keys can be rotated.
  • You cannot set an expiration time for the key material.

User-imported key material
  • You can delete the key material, but not the custom key or its metadata.
  • Key rotation is not supported.
  • When importing the key material, you can set its expiration time. After the key material expires, KMS automatically deletes it within 24 hours but keeps the custom key and its metadata. Until the same material is imported again, nothing encrypted under that key can be decrypted.
    Keep a securely stored copy of the material, because it is needed for re-import if the material becomes invalid or is deleted by mistake.
    NOTE: Imported keys using the RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P384 algorithms are permanently valid. Their key material cannot be manually deleted, and no expiration time can be configured for it.