Tencent Cloud Key Management Service (KMS) is a security management solution that lets you to easily create and manage keys and protect their confidentiality, integrity, and availability, helping meet your key management and compliance needs in multi-application and multi-business scenarios.
KMS leverages a third-party certified hardware security module (HSM) to generate and protect keys, and utilizes secure data transfer protocols, distributed clustered service deployment and hot backup for guaranteed availability. The security and quality control practices adopted by KMS are accredited by multiple compliance schemes.
KMS can be called and integrated through APIs, SDKs, and Tencent Cloud products and services to achieve centralized management of keys from various applications, no matter whether they are in or outside of Tencent Cloud.
KMS can be seamlessly integrated with Tencent Cloud services such as COS, TencentDB for MySQL, and CBS, enabling you to manage their keys through KMS.
KMS is deployed in a distributed, clustered manner across data centers with cold and hot backup enabled, guaranteeing high availability around the clock.
KMS provides a wealth of management features, including key creation, enabling, disabling, rotation settings, alias settings, key details viewing, and related information modification, letting you create and protect keys and implement key management policies with ease.
KMS features a customer master key (CMK) rotation capability which is disabled by default and can be enabled as needed. If enabled, a CMK will be rotated once per year. Managed by the KMS system, key rotation is imperceptible to users. Existing ciphertexts encrypted by the CMK can still be decrypted, only new encryption tasks use the new CMK.
Fully integrated with CAM, KMS can control which accounts and roles can access or manage your sensitive keys through identity and policy management.
KMS is integrated with Tencent Cloud Audit to record all API requests for detailed logs of key management activities and key usage.
Sensitive information encryption is a core capability of KMS, mainly used to protect sensitive data (less than 4 KB) on the server disks such as keys, certificates and configuration files.
Envelope encryption is a high-performance encryption and decryption solution for massive amounts of data. With the aid of envelope encryption in KMS, only the data encryption keys (DEKs) need to be transferred to the KMS server (which are encrypted and decrypted with the CMK), and all data is processed with efficient local symmetric encryption which has little impact on user access.