Key Management Service

A secure, easy-to-use key management service for encrypted data


Tencent Cloud Key Management Service (KMS) is a security management solution that lets you to easily create and manage keys and protect their confidentiality, integrity, and availability, helping meet your key management and compliance needs in multi-application and multi-business scenarios.


Security and Compliance

KMS leverages a third-party certified hardware security module (HSM) to generate and protect keys, and utilizes secure data transfer protocols, distributed clustered service deployment and hot backup for guaranteed availability. The security and quality control practices adopted by KMS are accredited by multiple compliance schemes.

Rich function

The Key Management Service provides you with rich management features, including key creation, enabling, disabling, rotation settings, alias settings, viewing key details, and modifying related information.

Seamless Integration with Tencent Cloud Services

KMS can be seamlessly integrated with Tencent Cloud services such as COS, TencentDB for MySQL, and CBS, enabling you to manage their keys through KMS.

Centralized Key Management

KMS can be called and integrated through APIs, SDKs, and Tencent Cloud products and services to achieve centralized management of keys from various applications, no matter whether they are on or off Tencent Cloud.

Easy Management

KMS console is integrated with CAM and Cloud Monitor, enabling you to create keys easily for access control. Management operations and keys usages are also logged.

Low Costs

Pay-as-you-go KMS can be deployed quickly at the click of a button. Tencent Cloud covers all backend maintenance, so you do not need to purchase any dedicated hardware encryption devices and can fully focus on business development.


Managed Key Services

KMS provides a wealth of management features, including key creation, enabling, disabling, rotation settings, alias settings, key details viewing, and related information modification, letting you create and protect keys and implement key management policies with ease.


Sensitive Data Encryption

Sensitive information encryption is a core capability of KMS, mainly used to protect sensitive data (less than 4 KB) on the server disks such as keys, certificates and configuration files.

Envelope Encryption

Envelope encryption is a high-performance encryption and decryption solution for massive amounts of data. With the aid of envelope encryption in KMS, only the data encryption keys (DEKs) need to be transferred to the KMS server (which are encrypted and decrypted with the CMK), and all data is processed with efficient local symmetric encryption which has little impact on user access.