Key Management Service

A secure, easy-to-use key management service for encrypted data


Tencent Cloud Key Management Service (KMS) is a security management solution that lets you to easily create and manage keys and protect their confidentiality, integrity, and availability, helping meet your key management and compliance needs in multi-application and multi-business scenarios.


Security and Compliance

KMS leverages a third-party certified hardware security module (HSM) to generate and protect keys, and utilizes secure data transfer protocols, distributed clustered service deployment and hot backup for guaranteed availability. The security and quality control practices adopted by KMS are accredited by multiple compliance schemes.

Centralized Key Management

KMS can be called and integrated through APIs, SDKs, and Tencent Cloud products and services to achieve centralized management of keys from various applications, no matter whether they are in or outside of Tencent Cloud.

Seamless Integration with Tencent Cloud Services

KMS can be seamlessly integrated with Tencent Cloud services such as COS, TencentDB for MySQL, and CBS, enabling you to manage their keys through KMS.

Stability and Reliability

KMS is deployed in a distributed, clustered manner across data centers with cold and hot backup enabled, guaranteeing high availability around the clock.


Managed Key Services

KMS provides a wealth of management features, including key creation, enabling, disabling, rotation settings, alias settings, key details viewing, and related information modification, letting you create and protect keys and implement key management policies with ease.


Sensitive Data Encryption

Sensitive information encryption is a core capability of KMS, mainly used to protect sensitive data (less than 4 KB) on the server disks such as keys, certificates and configuration files.

Envelope Encryption

Envelope encryption is a high-performance encryption and decryption solution for massive amounts of data. With the aid of envelope encryption in KMS, only the data encryption keys (DEKs) need to be transferred to the KMS server (which are encrypted and decrypted with the CMK), and all data is processed with efficient local symmetric encryption which has little impact on user access.