Key Management Service

The Key Management Service (KMS) is a secure and easy-to-use hosting service of encryption keys on the cloud. KMS uses hardware security modules (HSMs) to protect your keys and can be integrated with other services on HUAWEI CLOUD to protect your data in these services. You can also use KMS to develop your own encryption applications to do the complex key management so you can focus on your core businesses.



Major Issue

Low Cost

Solution: You don't need to buy expensive HSMs, neither do you need to allocate separate security zones for them. KMS is available in any time of need and charges by the actual amount of usage. Log in to the console and simply click Create, the secure and reliable KMS is instantly at your service.

Major Issue: HSMs are costly to purchase and deploy, and key management regulations require a lot of human resources to formulate and implement.

High Security, Superb Reliability

Solution: KMS uses industry-leading HSMs to ensure key security and a distributed architecture to enhance availability.

Major Issue: Enterprises tend to use earlier HSM models to save costs. These models rely on offline backup that has data reliability risks.

Easy to Use

Solution: Once keys are created by one click, encryption services are immediately available. Key deletion is scheduled to ensure secure deletion and avoid misdeletion-caused decryption issues. Keys are also disabled by one click to avoid data leakage in emergencies.

Major Issue: HSM management calls for professionals who must learn varying standards of different vendors, costing a lot of human resources, time, and capital. Moreover, securely deploying HSMs also requires capital and human resources.

Integrated with CTS

Solution: KMS is integrated with the Cloud Trace Service (CTS), which makes all key-related operations traceable.

Major Issue: Encrypt data stored in other services on HUAWEI CLOUD and control the keys used.

Internal Audit

Solution: KMS works with CTS to make all key-related operations traceable.

Major Issue: Audit operations on keys in KMS.




Root Key

Protected by HSMs and cannot be obtained by anyone directly or indirectly. Root Keys are used to encrypt and protect CMKs.


Encrypted by Root Keys and saved in HSMs. No one can obtain the plaintext of CMKs directly or indirectly. CMKs are used to encrypt and protect DEKs.


Encrypted by CMKs and saved by users. Only those having permissions on the CMKs can obtain the plaintext of DEKs. DEKs are used to encrypt and protect users’ data.


  • KMS allows users to manage their keys conveniently and use DEKs to encrypt data at any time to ensure the security of their data.
  • Data is encrypted using DEKs, DEKs are encrypted using CMKs, and CMKs are encrypted using root keys on HSMs. As root of the chain of trust, HSMs ensure that root keys are unobtainable by external users.
  • In addition, TLS1.2 encrypted channels are used for communication between HSMs and KMS as well as between KMS and users' businesses, ensuring the reliable extension of the chain of trust.

Application Scenarios

  • Encrypting and Decrypting Users' Data

  • Encrypting and Decrypting Core Service Data

  • Encrypting and Decrypting Critical Information Asset

Encrypting and Decrypting Users' Data

Application Scenarios

Online games, personal cloud services, location-based services, and mobile applications


  • Data leaks can occur if an enterprise uses general-purpose storage services to store private data of users, such as account configuration, photos, audio and video files, location information, and browse records. KMS offers a simple, easy-to-use encryption and decryption solution that safeguards users' personal data on HUAWEI CLOUD, keeping enterprises far away from drag risks.

Recommended configuration:


Encrypting and Decrypting Core Service Data

Application Scenarios

TV stations, new media services, publishing houses, and print media


  • Media enterprises' core competitiveness lies in massive original texts, pictures, and audio and video materials. KMS protects core service data of enterprises against leaks. It also provides a trustworthy encryption and decryption solution to help enterprises move businesses to cloud.

Recommended configuration:


Encrypting and Decrypting Critical Information Asset

Application Scenarios

Knowledge-intensive institutions and governments' public sectors


  • These institutions have important information assets, such as education, science and technology, culture, and healthcare information. With a high-security, low-cost encryption and decryption solution, KMS safeguards the key information assets.

Recommended configuration:


Function Description

Proactive Key Management

To ensure security of users' encrypted data, KMS does not save DEKs, plaintext or ciphertext. Instead, users manage their own CMKs to ensure secure obtainment and use of DEKs.

HSMs As Root of Trust

Key encryption and decryption are performed by HSMs. As the root of trust, HSMs ensure CMK security in KMS. Security of DEKs is ensured via CMKs. The whole process is a complete chain of trust.

Lightning Fast, On-demand, Pay-As-You-Go

Not needing to buy expensive HSMs, users are not worried about extra management costs caused by device idling. KMS is available immediately upon enabling and charged by actual amount of usage, thereby saving a lot of human resources and costs.