Key Management Service

Terms

2024-12-18 08:52:26

•   Symmetric key encryption: also known as single-key encryption; the same key is used both to encrypt and to decrypt data.

•   Asymmetric key encryption: an asymmetric key pair consists of a public key and a private key that are cryptographically related. The public key can be shared freely, but the private key must be kept secret and used only by trusted parties. Asymmetric keys are used to create and verify digital signatures, or to encrypt sensitive information exchanged between systems with different trust levels.

•   Customer Master Key (CMK): a CMK can be symmetric or asymmetric and is used to encrypt a small amount of data or, more commonly, data encryption keys (DEKs). You can create a CMK in the KMS console or by calling the KMS API CreateKey. The key material of a CMK does not leave KMS; callers use the CMK by referencing its key ID.

•   Default CMK: when you enable the encryption feature of a cloud product, KMS automatically generates a service key for that product, which is then managed under your account.

•   Envelope encryption: an encryption method modelled on the digital envelope technique. The data is encrypted with a data key, and that data key is itself encrypted ("sealed in an envelope") under a CMK for storage, transmission and use. The CMK never encrypts the business data directly; it is only needed to wrap the data key after generation and to unwrap it before decryption. To encrypt business data, call the KMS GenerateDataKey or GenerateDataKeyWithoutPlaintext API to generate a symmetric data key that KMS returns already encrypted under the CMK you specify; encrypt the data locally with the plaintext data key, discard the plaintext key, and store the encrypted data key alongside the ciphertext.

•   Data Encryption Key (DEK): the key used to encrypt business data in envelope encryption; it is protected by encryption under a CMK.

•   Hardware Security Module (HSM): also called a cryptographic device; a hardware device that performs cryptographic operations and securely generates and stores keys. The cryptographic devices used by KMS meet the certification requirements of the relevant regulatory agencies and give the keys managed by KMS a higher level of security assurance.

•   Bring Your Own Key (BYOK): you import your own key material into a CMK instead of having KMS generate it. KMS generates no key material for such a CMK.

•   Application Access Point (AAP): KMS provides application access points for identity authentication and access control. A self-managed application in a VPC needs an AAP to establish a private network channel to KMS; before the application can access KMS, an access permission policy must be configured and identity credentials must be generated within the AAP.
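The envelope encryption and DEK entries above describe a procedure; the following Go program is an added example that is not part of this documentation and does not use the real KMS SDK. It stands in a LocalKMS type for the service (the names LocalKMS, CreateKey, GenerateDataKey and Decrypt, the AES-256-GCM wrapping format nonce||ciphertext, and the use of the key ID as associated data when wrapping the DEK are all assumptions of this example), and shows the two halves of the pattern: one KMS call to obtain a DEK that is already wrapped under the CMK, local encryption of the bulk data under that DEK, and on the way back a single unwrap call before local decryption. The plaintext DEK is zeroed as soon as it has been used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets persisted next to the data: the DEK sealed under the
// CMK plus the data ciphertext. The plaintext DEK is never stored.
type Envelope struct {
	KeyID      string // ID of the CMK that wrapped the DEK
	WrappedDEK []byte // DEK encrypted by the KMS (assumed format: nonce||ciphertext)
	Ciphertext []byte // data encrypted locally under the DEK (nonce||ciphertext)
}

// LocalKMS is an in-process stand-in for the KMS service so the example runs
// offline. In a real deployment the CMK material lives inside the HSM.
type LocalKMS struct{ cmks map[string][]byte }

func NewLocalKMS() *LocalKMS { return &LocalKMS{cmks: map[string][]byte{}} }

// CreateKey mirrors the CreateKey API: CMK material is created and kept here.
func (k *LocalKMS) CreateKey(keyID string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.cmks[keyID] = key
	return nil
}

// GenerateDataKey mirrors the GenerateDataKey API: it returns a fresh plaintext
// DEK (to be used once and discarded) and the same DEK wrapped under the CMK.
func (k *LocalKMS) GenerateDataKey(keyID string) (plainDEK, wrappedDEK []byte, err error) {
	cmk, ok := k.cmks[keyID]
	if !ok {
		return nil, nil, errors.New("no such CMK")
	}
	plainDEK = make([]byte, 32)
	if _, err = rand.Read(plainDEK); err != nil {
		return nil, nil, err
	}
	// Binding the key ID as associated data is an assumption of this example:
	// a wrapped DEK then cannot be replayed against a different CMK ID.
	wrappedDEK, err = aeadSeal(cmk, plainDEK, []byte(keyID))
	return plainDEK, wrappedDEK, err
}

// Decrypt mirrors the Decrypt API: it unwraps a DEK with the named CMK.
func (k *LocalKMS) Decrypt(keyID string, wrappedDEK []byte) ([]byte, error) {
	cmk, ok := k.cmks[keyID]
	if !ok {
		return nil, errors.New("no such CMK")
	}
	return aeadOpen(cmk, wrappedDEK, []byte(keyID))
}

// aeadSeal / aeadOpen: AES-256-GCM with a random nonce prefixed to the ciphertext.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EnvelopeEncrypt: one KMS round trip per object; the bulk data never leaves the caller.
func EnvelopeEncrypt(kms *LocalKMS, keyID string, data []byte) (*Envelope, error) {
	plainDEK, wrappedDEK, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	defer zero(plainDEK) // plaintext DEK is discarded after a single use
	ct, err := aeadSeal(plainDEK, data, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedDEK: wrappedDEK, Ciphertext: ct}, nil
}

// EnvelopeDecrypt: unwrap the DEK via the KMS, then decrypt locally.
func EnvelopeDecrypt(kms *LocalKMS, env *Envelope) ([]byte, error) {
	plainDEK, err := kms.Decrypt(env.KeyID, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	defer zero(plainDEK)
	return aeadOpen(plainDEK, env.Ciphertext, nil)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kms := NewLocalKMS()
	if err := kms.CreateKey("cmk-example"); err != nil {
		panic(err)
	}
	// Constructed sample record, not real customer data.
	env, err := EnvelopeEncrypt(kms, "cmk-example", []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	pt, err := EnvelopeDecrypt(kms, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d ciphertext bytes + %d wrapped-DEK bytes; decrypted: %s\n",
		len(env.Ciphertext), len(env.WrappedDEK), pt)
}
```

Because the wrapped DEK is authenticated, a bit flip in the stored envelope or an attempt to unwrap it under a different CMK ID fails at the Decrypt step rather than yielding garbage plaintext; with the real service the same failure surfaces as an error from the KMS Decrypt call, and the CMK's access policy (or the AAP policy for VPC clients) decides who may perform that unwrap at all.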


cIKKsSb.hYwe