tencent cloud

Key Management Service

A secure, easy-to-use key management service for encrypted data


Tencent Cloud Key Management Service (KMS) is a security management solution that lets you to easily create and manage keys and protect their confidentiality, integrity, and availability, helping meet your key management and compliance needs in multi-application and multi-business scenarios.

Security and Compliance

KMS leverages a third-party certified hardware security module (HSM) to generate and protect keys, and utilizes secure data transfer protocols, distributed clustered service deployment and hot backup for guaranteed availability. The security and quality control practices adopted by KMS are accredited by multiple compliance schemes.

Rich function

The Key Management Service provides you with rich management features, including key creation, enabling, disabling, rotation settings, alias settings, viewing key details, and modifying related information.

Seamless Integration with Tencent Cloud Services

KMS can be seamlessly integrated with Tencent Cloud services such as COS, TencentDB for MySQL, and CBS, enabling you to manage their keys through KMS.

Easy Management

KMS console is integrated with CAM and Cloud Monitor, enabling you to create keys easily for access control. Management operations and keys usages are also logged.

Low Costs

Pay-as-you-go KMS can be deployed quickly at the click of a button. Tencent Cloud covers all backend maintenance, so you do not need to purchase any dedicated hardware encryption devices and can fully focus on business development.

Supports External Key Import

KMS allows you to use your own key to encrypt and decrypt sensitive data by implementing Bring Your Own Key (BYOK) solution.

Managed Key Services

KMS provides a wealth of management features, including key creation, enabling, disabling, rotation settings, alias settings, key details viewing, and related information modification, letting you create and protect keys and implement key management policies with ease.

Rich function

KMS features a customer master key (CMK) rotation capability which is disabled by default and can be enabled as needed. If enabled, a CMK will be rotated once per year. Managed by the KMS system, key rotation is imperceptible to users. Existing ciphertexts encrypted by the CMK can still be decrypted, only new encryption tasks use the new CMK.

Permission Control

Fully integrated with CAM, KMS can control which accounts and roles can access or manage your sensitive keys through identity and policy management.

Built-in Audit

KMS is integrated with Tencent Cloud Audit to record all API requests for detailed logs of key management activities and key usage.


Sensitive information encryption is a core capability of KMS, mainly used to protect sensitive data (less than 4 KB) on the server disks such as keys, certificates and configuration files.

Envelope encryption is a high-performance encryption and decryption solution for massive amounts of data. With the aid of envelope encryption in KMS, only the data encryption keys (DEKs) need to be transferred to the KMS server (which are encrypted and decrypted with the CMK), and all data is processed with efficient local symmetric encryption which has little impact on user access.

BYOK solution allows you to use your own key to encrypt and decrypt sensitive data on Tencent Cloud. When you implement a BYOK solution, you can generate a CMK with no key material. You can then import your own key to form an external CMK which can be managed and distributed with KMS.


KMS billing breaks down into costs of CMK storage and API calls, which is pay-as-you-go. The monthly bill will be generated and settled during the third to fifth day of the following month. Learn more.