
Introduction and Business Practice of Cloud KMS for Data Security at iQIYI

iQIYI’s security team created a Cloud KMS platform that, in line with China’s Data Security Law, provides HSM‑backed key lifecycle management, API‑driven encryption, high‑availability deployment and fine‑grained access control, enabling its membership services to meet compliance, cut development effort by ~80 %, halve operational workload and lower costs, while laying groundwork for future features such as traffic splitting and zero‑intrusion integration.

iQIYI Technical Product Team

With the rapid development of cloud computing, big data and AI, enterprises now hold massive amounts of core data that have become a critical production resource and a lifeline. Data security has consequently become the most prominent issue.

Against the backdrop of the national Data Security Law, iQIYI's security team launched the Cloud KMS (Key Management System) platform, built on standards such as GB/T 22239-2019 and the Cryptography Law, to address data-at-rest encryption and key management.

The platform provides a one‑stop solution for secure storage, management, and rotation of keys, leveraging HSM hardware and virtualization. Its core functions include:

Key lifecycle management (creation, rotation, deletion of Customer Master Keys – CMK).

Support for importing symmetric keys of 128‑bit and 256‑bit.

API‑driven data key creation, encryption, and decryption.

Two‑region three‑center deployment for high availability.

Access‑key (AK/SK) based authentication and fine‑grained permission control.

Typical usage scenarios are:

Envelope encryption: a master key creates a data key, which encrypts large objects (files, videos) locally.

Online encryption: the master key directly encrypts small data objects such as certificates.
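The two flows above, as an added example that is not code from the article or from iQIYI's Cloud KMS: a Go program using AES-GCM from the standard library, in which a raw CMK byte slice stands in for the HSM-held master key, EnvelopeEncrypt plays both the KMS side (wrapping a fresh data key under the CMK) and the client side (encrypting the object locally with that data key), and Seal/Open used directly under the CMK are the online-encryption case. The key ID bound as associated data and the function names are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmFor builds AES-GCM from a raw 128- or 256-bit key; a wrong length is a programming error, so it panics.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return gcm
}
// Seal returns nonce||ciphertext||tag; aad is authenticated but not encrypted.
func Seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // never fails: since Go 1.24 crypto/rand crashes instead of returning an error
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
// Open reverses Seal; any change to nonce, ciphertext, tag or aad makes it fail.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("sealed blob too short")
}

// EnvelopeEncrypt: the KMS side wraps a fresh 256-bit data key under the CMK (keyID as
// AAD ties the blob to that CMK, an assumption here); the client encrypts the object locally.
func EnvelopeEncrypt(cmk, keyID, object []byte) (wrappedKey, ciphertext []byte) {
	dk := make([]byte, 32)
	rand.Read(dk)
	return Seal(cmk, dk, keyID), Seal(dk, object, nil)
}
// EnvelopeDecrypt: the KMS unwraps the data key, then the client decrypts locally.
func EnvelopeDecrypt(cmk, keyID, wrappedKey, ciphertext []byte) ([]byte, error) {
	dk, err := Open(cmk, wrappedKey, keyID)
	if err != nil {
		return nil, err
	}
	return Open(dk, ciphertext, nil)
}
```

Because the wrapped data key is stored next to the ciphertext, reading the object later needs a single unwrap call to the KMS, while the master key itself never leaves the service.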

iQIYI's membership business, which handles sensitive data such as member keys and activation codes, adopted a wrapper (secondary encapsulation) around Cloud KMS. The wrapper adds caching, retry strategies and scheduled ciphertext updates, and provides SpringBoot, MyBatis and configuration-center starters for low-intrusion integration.

The processing flow includes permission verification (AK/SK), configuration parsing, custom logic handling, retry mechanisms, and cache updates. Business value achieved includes:

Ensuring all sensitive data encryption complies with security level protection requirements.

Improving ciphertext reusability across systems, reducing duplicate development by ~80%.

Standardizing sensitive data management, cutting operational workload by 50%.

Reducing integration frequency and system complexity, lowering operational costs by ~30%.

Future plans aim to expand the tool into a foundational component with features such as traffic splitting, disaster recovery, data backup, customizable encryption processes, support for additional algorithms, and zero‑intrusion integration via DDD templates.
