Secure Sensitive Configurations in MSE Nacos Using KMS Encryption
This guide explains how MSE Nacos integrates with Alibaba Cloud KMS to encrypt and protect sensitive configuration data, covering the security challenges, architecture, encryption/decryption workflows, recommended configuration items, step‑by‑step setup, and Java/Go SDK examples for cloud‑native applications.
Overview
MSE Nacos is a managed Nacos service on Alibaba Cloud that provides a configuration center for cloud‑native applications. To satisfy national Level‑3 information security requirements and prevent leakage of sensitive data such as passwords, tokens, and database credentials, MSE Nacos offers built‑in encryption using KMS.
Architecture
The solution integrates four components: MSE Console, Nacos Client (application side), KMS Service, and MSE Nacos. Sensitive configurations are encrypted on the client side, stored as ciphertext in Nacos, and never exposed in plaintext to the server.
Security Features
Data‑at‑rest encryption – ciphertext stored in Nacos.
Transport encryption – TLS can be enabled for data transmission.
Backup and recovery – encrypted configurations can be exported/imported.
Lifecycle management – create, modify, view, delete encrypted configs via console.
Fine‑grained access control – RAM policies per configuration.
Audit logging – records of configuration changes.
Encryption & Decryption Flow
User edits plaintext configuration in MSE Console or Nacos Client SDK.
The client requests KMS to encrypt the plaintext.
KMS returns ciphertext to the client.
The client stores the ciphertext in MSE Nacos.
When needed, the client requests decryption from KMS and receives the plaintext locally.
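The flow above modelled end to end, as an added Go example that is not code from the page, from MSE, or from the Nacos SDK. It assumes a stand-in KMS (a local AES-256-GCM key, kept in-process only so the demo runs offline; the real key never leaves Alibaba Cloud KMS) and a minimal client that encrypts any dataId carrying the cipher- prefix (the convention visible in the Java sample's cipher-kms-aes-256- dataId) before publishing and decrypts it on fetch, so the store only ever holds ciphertext; the type and function names are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// KMS stands in for the Aliyun_AES_256 key bound to the Nacos instance (ASSUMPTION: held locally only so the demo runs offline; the real key never leaves Alibaba Cloud KMS).
type KMS struct{ aead cipher.AEAD }
func NewKMS(key32 []byte) KMS {
	block, _ := aes.NewCipher(key32) // a 32-byte key selects AES-256
	aead, _ := cipher.NewGCM(block)
	return KMS{aead}
}
// Encrypt plays the KMS Encrypt call: base64(nonce || AES-256-GCM ciphertext).
func (k KMS) Encrypt(plain []byte) string {
	nonce := make([]byte, k.aead.NonceSize())
	rand.Read(nonce)
	return base64.StdEncoding.EncodeToString(k.aead.Seal(nonce, nonce, plain, nil))
}
// Decrypt plays the KMS Decrypt call; GCM authentication rejects tampered or foreign-key ciphertext.
func (k KMS) Decrypt(blob string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	n := k.aead.NonceSize()
	if err != nil || len(raw) < n {
		return nil, errors.New("malformed ciphertext")
	}
	return k.aead.Open(nil, raw[:n], raw[n:], nil)
}
// Client models the Nacos client: a cipher- dataId is encrypted before publish and decrypted after fetch, so Store (what MSE Nacos holds at rest) only ever receives ciphertext.
type Client struct{ KMS KMS; Store map[string]string }
func (c Client) PublishConfig(dataID, group, content string) {
	if strings.HasPrefix(dataID, "cipher-") {
		content = c.KMS.Encrypt([]byte(content))
	}
	c.Store[group+"/"+dataID] = content
}
func (c Client) GetConfig(dataID, group string) (string, error) {
	stored, ok := c.Store[group+"/"+dataID] // missing dataId yields "" like the SDK's null
	if ok && strings.HasPrefix(dataID, "cipher-") {
		plain, err := c.KMS.Decrypt(stored)
		return string(plain), err
	}
	return stored, nil
}
```

Inspecting Store after PublishConfig is the check to run: the cipher- entry must be unreadable, and a client bound to a different key must fail to decrypt it, which is exactly why the bound KMS key must stay enabled.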
Recommended Items for Encryption
Access keys (AK, SK)
Passwords, tokens, and other secrets
Database connection strings (RDS, etc.)
Step‑by‑Step Best Practice
Enable MSE service.
Create a Nacos engine instance in the MSE console.
Activate KMS service.
Create a dedicated KMS instance and generate a symmetric key (Aliyun_AES_256).
Enable configuration encryption in the Nacos instance and bind the KMS key.
Create and use encrypted configurations via the console or Nacos Client SDK.
Code Example (Java)
Maven dependencies:
<dependency>
<groupId>com.alibaba.nacos</groupId>
<artifactId>nacos-client</artifactId>
<version>1.4.3</version>
</dependency>
<dependency>
<groupId>com.alibaba.nacos</groupId>
<artifactId>nacos-client-mse-extension</artifactId>
<version>1.0.3</version>
</dependency>

Client code (the class name is chosen here for illustration; the placeholder values are those of the original sample and must be replaced with your own):
import java.util.Properties;
import com.alibaba.nacos.api.NacosFactory;
import com.alibaba.nacos.api.PropertyKeyConst;
import com.alibaba.nacos.api.config.ConfigService;

public class KmsConfigSample {
    public static void main(String[] args) {
        try {
            Properties p = new Properties();
            // MSE Nacos endpoint; authenticate with a RAM role rather than a hard-coded AccessKey
            p.put(PropertyKeyConst.SERVER_ADDR, "mse-xxxxxx-p.nacos-ans.mse.aliyuncs.com");
            p.put(PropertyKeyConst.RAM_ROLE_NAME, "${roleName}");
            p.put("regionId", "cn-hangzhou");
            // Dedicated KMS instance (KMS 3.0): region, VPC endpoint, key alias, and the instance client-key credential
            p.put("kms_region_id", "cn-hangzhou");
            p.put("kmsEndpoint", "kst-hzz6xxxr.cryptoservice.kms.aliyuncs.com");
            p.put("keyId", "alias/acs/mse");
            p.put("kmsVersion", "v3.0");
            p.put("kmsClientKeyContent", "clientKey_content");
            p.put("kmsPasswordKey", "10xxxd1d");
            ConfigService cs = NacosFactory.createConfigService(p);
            // The cipher-kms-aes-256- dataId prefix makes the extension encrypt the content via KMS before it is published
            cs.publishConfig("cipher-kms-aes-256-dataid", "group", "cipher-content");
            // getConfig fetches the ciphertext and decrypts it on the client; 6000 ms read timeout
            System.out.println(cs.getConfig("cipher-kms-aes-256-dataid", "group", 6000));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
Additional Notes
Ensure the KMS instance resides in the same VPC as the application.
Do not delete or disable the bound KMS key; otherwise existing encrypted configurations can no longer be decrypted and new ones cannot be encrypted.
Use RAM roles to avoid hard‑coding AccessKey credentials.
References
Nacos Documentation (https://nacos.io/zh-cn/docs/v2/what-is-nacos.html)
MSE Product Overview (https://help.aliyun.com/zh/mse/product-overview/what-is-mse)
KMS Purchase Guide (https://help.aliyun.com/zh/kms/getting-started/purchase-and-enable-a-kms-instance)
Java SDK Sample (https://github.com/nacos-group/nacos-client-mse-extension/blob/dev/src/main/java/com/alibaba/nacos/client/aliyun/sample/KmsV3Sample.java)
Go SDK Sample (https://github.com/nacos-group/nacos-sdk-go/blob/master/example/config-mse-kmsv3/main.go)
Alibaba Cloud Native