This topic describes how to use Key Management Service (KMS) to create and manage customer master keys (CMKs). CMKs are used to encrypt data.
Create a CMK
- Log on to the KMS console.
- In the upper-left corner of the Keys page, click Create Key.
- In the Create Key dialog box, set Alias Name and Description.
- Click Advanced and specify Key Material Source.
- Alibaba Cloud KMS: Use KMS to generate key material.
- External: Import key material from an external source. For more information about how to import
key material, see Import and delete key material.
Note If you select External, you must also select I understand the implications of using the external key materials key.
- Click OK.
Disable a CMK
After you create a CMK, it is in the Enabled state by default. You cannot use a disabled CMK to encrypt or decrypt data. Follow these steps to disable a CMK:
- On the Keys page, find the CMK that you want to disable.
- In the Actions column, click Disable.
- In the Disable Key message, click OK.
Schedule a key deletion task
After a CMK is deleted, it cannot be recovered, and the data and ciphertext data keys encrypted by using this CMK cannot be decrypted. Therefore, to prevent you from deleting CMKs by mistake, KMS only allows you to schedule key deletion tasks. You cannot immediately delete CMKs. Rather than deleting a CMK, we recommend that you disable the CMK.
- On the Keys page, find the CMK that you want to delete.
- In the Actions column, choose .
- In the Schedule Key Deletion dialog box, specify Delete In (7-30 days).
The value ranges from 7 to 30. Unit: days. Default value: 30.
- Click OK.
- A CMK in the Pending Deletion state cannot be used to encrypt data, decrypt data, or generate data keys.
- You can choose to cancel a scheduled key deletion task.