Key Management Service (KMS) allows you to create and manage CMKs and use CMKs to encrypt data.

Create a CMK

  1. Log on to the KMS console.
  2. Select a region. Click Create Key.
  3. Enter the description and click OK.
  4. Click Advanced. The Key Material Source parameter is displayed. Select from the following options:
    • Alibaba Cloud KMS: Key material is generated by KMS.
    • External: You can import key material. KMS does not generate anything.

      For more information, see Import key material.

    Note: After the CMK is created, you can click the ID of the CMK to view information such as the ID, creation time, status, and key material source.

Disable a CMK

By default, CMKs are enabled after they are created. When a CMK is disabled, it cannot be used to encrypt or decrypt data.

Locate the CMK that you want to disable and click Disable Key.
Note: If you want to enable the CMK again, click Enable Key.

Schedule key deletion

A deleted CMK cannot be restored, and the data keys generated from it and the data encrypted with it can no longer be decrypted. Because of these risks, a CMK cannot be deleted directly; you must schedule its deletion in advance.

  1. Locate the CMK for which you want to schedule deletion and click Schedule Key Deletion.
  2. Specify a value from 7 to 30 days for the Delete in parameter and click OK. The CMK enters the Pending Deletion state.
    Note:
    • A CMK in the Pending Deletion state cannot be used to encrypt or decrypt data or to generate data keys.
    • You can click Cancel Key Deletion to cancel key deletion.
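
The same lifecycle can be scripted instead of clicked through. The following is an added example, not part of the original page: it wraps the KMS API operations CreateKey, DisableKey, EnableKey, ScheduleKeyDeletion and CancelKeyDeletion behind the aliyun CLI and rejects a deletion window outside the 7 to 30 days stated above. It assumes the aliyun CLI is installed and configured; the function names, the DRY_RUN switch and the key ID in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example: CMK lifecycle through the aliyun CLI.
# DRY_RUN=1 (the default) prints each command instead of calling the API.

# Print or execute one KMS API call.
kms() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "aliyun kms $*"
  else
    aliyun kms "$@"
  fi
}

# create_cmk DESCRIPTION [ORIGIN]
# ORIGIN is the key material source: Aliyun_KMS (KMS generates the key
# material) or EXTERNAL (you import it; KMS generates nothing).
create_cmk() {
  case "${2:-Aliyun_KMS}" in
    Aliyun_KMS|EXTERNAL) ;;
    *) echo "origin must be Aliyun_KMS or EXTERNAL" >&2; return 2 ;;
  esac
  kms CreateKey --Description "$1" --Origin "${2:-Aliyun_KMS}"
}

# A disabled CMK cannot encrypt or decrypt until it is enabled again.
disable_cmk() { kms DisableKey --KeyId "$1"; }
enable_cmk()  { kms EnableKey --KeyId "$1"; }

# schedule_cmk_deletion KEY_ID DAYS
# Deletion is irreversible, so validate the waiting period before calling KMS.
schedule_cmk_deletion() {
  case "$2" in
    ''|*[!0-9]*) echo "days must be a whole number" >&2; return 2 ;;
  esac
  if [ "$2" -lt 7 ] || [ "$2" -gt 30 ]; then
    echo "deletion window must be 7-30 days, got $2" >&2
    return 2
  fi
  kms ScheduleKeyDeletion --KeyId "$1" --PendingWindowInDays "$2"
}

# Only possible while the CMK is still in the Pending Deletion state.
cancel_cmk_deletion() { kms CancelKeyDeletion --KeyId "$1"; }

# Usage (constructed key ID):
#   schedule_cmk_deletion key-constructed-0001 30
#   cancel_cmk_deletion   key-constructed-0001
```

Run with DRY_RUN=0 to execute the calls against the region configured in the CLI profile.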