Creates a customer master key (CMK).

You can use a CMK to encrypt small amounts of data (a maximum of 6 KB). Typically, you use CMKs to generate data keys that you can use to encrypt large amounts of data. For more information, see GenerateDataKey.

Request parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| Origin | String | No | The source of the key material for the CMK. Valid values: Aliyun_KMS and EXTERNAL. Note: Default value: Aliyun_KMS. The values are case sensitive. If you choose EXTERNAL, you need to import key material. |
| Description | String | No | The description of the CMK. Length constraints: Minimum length of 0 characters. Maximum length of 8192 characters. |
| KeyUsage | String | No | The intended use of the CMK. Default value: ENCRYPT/DECRYPT. |

Response parameters

| Name | Type | Description |
| --- | --- | --- |
| KeyMetadata | KeyMetadata | The metadata associated with the CMK. |


| Name | Type | Description |
| --- | --- | --- |
| CreationDate | Timestamp | The date and time (in UTC format) when the CMK is created. |
| Description | String | The description of the CMK. |
| KeyId | String | The globally unique identifier for the CMK. |
| KeyState | String | The state of the CMK. For more information, see Impact of CMK states on API call. |
| KeyUsage | String | The cryptographic operations for which you can use the CMK. Valid values: ENCRYPT/DECRYPT. |
| DeleteDate | Timestamp | The date and time after which KMS deletes the CMK. A null value indicates that the CMK is not to be deleted. This value is present only when KeyState is PendingDeletion. |
| Creator | String | The creator of the CMK. |
| Arn | String | The Alibaba Cloud Resource Name (ARN) of the CMK. |
| Origin | String | The source of the CMK’s key material. |
| MaterialExpireTime | String | The time at which the imported key material expires. If the value is null, the key does not expire. |
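
The parameter constraints and KeyMetadata semantics above, as an added example that is not part of the original reference or of any KMS SDK: it checks Origin and Description before a request is built, then reviews a returned KeyMetadata object. The function names, finding labels and sample response are constructed for illustration, and MaterialExpireTime is assumed to use the same timestamp format as CreationDate.

```python
import json
from datetime import datetime, timezone

VALID_ORIGINS = ("Aliyun_KMS", "EXTERNAL")  # case sensitive, per the table above
MAX_DESCRIPTION_LEN = 8192

def create_key_params(description="", origin="Aliyun_KMS"):
    """Validate the operation-specific parameters before they are signed and sent."""
    if origin not in VALID_ORIGINS:
        raise ValueError(f"Origin must be one of {VALID_ORIGINS}, got {origin!r}")
    if len(description) > MAX_DESCRIPTION_LEN:
        raise ValueError("Description exceeds 8192 characters")
    return {"Description": description, "Origin": origin}

def parse_ts(value):
    """Parse a timestamp such as 2016-03-25T10:42:40Z; '' or None means absent."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_key_metadata(response_text, requested_origin, now):
    """Return a list of findings (hypothetical labels) for a JSON response."""
    meta = json.loads(response_text)["KeyMetadata"]
    findings = []
    if meta.get("Origin") != requested_origin:
        findings.append("origin-mismatch")
    delete_date = parse_ts(meta.get("DeleteDate"))
    if meta.get("KeyState") == "PendingDeletion":
        findings.append("pending-deletion")
    elif delete_date is not None:
        # DeleteDate should be present only when KeyState is PendingDeletion.
        findings.append("delete-date-without-pending-deletion")
    expires = parse_ts(meta.get("MaterialExpireTime"))  # null: never expires
    if expires is not None and expires <= now:
        findings.append("key-material-expired")
    return findings

# Constructed sample response (placeholder values, not real service output).
SAMPLE = json.dumps({"KeyMetadata": {
    "CreationDate": "2016-03-25T10:42:40Z",
    "KeyId": "00000000-0000-0000-0000-000000000000",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT/DECRYPT",
    "DeleteDate": "",
    "Origin": "EXTERNAL",
    "MaterialExpireTime": "2016-04-01T00:00:00Z",
}, "RequestId": "constructed-request-id"})
NOW = datetime(2016, 5, 1, tzinfo=timezone.utc)
if __name__ == "__main__":
    print(review_key_metadata(SAMPLE, "EXTERNAL", NOW))
```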


Request example
&Description=<your key description>
&Origin=<key origin, default Aliyun_KMS>
&<Common request parameters>

Response example

JSON format

//json response
{
        "KeyMetadata": {
                "CreationDate": "2016-03-25T10:42:40Z",
                "Description": "key description example",
                "KeyId": "08c33a6f-4e0a-4a1b-a3fa-7ddfa1d4****",
                "KeyState": "Enabled",
                "KeyUsage": "ENCRYPT/DECRYPT",
                "DeleteDate": ""
        },
        "RequestId": "3455b9b4-95c1-419d-b310-db6a53b09a39"
}

XML format

//xml response
        <Description>key description example</Description>