If a dedicated Key Management Service (KMS) instance is in the Connected state, you can create a customer managed key (CMK) for the dedicated KMS instance to encrypt data, decrypt data, generate digital signatures, and verify digital signatures.


  1. Log on to the KMS Console.
  2. In the upper-left corner of the page, select the region where you want to purchase a dedicated KMS instance.
    For more information about the regions that support dedicated KMS, see Supported regions.
  3. In the left-side navigation pane, click Dedicated KMS.
  4. Find the dedicated KMS instance that you want to manage and click Manage in the Actions column.
  5. In the User master key section, click Create Key.
  6. In the Create Key dialog box, configure the following parameters.
    Parameter Description
    Key Spec The type of the CMK. Valid values:
    • Symmetric:
      • Aliyun_AES_256
      • Aliyun_AES_128
      • Aliyun_AES_192
    • Asymmetric:
      • RSA_2048
      • RSA_3072
      • RSA_4096
      • EC_P256
      • EC_P256K
      • HMAC_SHA256
      • HMAC_SHA512
    Purpose The usage of the CMK. Valid values:
    • Encrypt/Decrypt: encrypts or decrypts data.
    • Sign/Verify: generates or verifies a digital signature.
    Alias Name The identifier of the CMK. The identifier can contain letters, digits, and the following special characters: underscores (_), hyphens (-), and forward slashes (/).
    Description The description of the CMK.
  7. Click Advanced and configure the Key Material Source parameter.
    Note The Advanced option appears only when you set the Key Spec parameter to Aliyun_AES_128, Aliyun_AES_192, or Aliyun_AES_256.
    • Alibaba Cloud KMS: Dedicated KMS generates key material.
    • External: You must import key material from an external source. For more information, see Import key material.
      Note If you select External, you must also select I understand the implications of using the external key materials key.
  8. Click OK.