This topic provides answers to frequently asked questions about key management.
Questions
Can I delete a key from Key Management Service (KMS)?
Yes, you can delete keys from KMS. Note that only default or purchased customer master keys (CMKs) can be deleted. Key deletion is achieved by scheduling a deletion time (a pending period of 7 to 366 days). Before deleting a key, we recommend that you disable it and verify that no data still needs to be decrypted by using the key. Then, you can schedule the deletion.
During the scheduled deletion period, you cannot use the key. If you want to reuse the key, you can cancel the deletion before the scheduled deletion period ends. When the scheduled deletion period elapses, KMS deletes the key. You cannot restore the key after it is deleted. For instructions, see Schedule the deletion of a key.
What do I do if I cannot delete a key?
Key deletion is achieved by scheduling a deletion time. Only customer master keys (CMKs), whether default or custom-created, support scheduled deletion. If you cannot delete a key, check the following scenarios:
Scenario 1: The key is a service key
Reason: Service keys (alias/acs/<cloud product code>) are read-only and are managed by the associated Alibaba Cloud services.
Solution: No action is needed. Service keys are free. If you no longer require one, you can simply leave it in place.
Scenario 2: The key is a CMK
Reason 1: The key was created in the KMS 1.0 console and you are using the KMS 3.0 console
KMS 1.0 (shared edition) keys are read-only in the 3.0 console. They can be identified by their older creation timestamps. No actions, including deletion, can be performed on them there.
Solution: Switch to the KMS 1.0 console. Then delete the key in the 1.0 console.
On September 30, 2025, the KMS 1.0 console will enter the End of Service (EOS) phase. To ensure service continuity, migrate your KMS 1.0 resources to the KMS 3.0 console as soon as possible.
Reason 2: Deletion protection is enabled for the key
Solution: On the instance details page, disable Deletion Protection, then schedule the deletion again.
What do I do if I cannot manage CMKs in the KMS 3.0 console?
Issue description
You can only view details of a CMK. No actions, including deletion, can be performed.
Solution
These keys were created in the KMS 1.0 console. The KMS 3.0 console only provides read-only access to them. To manage these keys, switch to the KMS 1.0 console.
On September 30, 2025, the KMS 1.0 console will enter the End of Service (EOS) phase. To ensure service continuity, migrate your KMS 1.0 resources to the KMS 3.0 console as soon as possible.
After deleting a key, can the data encrypted by the key be decrypted?
No. After a key is deleted, all data encrypted with it, including data keys it generated, cannot be decrypted. This applies to both keys generated by KMS and those with imported key material.
For keys with imported key material, if you delete only the key material (without deleting the key itself), you can re-import the same material to reuse the key. Data encrypted with the original key can then still be decrypted.
How does KMS ensure the security of keys?
KMS uses reliable encryption algorithms to encrypt software-protected keys and then stores them in your exclusive key store.
KMS stores hardware-protected keys in your exclusive hardware security module (HSM) cluster. The HSM cluster implements cryptographic operations. In this case, you must purchase a hardware key management instance and configure an HSM cluster.
Can I import key material into a key?
Yes. When you create a key, you can use the key material that is generated by KMS or use external key material. If you use external key material to create a key, you must import the key material into the key. For more information, see Import symmetric key material and Import asymmetric key material.
What do I do if a key is unavailable or if Rejected.Unavailable is returned when I call a key-related API operation?
Reason: The KMS instance to which the key belongs has expired.
Solution: Renew the instance within 15 calendar days after expiration. Otherwise, the instance will be released. For more information, see Renewal policy. If you do not need the instance now but may require the keys or secrets in the instance later, back up the instance.