KMS provides key lifecycle management and secure storage capabilities. This topic describes how to create keys, disable keys, enable deletion protection, schedule key deletion, and set tags for keys.
Enable the default key
The default keys include one default customer master key (CMK) and service keys. You can only manage the default CMK. It is provided by KMS free of charge for each Alibaba Cloud account in each region. To use this key, simply enable it. The service key is managed by the associated service, and you cannot create, modify, or delete one through KMS.
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
On the Keys page, click the Default Keys tab.
Click Enable in the Actions column, and click OK in the confirmation dialog.
Parameter
Description
Key Alias
The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).
Description
The description of the key.
Advanced Settings
Key Material Origin
Key Management Service: The key material is generated by KMS.
External (Import Key Material): KMS does not generate the key material. You need to import the key material yourself. For more information, see Import symmetric key material.
Note: Please read carefully and select I understand the implications of using the external key materials.
Create keys
Software keys
Before you create a software key, make sure that you have purchased and enabled a KMS instance. For more information, see Purchase and enable a KMS instance.
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
On the Keys page, click the Customer Master Keys tab, select a software key management instance from the Instance ID drop-down list, and then click Create Key.
In the Create Key panel, configure the parameters and click OK.
Parameter
Description
Key Type
Select whether the key is a symmetric key or an asymmetric key.
Important: If you create a key to encrypt credential values, select a symmetric key.
Key Specifications
The specification of the key. For more information about the standards that key specifications follow and key algorithms, see Key specifications for symmetric and asymmetric encryption.
Symmetric key specification: Aliyun_AES_256
Asymmetric key specifications: RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P256K
Key Usage
The purpose of the key. Valid values:
ENCRYPT/DECRYPT: encrypts and decrypts data.
SIGN/VERIFY: generates and verifies digital signatures.
Key Alias
The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).
Tag Key, Tag Value
The tags of the key. Tags help you classify and manage keys. Each tag consists of a key-value pair (Key:Value), which includes a tag key and a tag value.
Note: A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), at signs (@), and spaces.
A tag key cannot start with aliyun or acs:. You can configure up to 20 key-value pairs for each key.
Automatic Rotation
Only symmetric keys support automatic rotation. This switch is enabled by default. For more information, see Key rotation.
Rotation Period
You can set the rotation period to a value from 7 to 365 days.
Description
The description of the key.
Advanced Settings
Policy Settings
Default Policy: If the key is used by the current Alibaba Cloud account or an Alibaba Cloud account in the resource share, select the default policy.
Instance not shared with other accounts: Only the current Alibaba Cloud account can manage and use the key.
Instance shared with other accounts: For example, if Alibaba Cloud account 1 shares KMS instance A with Alibaba Cloud account 2:
Keys created by Alibaba Cloud account 1: Only Alibaba Cloud account 1 can manage and use the keys.
Keys created by Alibaba Cloud account 2: Both Alibaba Cloud account 1 and Alibaba Cloud account 2 can manage and use the keys.
Custom Policy: If the key needs to be authorized to RAM users, RAM roles, or other accounts, select a custom policy.
Important: Selecting administrators and users does not consume the Access Management Quantity quota. Selecting users from other accounts consumes the Access Management Quantity quota of the KMS instance. The quota is calculated based on the number of Alibaba Cloud accounts. If you cancel the authorization, wait about 5 minutes and then check the quota; the quota is returned.
Administrator: Can perform management operations on the key but cannot perform cryptographic operations. You can select RAM users and RAM roles under the current Alibaba Cloud account.
User: Can only use the key for cryptographic operations. You can select RAM users and RAM roles under the current Alibaba Cloud account.
Users from other accounts: Can use the key for encryption and decryption. These can be RAM users or RAM roles from other Alibaba Cloud accounts.
RAM user: The format is acs:ram::<userId>:user/<ramuser>, for example, acs:ram::119285303511****:user/testpolicyuser.
RAM role: The format is acs:ram::<userId>:role/<ramrole>, for example, acs:ram::119285303511****:role/testpolicyrole.
Note: After you authorize RAM users or RAM roles in the key policy, you must still use the Alibaba Cloud account that owns the RAM user or RAM role to grant them permission to use the key in Resource Access Management (RAM). Only then can the RAM user or RAM role use the key.
For more information, see Custom policies for Key Management Service, Grant permissions to a RAM user, and Grant permissions to a RAM role.
Key Material Origin
Key Management Service: The key material is generated by KMS.
External (Import Key Material): KMS does not generate the key material. You need to import the key material yourself. For more information, see Import symmetric key material and Import asymmetric key material.
Note: Please read carefully and select I understand the implications of using the external key materials.
Hardware keys
Before you create a hardware key, make sure that you have purchased and enabled a KMS instance. For more information, see Purchase and enable a KMS instance.
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
On the Keys page, click the Customer Master Keys tab, select a hardware key management instance from the Instance ID drop-down list, and then click Create Key.
In the Create Key panel, configure the parameters and click OK.
Parameter
Description
Key Type
Select whether the key is a symmetric key or an asymmetric key.
Important: If you create a key to encrypt credential values, select a symmetric key.
Key Specifications
The specification of the key. For more information about the standards that key specifications follow and key algorithms, see Key specifications for symmetric and asymmetric encryption.
Symmetric key specifications: Aliyun_AES_256, Aliyun_AES_192, and Aliyun_AES_128
Asymmetric key specifications: RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P256K
Key Usage
The purpose of the key. Valid values:
ENCRYPT/DECRYPT: encrypts and decrypts data.
SIGN/VERIFY: generates and verifies digital signatures.
Key Alias
The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).
Tag Key, Tag Value
The tags of the key. Tags help you classify and manage keys. Each tag consists of a key-value pair (Key:Value), which includes a tag key and a tag value.
Note: A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), at signs (@), and spaces.
A tag key cannot start with aliyun or acs:. You can configure up to 20 key-value pairs for each key.
Description
The description of the key.
Default Policy: If the key is used by the current Alibaba Cloud account or an Alibaba Cloud account in the resource share, select the default policy.
Instance not shared with other accounts: Only the current Alibaba Cloud account can manage and use the key.
Instance shared with other accounts: For example, if Alibaba Cloud account 1 shares KMS instance A with Alibaba Cloud account 2:
Keys created by Alibaba Cloud account 1: Only Alibaba Cloud account 1 can manage and use the keys.
Keys created by Alibaba Cloud account 2: Both Alibaba Cloud account 1 and Alibaba Cloud account 2 can manage and use the keys.
Custom Policy: If the key needs to be authorized to RAM users, RAM roles, or other accounts, select a custom policy.
Important: Selecting administrators and users does not consume the Access Management Quantity quota. Selecting users from other accounts consumes the Access Management Quantity quota of the KMS instance. The quota is calculated based on the number of Alibaba Cloud accounts. If you cancel the authorization, wait about 5 minutes and then check the quota; the quota is returned.
Administrator: Can perform management operations on the key but cannot perform cryptographic operations. You can select RAM users and RAM roles under the current Alibaba Cloud account.
User: Can only use the key for cryptographic operations. You can select RAM users and RAM roles under the current Alibaba Cloud account.
Users from other accounts: Can use the key for encryption and decryption. These can be RAM users or RAM roles from other Alibaba Cloud accounts.
RAM user: The format is acs:ram::<userId>:user/<ramuser>, for example, acs:ram::119285303511****:user/testpolicyuser.
RAM role: The format is acs:ram::<userId>:role/<ramrole>, for example, acs:ram::119285303511****:role/testpolicyrole.
Note: After you authorize RAM users or RAM roles in the key policy, you must still use the Alibaba Cloud account that owns the RAM user or RAM role to grant them permission to use the key in Resource Access Management (RAM). Only then can the RAM user or RAM role use the key.
For more information, see Custom policies for Key Management Service, Grant permissions to a RAM user, and Grant permissions to a RAM role.
Key Material Origin
Key Management Service: The key material is generated by KMS.
External (Import Key Material): KMS does not generate the key material. You need to import the key material yourself. For more information, see Import symmetric key material and Import asymmetric key material.
Note: Please read carefully and select I understand the implications of using the external key materials.
External keys
Make sure that you have purchased and enabled a KMS external key management instance. For more information, see Purchase and enable a KMS instance.
Create a key in the key management facility through the XKI Proxy service in advance and record the key ID. For more information, see the documentation of the key management facility.
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
On the Keys page, click the Customer Master Keys tab, select an external key management instance from the Instance ID drop-down list, and then click Create Key.
In the Create Key panel, configure the parameters and click OK.
Parameter
Description
External Key ID
The ID of the key generated through the XKI management service.
Note: You can use the same external key ID to create one or more KMS keys.
Key Specifications
The specification of the key. Valid value: Aliyun_AES_256. For more information about the standards that key specifications follow and key algorithms, see Key specifications for symmetric and asymmetric encryption.
Key Usage
The purpose of the key.
ENCRYPT/DECRYPT: encrypts and decrypts data.
Key Alias
The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).
Tag Key, Tag Value
The tags of the key. Tags help you classify and manage keys. Each tag consists of a key-value pair (Key:Value), which includes a tag key and a tag value.
Note: A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), at signs (@), and spaces.
A tag key cannot start with aliyun or acs:. You can configure up to 20 key-value pairs for each key.
Description
The description of the key.
Advanced Settings
Default Policy: If the key is used by the current Alibaba Cloud account or an Alibaba Cloud account in the resource share, select the default policy.
Instance not shared with other accounts: Only the current Alibaba Cloud account can manage and use the key.
Instance shared with other accounts: For example, if Alibaba Cloud account 1 shares KMS instance A with Alibaba Cloud account 2:
Keys created by Alibaba Cloud account 1: Only Alibaba Cloud account 1 can manage and use the keys.
Keys created by Alibaba Cloud account 2: Both Alibaba Cloud account 1 and Alibaba Cloud account 2 can manage and use the keys.
Custom Policy: If the key needs to be authorized to RAM users, RAM roles, or other accounts, select a custom policy.
Important: Selecting administrators and users does not consume the Access Management Quantity quota. Selecting users from other accounts consumes the Access Management Quantity quota of the KMS instance. The quota is calculated based on the number of Alibaba Cloud accounts. If you cancel the authorization, wait about 5 minutes and then check the quota; the quota is returned.
Administrator: Can perform management operations on the key but cannot perform cryptographic operations. You can select RAM users and RAM roles under the current Alibaba Cloud account.
User: Can only use the key for cryptographic operations. You can select RAM users and RAM roles under the current Alibaba Cloud account.
Users from other accounts: Can use the key for encryption and decryption. These can be RAM users or RAM roles from other Alibaba Cloud accounts.
RAM user: The format is acs:ram::<userId>:user/<ramuser>, for example, acs:ram::119285303511****:user/testpolicyuser.
RAM role: The format is acs:ram::<userId>:role/<ramrole>, for example, acs:ram::119285303511****:role/testpolicyrole.
Note: After you authorize RAM users or RAM roles in the key policy, you must still use the Alibaba Cloud account that owns the RAM user or RAM role to grant them permission to use the key in Resource Access Management (RAM). Only then can the RAM user or RAM role use the key.
For more information, see Custom policies for Key Management Service, Grant permissions to a RAM user, and Grant permissions to a RAM role.
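The alias, tag, and custom-policy principal formats described in the Create Key tables for software, hardware, and external keys can be checked before a key is created, and the principals in a custom policy can be scanned for accounts other than the instance owner (each of which consumes the Access Management Quantity quota). The following is an added example, not Alibaba Cloud's own code; the account IDs are constructed samples, and it assumes an account ID is purely numeric and that the reserved tag prefixes are compared case-insensitively.

```python
"""Validators for the key alias, tag and custom-policy principal formats that the
Create Key panel accepts.  Added illustration, not Alibaba Cloud's own code.
Account IDs used below are constructed samples; treating an account ID as a run
of digits and comparing reserved tag prefixes case-insensitively are assumptions."""
import re
from typing import Dict, Iterable, List, Set

# Alias: letters, digits, underscores, hyphens and forward slashes.
ALIAS_RE = re.compile(r"^[A-Za-z0-9_\-/]+$")
# Tag key or value: letters, digits, / \ _ - . + = : @ and spaces, up to 128 chars.
TAG_RE = re.compile(r"^[A-Za-z0-9/\\_\-.+=:@ ]{1,128}$")
RESERVED_TAG_PREFIXES = ("aliyun", "acs:")
MAX_TAGS = 20
# acs:ram::<userId>:user/<ramuser>  or  acs:ram::<userId>:role/<ramrole>
PRINCIPAL_RE = re.compile(r"^acs:ram::(?P<account>\d+):(?P<kind>user|role)/(?P<name>[^/]+)$")


def validate_alias(alias: str) -> bool:
    """True if the alias only uses the characters the page allows."""
    return bool(ALIAS_RE.match(alias))


def validate_tags(tags: Dict[str, str]) -> List[str]:
    """Return the list of problems found; an empty list means the tag set is acceptable."""
    problems = []
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceed the limit of {MAX_TAGS} per key")
    for key, value in tags.items():
        if not TAG_RE.match(key):
            problems.append(f"tag key {key!r}: bad length or character")
        if key.lower().startswith(RESERVED_TAG_PREFIXES):
            problems.append(f"tag key {key!r}: starts with a reserved prefix")
        if not TAG_RE.match(value):
            problems.append(f"tag value {value!r}: bad length or character")
    return problems


def parse_principal(arn: str) -> Dict[str, str]:
    """Split a RAM user/role principal into account, kind and name; ValueError if malformed."""
    match = PRINCIPAL_RE.match(arn)
    if not match:
        raise ValueError(f"not a RAM user or role principal: {arn!r}")
    return match.groupdict()


def foreign_accounts(principals: Iterable[str], own_account: str) -> Set[str]:
    """Accounts other than the instance owner that the policy grants access to.
    Each distinct one consumes the instance's Access Management Quantity quota."""
    return {parse_principal(p)["account"] for p in principals} - {own_account}


if __name__ == "__main__":
    # Constructed sample policy: one local user, one local role, one user from another account.
    sample = [
        "acs:ram::1234567890123456:user/testpolicyuser",
        "acs:ram::1234567890123456:role/testpolicyrole",
        "acs:ram::6543210987654321:user/partner-app",
    ]
    print(validate_tags({"env": "prod", "aliyun:owner": "sec"}))
    print(foreign_accounts(sample, "1234567890123456"))
```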
Disable keys
If you no longer need to use a key, we recommend that you first disable the key. After you confirm that the key is no longer needed, you can delete it. After a key is disabled, it cannot be used for cryptographic operations.
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
On the Keys page, click the Customer Master Keys or Default Keys tab, find the key that you want to disable, and click Disable in the Actions column.
In the Disable Key dialog box, select and confirm the items. Then click Disable.
You can click Key Association to check whether the key is used for server-side encryption by cloud services. For more information, see Key association detection.
After the key is disabled, its status changes from Enabling to Disabled. You can also click Enable to enable the key again.
Enable deletion protection
After you enable deletion protection for a key, you cannot delete the key using the console or API operations. This prevents accidental deletion of the key. If you confirm that you need to delete the key, you must first disable deletion protection.
You cannot enable deletion protection for keys in the Pending Deletion state.
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
On the Keys page, click the Customer Master Keys or Default Keys tab, find the key for which you want to enable deletion protection, and click Details in the Actions column.
On the key details page, turn on the Deletion Protection switch.
In the Enable dialog box, confirm the information and click Enable.
Schedule key deletion
KMS does not support direct deletion of keys. It only supports scheduled key deletion, which means that you can set a waiting period after which the key is deleted. Before you schedule key deletion, make sure that deletion protection is disabled for the key.
If you no longer use a key, we recommend that you first disable the key. After you confirm that the key does not affect your business, you can schedule the key for deletion.
The system deletes the key after the waiting period. The content encrypted using the key and the data keys generated using the key cannot be decrypted after the key is deleted. Before you delete a key, make sure that the key is no longer in use. Otherwise, your business may be affected.
Service keys cannot be deleted. Service keys are managed by cloud services. If you no longer use a service key, you do not need to perform any operations. You can retain the service key because it does not incur any fees.
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
On the Customer Master Keys or Default Keys tab, find the target key, click the icon in the Actions column, and then click Schedule Deletion.
In the Schedule Deletion dialog box, confirm the information and click OK.
You can click Key Association to check whether the key is used for server-side encryption by cloud services. For more information, see Key association detection.
After you set the waiting period, the status of the key changes from Enabling to Pending Deletion. Keys in the Pending Deletion state cannot be used for encryption, decryption, or data key generation. Before the waiting period ends, you can click Cancel Deletion.
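The rules in the Disable keys, Enable deletion protection, and Schedule key deletion sections above can be captured as a small state model, for example to check an automation job before it touches a key. The following is an added example, not Alibaba Cloud's own code; the day counter, the state names, and Cancel Deletion restoring the previous state are assumptions, and the page does not state the allowed range of the waiting period.

```python
"""Model of the key lifecycle rules this page describes for disabling a key, enabling
deletion protection and scheduling deletion.  Added illustration, not Alibaba Cloud's
own code.  The day counter, the state names and Cancel Deletion restoring the
previous state are assumptions; the page does not give the waiting period's range."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class KeyState(Enum):
    ENABLED = "Enabled"
    DISABLED = "Disabled"
    PENDING_DELETION = "Pending Deletion"

class KeyLifecycleError(Exception):
    """An operation the console would refuse in the key's current state."""

@dataclass
class KmsKey:
    key_id: str
    service_key: bool = False            # managed by a cloud service; can never be deleted
    state: KeyState = KeyState.ENABLED
    deletion_protection: bool = False
    delete_on_day: Optional[int] = None  # day on which the waiting period ends
    previous_state: KeyState = KeyState.ENABLED

    def usable_for_crypto(self) -> bool:
        # Disabled and Pending Deletion keys cannot encrypt, decrypt or generate data keys.
        return self.state is KeyState.ENABLED

    def set_enabled(self, on: bool) -> None:
        # A key pending deletion must have the deletion cancelled before it can be toggled.
        if self.state is KeyState.PENDING_DELETION:
            raise KeyLifecycleError("key is pending deletion")
        self.state = KeyState.ENABLED if on else KeyState.DISABLED

    def set_deletion_protection(self, on: bool) -> None:
        # Protection cannot be turned on for a key that is already pending deletion.
        if on and self.state is KeyState.PENDING_DELETION:
            raise KeyLifecycleError("key is pending deletion")
        self.deletion_protection = on

    def schedule_deletion(self, today: int, waiting_days: int) -> None:
        if self.service_key:
            raise KeyLifecycleError("service keys cannot be deleted")
        if self.deletion_protection:
            raise KeyLifecycleError("disable deletion protection first")
        if self.state is KeyState.PENDING_DELETION:
            raise KeyLifecycleError("deletion is already scheduled")
        if waiting_days <= 0:
            raise ValueError("waiting period must be at least one day")
        self.previous_state = self.state
        self.state = KeyState.PENDING_DELETION
        self.delete_on_day = today + waiting_days

    def is_deleted(self, today: int) -> bool:
        return self.delete_on_day is not None and today >= self.delete_on_day

    def cancel_deletion(self, today: int) -> None:
        # Allowed only while the waiting period is still running.
        if self.state is not KeyState.PENDING_DELETION:
            raise KeyLifecycleError("no deletion scheduled")
        if self.is_deleted(today):
            raise KeyLifecycleError("waiting period has ended; the key is deleted")
        self.state, self.delete_on_day = self.previous_state, None

def allowed(operation: Callable, *args) -> bool:
    # True if the operation succeeds, False if the lifecycle rules reject it.
    try:
        operation(*args)
        return True
    except KeyLifecycleError:
        return False
```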
Download the public key of an asymmetric key
After you create an asymmetric key, you can download the public key in the key pair. You cannot download the private key.
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
On the Customer Master Keys or Default Keys tab, find the key for which you want to download the public key, and click Details in the Actions column.
On the Key Version tab at the bottom of the page, click View Public Key in the Actions column.
In the View Public Key dialog box, click Download.
Generate and download a CSR file
KMS supports generating a Certificate Signing Request (CSR) file for asymmetric customer master keys. After a certificate applicant submits a CSR to a certification authority, the certification authority uses its CA private key to issue a digital certificate to the user. The issued digital certificate can be used for secure email, secure endpoint protection, code signing protection, trusted website services, identity authorization management, and more.
For information about how to create a certificate using a CSR, see Create a certificate in Certificate Management Service (Original SSL Certificate).
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
On the Customer Master Keys tab, find the key for which you want to generate a CSR, and click Details in the Actions column.
On the Key Version tab at the bottom of the page, click Generate CSR in the Actions column, configure the parameters, and then click OK.
Parameter
Description
Common Name (CN)
The subject to which the certificate is bound, such as a domain name, service name, or device name.
Organization Unit
The legal name of the organization, which is used for certificate ownership verification.
The name must exactly match the name on the business license, including punctuation marks and capitalization.
If the organization name contains special characters such as & or -, keep them as they are.
Organizational Unit Name (OU)
The specific department or team within the organization.
State or Province (S)
The name of the province, municipality, or autonomous region where the organization is located. You can use Chinese or English characters. You do not need to add "Province" or "省".
Locality Name (L)
The name of the city where the organization is located. You can use Chinese or English characters. You do not need to add "City" or "市".
Country or Region (C)
The country code. Use the two-letter country code defined in ISO 3166-1. For more information, see ISO.
Key Algorithm
Select an appropriate key algorithm based on the support capabilities of the certification authority, business security standards, and compatibility requirements.
RSA_PKCS1_SHA_256: Uses the SHA-256 algorithm to calculate the hash value of data and uses the RSASSA-PKCS1-v1_5 algorithm defined in RFC 3447/PKCS#1 to calculate the signature.
RSA_PSS_SHA_256: Uses the SHA-256 algorithm to calculate the hash value of data and uses the RSASSA-PSS algorithm defined in RFC 3447/PKCS#1 to calculate the signature with MGF1 (SHA-256).
Email Address (E)
Enter your contact email address.
In the CSR dialog box, click Download CSR File and keep it secure.
Key association detection
You can only detect whether a key is used for server-side encryption by cloud services. You cannot detect whether the key is used by your self-managed applications. Based on the detection results, if the key is still in use, exercise caution when deleting it.
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
On the Customer Master Keys or Default Keys tab, find the key for which you want to perform association detection, and click Details in the Actions column.
On the Key Association tab, click Check, wait for about 1 minute, and then click the icon on the right to view the detection results.
Cloud Service: The cloud service that uses the key. ECS, MSE, RabbitMQ, RocketMQ, and ACK are supported.
Last Called At: The most recent time when the cloud service accessed the key in KMS.
Note: Only access requests within the last 365 days display the access time. For access requests made more than 365 days ago, the last access time is not displayed.
Check Status: The status of the current detection. If the status is Failed, refresh the page and try again.
Service Console: The query feature provided by the cloud service to check which cloud service resources are encrypted using the KMS key.
Important: Only resources that the current account has permission to access are displayed.