Key Management Service (KMS) allows you to manage keys throughout their lifecycles and store the keys in a secure manner. This topic describes how to create a key, disable a key, enable deletion protection for a key, schedule deletion of a key, and add tags to a key.
Create a key
Default key
A default key can be a service key or a customer master key (CMK). A service key is created and managed by an Alibaba Cloud service. You can create and manage a default key of the CMK type. In KMS, creating a default key of the CMK type means enabling a default key of the CMK type. To create a default key of the CMK type, perform the following steps:
You can create only one default key of the CMK type in each region. If you need to create multiple keys, we recommend that you purchase a KMS instance.
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
On the Keys page, click the Default Key tab.
Find the required key, click Enable in the Actions column, configure the parameters, and then click OK.
| Parameter | Description |
| --- | --- |
| Key Alias | The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/). |
| Description | The description of the key. |
| Advanced Settings: Key Material Source | Key Management Service: KMS generates the key material. External: KMS does not generate key material; you must import it. For more information, see Import key material into a symmetric key. Note: If you select External, you must read and select "I understand the implications of using the external key materials." |
Software-protected key
Before you create a software-protected key, make sure that you purchased and enabled a KMS instance of the software key management type. For more information, see Purchase and enable a KMS instance.
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
On the Keys page, click the Keys tab, select a KMS instance of the software key management type from the Instance ID drop-down list, and then click Create Key.
In the Create Key panel, configure the parameters and click OK.
| Parameter | Description |
| --- | --- |
| Key Type | The type of the key that you want to create. Valid values: Symmetric Key and Asymmetric Key. Important: If you want to create a key to encrypt secrets, select Symmetric Key. |
| Key Specifications | The specification of the key. Symmetric key specification: Aliyun_AES_256. Asymmetric key specifications: RSA_2048, RSA_3072, EC_P256, and EC_P256K. |
| Key Usage | The usage of the key. Valid values: ENCRYPT/DECRYPT (encrypts or decrypts data) and SIGN/VERIFY (signs data or verifies a digital signature). |
| Key Alias | The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/). |
| Tag | The tag that you want to add to the key. You can use tags to classify and manage keys. A tag consists of a key-value pair. Note: A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), and at signs (@). A tag key cannot start with aliyun or acs:. You can configure up to 20 key-value pairs for each key. |
| Automatic Rotation | Specifies whether to enable automatic key rotation. Automatic key rotation is supported only for symmetric keys and is enabled by default. For more information, see Configure key rotation. |
| Rotation Period | The rotation period. Valid values: 7 to 365. Unit: days. |
| Description | The description of the key. |
Hardware-protected key
Before you create a hardware-protected key, make sure that you purchased and enabled a KMS instance of the hardware key management type. For more information, see Purchase and enable a KMS instance.
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
On the Keys page, click the Keys tab, select a KMS instance of the hardware key management type from the Instance ID drop-down list, and then click Create Key.
In the Create Key panel, configure the parameters and click OK.
| Parameter | Description |
| --- | --- |
| Key Type | The type of the key that you want to create. Valid values: Symmetric Key and Asymmetric Key. Important: If you want to create a key to encrypt secrets, select Symmetric Key. |
| Key Specifications | The specification of the key. Symmetric key specifications: Aliyun_AES_256, Aliyun_AES_192, and Aliyun_AES_128. Asymmetric key specifications: RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P256K. |
| Key Usage | The usage of the key. Valid values: ENCRYPT/DECRYPT (encrypts or decrypts data) and SIGN/VERIFY (signs data or verifies a digital signature). |
| Key Alias | The alias of the key. The alias can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/). |
| Tag | The tag that you want to add to the key. You can use tags to classify and manage keys. A tag consists of a key-value pair. Note: A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), and at signs (@). A tag key cannot start with aliyun or acs:. You can configure up to 20 key-value pairs for each key. |
| Description | The description of the key. |
| Advanced Settings: Key Material Source | Key Management Service: KMS generates the key material. External: KMS does not generate key material; you must import it. For more information, see Import key material into a symmetric key and Import key material into an asymmetric key. Note: If you select External, you must read and select "I understand the implications of using the external key materials." |
Disable a key
If you no longer require a key, we recommend that you disable the key. After you confirm that the disabled key does not affect your workloads, you can delete the key. You cannot use disabled keys for cryptographic operations.
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
On the Keys page, click the Keys or Default Key tab, find the key that you want to disable, and then click Disable in the Actions column.
In the Disable Key dialog box, confirm the on-screen information and click OK.
You can click Key Association to check whether the key is used for server-side encryption in Alibaba Cloud services. For more information, see Check key association.
After the key is disabled, the status of the key changes from Enabling to Disabled. To re-enable the key, click Enable.
Enable deletion protection
After you enable deletion protection for a key, the key cannot be deleted. This prevents keys from being accidentally deleted. If you want to delete a key, you must disable deletion protection for the key.
You cannot enable deletion protection for a key that is in the Pending Deletion state.
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
On the Keys page, click the Keys or Default Key tab, find the key for which you want to enable deletion protection, and then click Details in the Actions column.
On the details page that appears, turn on Deletion Protection.
In the OK message, click OK.
Schedule deletion of a key
KMS does not support immediate key deletion. KMS supports only scheduled key deletion. You can specify a scheduled deletion period for a key, and then the key is automatically deleted when this period elapses. Before you schedule deletion of a key, you must disable deletion protection for the key.
If you no longer require a key, we recommend that you disable the key. After you confirm that the disabled key does not affect your workloads, you can schedule deletion of the key.
The system deletes a key when the scheduled deletion period of the key elapses. After the key is deleted, you cannot decrypt the data that is encrypted by using the key or related data keys. Before you delete a key, make sure that the key is no longer in use. If you delete a key that is in use, your services may become unavailable.
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
On the Keys or Default Key tab, find the key that you want to delete, click the icon in the Actions column, and then click Schedule Deletion.
In the Schedule Deletion dialog box, confirm the on-screen information, specify the scheduled deletion period, and then click OK.
You can click Key Association to check whether the key is used for server-side encryption in Alibaba Cloud services. For more information, see Check key association.
After you specify the scheduled deletion period, the status of the key changes from Enabling to Pending Deletion. You cannot use a key in the Pending Deletion state to encrypt data, decrypt data, or generate data keys. You can click Cancel Key Deletion to cancel the deletion before the scheduled deletion period elapses.
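The lifecycle rules from the Disable a key, Enable deletion protection, and Schedule deletion of a key sections, modelled as a small state machine. This is an added example, not Alibaba Cloud code; it assumes that cancelling a scheduled deletion returns the key to the Enabled state, adds a "Deleted" state to mark the end of the scheduled deletion period, and uses a day counter in place of the real clock.

```python
from dataclasses import dataclass
from typing import Optional

ENABLED, DISABLED, PENDING_DELETION, DELETED = "Enabled", "Disabled", "Pending Deletion", "Deleted"

@dataclass
class KmsKey:
    key_id: str
    state: str = ENABLED
    deletion_protection: bool = False
    days_until_deletion: Optional[int] = None

    def usable_for_crypto(self) -> bool:
        # Only an enabled key may encrypt, decrypt or generate data keys.
        return self.state == ENABLED

    def disable(self) -> None:
        self._require_not_deleted()
        self.state = DISABLED

    def enable(self) -> None:
        self._require_not_deleted()
        if self.state == PENDING_DELETION:  # assumption: use Cancel Key Deletion instead
            raise ValueError("cancel the scheduled deletion first")
        self.state = ENABLED

    def set_deletion_protection(self, enabled: bool) -> None:
        self._require_not_deleted()
        if enabled and self.state == PENDING_DELETION:
            raise ValueError("deletion protection cannot be enabled for a key pending deletion")
        self.deletion_protection = enabled

    def schedule_deletion(self, pending_days: int) -> None:
        self._require_not_deleted()
        if self.deletion_protection:
            raise ValueError("disable deletion protection before scheduling deletion")
        self.state, self.days_until_deletion = PENDING_DELETION, pending_days

    def cancel_deletion(self) -> None:
        if self.state != PENDING_DELETION:
            raise ValueError("no deletion is scheduled for this key")
        self.state, self.days_until_deletion = ENABLED, None  # assumption: returns to Enabled

    def advance_days(self, days: int) -> None:
        # Simulated clock: the key is deleted once the scheduled deletion period elapses.
        if self.state == PENDING_DELETION:
            self.days_until_deletion -= days
            if self.days_until_deletion <= 0:
                self.state, self.days_until_deletion = DELETED, None

    def _require_not_deleted(self) -> None:
        if self.state == DELETED:
            raise ValueError("key is deleted; data encrypted under it cannot be recovered")
```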
Download the public key of an asymmetric key
After you create an asymmetric key, you can download the public key of the asymmetric key. You cannot download the private key of the asymmetric key.
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
On the Keys or Default Key tab, find the key that you want to manage and click Details in the Actions column.
On the Key Version tab, click View Public Key in the Actions column.
In the View Public Key message, click Download.
Check key association
You can only check whether a key is used for server-side encryption in Elastic Compute Service (ECS). You cannot check whether a key is used for server-side encryption in other cloud services or data encryption in self-managed applications.
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
On the Keys or Default Key tab, find the key that you want to manage and click Details in the Actions column.
On the Key Association tab, click Check. Wait for about 1 minute and click the icon to view the check result.
Cloud Service: the cloud service in which the key is used for server-side encryption. Only ECS is supported.
Last Called At: the most recent time when a cloud service accessed the key.
Note: If a cloud service accessed the key within the last 365 days, the most recent access time is displayed. If the last access was more than 365 days ago, no time is displayed.
Check Status: the check status. If the check fails, refresh and try again.
Service Entry: the entry point to query the resources that are encrypted by using the key.
Important: On the ECS Disk and Key Association and ECS Snapshot and Key Association pages, only the disks or snapshots that the current account has permissions to access are displayed.
If the key is still in use, do not delete the key unless otherwise required.
Add tags to keys
You can use tags to classify and manage keys. A tag consists of a key-value pair. You can add tags only to keys that are created in KMS instances. You cannot add tags to default keys.
A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), and at signs (@).
A tag key cannot start with aliyun or acs:.
You can configure up to 20 key-value pairs for each key.
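A validator for the key alias and tag constraints stated on this page (in the Create Key parameter tables and in this section). It is an added example, not KMS code: the character sets, the 128-character limit, the aliyun/acs: prefix rule, and the 20-pair limit are taken from the page; merge_tags previews the tag set a key would carry after an Add Tag operation so that the per-key limit is checked on the merged result.

```python
import re
from typing import Dict, List

# Allowed character sets and limits as described on this page.
ALIAS_CHARS = re.compile(r"[A-Za-z0-9_\-/]+")
TAG_CHARS = re.compile(r"[A-Za-z0-9/\\_\-.+=:@]*")
RESERVED_TAG_PREFIXES = ("aliyun", "acs:")
MAX_TAG_LEN = 128
MAX_TAGS_PER_KEY = 20


def validate_alias(alias: str) -> List[str]:
    """Return a list of problems; an empty list means the alias is acceptable."""
    if not alias:
        return ["alias is empty"]
    if not ALIAS_CHARS.fullmatch(alias):
        return [f"alias {alias!r}: only letters, digits, _ - / are allowed"]
    return []


def validate_tags(tags: Dict[str, str]) -> List[str]:
    """Check every tag key and value against the length, character-set,
    reserved-prefix and per-key count limits."""
    problems: List[str] = []
    if len(tags) > MAX_TAGS_PER_KEY:
        problems.append(f"{len(tags)} tags exceed the limit of {MAX_TAGS_PER_KEY} per key")
    for key, value in tags.items():
        for kind, text in (("key", key), ("value", value)):
            if len(text) > MAX_TAG_LEN:
                problems.append(f"tag {kind} {text[:16]!r}... is longer than {MAX_TAG_LEN} characters")
            if not TAG_CHARS.fullmatch(text):
                problems.append(f"tag {kind} {text!r} contains a disallowed character")
        if key.startswith(RESERVED_TAG_PREFIXES):
            problems.append(f"tag key {key!r} starts with a reserved prefix")
    return problems


def merge_tags(existing: Dict[str, str], new: Dict[str, str]) -> Dict[str, str]:
    """Tag set a key would carry after an Add Tag operation; new values overwrite
    existing ones for the same tag key. Raises if the merged set breaks a limit."""
    merged = {**existing, **new}
    problems = validate_tags(merged)
    if problems:
        raise ValueError("; ".join(problems))
    return merged
```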
Add tags to a key
| Method | Operation |
| --- | --- |
| Method 1: Add tags on the Keys page | |
| Method 2: Add tags on the Key Details page | |
Add tags for multiple keys at a time
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
On the Keys page, select the required instance ID from the Instance ID drop-down list, and then select the keys whose tags you want to manage in the key list.
Add tags: In the lower part of the key list, click Add Tag. In the Add Tag dialog box, enter one or more tag keys and tag values, and then click OK. In the message that appears, click Close.
Remove tags: In the lower part of the key list, click Remove Tag. In the Batch Remove dialog box, select the tags that you want to remove and click Remove. In the message that appears, click Close.