Key Management Service (KMS) allows you to manage keys throughout their lifecycles and store the keys in a secure manner. After you create a key for a KMS instance, you can disable the key, enable deletion protection, or schedule the deletion of the key based on your business requirements.

Background information

KMS allows you to manage software-protected keys, hardware-protected keys, and default keys.
  • Software-protected keys and hardware-protected keys: You can create and manage software-protected keys and hardware-protected keys. The keys can be integrated into Alibaba Cloud services for server-side encryption or into applications for application-layer cryptography solutions.
  • Default keys: Default keys can be one of the following types of keys. KMS provides default keys free of charge.
    • Service key: Alibaba Cloud services automatically create and manage service keys. You can view information about the service keys in the console, but you cannot manage the service keys. Each Alibaba Cloud service can create only one service key for each Alibaba Cloud account in each region.
    • CMK: You can create and manage CMKs. You can integrate the CMKs into only Alibaba Cloud services for server-side encryption. You can create only one CMK (default key) for each Alibaba Cloud account in each region.

For more information, see Overview.

Disable a key

If you no longer use a key, we recommend that you disable the key and then delete the key. After you disable a key, you cannot use the key for cryptographic operations.

  1. Log on to the KMS console. In the upper-left corner of the page, select a region. In the left-side navigation pane, click Keys.
  2. On the Keys page, click the Software Key Management tab or the Hardware Key Management tab based on the type of your key.
  3. Find the required KMS instance and click Manage in the Actions column.
  4. Find the key that you want to disable and click Disable in the Actions column. In the Disable Key message, click OK.
    After the key is disabled, the status of the key changes from Enabled to Disabled. You can also click Enable to re-enable the key.

Enable deletion protection

After you enable deletion protection for a key, you cannot delete the key. This prevents the key from being accidentally deleted.

Note You cannot enable deletion protection for a key that is in the Pending Deletion state.
  1. Log on to the KMS console. In the upper-left corner of the page, select a region. In the left-side navigation pane, click Keys.
  2. On the Keys page, click the Software Key Management tab or the Hardware Key Management tab based on the type of your key.
  3. Find the required KMS instance and click Manage in the Actions column.
  4. Find the key for which you want to enable deletion protection, click More in the Actions column, and then click Key Details.
  5. In the Key Details section, click Enable Deletion Protection.
    After deletion protection is enabled for the key, the status of Deletion Protection changes from Disabled to Enabled. You can click Disable Deletion Protection to disable deletion protection for the key. This way, the key can be deleted.

Schedule key deletion

After a key is deleted, the key cannot be recovered. Data that is encrypted by using the key and the data key that is generated for the key cannot be decrypted. Therefore, KMS allows you to only schedule the deletion of a key. You can specify a scheduled period after which the key is deleted.

If you no longer use a key, we recommend that you disable the key and then schedule the deletion of the key. Make sure that the deletion of the key does not affect your business. Before you schedule the deletion of a key, you must disable deletion protection for the key.

  1. Log on to the KMS console. In the upper-left corner of the page, select a region. In the left-side navigation pane, click Keys.
  2. On the Keys page, click the Software Key Management tab or the Hardware Key Management tab based on the type of your key.
  3. Find the required KMS instance and click Manage in the Actions column.
  4. Find the key for which you want to schedule deletion, click More in the Actions column, and then click Schedule Deletion.
  5. In the Schedule Deletion dialog box, configure Retention Period (7 to 366 Days) and click OK.
    Valid values of Retention Period (7 to 366 Days): 7 to 366. Unit: days. Default value: 366.
    Important After the scheduled period ends, the system deletes the key.
    After you specify the scheduled period for the key, the status of the key changes from Enabled to Pending Deletion. You cannot use a key in the Pending Deletion state to encrypt data, decrypt data, or generate data keys. Before the scheduled period ends, you can choose More > Cancel Key Deletion to cancel the scheduled key deletion.