Key Management Service (KMS) instances provide key-related and secret-related features. You can use keys to encrypt and decrypt sensitive data. You can use secrets to reduce risks that are caused by hardcoded secrets in code. This helps improve data security. This topic describes how to purchase and enable a KMS instance.
Overview
Before you purchase a KMS instance, make sure that you are familiar with the specifications of KMS instances and the business components of KMS. Then, you can select appropriate specifications based on your business scenarios and security compliance requirements. For more information, see Instance selection.
Step 1: Purchase a KMS instance
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
On the Instances page, click Create Instance. In the Create Instance dialog box, select a billing method. On the buy page, configure the parameters and click Buy Now.
Parameter
Description
Site
The site on which you want to deploy the KMS instance. Valid values: Regions Outside Chinese Mainland and Regions in Chinese Mainland.
Instance Type
The type of the KMS instance. Valid values:
Software Key Management: allows you to create a key store. You can manage the lifecycles of keys and use keys for encryption and decryption.
Hardware Key Management: allows you to manage keys that are stored in a hardware security module (HSM) cluster and helps you quickly build a key management center in the cloud.
Value-added Plan: provides expert services, the instance backup feature, and the default key rotation feature. For more information, see Backups and Configure key rotation.
Region
The region of the KMS instance. For more information, see Supported regions.
Deployment Mode
KMS instances support dual-zone or multi-zone configurations to achieve high availability, disaster recovery, and load balancing.
NotePhilippines (Manila) and Thailand (Bangkok) provide only a single zone, so the KMS instance can only be deployed in a single zone. In this case, the default deployment mode is single zone.
When you select multi-zone, you can configure up to three zones.
For the number of zones in each region, see Regions and access addresses.
Computing Performance
The computing performance of the KMS instance. For more information, see Performance data.
If the provided computing performance of KMS instances of the software key management type on the buy page cannot meet your business requirements, contact us for the computing performance of 10,000 QPS or 20,000 QPS.
Number of Keys
The maximum number of keys that can be created in the KMS instance.
Number of Secrets
The maximum number of secrets that can be created in the KMS instance.
Access Management Quantity
The quota of objects that are allowed to access the KMS instance. The quota includes the number of Alibaba Cloud accounts that use the resources of the KMS instance and the number of virtual private clouds (VPCs) that are associated with the KMS instance. Default value: 1.
For example, if the KMS instance needs to be associated with three VPCs and shared with two Alibaba Cloud accounts, specify a value no less than 5 for the parameter to meet your business requirements.
Log Analysis
Specifies whether to enable the log analysis feature. For more information, see Overview of Simple Log Service for KMS.
Log Storage Capacity
The storage capacity for logs, with a minimum allocation of 1,000 GB. The capacity increases in increments of 1,000 GB. For more information about how to evaluate the storage capacity, see Overview of Simple Log Service for KMS.
purchase quantity
The number of KMS instances that you want to purchase.
ImportantIn most cases, you need to purchase only one KMS instance. If you want to purchase more than one KMS instance, contact us.
Duration
The subscription duration of the KMS instance.
NoteYou can select Auto-renewal to automatically renew the KMS instance when the instance expires.
Read and select Terms of Service, and click Pay to complete the payment.
The system requires 1 to 5 minutes to create the KMS instance. You can view the created instance on the Instances page.
Step 2: Enable the KMS instance
After you purchase a KMS instance, you must enable the instance to use the key management and secret management of KMS.
Enable a KMS instance of the software key management type
Prerequisites
A VPC and a vSwitch are available in the region of the KMS instance.
Before you enable the KMS instance, we recommend that you log on to the VPC console and view the existing VPCs, vSwitches, and zones in which the vSwitches reside. You can also create a VPC and a vSwitch. For more information, see Create a VPC and a vSwitch or Create a vSwitch.
Alibaba Cloud DNS PrivateZone is activated. If you use an account on the China site (aliyun.com) to purchase a KMS instance outside the Chinese mainland or use an account on the International site (alibabacloud.com) to purchase a KMS instance in the Chinese mainland, you must manually activate Alibaba Cloud DNS PrivateZone. For more information, see Activate Alibaba Cloud DNS PrivateZone.
NoteIf you use an account on the China site (aliyun.com) to purchase a KMS instance in the Chinese mainland or use an account on the International site (alibabacloud.com) to purchase a KMS instance outside the Chinese mainland, Alibaba Cloud DNS PrivateZone is automatically activated.
The fees for domain name resolution are billed to KMS. You do not need to complete payments on the Alibaba Cloud DNS PrivateZone side.
Procedure
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
On the Software Key Management tab, find the KMS instance that you want to enable and click Enable in the Actions column.
In the Enable KMS Instance panel, configure the parameters and click Enable Now.
Parameter
Description
Instance Name
The custom name of the KMS instance. The name can contain letters, digits, and the following special characters:
_/+=.@-.VPC ID
Specify the VPC ID associated with your KMS instance. This ID cannot be modified after enabling the instance.
Zone Configuration
The zone configurations. Set the dual-zone or multi-zone configurations based on the deployment mode that you select when you purchase the KMS instance. If you select the multi-zone deployment mode, you can configure up to three zones.
Zone and vSwitch Configuration: Configure a zone and vSwitch. Make sure that the vSwitch has at least one available IP address.
Other Zones: Select Randomly Assign or Manually Specify.
NoteSpecific regions provide only a single zone. In this case, the KMS instance can only be deployed in a single zone.
Wait for approximately 30 minutes and then refresh the page. If the status of the KMS instance changes to Enabled, the KMS instance is enabled.
Enable a KMS instance of the hardware key management type
Prerequisites
An HSM cluster to which the KMS instance is connected is available. For more information, see Configure an HSM cluster for a KMS instance of the hardware key management type.
WarningIf you want to increase the number of HSMs in the HSM cluster in subsequent operations, contact Alibaba Cloud technical support to change the cluster synchronization method to automatic synchronization. This prevents cluster synchronization failures.
One vSwitch is configured for each zone of the KMS instance. In the following example, the dual-zone deployment mode is used.
(Recommended) Use the two vSwitches that are bound to your HSM: You do not need to create vSwitches. Make sure that four available IP addresses are reserved for each vSwitch.
Do not use the two vSwitches that are bound to your HSM: You must create two vSwitches in different zones. Make sure that four available IP addresses are reserved for each vSwitch. For more information, see Create a vSwitch.
To view the number of available IP addresses on a vSwitch, perform the following steps: Log on to the VPC console. On the vSwitch page, click the ID of the vSwitch.
Alibaba Cloud DNS PrivateZone is activated. If you use an account on the China site (aliyun.com) to purchase a KMS instance outside the Chinese mainland or use an account on the International site (alibabacloud.com) to purchase a KMS instance in the Chinese mainland, you must manually activate Alibaba Cloud DNS PrivateZone. For more information, see Activate Alibaba Cloud DNS PrivateZone.
NoteIf you use an account on the China site (aliyun.com) to purchase a KMS instance in the Chinese mainland or use an account on the International site (alibabacloud.com) to purchase a KMS instance outside the Chinese mainland, Alibaba Cloud DNS PrivateZone is automatically activated.
The fees for domain name resolution are billed to KMS. You do not need to complete payments on the Alibaba Cloud DNS PrivateZone side.
Procedure
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
On the Hardware Key Management tab, find the KMS instance that you want to enable and click Enable in the Actions column.
In the Connect to HSM panel, specify an HSM cluster and click Connect to HSM. To specify an HSM cluster, you must configure the following parameters.
Parameter
Description
Instance Name
Specify a custom name for the KMS instance. The name can contain letters, digits, and the following special characters:
_/+=.@-.Configure HSM Cluster
Select the HSM cluster that you created in Cloud Hardware Security Module.
NoteYou can connect a KMS instance of the hardware key management type to only one HSM cluster.
Configure HSM Access Secret.
Username: the username of the crypto user. The value is fixed as
kmsuser.Password: the password of the crypto user. Enter the password that you specified when you created the crypto user.
Security Domain Certificate: a root certification authority (CA) certificate in the PEM format. To obtain the certificate, perform the following operations: Log on to the Cloud Hardware Security Module console. Click one HSM ID in the cluster. On the Details page, find ClusterOwnerCertificate, which is the Security Domain Certificate. Copy the content of the Security Domain Certificate or save it in PEM format, then upload it.
VPC ID
By default, the ID of the VPC that is associated with the HSM is used. You cannot modify the default ID.
Zone and vSwitch Configuration
Set the configurations based on the deployment mode that you select when you purchase the KMS instance. The deployment modes are dual-zone and multi-zone. Make sure that at least four available IP addresses are reserved for each vSwitch in a zone.
If you select the multi-zone deployment mode, you can configure up to three zones.
If you configured the Number of Secrets parameter when you purchased the KMS instance, the system requires approximately 30 minutes to enable the KMS instance. Wait for approximately 30 minutes and then refresh the page. If you did not configure the Number of Secrets parameter when you purchased the KMS instance, the system requires approximately 10 minutes to enable the KMS instance. Wait for approximately 10 minutes and then refresh the page. If the status of the KMS instance changes to Enabled, the KMS instance is enabled.
Enable a KMS instance of the external key management type
Prerequisites
A hardware security module (HSM) outside the cloud is purchased, and an external key instance (XKI) proxy is configured. For more information, contact your HSM provider.
NoteFor more information about XKI proxies, see XKI proxy servers.
KMS supports connections to the XKI proxy by using a public endpoint or a VPC endpoint service. If you want to use a VPC endpoint service to establish connections, you must first create a VPC endpoint service. For more information, see Create and manage endpoint services. Take note of the following items when you create a VPC endpoint service:
The two zones of the endpoint service must be the same as the zones that are selected when you enable the KMS instance.
The current Alibaba Cloud account is added to the whitelist of the endpoint service.
Automatically Accept Endpoint Connections is set to Yes.
Alibaba Cloud DNS PrivateZone is activated. If you use an account on the China site (aliyun.com) to purchase a KMS instance outside the Chinese mainland or use an account on the International site (alibabacloud.com) to purchase a KMS instance in the Chinese mainland, you must manually activate Alibaba Cloud DNS PrivateZone. For more information, see Activate Alibaba Cloud DNS PrivateZone.
NoteIf you use an account on the China site (aliyun.com) to purchase a KMS instance in the Chinese mainland or use an account on the International site (alibabacloud.com) to purchase a KMS instance outside the Chinese mainland, Alibaba Cloud DNS PrivateZone is automatically activated.
The fees for domain name resolution are billed to KMS. You do not need to complete payments on the Alibaba Cloud DNS PrivateZone side.
Procedure
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
Click the External Key Management tab, find the instance that you want to enable, and then click Enable in the Actions column.
In the Connect to HSM panel, configure parameters and click Connect to HSM.
Parameter
Description
Instance Name
The custom name of the KMS instance. The name can contain letters, digits, and the following special characters:
_/+=.@-.VPC ID
The VPC that is associated with the KMS instance.
Zone Configuration
The zone configurations. Set the dual-zone or multi-zone configurations based on the deployment mode that you select when you purchase the KMS instance. If you select the multi-zone deployment mode, you can configure up to three zones.
Zone and vSwitch Configuration: Configure a zone and vSwitch. Make sure that the vSwitch has at least one available IP address.
Other Zones: Select Randomly Assign or Manually Specify.
NoteSpecific regions provide only a single zone. In this case, the KMS instance can only be deployed in a single zone.
External Proxy Connectivity
Public Endpoint Connectivity: The KMS instance connects to the XKI proxy by using a public endpoint over the Internet.
VPC Endpoint Service Connectivity : The KMS instance connects to the XKI proxy by using a VPC endpoint service.
Domain Name of External Proxy
If you set External Proxy Connectivity to Public Endpoint Connectivity, enter the domain name of your XKI proxy.
Endpoint Service
If you set External Proxy Connectivity to VPC Endpoint Service Connectivity , select an endpoint service.
The two zones of the endpoint service must be the same as the zones that are selected when you enable the KMS instance.
External Proxy Configuration
Manual Configuration: You must configure External Proxy Path, Certificate Fingerprint, AccessKey ID, and AccessKey Secret. Enter the AccessKey ID and AccessKey secret of the XKI proxy.
Configuration File Upload: You can upload a configuration file.
If you configured the Number of Secrets parameter when you purchased the KMS instance, the system requires approximately 30 minutes to enable the KMS instance. Wait for approximately 30 minutes and then refresh the page. If you did not configure the Number of Secrets parameter when you purchased the KMS instance, the system requires approximately 10 minutes to enable the KMS instance. Wait for approximately 10 minutes and then refresh the page. If the status of the KMS instance changes to Enabled, the KMS instance is enabled.
FAQ
Why is a KMS instance always in the Enabling state when I enable the instance?
What do I do if an error occurs when I enable an instance of the software key management type?
What do I do if an error occurs when I enable an instance of the hardware key management type?
How do I configure an HSM cluster for a KMS instance of the hardware key management type?