A Key Management Service (KMS) instance provides features for managing keys and secrets. You can use keys to encrypt and decrypt sensitive data and credentials to reduce the risks of hard-coding them in your code. This enhances the security of your business data. This topic describes how to purchase and enable a KMS instance.
Step 1: Purchase a KMS instance
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
On the Instances page, click Create Instance, select a billing method, select an instance type for the KMS instance that you want to purchase, and then click Buy Now.
Subscription
Parameter
Description
Site
The site to which the region of the KMS instance belongs. Options: International Regions and Chinese Mainland Regions.
Instance Type
KMS provides default keys, including service keys and master keys, for cloud product encryption in each region. You do not need to purchase a KMS instance to use default keys, but the features are limited. Default keys are provided by KMS for free. Only the key rotation feature requires you to purchase a value-added service. Other scenarios are free of charge.
Before you purchase a KMS instance, we recommend that you visit Product Selection for more information about default keys and KMS instances.
Purchase a KMS instance
In most cases, a software key management instance is sufficient. If your business requires physical-level security protection or must meet strict compliance requirements such as financial regulations, select a hardware key management instance.
Software Key Management: Keys are stored in your dedicated database.
Hardware Key Management: Key generation, storage, encryption, and decryption rely on a dedicated hardware security module (HSM) that is compliant with Guomi or FIPS 140-2 Level 3 certification. If you select this type of instance, you must also purchase an HSM. For more information, see Configure an HSM cluster for a KMS hardware key management instance.
Purchase Value-added Services For Keys
Instance backup: This value-added service applies only to software key management instances. After a software key management instance is enabled, KMS automatically creates a free backup for data from the last 90 days. We recommend that you first learn about the free backup capability. If this capability does not meet your business requirements, you can purchase an instance backup. For more information, see Backup management.
Default key rotation: This value-added service applies only to free default keys. For more information, see Default key rotation.
Note: If you purchase a KMS instance, the keys in the instance support rotation by default. You do not need to purchase this value-added service.
Region
We recommend that you deploy in the same region as your business. For more information, see Supported regions.
Deployment Mode
KMS instances support dual-zone and multi-zone configurations, offering high availability, disaster recovery, and load balancing.
Note: Multi-zone deployments support up to three zones.
KMS instances in the Philippines (Manila) and Thailand (Bangkok) regions support only single-zone deployment.
For the number of zones in each region, see Regions and zones.
Compute Performance
The performance data of the KMS instance. For example, a value of 2,000 indicates that the maximum computing performance is 2,000 QPS for independently processing symmetric algorithms and 300 QPS for independently processing asymmetric algorithms.
Note: If you need a software key management instance with a performance of 10,000 or 20,000, contact us.
Key Quota
The key quota. The default value is 1,000.
The key quota is calculated based on the number of key versions, not the number of keys. For example, if a key has five versions, it consumes five from your key quota.
Secret Quota
The secret quota. The default value is 0.
The secret quota is calculated based on the number of secrets, regardless of the number of secret versions. A secret consumes only one from your secret quota, no matter how many versions it has.
Note: If your business does not involve secrets, skip purchasing a quota now. You can purchase a secret quota by upgrading your instance later as needed.
Access Management Quota
This quota is related to two features:
Accessing a KMS instance from multiple VPCs in the same region: Allows multiple VPCs in the same region to access KMS resources. The number of quotas required is equal to the number of VPCs.
Multi-account KMS instance sharing: You need one quota for each Alibaba Cloud account with which you share the instance.
For example, if your instance needs to be associated with three VPCs and shared with two Alibaba Cloud accounts, the access management quota must be at least 5 to meet your business needs.
The default value is 1. This allows the VPC attached to one instance to access KMS resources.
Log Analysis
Specifies whether to enable the log analysis feature. For more information, see Simple Log Service Overview.
Warning: Log analysis cannot be disabled after it is enabled. For information about the fees, see Product Billing.
Log Storage Capacity
A minimum of 1,000 GB is required. The capacity increases in increments of 1,000 GB. For more information, see How to calculate the required log storage capacity.
Quantity
The number of KMS instances to purchase.
Important: Typically, you only need to purchase one KMS instance. To purchase multiple KMS instances, contact us.
Subscription Duration
Select the subscription duration.
Note: You can select Auto-renewal On Expiration. The instance will be automatically renewed after it expires.
Pay-as-you-go
Parameter
Description
Billing Method
Fixed value: Pay-as-you-go 3.0.
Instance Type
In most cases, a software key management instance is sufficient. If your business requires physical-level security protection or must meet strict compliance requirements such as financial regulations, select a hardware key management instance.
Software Key Management: Keys are stored in your dedicated database.
Hardware Key Management: Key generation, storage, encryption, and decryption rely on a dedicated hardware security module (HSM) that is compliant with Guomi or FIPS 140-2 Level 3 certification. If you select this type of instance, you must also purchase an HSM. For more information, see Configure an HSM cluster for a KMS hardware key management instance.
Region
We recommend that you deploy in the same region as your business. For more information, see Supported regions.
Read Terms of Service, and then click Activate Now to complete the purchase.
After the purchase is successful, wait for 1 to 5 minutes. You can then view the purchased instance on the Instances page.
Step 2: Enable the instance
After purchasing an instance, you must enable it before you can use its key and secret management features.
Enable a software key management instance
Prerequisites
You must have one VPC and one vSwitch.
We recommend that you first log on to the VPC Management Console to view your existing VPCs, vSwitches, and the zones where the vSwitches are located before enabling the instance. You can also create a new VPC and vSwitch. For more information, see Create a VPC and a vSwitch or Create a vSwitch.
You must manually enable Cloud DNS PrivateZone if you use an Alibaba Cloud China site (aliyun.com) account to purchase a KMS instance outside the Chinese mainland, or if you use an Alibaba Cloud international site (alibabacloud.com) account to purchase an instance in the Chinese mainland. For more information, see Enable PrivateZone.
Note: If you use an Alibaba Cloud China site (aliyun.com) account to purchase an instance in the Chinese mainland, or use an Alibaba Cloud international site account to purchase an instance outside the Chinese mainland, Alibaba Cloud automatically enables PrivateZone. You do not need to manually enable it.
KMS covers the costs of domain name resolution for the instance. You do not need to pay fees to PrivateZone.
Procedure
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
On the Software Key Management tab, find the target software key management instance and click Enable in the Actions column.
In the Enable KMS Instance panel, complete the configurations and click Enable Now.
Parameter
Description
Instance Name
Enter a custom name for the instance. The name can contain letters, digits, and the special characters _/+=.@-.
VPC ID
Select a VPC to attach to the instance.
Zone Configuration
This is related to the deployment mode selected during instance purchase. Dual-zone or multi-zone deployment is supported. For multi-zone deployment, configure up to three zones.
Zone and vSwitch: Configure a zone and a vSwitch. Make sure that the vSwitch has at least one available IP address.
Other Zones: You can have zones randomly assigned or manually specify them.
Note: Some regions provide only one zone. An instance in these regions can only be deployed in a single zone.
Dual-zone or multi-zone deployment is used to achieve high availability, disaster recovery, and load balancing for KMS. The difference in latency and performance between selecting a zone where your services are located and a zone where they are not is negligible. Select as needed.
Wait for about 30 minutes and then refresh the page. The software key management instance is enabled when its status changes to Enabled.
Enable a hardware key management instance
Prerequisites
You must have configured a cryptor cluster that the KMS instance can connect to. For more information, see Configure a cryptor cluster for a KMS hardware key management instance.
Warning: If you plan to expand the number of HSMs in the HSM cluster, contact Alibaba Cloud technical support to change the cluster synchronization method to automatic synchronization. This helps prevent synchronization failures.
Ensure that each zone configured for the KMS instance has a vSwitch. The following section uses a dual-zone deployment as an example.
(Recommended) Use the two vSwitches that are attached to the HSM instance. In this case, you do not need to create vSwitches. Just ensure that four available IP addresses are reserved for each vSwitch.
If you do not use the two vSwitches that are attached to the HSM instance, you must create two vSwitches in different zones. Ensure that four available IP addresses are reserved for each vSwitch. For more information, see Create a vSwitch.
You can log on to the VPC console, click the target vSwitch on the vSwitches page, and view the available IP address count on the details page.
You must manually enable Cloud DNS PrivateZone if you use an Alibaba Cloud China site (aliyun.com) account to purchase a KMS instance outside the Chinese mainland, or if you use an Alibaba Cloud international site account to purchase a KMS instance in the Chinese mainland. For more information, see Enable PrivateZone.
Note: If you use an Alibaba Cloud China site (aliyun.com) account to purchase a KMS instance in the Chinese mainland, or use an Alibaba Cloud international site account to purchase a KMS instance outside the Chinese mainland, Alibaba Cloud automatically enables PrivateZone. You do not need to manually enable it.
KMS covers the costs of domain name resolution for the KMS instance. You do not need to pay fees to PrivateZone.
Procedure
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
Click the Hardware Key Management tab, find the target hardware key management instance, and click Enable in the Actions column.
In the Connect to HSM panel, complete the configurations, and then click Connect to HSM to specify an HSM cluster.
Parameter
Description
Instance Name
Enter a custom name for the instance. The name can contain letters, digits, and the special characters _/+=.@-.
Select Cluster
Select the HSM cluster that you configured in CloudHSM.
Note: A hardware key management instance can be attached to only one HSM cluster.
Configure HSM Access Secret.
HSM cluster in the Chinese mainland
A hardware key management instance uses bidirectional TLS authentication to connect to an HSM. You can choose to automatically generate certificates when you purchase an HSM. You only need to configure the certificates on the client SDK side, and the HSM automatically deploys them to the server-side encryption machine. If you do not configure the HSM to automatically generate certificates, you must configure a client certificate (a PKCS12 format certificate with a security token) and a security domain certificate (the CA certificate in PEM format that is used to issue the TLS server-side certificate for the HSM cluster). For more information about how to generate certificates, see Configure bidirectional TLS authentication for a master HSM instance.
Client Protection Password: The protection password that you set when you generated the client certificate client.p12. If you use the certificate generation tool (hsm_certificate_generate), the default password is 12345678.
Client Certificate: A PKCS12 certificate. Click Select File and select the generated client.p12 file to upload.
Security Domain Certificate: A CA certificate in PEM format. Click Select File and select the generated rootca.pem file to upload.
HSM cluster outside the Chinese mainland
Username: The username of the HSM operator (fixed as kmsuser).
Password: The access password for the HSM operator. This is the password you set when you created the HSM operator.
Security Domain Certificate: A CA certificate in PEM format. Log on to the CloudHSM console, click the ID of any HSM instance in the cluster, and find ClusterOwnerCertificate at the bottom of the Instance Details tab. This is the security domain certificate. Copy the content directly or save it as a PEM file and then upload it.
VPC ID
By default, this is the ID of the VPC attached to the HSM. It cannot be changed.
Configure Zone and vSwitch
This is related to the deployment mode selected during instance purchase. Dual-zone or multi-zone deployment is supported. Four available IP addresses must be reserved for the vSwitch in each zone.
For multi-zone deployment, configure up to three zones.
Note: Dual-zone or multi-zone deployment is used to achieve high availability, disaster recovery, and load balancing for KMS. The difference in latency and performance between selecting a zone where your services are located and a zone where they are not is negligible. Select as needed.
If you selected a secret quota when you purchased the instance, wait for about 30 minutes and then refresh the page. If you did not select a secret quota, wait for about 10 minutes and then refresh the page. The hardware key management instance is enabled when its status changes to Enabled.
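Two of the inputs above are checked only after you click Enable: the instance name charset (letters, digits, and _/+=.@-) and the vSwitch reservation (at least one available IP address per vSwitch for a software instance, four per vSwitch in each zone for a hardware instance, with the vSwitches in different zones). The following preflight is an added example, not Alibaba Cloud code; the vSwitch IDs, zone IDs and available-IP counts are constructed sample values that stand in for what the VPC console shows on the vSwitch details page, and the one-to-three zone range is an assumption drawn from the deployment-mode descriptions on this page.

```python
"""Preflight for enabling a KMS instance (added example, not Alibaba Cloud code)."""
import re
from dataclasses import dataclass

# Characters the console accepts in an instance name: letters, digits, and _/+=.@-
# (no length limit is stated on the page, so none is enforced here).
NAME_RE = re.compile(r"^[A-Za-z0-9_/+=.@-]+$")

# Available IP addresses each configured vSwitch must have, per instance type.
MIN_FREE_IPS = {"software": 1, "hardware": 4}

# Assumption: single-zone only where the region has one zone, multi-zone up to three.
MIN_ZONES, MAX_ZONES = 1, 3


@dataclass(frozen=True)
class VSwitch:
    """One vSwitch as listed in the VPC console (sample values are constructed)."""
    vswitch_id: str
    zone_id: str
    available_ip_count: int


def check_instance_name(name: str) -> list[str]:
    """Return the problems with a proposed instance name (empty list means acceptable)."""
    if not name:
        return ["instance name is empty"]
    if NAME_RE.match(name):
        return []
    bad = sorted({ch for ch in name if not NAME_RE.match(ch)})
    return [f"instance name contains unsupported characters: {bad!r}"]


def check_vswitches(instance_type: str, vswitches: list[VSwitch]) -> list[str]:
    """Return the problems with the zone/vSwitch configuration for the given instance type."""
    if instance_type not in MIN_FREE_IPS:
        return [f"unknown instance type {instance_type!r}"]
    problems = []
    if not MIN_ZONES <= len(vswitches) <= MAX_ZONES:
        problems.append(f"configure between {MIN_ZONES} and {MAX_ZONES} vSwitches, got {len(vswitches)}")
    zones = [v.zone_id for v in vswitches]
    if len(set(zones)) != len(zones):
        problems.append(f"each vSwitch must be in a different zone, got zones {zones}")
    need = MIN_FREE_IPS[instance_type]
    for v in vswitches:
        if v.available_ip_count < need:
            problems.append(
                f"{v.vswitch_id} in {v.zone_id} has {v.available_ip_count} available IP(s); "
                f"a {instance_type} instance needs at least {need} per vSwitch"
            )
    return problems


def enable_preflight(name: str, instance_type: str, vswitches: list[VSwitch]) -> list[str]:
    """Everything that would make the Enable step fail; empty means go ahead."""
    return check_instance_name(name) + check_vswitches(instance_type, vswitches)


# Constructed sample: a dual-zone hardware instance whose second vSwitch is too full.
SAMPLE_VSWITCHES = [
    VSwitch("vsw-sample-a", "zone-sample-a", 12),
    VSwitch("vsw-sample-b", "zone-sample-b", 3),
]

if __name__ == "__main__":
    for problem in enable_preflight("prod-kms_01", "hardware", SAMPLE_VSWITCHES):
        print("-", problem)
```

Run against the sample, the hardware check flags vsw-sample-b (3 available addresses, 4 required) while the same vSwitches would pass for a software instance, which is the difference most likely to surprise someone who has previously enabled only software instances.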
Enable an external key management instance
Prerequisites
You must have purchased an external HSM and configured an XKI proxy. For more information, contact your HSM provider.
Note: For more information, see XKI Proxy server.
You can connect KMS to the XKI proxy using a public endpoint or a VPC endpoint service. To use a VPC endpoint, first create an endpoint service. For more information, see Create and manage endpoint services. Note the following when you create the endpoint service:
The two zones of the endpoint service must be the same as the zones selected when you enable the KMS instance.
You must add the current Alibaba Cloud account to the whitelist of the endpoint service.
The Auto-accept Connection setting for the endpoint service must be set to Yes.
You must manually enable PrivateZone if you use an Alibaba Cloud China site (aliyun.com) account to purchase a KMS instance outside the Chinese mainland, or if you use an Alibaba Cloud international site account to purchase a KMS instance in the Chinese mainland. For more information, see Enable PrivateZone.
Note: If you use an Alibaba Cloud China site (aliyun.com) account to purchase an instance in the Chinese mainland, or use an Alibaba Cloud international site account to purchase an instance outside the Chinese mainland, Alibaba Cloud automatically enables PrivateZone. You do not need to manually enable it.
KMS covers the costs of domain name resolution for the KMS instance. You do not need to pay fees to PrivateZone.
Procedure
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
Click the External Key Management tab, find the target instance, and click Enable in the Actions column.
In the Connect to HSM panel, complete the configurations, and then click Connect to HSM to specify an HSM cluster.
Parameter
Description
Instance Name
Enter a custom name for the instance. The name can contain letters, digits, and the special characters _/+=.@-.
VPC ID
Select a VPC to attach to the instance.
Zone Configuration
This is related to the deployment mode selected during instance purchase. Dual-zone or multi-zone deployment is supported. For multi-zone deployment, you can configure up to three zones.
Zone and vSwitch: Configure a zone and a vSwitch. Make sure that the vSwitch has at least one available IP address.
Other Zones: You can have zones randomly assigned or manually specify them.
Note: Some regions provide only one zone. A KMS instance in these regions can only be deployed in a single zone.
Dual-zone or multi-zone deployment is used to achieve high availability, disaster recovery, and load balancing for KMS. The difference in latency and performance between selecting a zone where your services are located and a zone where they are not is negligible. Select as needed.
External Proxy Connectivity
Public Endpoint Connectivity: The KMS instance connects to the XKI proxy over the Internet.
VPC Endpoint Service Connectivity: The KMS instance connects to the XKI proxy using a VPC endpoint service.
Domain Name of External Proxy
This is required only when External Proxy Connectivity is set to Public Endpoint Connectivity. Enter the domain name of the XKI proxy.
Endpoint Service
This is required only when External Proxy Connectivity is set to VPC Endpoint Service Connectivity. Select an endpoint service.
The zones selected for enabling the KMS instance must be the same as the zones of the endpoint service.
External Proxy Configuration
Manual Configuration: Manually configure the External Proxy Path, Certificate Fingerprint, AccessKey ID, and AccessKey secret of the XKI proxy.
Configuration File Upload: Configure by uploading a file.
If you selected a secret quota when you purchased the instance, wait for about 30 minutes and then refresh the page. If you did not select a secret quota, wait for about 10 minutes and then refresh the page. The external key management instance is enabled when its status changes to Enabled.
FAQ
Why is a KMS instance always in the Enabling state when I enable the instance?
What do I do if an error occurs when I enable a software key management instance?
What do I do if an error occurs when I enable a hardware key management instance?
How do I configure an HSM cluster for a KMS instance of the hardware key management type?
How do I configure the HSM cluster to which I want to connect a hardware key management instance?