KMS offers free server-side encryption with default keys. For advanced needs — custom encryption policies, key lifecycle controls, or centralized secrets management — purchase a dedicated KMS instance. This page covers subscription billing for KMS instances.
This page covers the subscription billing method only. For pay-as-you-go fees, see Pay-as-you-go.
What's free
The following are included at no additional cost:
Server-side encryption using default keys
Dual-zone deployment (included in the base instance fee)
The first 1,000 QPS for Software Key Management Instances
The first 2,000 QPS for Hardware Key Management Instances
This topic only covers the subscription billing method. For information on pay-as-you-go fees, see Pay-as-you-go.
Billing overview
| Attribute | Details |
|---|---|
| Billing method | Subscription (prepaid, monthly or annually) |
| Billing cycle | Starts immediately upon purchase or renewal; ends at midnight (UTC+8) on the expiration date |
Billable items
The fees for KMS instances are as follows:
Software Key Management Instance | Hardware Key Management Instance |
USD 500 per month | USD 1,799 per month |
Default specifications for KMS instances are as follows:
Billable item | Description | Software Key Management Instance | Hardware Key Management Instance |
Deployment Mode | KMS instances support dual-zone and multi-zone configurations, offering high availability, disaster recovery, and load balancing. Note
| Dual-Zone | Dual-Zone |
Computing Performance | The QPS for encryption and decryption operations processed by the KMS instance. For QPS data of different cryptographic operations, see Performance data. | 1,000 | 2,000 |
Number of Keys | The key quota for the KMS instance. If a key supports rotation, each version generated by the rotation also consumes quota. For example, a key with two versions consumes two quotas. | 1,000 | 1,000 |
Number of Secrets | The secret quota for the KMS instance. If a secret supports rotation, each version generated by the rotation does not consume quota. For example, a secret with two versions consumes one quota. | 0 | 0 |
Access Management Quantity | This quota includes two parts:
For example, if you want to associate the KMS instance with three VPCs and share the instance with two Alibaba Cloud accounts, specify a value of 5 to meet your business requirements. The default quota is one, allowing only the VPC bound to the KMS instance access to KMS resources. | 1 | 1 |
Log Analysis | Based on Alibaba Cloud Simple Log Service, the KMS log analysis provides log query and analysis for KMS instances, and supports storing access logs for up to 180 days. Warning Once Log Analysis is enabled, it can't be turned off. Typically, each request log occupies about 1 KB of storage. So, for example, if your average request volume is 100 QPS, then the storage space required for one day's logs is about 8.2 GB (100 × 60 × 60 × 24 × 1 = 8,640,000 KB). With a default retention period of 180 days, the log storage capacity would be 1,476 GB (8.2 × 180). When you enable the log service, you can choose a log storage capacity of up to 2,000 GB. | Disable | Disable |
If the default specifications do not meet your requirements, you can purchase additional resources. These include enhanced computing performance, additional keys, secrets, access management, and log analysis. Additional resource fees are as follows:
Billable Item | Software Key Management Instance | Hardware Key Management Instance |
Deployment Mode |
|
|
Computing Performance (QPS) |
|
|
Number of Keys | Every 10 keys: USD 9 per month. Incremental purchase: 10. Maximum quota: 100,000. | Not available. |
Number of Secrets | Every 100 secrets: USD 50 per month. Incremental purchase: 100. Maximum quota: 100,000. | Every 100 secrets: USD 50 per month. Incremental purchase: 100. Maximum quota: 100,000. |
Access Management | Each multi-account: USD 125 per month. Incremental purchase: 1. Maximum quota: 1,000. | Each multi-account: USD 125 per month. Incremental purchase: 1. Maximum quota: 1,000. |
Log Analysis | Each 1,000 GB of storage: USD 80 per month. Incremental purchase: 1,000. Maximum quota: 500,000. | Each 1,000 GB of storage: USD 80 per month. Incremental purchase: 1,000. Maximum quota: 500,000. |
Instance pricing
Base price
| Instance type | Monthly price |
|---|---|
| Software Key Management Instance | USD 500 |
| Hardware Key Management Instance | USD 1,799 |
Default specifications
Each instance includes the following by default:
| Specification | Software Key Management Instance | Hardware Key Management Instance |
|---|---|---|
| Deployment mode | Dual-zone | Dual-zone |
| Computing performance (QPS) | 1,000 | 2,000 |
| Keys | 1,000 | 1,000 |
| Secrets | 0 | 0 |
| Access management | 1 | 1 |
| Log analysis | Disabled | Disabled |
Deployment mode notes:
Multi-zone deployments support up to three zones.
Instances in the Philippines (Manila) and Thailand (Bangkok) regions support single-zone deployment only.
For the number of zones per region, see Regions and zones.
Add-on pricing
Purchase additional resources when your workload exceeds the default specifications.
| Add-on | Software Key Management Instance | Hardware Key Management Instance |
|---|---|---|
| Deployment mode | Dual-zone: included. Multi-zone: USD 120/month. | Dual-zone: included. Multi-zone: USD 120/month. |
| Computing performance (QPS) | 1,000: included. 2,000: USD 100/month. 4,000: USD 300/month. | 2,000: included. 4,000: USD 200/month. 6,000: USD 400/month. |
| Keys | USD 9/month per 10 keys. Minimum increment: 10. Maximum: 100,000. | Not available. |
| Secrets | USD 50/month per 100 secrets. Minimum increment: 100. Maximum: 100,000. | USD 50/month per 100 secrets. Minimum increment: 100. Maximum: 100,000. |
| Access management | USD 125/month per additional account. Minimum increment: 1. Maximum: 1,000. | USD 125/month per additional account. Minimum increment: 1. Maximum: 1,000. |
| Log analysis | USD 80/month per 1,000 GB. Minimum increment: 1,000 GB. Maximum: 500,000 GB. | USD 80/month per 1,000 GB. Minimum increment: 1,000 GB. Maximum: 500,000 GB. |
For QPS data by cryptographic operation type, see Performance data.
Pricing example
The following example shows how to estimate monthly costs for a Software Key Management Instance.
Scenario: A team needs a Software Key Management Instance with multi-zone deployment, 2,000 QPS, 2,000 keys, 200 secrets, and 2 access management slots (one additional VPC). No log analysis is required.
| Item | Calculation | Monthly cost |
|---|---|---|
| Base instance | Fixed fee | USD 500 |
| Multi-zone deployment | USD 120 | USD 120 |
| Additional QPS (2,000 total) | USD 100 | USD 100 |
| Additional keys (2,000 total; 1,000 included, 1,000 extra = 100 × USD 9) | 100 increments × USD 9 | USD 900 |
| Additional secrets (200 total = 2 × USD 50) | 2 increments × USD 50 | USD 100 |
| Additional access management (1 additional slot) | 1 × USD 125 | USD 125 |
| Total | USD 1,845/month |
Quota rules
Key quota: If a key supports rotation, each version generated by rotation consumes one quota slot. For example, a key with two versions consumes two quota slots.
Secret quota: Secret rotation does not consume additional quota. A secret with multiple versions still counts as one quota slot.
Access management quota: The default quota of 1 allows only the VPC bound to the instance to access KMS resources. Each additional quota slot can be used for one more associated VPC or one additional Alibaba Cloud account. For example, to associate three VPCs and share the instance with two accounts, set the quota to 5.
Log analysis: Log analysis is built on Simple Log Service and retains access logs for up to 180 days.
Once log analysis is enabled, it cannot be disabled.
To estimate your storage needs: each request log uses approximately 1 KB. At an average of 100 QPS, one day generates roughly 8.2 GB of logs (100 × 86,400 × 1 KB). With the default 180-day retention period, total storage would be approximately 1,476 GB. When enabling log analysis, you can select up to 2,000 GB of storage.
Overdue payments
Subscription is prepaid, so overdue payments do not apply. Make sure your account has sufficient balance before purchasing new instances, renewing, or upgrading configurations.
Expiration
Check the Billing Method column on the Instances page to monitor expiration dates. Renew your instance before it expires to avoid service disruption.
KMS sends renewal reminders via SMS and email 7 days, 3 days, and 1 day before expiration.
| Stage | What happens |
|---|---|
| Before expiration | Reminder notifications sent 7, 3, and 1 day before expiration. |
| Within 15 days after expiration | Keys and secrets are retained. Renew within this period to resume usage. The instance is suspended if not renewed by day 15. |
| Within 15 days after suspension | The instance is unavailable, but keys and secrets are still retained. Renew to reactivate. |
| 16th day after suspension | The instance is released. All keys and secrets are permanently deleted and irrecoverable. |
If your keys and secrets are deleted, any data encrypted with them becomes permanently inaccessible — even if you have backups of the data itself. Back up your keys and secrets before expiration, and verify that your backups are current. For instructions, see Backup management.
Refunds
Partial refunds are available for instances in the Enabled or Disabled state.
Before canceling a KMS instance, familiarize yourself with the unsubscription rules, precautions, and cases. For more information, see Rules for unsubscribing from resources (International site).
To unsubscribe from a KMS instance, use the Expenses and Costs console. For details on the unsubscription process, see Methods for unsubscribing resources. For information on the refund process after unsubscription, see Refund flow.
Before unsubscribing, review the unsubscription rules and precautions. See Rules for unsubscribing from resources (International site).
To unsubscribe, use the Expenses and Costs console. For the unsubscription process, see Methods for unsubscribing resources. For refund processing details, see Refund flow.
View billing and usage details
To review or export billing and usage details, go to the Expenses and Costs console. See Billing details and Usage records.For more information, see Billing details and Usage records.
Renew an instance
To renew via the Expenses and Costs console, see the Renewal guide.
To renew in the KMS console:
Log on to the KMS console. In the top navigation bar, select a region. In the left navigation pane, choose Resource > Instances.
On the Software Key Management or Hardware Key Management tab, find the instance to renew and click Actions in the Renew column.
On the KMS (International) | Renew page, set the Duration, agree to the Terms of Service, and click Buy Now.