The shared Key Management Service (KMS) — also known as KMS 1.0 — is being retired. This page explains the timeline, what stops working at each phase, and what you need to do before the deadlines.
Are you affected?
Your next steps depend on how your applications use KMS.
| If you use... | Impact | Action |
|---|---|---|
| Service keys for cloud product encryption | Not affected by the retirement | No migration needed. Your keys continue to work in KMS 3.0 automatically. |
| Customer managed keys (CMKs) for cloud product or custom application encryption | Affected | Migrate to a KMS instance (KMS 3.0) before September 30, 2025. |
| Certificates managed in shared KMS | Affected — certificates cannot be migrated | After EOS, KMS will no longer manage certificates. Plan accordingly. |
Key dates
March 30, 2025, 00:00:00 (GMT+8) — End of Full Support (EOFS)
The shared KMS remains operational, but the following support stops:
New resource purchases, renewals, upgrades, and downgrades
Feature updates and bug fixes
After-sales support
September 30, 2025 (GMT+8) — End of Service (EOS)
All shared KMS resources are released. The console closes and all features become unavailable.
Keys and secrets can be migrated to a KMS instance before EOS. Certificates cannot be migrated — KMS instances do not support certificate management. After EOS, KMS ceases to manage certificates entirely.
Migrate your resources
If you use CMKs, complete the following steps before September 30, 2025.
Step 1: Review the billing differences
The billing model for KMS instances differs from the shared KMS. Check the KMS billing details before migrating to understand cost implications.
Step 2: Migrate keys and secrets to a KMS instance
Follow the Migrate resources from KMS 1.0 to a KMS 3.0 instance guide to move your keys and secrets to a dedicated KMS instance.
Get help
If you have questions or need assistance with migration, contact Alibaba Cloud technical support.