Use the Key Management Service (KMS) console to create a customer master key (CMK) for encrypting data or generating digital signatures.
Prerequisites
Before you begin, ensure that you have:
A KMS instance. The instance type determines which key specs are available.
The permissions required to create CMKs in KMS
Key spec and purpose compatibility
Key Spec and Purpose are linked — not every key spec supports every purpose. Review this table before creating the CMK.
| Key spec | Type | Supported purpose | Notes |
|---|---|---|---|
| Aliyun_AES_256 | Symmetric | Encrypt/Decrypt | Supports automatic rotation and external key material |
| Aliyun_SM4 | Symmetric | Encrypt/Decrypt | Chinese mainland regions with managed HSMs only; supports automatic rotation and external key material |
| RSA_2048 | Asymmetric | Encrypt/Decrypt or Sign/Verify | — |
| RSA_3072 | Asymmetric | Encrypt/Decrypt or Sign/Verify | Dedicated KMS instance only |
| EC_P256 | Asymmetric | Sign/Verify | — |
| EC_P256K | Asymmetric | Sign/Verify | — |
| EC_SM2 | Asymmetric | Sign/Verify | Chinese mainland regions with managed HSMs only |
Create a CMK
Log on to the KMS console.
In the top navigation bar, select the region where you want to create the CMK.
In the left-side navigation pane, choose Resource > Keys.
Click Create Key.
In the Create Key dialog box, configure the following parameters:
| Parameter | Description |
|---|---|
| KMS Instance | The KMS instance to associate with this CMK. |
| Key Spec | The cryptographic algorithm for the CMK. See the compatibility table above. |
| Purpose | The operations this CMK supports. Encrypt/Decrypt for data encryption; Sign/Verify for digital signatures. |
| Alias Name | (Optional) A human-readable label to identify the CMK. For alias format requirements, see Overview. |
| Protection Level | How the CMK is protected. Software uses a software module; Hsm stores the CMK in a Hardware Security Module (HSM). |
| Description | (Optional) A description of the CMK. |
| Rotation Period | For symmetric keys (Aliyun_AES_256 or Aliyun_SM4) only: the interval for automatic key rotation. Options: 30, 90, 180, or 365 days; a custom interval between 7 and 730 days; or Disable to turn off automatic rotation. |

For symmetric keys, click Advanced to configure Key Material Source:
Alibaba Cloud KMS: KMS generates the key material automatically.
External: Import key material from an external source. If you select this option, also select I understand the implications of using the external key materials key. For import instructions, see Import key material.
The Advanced option is available only when Key Spec is set to Aliyun_AES_256 or Aliyun_SM4.
Click OK.
The CMK is created. The key list now shows the new CMK's ID, status, and protection level.
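A pre-flight check of a planned key configuration against the compatibility table and the parameter limits on this page. This is an added example, not Alibaba Cloud code: the function and variable names are hypothetical, the sample requests are constructed, and no KMS API is called.

```python
# Added example: validates a planned CMK configuration against the rules
# stated on this page. All names here are hypothetical; no KMS API is called.

# key spec -> (type, supported purposes, environment prerequisite or None)
KEY_SPECS = {
    "Aliyun_AES_256": ("Symmetric", {"Encrypt/Decrypt"}, None),
    "Aliyun_SM4": ("Symmetric", {"Encrypt/Decrypt"},
                   "Chinese mainland regions with managed HSMs only"),
    "RSA_2048": ("Asymmetric", {"Encrypt/Decrypt", "Sign/Verify"}, None),
    "RSA_3072": ("Asymmetric", {"Encrypt/Decrypt", "Sign/Verify"},
                 "Dedicated KMS instance only"),
    "EC_P256": ("Asymmetric", {"Sign/Verify"}, None),
    "EC_P256K": ("Asymmetric", {"Sign/Verify"}, None),
    "EC_SM2": ("Asymmetric", {"Sign/Verify"},
               "Chinese mainland regions with managed HSMs only"),
}

def check_key_request(spec, purpose, rotation_days=None, source="Alibaba Cloud KMS"):
    """Return (errors, prerequisites) for a planned Create Key dialog entry.

    rotation_days=None means Rotation Period is set to Disable.
    """
    if spec not in KEY_SPECS:
        return [f"unknown key spec: {spec}"], []
    key_type, purposes, prereq = KEY_SPECS[spec]
    errors = []
    if purpose not in purposes:
        errors.append(f"{spec} does not support {purpose}; "
                      f"allowed: {', '.join(sorted(purposes))}")
    symmetric = key_type == "Symmetric"
    if rotation_days is not None:
        if not symmetric:
            errors.append("Rotation Period applies to symmetric keys only")
        elif not 7 <= rotation_days <= 730:
            errors.append("Rotation Period must be between 7 and 730 days")
    if source not in ("Alibaba Cloud KMS", "External"):
        errors.append(f"unknown Key Material Source: {source}")
    elif source == "External" and not symmetric:
        errors.append("External key material is set under Advanced, "
                      "which is available for symmetric key specs only")
    return errors, ([prereq] if prereq else [])

if __name__ == "__main__":
    # Constructed sample requests
    for req in [("Aliyun_AES_256", "Encrypt/Decrypt", 90),
                ("EC_P256", "Encrypt/Decrypt", 30, "External"),
                ("RSA_3072", "Sign/Verify")]:
        print(req, "->", check_key_request(*req))
```

The returned prerequisites are the table's Notes entries; whether the target region and KMS instance meet them still has to be confirmed separately.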
What's next
Import key material — if you selected External as the key material source
Overview — learn more about aliases and how to manage CMKs