A dedicated Key Management Service (KMS) instance provides an isolated environment for cryptographic operations. Depending on the instance type, dedicated KMS instances can be backed by hardware security modules (HSMs). Unlike the shared KMS gateway, a dedicated instance gives your applications exclusive access to encryption resources within a specific region.
Prerequisites
Before you begin, make sure that you meet the following requirements:
- You have an Alibaba Cloud account with a valid payment method.
- Your account has the required Resource Access Management (RAM) permissions to purchase KMS resources. For more information about RAM, see RAM authorization.
Procedure
- Log on to the KMS console.
- In the left-side navigation pane, click Dedicated KMS. On the Dedicated KMS page, click Purchase Dedicated KMS.
- On the Dedicated KMS buy page, configure the following parameters.
Important
If you do not specify the number of secrets when you purchase a dedicated KMS instance, you cannot increase the number of secrets for the dedicated KMS instance. To use the Secrets Manager feature, you must specify the number of secrets when you purchase a dedicated KMS instance.

| Parameter | Description |
| --- | --- |
| Site | The site on which you want to deploy the dedicated KMS instance. Valid values: Regions Outside Chinese Mainland and Regions in Chinese Mainland. |
| Region | The region where you want to purchase a dedicated KMS instance. |
| Instance Type | The type of the dedicated KMS instance. If you select Regions Outside Chinese Mainland for Site, the valid values are Software Key Management, Hardware Key Management, and Value-added Plan. If you select Regions in Chinese Mainland for Site, the valid values also include External Key Management. |
| Quantity | The number of dedicated KMS instances that you want to purchase. You can purchase up to 20 instances at a time. In most cases, you need to purchase only one instance. To purchase more than one instance, submit a ticket. |
| Number of Secrets | The number of secrets that can be managed by the KMS instance. Valid values: 0 to 100,000. Default value: 100. |
| Access Management Quantity | The access management quota, which includes the number of accounts to which the KMS instance is shared and the number of VPCs that are associated with the KMS instance. |
| Duration | The subscription duration of the dedicated KMS instance. You can select Auto-renewal so the instance is automatically renewed before it expires. |

- Confirm the total configuration cost and click Buy Now.
Result
After payment, the instance appears on the Dedicated KMS page with a Status of Disabled. Before you can use the instance, you must enable it.
Next steps
- Billing of Dedicated KMS: Review pricing and billing rules.
- Getting started with a dedicated KMS instance of the Standard edition: Enable the instance and connect your applications.