This topic answers some frequently asked questions (FAQs) about migrating secrets from Key Management Service (KMS) 1.0 to 3.0.
Which secrets support migration?
All types of secrets are supported for migration. Before migration, take note of the following:
In KMS 3.0, secrets are unique to the Alibaba Cloud account and KMS instance within a single region. If there are multiple secrets with the same name in KMS 1.0, or if the target KMS 3.0 instance already has secrets with the same name, migration is not supported.
If the secret is encrypted by a customer master key (CMK), you must first migrate the CMK. If the secret is encrypted by a system-managed CMK, you can migrate the secret directly.
Do I need to migrate the encryption key when migrating secrets?
Yes. You must migrate the encryption key before migrating the secrets; otherwise the secret migration fails.
Do secrets with automatic rotation support migration?
Yes, but you need to disable automatic rotation before migration to ensure version consistency.
Does the secret name or other data change after migration?
No, the secret name and other data remain unchanged. KMS migrates the secret's metadata (such as the secret name, status, and tags) together with all of its versions, and none of this data changes after migration.
Can I operate secrets during the migration process?
No, management operations cannot be performed on secrets during migration, although retrieving secret values continues to work. The migration process keeps management operations and data access separate, so business operations continue uninterrupted: during migration, you can get the secret value as normal. However, to prevent migration failures caused by data consistency issues, management operations such as creating, modifying, or deleting resources cannot be performed on secrets while the migration is in progress. Therefore, we recommend performing the migration during off-peak hours.
Is cross-region secret migration supported?
No, cross-region migration is not supported. You can first migrate the secrets to a KMS 3.0 instance within the same region and then use the backup feature to transfer them to a KMS 3.0 instance in a different region. For more information, see Disaster recovery.
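The migration constraints from this FAQ (unique secret names, the customer CMK migrated first, automatic rotation disabled, source and target in the same region) applied as a pre-flight check over a secret inventory. This is an added example, not Alibaba Cloud's own tooling; the Secret record, the rule messages and the sample inventory are assumptions, and a real check would populate the inventory from the KMS API instead of hard-coding it.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


# Minimal description of a KMS 1.0 secret for this illustration; the real
# secret metadata returned by KMS carries more fields than this.
@dataclass(frozen=True)
class Secret:
    name: str
    region: str
    cmk_id: Optional[str]      # None = encrypted by a system-managed CMK
    rotation_enabled: bool


def preflight_check(source: List[Secret], target_names: Set[str],
                    target_region: str, migrated_cmks: Set[str]) -> List[Tuple[str, List[str]]]:
    """Apply the FAQ's migration rules to each secret and return
    (name, blocking issues) pairs for every secret that cannot migrate as-is."""
    # Rule: names must be unique among the KMS 1.0 secrets being migrated
    # and must not collide with secrets already in the target KMS 3.0 instance.
    counts = Counter(s.name for s in source)
    report = []
    for s in source:
        problems = []
        if counts[s.name] > 1:
            problems.append("duplicate name in KMS 1.0")
        if s.name in target_names:
            problems.append("name already exists in target KMS 3.0 instance")
        # Rule: a customer CMK must be migrated before the secrets it encrypts.
        if s.cmk_id is not None and s.cmk_id not in migrated_cmks:
            problems.append("CMK %s not migrated yet" % s.cmk_id)
        # Rule: automatic rotation must be off so versions stay consistent.
        if s.rotation_enabled:
            problems.append("disable automatic rotation first")
        # Rule: migrate within one region; move across regions via backup afterwards.
        if s.region != target_region:
            problems.append("cross-region migration not supported")
        if problems:
            report.append((s.name, problems))
    return report


def demo() -> List[Tuple[str, List[str]]]:
    # Constructed sample inventory; names and key IDs are placeholders.
    source = [
        Secret("db-password", "cn-hangzhou", "key-aaaa", False),   # migratable
        Secret("api-token", "cn-hangzhou", None, False),           # duplicate name
        Secret("api-token", "cn-hangzhou", None, False),
        Secret("ssh-key", "cn-hangzhou", "key-bbbb", False),       # CMK not migrated
        Secret("rds-cred", "cn-hangzhou", "key-aaaa", True),       # rotation still on
        Secret("app-config", "cn-hangzhou", None, False),          # exists in target
        Secret("legacy", "cn-beijing", None, False),               # wrong region
    ]
    return preflight_check(source, {"app-config"}, "cn-hangzhou", {"key-aaaa"})


if __name__ == "__main__":
    for name, problems in demo():
        print(name, "->", "; ".join(problems))
```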