If you are using the Alibaba Cloud shared version of KMS (also called KMS 1.0), for higher service quality and stability, we recommend that you migrate resources to a same-region KMS software or hardware key management instance (also called KMS 3.0). KMS 3.0 and 1.0 differ in various aspects, such as features and billing methods. This topic helps you perform the pre-migration assessment, after which you can proceed with the migration based on your business needs.
Why migrate from KMS 1.0 to 3.0?
To provide higher service quality and stability, KMS 1.0 is planned to enter the End of Full Support (EoFS) phase at 00:00:00 on March 30, 2025 (UTC+8), transitioning to the End of Service (EoS) phase at 00:00:00 on September 30, 2025 (UTC+8). The main benefits of migrating to a KMS 3.0 instance include the following:
Business impact and cost assessment
Business impact
Migration impacts the following aspects of the business:
Terraform configurations: If your KMS 1.0 is Terraform-managed, after migration, Terraform configuration changes are required due to the instance ID attribute added. This change can prevent resource release when you perform management operations.
Management operations: To prevent migration failures due to data consistency issues, operations related to management, such as creating, modifying, or deleting resources, cannot be performed on keys, secrets, or KMS instances during the migration process. We recommend performing the migration during off-peak hours.
The migration has no impact on the following aspects of the business:
Service availability: The migration process maintains management and data separation, ensuring business operations continue uninterrupted. During migration, you can get the secret value, cloud product encryption, and application encryption as normal.
SDK integration: Self-built applications can seamlessly continue using the original SDK without code or application changes. SDK modifications are not required when using other product SDKs, such as Function Compute (FC), for business encryption and decryption, ensuring a smooth migration process.
Access control policies: No reconfiguration is needed and existing policies can continue to be used.
Performance: Before migration, if you use public network access key secrets before migration, you can continue using the original SDK after migration with no performance change. To enhance performance, switch from public network access to VPC network access, with performance depending on the instance type.
Cost assessment
KMS 1.0 and 3.0 instances use different billing methods. Before migration, familiarize yourself with the costs associated with KMS instances. For more information, see Subscription and Pay-as-you-go.
Key migration considerations
KMS 1.0 keys include service keys and customer master keys (CMKs).
Service keys
Service keys do not require migration and continue to function as usual. They can be accessed directly in the new KMS console and are automatically created by cloud products for server-side encryption. Service keys have a standard alias format: alias/acs/<cloud product>.
CMKs
CMKs must be migrated. The support for migration of CMK varies depending on the key protection level.
The key protection level is software.
The following table lists the specifications of keys supported for migration along with their compatibility with software and hardware key management instances. (√ indicates it is supported, and × indicates it is not.)
Specifications of keys to be migrated
Software key management instance
Hardware key management instance
Aliyun_AES_256 (single version)
√
√
Aliyun_AES_256 (multi-version)
√
×
RSA_2048 (single version)
√
×
EC_P256 (single version)
√
×
EC_P256K (single version)
√
×
When you migrate a CMK whose key protection level is software, consider the following:
The metadata and key material of the CMK, such as key ID, key status, deletion protection, alias and tags, are migrated along with it. This data remains unchanged after migration.
If the key is Bring Your Own Key (BYOK), the materials are directly migrated without needing manual uploading.
If the key is multi-version, all versions can be migrated.
If automatic rotation is enabled for a key, disable it before migration to maintain version consistency. For more information, see Automatic key rotation.
The key protection level is hardware (for regions in Chinese mainland only).
The following table lists the specifications of the keys, along with their compatibility with software and hardware key management instances. (√ indicates it is supported, and × indicates it is not.)
ImportantIf you want to migrate keys that are not supported for migration, contact us.
Specifications of keys to be migrated
Software key management instance
Hardware key management instance
Aliyun_AES_256 (single version)
√
√
Aliyun_AES_256 (multi-version)
√
×
Aliyun_AES_256 (BYOK)
×
×
Aliyun_AES_SM4 (single version)
×
√
Aliyun_AES_SM4 (multi-version)
×
×
Aliyun_AES_SM4 (BYOK)
×
×
RSA_2048 (single version)
√
√
EC_P256 (single version)
√
√
EC_P256K (single version)
√
√
RSA_3072 (single version)
√
√
EC_SM2 (single version)
×
√
When you migrate a CMK whose key protection level is hardware, consider the following:
The metadata and key material of the CMK, such as key ID, key status, deletion protection, alias and tags, are migrated along with it. This data remains unchanged after migration.
If the key is multi-version, all versions can be migrated.
If automatic rotation is enabled for a key, disable it before migration to maintain version consistency. For more information, see Automatic key rotation.
Secret migration considerations
All types of secrets are supported for migration.
In KMS 3.0, secrets are unique to the Alibaba Cloud account and KMS instance within a single region. If there are multiple secrets with the same name in KMS 1.0, or if the target KMS 3.0 instance already has secrets with the same name, migration is not supported.
When you migrate a secret, consider the following:
The metadata of the secret, such as secret name, secret status and tags, are migrated along with it. This data remains unchanged after migration.
If the secret is multi-version, all versions can be migrated.
If the secret is encrypted by a CMK, you must first migrate the CMK. If the secret is encrypted by a system-managed CMK, you can migrate the secret directly. After migration, the backup and cross-region synchronization function for the secret are not supported. For more information, see Disaster recovery.
If the secret has automatic rotation enabled, disable it to ensure version consistency before migration.
Quickly check resources to migrate
This method only displays the keys that support migration. For ones that do not, you can view the remaining keys in the old KMS console after the migration, and then contact Alibaba Cloud Technical Support.
Log on to the old KMS console and click Migration Tool in the left-side directory.
Check if there are resources that need migration.
If the Migrate in the Actions column is enabled, this indicates that there are resources available for migration in the corresponding region. You can click on the numbers in the Keys Not Migrated and Secrets Not Migrated columns to check the details. The data is displayed by region, so review all regions to ensure that you see all resources that you may want to migrate.
Which type of KMS 3.0 instance should I use?
After migration, keys and secrets are stored in the KMS instance, with keys being unique to the region and secrets unique to both the Alibaba Cloud account and the KMS instance within that region. KMS supports the following types of instances:
Software Key Management: Offers key and secret management services, securely storing keys and secrets. It provides high scalability and security, with the master key generated and stored by software.
Hardware Key Management: Connects to a Hardware Security Module (HSM) cluster within Alibaba Cloud HSM, offering key services and secret management with enhanced security and compliance. Before enabling a hardware key management instance, an HSM must be purchased and an HSM cluster must be configured in Alibaba Cloud HSM.
Consider the following factors when selecting a KMS 3.0 instance:
Business requirements: Different KMS 3.0 instances support different software-protected keys. Select the KMS instance that supports the keys to be migrated.
Performance: Consider the queries per second (QPS) of encryption and decryption operations in your business. For high-traffic platforms like e-commerce sites that process many transactions each day, including encryption of payment details and order data, a KMS instance with higher QPS will meet your requirement to avoid transaction delays or failures. Check the supported QPS by each type of KMS 3.0 instance on the buy page.
Security compliance: If your business must comply with national cryptographic regulations and FIPS certification, select hardware key management instance.
Budget for costs: For both types of KMS 3.0 instances you can use either subscription or pay-as-you-go billing. If you use secrets and keys on demand, or are limited to cloud product encryption, we recommend selecting the pay-as-you-go option. For more information on billing methods, see Billing.
In most cases, a software key management instance with 1,000 QPS is sufficient for the majority of users. We recommend starting with this capacity. You can monitor the instance's performance and QPS metrics in the console, both before and after migration. KMS supports on-demand scaling, allowing you to adjust the throughput as needed.