Key Management Service (KMS) supports backup management for keys and secrets. Backups let you quickly restore data after accidental deletion or in a disaster recovery scenario, so that keys and secrets are not lost. This topic describes how to back up and restore data.
If you do not back up keys and secrets, or the backup expires, these resources become irrecoverable once the keys and secrets are deleted. Regular backups are essential for business continuity.
Supported instance types
Only software key management instances support backup. If you cannot use the backup feature, upgrade the image version of your instance first. For more information, see Upgrade the image version of a KMS instance.
Hardware key management instances do not support backup, but part of the data of a hardware-protected key can be backed up through the HSM backup feature. A hardware-protected key consists of key material (the encryption key itself) and key metadata.
Key material is the key that the hardware-protected key maps to in the HSM. You can back up key material by using the HSM backup feature. For more information, see Data backup and restoration.
Key metadata is the business data that KMS stores about the key, such as the key ID, the KMS instance to which the key belongs, the ARN, and the key policy. Key metadata cannot be backed up.
Scenarios
You want to restore a KMS instance of the software key management type after the instance is released.
You want to restore a key or a secret that is deleted.
Your services are distributed across multiple regions. You want to copy a key or a secret to other regions for disaster recovery or for low-latency access from the nearest region.
Function introduction
Each KMS backup can back up data from one software key management instance. KMS supports two backup methods: automatic backup and manual backup.
Automatic backup: For software key management instances created after 00:00 on April 26, 2024, KMS automatically creates a backup of the instance data after the instance is enabled. For more information, see [Notice] KMS software key management instances support free automatic backup.
Note: We recommend that you use this backup first. If it does not meet your business requirements, you can purchase a backup through the manual backup method.
Manual backup: This includes the default backup (KMS provides one free default backup in each region) and purchased backups. You must enable the backup before KMS starts backing up data.
| Comparison item | Description | Automatic backup | Manual backup: default backup | Manual backup: purchased backup |
|---|---|---|---|---|
| Cost | Whether additional fees are required. | Free. | Free. | Paid. The cost depends on the subscription duration and the queryable range you set. |
| Backup deletion time | The default time when backup data is deleted. | The lifecycle of the backup data follows the KMS instance it backs up. Backup data is deleted 90 days after the KMS instance is released. Manual deletion of backup data is not supported. | Valid for a long time, but you can manually delete backup data through the reset operation. | The lifecycle of the backup data follows the subscription duration of the backup. The backup is released 15 days after it expires, and the backup data is deleted. You can also manually delete backup data through the reset operation. Important: After a backup expires, no operations are supported. However, before the backup is released, you can reactivate and use it by renewing it. The fee for reactivation is the same as purchasing a new backup with the same specifications. |
| Queryable range | The period of time during which you can query backup data. Unit: days. For example, if the queryable range of a purchased backup is set to 50 days and data has been backed up for 80 days since the backup was enabled, you can only view backup data from the last 50 days. To view the earlier 30 days, you must extend the queryable range. Note: We recommend that you configure the queryable range based on your key rotation and business disaster recovery requirements. | 90 days. You cannot extend the queryable range. | 7 days. You cannot extend the queryable range. | You can select 7 to 600 days when you purchase a backup. You can extend the queryable range after purchase, but you cannot reduce it. |
| Backup time | The point in time at which data is backed up each day. | The first time a backup is enabled, a full backup is performed. Subsequent full backups are performed daily at 00:00. After each full backup, incremental backups are performed every 5 minutes. | Same as automatic backup. | Same as automatic backup. |
You can quickly identify the type of backup on the Backups page. System Created indicates automatic backup, Default indicates default backup, and Paid indicates purchased backup.
Back up data
Automatic backup
After you enable a software key management instance, KMS automatically backs up the data of the instance. For information about how to enable an instance, see Purchase and enable a KMS instance.
After the instance is successfully enabled, KMS automatically generates a backup. You can view it on the Backups page. The Backup Type is System Created and the Backup Object is your software key management instance, which is the backup created by KMS.
Manual backup
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
(Optional) Purchase a backup.
Note: If you use the default backup, skip this step.
On the Backups page, click Create Backup. Configure the parameters based on your business needs, and then click Buy Now.
| Parameter | Description |
|---|---|
| Key Management Type | Select Key Value-added Service. |
| Key Value-added Service | Select Instance Backup. |
| Region | The region of the software key management instance that you want to back up. |
| Queryable Range | The period of time during which you can query backup data. |
| Quantity | The number of backups. Note: Each backup can back up data from one software key management instance. |
| Subscription Duration | The subscription duration of the backup. |
On the Confirm Order page, read and select Service Agreement, and then click Pay to complete the purchase.
Enable the backup.
On the Backups page, find the target backup and click Enable in the Actions column.
In the Enable Backup dialog box, complete the configuration and click OK.
| Parameter | Description |
|---|---|
| Instance Type | The default value is Software Key Management. This parameter cannot be modified. |
| Source Instance | The software key management instance that you want to back up. |
| Data Type | The default values are Key and Secret. This parameter cannot be modified. |
| Backup Alias | The custom alias of the backup. |
The first time you enable a backup instance, a full backup is performed. Subsequent full backups are performed on a daily basis at 00:00. After each full backup, incremental backups are performed every 5 minutes.
(Optional) View backup data.
Find the target backup and click View Data in the Actions column. Select a date to view the backup data for that day.
| Backup data type | Description |
|---|---|
| Fully Backed up Keys | The keys that were fully backed up at 00:00 on the selected date. |
| Incrementally Backed up Keys | The keys that were created on the selected date. |
| Rotated Keys | The keys that were rotated on the selected date. |
| Fully Backed up Secrets | The secrets that were fully backed up at 00:00 on the selected date. |
| Incrementally Backed up Secrets | The secrets that were created on the selected date. |
| Rotated Secrets | The secrets that were rotated on the selected date. |
Restore data
When you restore data, the destination instance must meet the following requirements:
The destination instance has sufficient key quota or secret quota.
The key or secret that you want to restore does not already exist in the region where the destination instance resides. Otherwise, the restoration fails. If you still want to restore the key or secret, delete the existing one first.
If you want to restore a secret, the key that encrypts the secret must exist in the destination instance. Restore that key first if it is missing.
Depending on how many Alibaba Cloud accounts use the KMS instance, keys and secrets can be restored to different destination instances.
Single-account scenario: Keys and secrets can be restored to any software key management instance under the current Alibaba Cloud account.
Multi-account sharing scenario: Only the resource owner can perform backup and restoration operations. For example, if Alibaba Cloud account A shares KMS instance M with Alibaba Cloud account B:
Resources created by the resource owner in the KMS instance can be restored to any software key management instance of the resource owner. That is, keys or secrets created by A in instance M can be restored to any software key management instance of A.
Resources created by the principal in the shared KMS instance can only be restored to that shared KMS instance, and both the resource owner and the principal can use them normally after restoration. That is, keys and secrets created by B in instance M can only be restored to instance M, and both A and B can use them after restoration.
Note: If the sharing relationship has been terminated, keys and secrets created by the principal cannot be restored.
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
Find the target backup and click View Data in the Actions column. Select the date of the data you want to restore.
Important: For a purchased backup, if the date of the data you want to restore is outside the queryable range, you can extend the queryable range of the backup and then restore the data. Extending the queryable range cannot, however, reach data from before the backup was enabled, because no data was backed up before that point.
For example, if you enabled a backup on May 1, 2024 with a queryable range of 10 days, and on May 20, 2024 you want to restore data from May 5, 2024, extend the queryable range to 16 days so that May 5 falls within the range counted back from May 20.
Restore data.
Data type: Key
Click the tab where the key is located (for example, Fully Backed up Keys). Find the target key and click Restore Data in the Actions column.
In the Restore Data dialog box, select the region and instance to which you want to restore the data, and then click OK.
Data type: Secret
Restore the key that is used to encrypt the secret. Note: The key that encrypts the secret must exist in the destination instance. If it already exists there, skip this step.
Click the tab where the key is located (for example, Fully Backed up Keys). Find the target key and click Restore Data in the Actions column.
In the Restore Data dialog box, select the region and instance to which you want to restore the data, and then click OK.
Restore the secret.
Click the tab where the secret is located (for example, Fully Backed up Secrets). Find the target secret and click Restore Data in the Actions column.
In the Restore Data dialog box, select the region and instance to which you want to restore the data, and then click OK.
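The destination requirements and multi-account rules above, together with the key-before-secret ordering that the Secret procedure implies, can be checked before anyone clicks Restore Data. The following Python is an added example and not Alibaba Cloud code: it models the rules stated on this page as a pre-flight planner over constructed sample data. The class and function names (BackupKey, BackupSecret, Instance, plan_restore), the sample instance IDs, key IDs and secret names are invented for illustration, and "already exists in the region" is approximated by a per-instance set of IDs.

```python
"""Pre-flight check for restoring KMS backup data into a destination instance.

Added example; models the rules stated on this page, not an Alibaba Cloud API.
All names and sample data are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BackupKey:
    key_id: str
    created_by: str            # account that created the key in the source instance


@dataclass(frozen=True)
class BackupSecret:
    name: str
    encryption_key_id: str     # key that encrypts the secret; must exist in the destination
    created_by: str


@dataclass
class Instance:
    instance_id: str
    owner: str                 # resource owner (the account that holds the instance)
    region: str
    shared_with: frozenset = frozenset()       # principals the instance is currently shared with
    free_key_quota: int = 0
    free_secret_quota: int = 0
    region_keys: set = field(default_factory=set)      # key IDs already present in the region
    region_secrets: set = field(default_factory=set)   # secret names already present in the region


def plan_restore(keys, secrets, source, dest, actor):
    """Return (actions, errors).

    actions: ordered ("key"|"secret", id) tuples, keys first so that each secret's
             encryption key is present before the secret itself is restored.
    errors:  one message per resource that cannot be restored as requested.
    """
    actions, errors = [], []
    if actor != source.owner:
        return actions, [f"{actor} is not the owner of {source.instance_id}; only the owner can restore"]

    def destination_allowed(created_by):
        if created_by == source.owner:
            # Owner's resources: any software key management instance of the owner.
            return dest.owner == source.owner
        # Principal's resources: only back into the shared instance, and only while still shared.
        return dest.instance_id == source.instance_id and created_by in source.shared_with

    key_quota, secret_quota = dest.free_key_quota, dest.free_secret_quota
    keys_present = set(dest.region_keys)        # grows as keys are scheduled for restore
    secrets_present = set(dest.region_secrets)

    for k in keys:
        if not destination_allowed(k.created_by):
            errors.append(f"key {k.key_id}: created by {k.created_by}, cannot be restored to {dest.instance_id}")
        elif k.key_id in keys_present:
            errors.append(f"key {k.key_id}: already exists in region {dest.region}; delete it first")
        elif key_quota == 0:
            errors.append(f"key {k.key_id}: destination key quota exhausted")
        else:
            key_quota -= 1
            keys_present.add(k.key_id)
            actions.append(("key", k.key_id))

    for s in secrets:
        if not destination_allowed(s.created_by):
            errors.append(f"secret {s.name}: created by {s.created_by}, cannot be restored to {dest.instance_id}")
        elif s.name in secrets_present:
            errors.append(f"secret {s.name}: already exists in region {dest.region}; delete it first")
        elif s.encryption_key_id not in keys_present:
            errors.append(f"secret {s.name}: key {s.encryption_key_id} is not in {dest.instance_id}; restore it first")
        elif secret_quota == 0:
            errors.append(f"secret {s.name}: destination secret quota exhausted")
        else:
            secret_quota -= 1
            secrets_present.add(s.name)
            actions.append(("secret", s.name))
    return actions, errors


# Constructed sample: account A owns instance M (shared with B) and instance N in another region.
M = Instance("kst-M", owner="A", region="cn-hangzhou", shared_with=frozenset({"B"}),
             free_key_quota=10, free_secret_quota=10, region_keys={"key-a1"})
N = Instance("kst-N", owner="A", region="cn-shanghai", free_key_quota=1, free_secret_quota=10)
KEYS = [BackupKey("key-a1", "A"), BackupKey("key-a2", "A"), BackupKey("key-b1", "B")]
SECRETS = [BackupSecret("db-pass", "key-a1", "A"), BackupSecret("api-token", "key-b1", "B")]

if __name__ == "__main__":
    for dest in (M, N):
        acts, errs = plan_restore(KEYS, SECRETS, M, dest, actor="A")
        print(dest.instance_id, acts, errs, sep="\n  ")
```

Restoring into N (owned by A, quota for one key) schedules only key-a1 and the secret it encrypts; key-a2 is rejected for quota, and B's key and secret are rejected because they may only return to M. Restoring into M rejects key-a1 as already present but still lets db-pass through, because its encryption key exists in the destination.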
More operations
Extend the queryable range
Only purchased backups support extending the queryable range, and only upgrades are supported, not downgrades.
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
Find the target backup and click View Data in the Actions column.
On the backup details page, click Extend Queryable Range, select the extended queryable range, click Buy Now, and complete the payment.
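The queryable-range rule used in the Restore data section (a backup enabled on May 1, 2024 with a 10-day range; on May 20 you need 16 days to reach May 5, and no extension reaches data from before May 1) reduces to a few lines of date arithmetic. The following Python is an added example, not Alibaba Cloud code. The day-counting convention (the window is the last N calendar days with today included) is inferred from that example and is an assumption, as are the function names.

```python
"""Queryable-range arithmetic for a purchased KMS backup.

Added example, not Alibaba Cloud code. The day-counting convention (the window is the
last N calendar days, today included) is inferred from this page's May 2024 example.
"""
from datetime import date, timedelta


def _as_date(value) -> date:
    """Accept either a date or an ISO 8601 string such as "2024-05-20"."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def viewable_window(enabled_on, queryable_days: int, today) -> tuple:
    """Inclusive (start, end) range of backup dates that can be viewed or restored today.

    The window covers the last `queryable_days` days ending today, but never reaches
    before `enabled_on`: no data was backed up before the backup was enabled.
    """
    enabled_on, today = _as_date(enabled_on), _as_date(today)
    if queryable_days < 1:
        raise ValueError("queryable range must be at least 1 day")
    start = max(today - timedelta(days=queryable_days - 1), enabled_on)
    return start, today


def required_queryable_days(enabled_on, target, today) -> int:
    """Smallest queryable range (in days) that makes `target` viewable today.

    Raises ValueError for dates that no extension can reach: before the backup was
    enabled, or in the future.
    """
    enabled_on, target, today = _as_date(enabled_on), _as_date(target), _as_date(today)
    if target < enabled_on:
        raise ValueError(f"{target} predates the backup (enabled {enabled_on}); no data exists")
    if target > today:
        raise ValueError(f"{target} is in the future")
    return (today - target).days + 1


def extension_needed(enabled_on, current_days: int, target, today) -> int:
    """Extra days to add to the current queryable range to reach `target`; 0 if already viewable."""
    return max(0, required_queryable_days(enabled_on, target, today) - current_days)


if __name__ == "__main__":
    # The page's example: enabled 2024-05-01 with a 10-day range; on 2024-05-20 restore 2024-05-05.
    print(viewable_window("2024-05-01", 10, "2024-05-20"))           # 2024-05-11 to 2024-05-20
    print(required_queryable_days("2024-05-01", "2024-05-05", "2024-05-20"))  # 16
    print(extension_needed("2024-05-01", 10, "2024-05-05", "2024-05-20"))     # 6
    try:
        required_queryable_days("2024-05-01", "2024-04-30", "2024-05-20")
    except ValueError as exc:
        print("unreachable:", exc)
```

The same arithmetic explains why extension is only meaningful for purchased backups: the automatic backup's 90 days and the default backup's 7 days are fixed, so `extension_needed` for those types is a check that can only pass or fail, never be bought.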
Reset a backup
Only default backups and purchased backups support reset. You can delete backed up data and unbind the backup from the software key management instance by resetting the backup.
Resetting will delete all data that has been backed up by the backup. Please proceed with caution.
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
Find the target backup and click Reset in the Actions column.
Read the prompt in the Reset dialog box. If you confirm, click OK.
After the backup is reset, its status becomes Disabled. You can rebind it to a software key management instance.
Renew a backup
Only purchased backups support renewal.
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
Find the target backup and click Renew in the Actions column.
On the Renew page, select Subscription Duration, read and select Service Agreement, click Buy Now, and complete the payment.
Download backup data files
After you download backup data, keep it confidential. The downloaded data can only be used to restore data by uploading it back in the KMS console.
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
Find the target backup and click Download in the Actions column.
In the Download dialog box, select Backup Date and click OK.
Note: For backup data outside the Queryable Range, extend the queryable range before downloading.
Save the backup data.
Click the copy icon next to Encryption Key to copy the key, and then save it locally.
Click Download next to Backup Data, download the backup data file, and keep it secure.
Important: The Data Encryption Key is used to decrypt the downloaded backup data file. KMS does not save the Data Encryption Key or the backup data file, so keep both secure and prevent leakage. Store the key separately from the file; whoever holds both can read the backed-up key material and secrets.
Upload backup data files
If you upload backup data files across borders, you must comply with the relevant data laws and regulations.
On the Backups page, click Upload Backup.
In the Import Backup Data dialog box, enter the Decryption Key and Backup Name, and then click OK.
In the file selection dialog box that appears, select the backup data file and click Open.
After the upload succeeds, the uploaded data appears on the Backups page with the Backup Type Upload.
FAQ
How do I view the queryable range of a backup?
On the Backups page, check the Queryable Range.