Key Management Service (KMS) lets you back up and restore keys and secrets so that you can recover quickly from accidental deletion or a disaster. This topic describes how to back up and restore keys and secrets.
If you do not back up keys and secrets, or if the backup expires, the keys and secrets cannot be recovered once they expire and are deleted. Regular backups are essential for business continuity.
Supported instance types
Only software key management instances support backup.
If the backup feature is not available for your instance, upgrade the image version of the instance first. For more information, see Upgrade the image version of a KMS instance.
Hardware key management instances do not support this backup feature. For hardware-protected keys, only part of the data can be backed up, through the HSM backup feature. A hardware-protected key consists of key material (the encryption key itself) and key metadata.
Key material is the key in the HSM that the hardware-protected key maps to. You can back up key material by using the HSM backup feature. For more information, see Data backup and restoration.
Key metadata is the business data stored in KMS, such as the key ID, the KMS instance that the key belongs to, the Alibaba Cloud Resource Name (ARN), and the key policy. Key metadata cannot be backed up.
Scenarios
Restore a software key management instance after the instance is released.
Recover accidentally deleted keys or secrets.
Copy keys or secrets across regions for disaster recovery or latency optimization.
Features
Each KMS backup can back up data from one software key management instance.
KMS supports the following backup types:
Automatic backup: Enabled by default, but only for software key management instances created after 00:00 on April 26, 2024. The Backup Type is System Created.
We recommend that you rely on automatic backup first. If it does not meet your needs, use a manual backup instead: either the free default backup or a purchased backup.
Manual backup: Includes a free default backup (Backup Type: Default) and purchased backups (Backup Type: Paid). KMS provides one free default backup per region for each Alibaba Cloud account. A manual backup must be enabled before it starts backing up data.

Feature | Automatic Backup | Manual Backup (Default) | Manual Backup (Purchased)
Pricing | Free | Free | Paid
Retention period | 90 days after the associated instance is released | Permanently valid | 15 days after the purchased backup expires
Manual deletion | Not supported | Supported, by resetting the backup | Supported, by resetting the backup
Viewable days | 90 days, not extensible | 7 days, not extensible | 7 to 600 days, selected at purchase; can be extended later but not reduced
Backup schedule | The same for all types: the first time a backup is enabled, a full backup is performed; after that, a full backup is performed daily at 00:00, followed by incremental backups every 5 minutes
Best practice: Select the viewable days for purchased backups based on your key rotation and disaster recovery requirements. This ensures you retain necessary data while minimizing storage costs.
Automatic backup
Software key management instances created after April 26, 2024 are backed up automatically by KMS. To view this backup data, go to the Backups page and locate the backup whose Backup Type is System Created and whose Backup Object matches your instance.
Manual backup
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
(Optional) Purchase a backup.
If you want to use the free default backup, skip this step.
On the Backups page, click Create Backup, configure the parameters, and then click Buy Now.
Parameter | Description
Instance Type | Select Value-added Plan.
Value-added Plan | The plan that you want to purchase. Select instance backup.
Region | The region of the software key management instance that you want to back up.
Viewable Days | The number of recent days of backup data that you can view and restore. This value can be extended later but not reduced.
Purchase Quantity | The number of backups that you want to purchase. Each backup holds data from a single software key management instance.
Duration | The subscription duration of the backup.
On the Confirm Order page, read and select Terms of Service. Click Pay, then complete the payment.
Enable the backup.
On the Backups page, locate the target backup and click Enable in the Actions column.
In the Enable Backup panel, configure the parameters and click OK.
Parameter | Description
Instance Type | The type of instance to be backed up. The value is fixed as Software Key Management.
Source Instance | The software key management instance that you want to back up.
Data Type | The type of data that you want to back up. Key and Secret are selected by default and cannot be changed.
Backup Alias | The alias of the backup.
The first time you enable a backup, a full backup is performed. Then, a full backup is performed daily at 00:00, along with incremental ones every 5 minutes.
(Optional) View backup data.
Find the target backup and click Details in the Actions column. On the page that appears, select a date to view the backup data for that day.
Data Type | Description
Fully Backed up Keys | The keys captured by the full backup at 00:00 on the selected date.
Incrementally Backed up Keys | The keys created on the selected date, captured by the incremental backups.
Rotated Keys | The keys rotated on the selected date.
Fully Backed up Secrets | The secrets captured by the full backup at 00:00 on the selected date.
Incrementally Backed up Secrets | The secrets created on the selected date, captured by the incremental backups.
Rotated Secrets | The secrets rotated on the selected date.
Restore data
Data can be restored only to software key management instances within the same Alibaba Cloud account. The destination instance must meet all of the following requirements:
The destination instance has sufficient key or secret quota for the items you restore.
The key or secret that you want to restore does not already exist in the destination instance's region. If it does, delete the existing key or secret before you restore.
If you restore a secret, the key used to encrypt that secret must already exist in the destination instance. Restore the key first if necessary.
Key and secret restoration rules vary by account scenario:
Single account
Keys and secrets can be restored to any software key management instance within the current Alibaba Cloud account.
Multi-account sharing
Only the resource owner can perform backup and restoration operations on its own instances. For example, if Alibaba Cloud account A shares KMS instance M with Alibaba Cloud account B:
The resource owner (account A) can restore its keys and secrets to any of its software key management instances.
The principal (account B) can restore only to the shared instance. That is, keys and secrets that account B created in instance M can be restored only to instance M, and both A and B can use them after restoration.
If the sharing is terminated, the principal's resources can no longer be restored.
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
Find the target backup and click Details in the Actions column.
For purchased backups, extend the viewable days if the data you need lies outside the current queryable range. You cannot restore data from before the backup was enabled. For example, if you enabled the backup on May 1, 2024 with a 10-day viewable period, extending the period to 16 days on May 20 lets you recover data from May 5 to May 20.
On the page that appears, select the data type and the date from which you want to restore, then click Restore Data in the Actions column.
Restore keys:
Click the required key type, such as Fully Backed up Keys, locate the target backup, then click Restore Data in the Actions column.
In the Restore Data panel, select the destination instance to which you want to restore the data, and click OK.
Restore secrets:
Restore the key that is used to encrypt the secret.
The key used to encrypt a secret must exist in the destination instance before the secret can be restored. If it already exists, skip this step. Otherwise, restore the key first: click the required key type, such as Fully Backed up Keys, locate the target key, click Restore Data in the Actions column, select the destination instance in the Restore Data panel, and click OK.
Restore the secret.
Click the required secret type, such as Fully Backed up Secrets, locate the target secret, then click Restore Data in the Actions column.
In the Restore Data panel, select the destination instance to which you want to restore the data, and click OK.
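The restore preconditions above (no existing key or secret with the same ID, enough quota, the encrypting key present before its secret, owner-versus-principal rules, and the queryable-range limit on the date) are easy to get wrong by hand when many items are involved. The following preflight planner, written as an added example for this page and not part of the KMS documentation or the KMS API, applies those rules to a backup snapshot and a destination instance. Both are small constructed models (the `Snapshot` and `Instance` classes, the account IDs and key IDs are all hypothetical), so it runs offline; it orders the steps so that every secret's encryption key is restored before the secret, and reports what blocks a restore instead of attempting it.

```python
"""Restore preflight for a KMS backup, written as an added example for this
page; it is not part of the KMS documentation and does not call the KMS API.
The backup snapshot and destination instance are small constructed models."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Snapshot:
    """Contents of one backup date: the backed-up keys and, for each secret,
    the ID of the key that encrypts it (constructed model)."""
    keys: set[str]
    secrets: dict[str, str]


@dataclass
class Instance:
    """Destination software key management instance (constructed model)."""
    name: str
    owner: str                      # Alibaba Cloud account that owns the instance
    keys: set[str]
    secrets: set[str]
    key_quota: int
    secret_quota: int
    shared_with: set[str] = field(default_factory=set)


def queryable_range(today: date, viewable_days: int, enabled_on: date) -> tuple[date, date]:
    """Dates whose data can be restored: the most recent `viewable_days` days,
    but never earlier than the day the backup was enabled, because nothing
    before that was captured. With 16 viewable days on 2024-05-20 and a backup
    enabled on 2024-05-01 this gives 2024-05-05 .. 2024-05-20, as in the page."""
    start = max(enabled_on, today - timedelta(days=viewable_days - 1))
    return start, today


def can_restore_to(actor: str, dest: Instance, source_instance: str) -> bool:
    """Account rule: the owner may restore into any instance it owns; a principal
    the source instance is shared with may restore only back into that same
    instance, and not at all once the sharing has been terminated."""
    if actor == dest.owner:
        return True
    return actor in dest.shared_with and dest.name == source_instance


def plan_restore(snap: Snapshot, dest: Instance,
                 want_keys: list[str], want_secrets: list[str]) -> tuple[list[tuple[str, str]], list[str]]:
    """Return (steps, blockers). `steps` is the ordered list of ("key"|"secret", id)
    to restore, keys first so each secret's encryption key exists before the secret."""
    blockers: list[str] = []
    keys_to_restore: list[str] = []
    secrets_to_restore: list[str] = []

    def plan_key(key_id: str, why: str = "") -> None:
        if key_id in dest.keys or key_id in keys_to_restore:
            return                                  # already present or already planned
        if key_id in snap.keys:
            keys_to_restore.append(key_id)
        else:
            blockers.append(f"key {key_id}: not in this backup{why}")

    for k in want_keys:
        if k in dest.keys:
            blockers.append(f"key {k}: already exists in {dest.name}; delete it before restoring")
        else:
            plan_key(k)

    for s in want_secrets:
        if s not in snap.secrets:
            blockers.append(f"secret {s}: not in this backup")
        elif s in dest.secrets:
            blockers.append(f"secret {s}: already exists in {dest.name}; delete it before restoring")
        else:
            enc_key = snap.secrets[s]
            plan_key(enc_key, why=f" (needed to decrypt secret {s})")   # key goes first
            if enc_key in dest.keys or enc_key in keys_to_restore:
                secrets_to_restore.append(s)

    if len(dest.keys) + len(keys_to_restore) > dest.key_quota:
        blockers.append(f"key quota of {dest.key_quota} exceeded in {dest.name}")
    if len(dest.secrets) + len(secrets_to_restore) > dest.secret_quota:
        blockers.append(f"secret quota of {dest.secret_quota} exceeded in {dest.name}")

    steps = [("key", k) for k in keys_to_restore] + [("secret", s) for s in secrets_to_restore]
    return steps, blockers


if __name__ == "__main__":
    # Constructed sample: two keys and two secrets in the backup; the destination
    # already holds key-c, so api-token can be restored directly while db-pass
    # first needs key-a to be restored.
    snap = Snapshot(keys={"key-a", "key-b"}, secrets={"db-pass": "key-a", "api-token": "key-c"})
    dest = Instance(name="kst-dest", owner="A", keys={"key-c"}, secrets=set(), key_quota=3, secret_quota=10)
    steps, blockers = plan_restore(snap, dest, ["key-b"], ["db-pass", "api-token"])
    for kind, ident in steps:
        print(f"restore {kind} {ident}")
    for b in blockers:
        print(f"blocked: {b}")
    print(queryable_range(date(2024, 5, 20), 16, date(2024, 5, 1)))
```

The planner only tells you what to click and in which order; the actual restore is still performed in the console as described above. The automatic "restore the encrypting key first" step mirrors the secret-restoration procedure, and a blocker for an existing item reminds you that the existing key or secret must be deleted before the restore can succeed.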
More operations
Extend the queryable range
You can extend the queryable range only for purchased backups, and you cannot reduce it. The queryable range is determined by the viewable days of the backup.
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
Find the required backup and click Details in the Actions column.
On the details page of the backup, click Extend Queryable Range, select the number of days to which you want to extend the queryable range. Click Buy Now and complete the payment.
Reset a backup
Only free default and purchased backups can be reset. Resetting a backup deletes all data that was backed up from the associated instance and disassociates the backup from that instance.
All backed-up data for the instance is deleted when you reset. Proceed with caution.
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
Locate the target backup and click Reset in the Actions column.
In the Reset message, confirm the information and click Reset.
After you reset the backup, the backup enters the Disabled state. You can associate the backup with a new software key management instance.
Renew a backup
Only purchased backups can be renewed.
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
Locate the target backup, and click Renew in the Actions column.
On the Renew page, configure the subscription duration, read and select Terms of Service. Click Buy Now and complete the payment.
Download backup data
Keep downloaded backup data confidential. Downloaded backup data can be used only to restore data through the KMS console, by uploading it again.
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
Locate the target backup and click Download in the Actions column.
In the Download dialog box, configure Backup Date and click Download.
If the date of the required backup data is not within the Queryable Range, extend the queryable range first, then download the data.
Save the backup data.
Click the copy icon next to Encryption Key and save the encryption key locally. Then click Download next to Backup Data to download the backup data file. Keep the backup data confidential.
Important: The encryption key is required to decrypt the downloaded backup data when you upload it again. KMS does not store either the encryption key or the downloaded backup data. If you lose the key, the downloaded file can no longer be used. Keep both confidential, and store the key separately from the backup file rather than alongside it.
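The download step leaves you holding two sensitive artifacts, the backup file and the encryption key, and KMS keeps neither. The following script is an added example, not part of the KMS documentation; it does not decrypt or parse the backup file (only the console can use it), but it shows the handling a practitioner would want: the key is read from standard input so it never appears in the process list, key and data are written to separate owner-only directories, and a SHA-256 manifest is recorded so the file can be checked for corruption before it is uploaded again. The directory names, the backup name and the sample file contents are all constructed for illustration.

```shell
#!/bin/sh
# Added example for handling a downloaded KMS backup; not part of the KMS
# documentation. Keeps the encryption key apart from the backup data, makes
# both owner-readable only, and records a checksum for later verification.
# Paths, names and the sample payload below are constructed.
set -eu

sha256_of() {   # hex digest of a file, with GNU coreutils or BSD tools
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# stash_kms_backup FILE DATA_DIR KEY_DIR NAME
# The encryption key is read from stdin so it never appears in argv.
stash_kms_backup() {
    (   # subshell: the restrictive umask does not leak into the caller
        umask 077
        mkdir -p "$2" "$3"
        cp "$1" "$2/$4.bin"
        cat > "$3/$4.key"                          # key lives in a different directory
        sha256_of "$2/$4.bin" > "$2/$4.sha256"     # manifest for later verification
    )
}

# verify_kms_backup DATA_DIR KEY_DIR NAME
# Returns 0 if the key is present and the backup file still matches its
# recorded checksum, 1 otherwise (so the script can refuse to upload).
verify_kms_backup() {
    [ -s "$2/$3.key" ] || { echo "no encryption key stored for $3" >&2; return 1; }
    [ -f "$1/$3.sha256" ] || { echo "no checksum manifest for $3" >&2; return 1; }
    expected=$(cat "$1/$3.sha256")
    actual=$(sha256_of "$1/$3.bin")
    [ "$expected" = "$actual" ] || { echo "checksum mismatch for $3" >&2; return 1; }
}

# Demonstration on a constructed stand-in for a console download.
work=$(mktemp -d)
printf 'constructed backup payload\n' > "$work/download.bin"
printf 'hypothetical-encryption-key\n' | \
    stash_kms_backup "$work/download.bin" "$work/backups" "$work/keys" "kst-2024-05-20"
verify_kms_backup "$work/backups" "$work/keys" "kst-2024-05-20" && echo "backup verified, safe to upload"
```

In practice the key directory would be a different storage location (for example a secrets store or an offline medium) rather than a sibling directory on the same host; the point is that whoever can read the backup file should not automatically be able to read the key that decrypts it.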
Upload a backup data file
If you upload backup data files across national borders, you must comply with the applicable laws and regulations on data transfer.
On the Backups page, click Upload Backup.
In the Import Backup Data panel, configure Decryption Key (the encryption key that you saved when you downloaded the backup data) and Backup Name, then click OK.
In the dialog box that appears, select the backup data file that you want to upload, and click Open.
After you upload the backup data file, you can view the uploaded data on the Backups page. The Backup Type of the uploaded data is Upload.
FAQ
How do I view the queryable range?
You can view the value of Queryable Range on the Backups page.
