Bring Your Own Key (BYOK) lets you import your own cryptographic material into a Key Management Service (KMS) symmetric key rather than letting KMS generate it. This gives you full control over the key material lifecycle — including rotation, expiration, and deletion.
If your KMS instance does not support importing key material, or if an error occurs during the import, contact Alibaba Cloud technical support to upgrade the instance.
How it works
A KMS key consists of a key ID, metadata (such as key status), and key material. When you set the key material origin to External (Import Key Material), KMS creates the key without any key material. You then supply the material in four steps:
Create a symmetric key with an external origin. The key starts in Pending Import status.
Download a wrapping public key and an import token from KMS.
Encrypt your key material locally using the wrapping public key.
Upload the encrypted key material and the import token to KMS.
Once imported, the key material is permanently bound to that key. You cannot replace it with different key material, but you can re-import the same key material if it expires or is deleted.
Supported key types
The following key management types support importing symmetric key material.
| Key management type | Import symmetric key material | Import asymmetric key material |
|---|---|---|
| Default key (customer master key) | Customer master key: supported / Service key: not supported | Not supported |
| Software-protected key | Supported | Supported |
| Hardware-protected key | Supported | Not supported |
For more information about key management types, see Key management types and key specifications.
Usage notes
Use a compliant random number generator to produce the key material.
Once you import key material into a key, that key is permanently bound to it. You cannot import different key material into the same key.
You can re-import the same key material multiple times — for example, after it expires or is deleted.
KMS does not export key material after import. Store your key material securely in a separate, durable location.
Prerequisites
Before you begin, ensure that you have:
A KMS instance (purchased and enabled). For more information, see Purchase and enable a KMS instance.
A KMS instance is not required to import key material for a default customer master key.
Step 1: Create a symmetric key with an external key material origin
Before importing key material, create a key with the key material origin set to External.
Default key (customer master key)
Log on to the KMS console. In the top navigation bar, select a region. In the left navigation pane, choose Resource > Keys.
On the Default Keys tab, click Enable in the Actions column for a customer master key.
On the Create Key tab, set the following parameters and click OK.
| Parameter | Description |
|---|---|
| Key alias | An identifier for the key. Allowed characters: letters, digits, underscores (_), hyphens (-), and forward slashes (/). |
| Description | A description of the key. |
| Advanced settings | Under Key Material Origin, select External (Import Key Material). Read and select I understand the implications of using the external key materials. |
Software-protected key
Log on to the KMS console. In the top navigation bar, select a region. In the left navigation pane, choose Resource > Keys.
On the Customer Master Keys tab, select a software key management instance from the Instance ID list and click Create Key.
In the Create Key panel, set the following parameters and click OK.
| Parameter | Description |
|---|---|
| Key type | Select Symmetric Key. If you are creating a key to encrypt a secret value, symmetric keys are required. |
| Key specifications | Select Aliyun_AES_256. |
| Key usage | Select ENCRYPT/DECRYPT for data encryption and decryption. |
| Key alias | An alias for the key. Allowed characters: letters, digits, underscores (_), hyphens (-), and forward slashes (/). |
| Tag key, Tag value | Tags help you categorize and manage keys. Each tag is a key-value pair. Constraints: Each tag key or value can be up to 128 characters (letters, digits, /, \, _, -, ., +, =, :, @, spaces). Tag keys cannot start with aliyun or acs:. Each key supports up to 20 tags. |
| Description | A description of the key. |
| Advanced settings | Policy settings: See Overview of key policies. Key material origin: Select External (Import Key Material). Read and select I understand the methods and implications of using external key material. |
Hardware-protected key
Log on to the KMS console. In the top navigation bar, select a region. In the left navigation pane, choose Resource > Keys.
On the Customer Master Keys tab, select a hardware key management instance from the Instance ID list and click Create Key.
In the Create Key panel, set the following parameters and click OK.
| Parameter | Description |
|---|---|
| Key type | Select Symmetric Key. If you are creating a key to encrypt a secret value, symmetric keys are required. |
| Key specifications | Supported specifications: Aliyun_AES_256, Aliyun_AES_192, Aliyun_AES_128. |
| Key usage | Valid values: Encrypt/Decrypt (data encryption and decryption) or Sign/Verify (digital signature generation and verification). |
| Key alias | An alias for the key. Allowed characters: letters, digits, underscores (_), hyphens (-), and forward slashes (/). |
| Tag key, Tag value | Tags help you categorize and manage keys. Each tag is a key-value pair. Constraints: Each tag key or value can be up to 128 characters (letters, digits, /, \, _, -, ., +, =, :, @, spaces). Tag keys cannot start with aliyun or acs:. Each key supports up to 20 tags. |
| Description | A description of the key. |
| Advanced settings | Policy settings: See Overview of key policies. Key material origin: Select External (Import Key Material). Read and select I understand the methods and implications of using external key material. |
The key is created with a status of Pending Import.
Step 2: Download a wrapping public key and an import token
KMS issues a wrapping public key and an import token as a matched pair. The wrapping public key encrypts your key material locally before it leaves your environment. The import token authorizes the upload operation.
Find the target key and click Details in the Actions column. In the Key Material and Version section, click Import Initial Key Material.
In the Import Key Material panel, select a Public key type and an Encryption algorithm.
All key management types use RSA_2048 as the wrapping public key type. Select an encryption algorithm based on your key management type:
| Key management type | Supported encryption algorithms |
|---|---|
| Default key (customer master key) | RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, RSAES_PKCS1_V1_5 (not recommended) |
| Software-protected key | RSAES_OAEP_SHA_256, RSAES_PKCS1_V1_5 (not recommended) |
| Hardware-protected key | RSAES_OAEP_SHA_256, RSAES_PKCS1_V1_5 (not recommended) |
Do not use RSAES_PKCS1_V1_5 for new implementations. The National Institute of Standards and Technology (NIST) Transitioning the Use of Cryptographic Algorithms and Key Lengths states this algorithm should no longer be used for encrypting transport keys after December 31, 2023.
RSAES_OAEP_SHA_256: RSA encryption using the RSAES-OAEP scheme defined in RFC 3447/PKCS#1, with MGF1 and SHA-256.
RSAES_OAEP_SHA_1: RSA encryption using the RSAES-OAEP scheme defined in RFC 3447/PKCS#1, with MGF1 and SHA-1.
Download the wrapping public key and the import token, and store them securely.
Wrapping key format: PEM (default filename:
publickey_****.pem`) or DER (default filename: `publickey_****.bin).Import token: Default filename is
token_******.txt.
The import token is valid for 24 hours and can be used multiple times within that period. After it expires, download a new token and public key.
The wrapping public key and import token must come from the same download. Do not mix a public key from one download with a token from another.
Step 3: Encrypt the key material
Use the wrapping public key from Step 2 and the RSAES_OAEP_SHA_256 algorithm to encrypt your key material before uploading it.
The following example uses OpenSSL.
Generate a 32-byte random number as your key material. Skip this step if you already have key material.
openssl rand -out KeyMaterial.bin 32Encrypt the key material with the wrapping public key.
- The public key file in this example is in DER format. If you downloaded a PEM file, replace
-keyform DERwith-keyform PEM. - ReplacePublicKey.binwith the actual filename of the public key you downloaded in Step 2.openssl pkeyutl -encrypt \ -in KeyMaterial.bin \ -inkey PublicKey.bin \ -keyform DER \ -pubin \ -out EncryptedKeyMaterial.bin \ -pkeyopt rsa_padding_mode:oaep \ -pkeyopt rsa_oaep_md:sha256 \ -pkeyopt rsa_mgf1_md:sha256Base64-encode the encrypted key material and save it to a text file.
openssl enc -e -base64 -A -in EncryptedKeyMaterial.bin -out EncryptedKeyMaterial_base64.txtThe file
EncryptedKeyMaterial_base64.txtcontains the key material ready for import.
Step 4: Import the key material
In the Import Key Material panel, upload the files and set an expiration policy, then click OK.
| Parameter | Description |
|---|---|
| Wrapped key material | Upload the encrypted key material file generated in Step 3. |
| Import token | Upload the token file downloaded in Step 2. |
| Set expiration date | Select Never Expire or specify a custom expiration time. |
If you set an expiration time, plan ahead. When key material expires, KMS deletes it and the key becomes unusable — any data encrypted with it is inaccessible until you re-import the same key material. Store the key material securely, and build a process to re-import it before it expires.
After a successful import, the key status changes from Pending Import to Enabling.
FAQ
Can I delete key material?
Yes. After imported key material expires or is deleted, the key becomes unusable. Re-import the same key material to restore access.
To delete key material:
Console: On the key details page, click Delete Key Material in the Key Material and Version section.
API: Call the DeleteKeyMaterial operation. This deletes only the key material, not the key itself.
To automatically delete key material at a specific time, set an expiration time when importing.
How do I re-import the same key material?
On the key details page, go to the Key Material and Version tab and click Delete Key Material.
Download a new wrapping public key and import token (see Step 2).
Encrypt the key material using the new wrapping public key (see Step 3).
The key wrapping process does not affect the key material itself, so you can use a different wrapping public key or encryption algorithm each time.
Import the encrypted key material using the new import token (see Step 4).
The key material must be identical to the original.
How do I check whether key material was imported or generated by KMS?
Console:
Default key: On the Default Keys tab, find the key and click Details. Check the Key Material Origin field.
Software-protected or hardware-protected key: On the Customer Master Keys tab, select an instance, find the key, and click Details. Check the Key Material Origin field.
API: Call the DescribeKey operation. If the Origin field returns EXTERNAL, the key material was imported. If it returns Aliyun_KMS, KMS generated it.
Can I rotate a key that uses imported key material?
Rotation support depends on the key type:
Software-protected symmetric keys: Only immediate manual rotation is supported. Automatic periodic rotation is not supported. See Rotate a Bring-Your-Own-Key (BYOK) key.
Software-protected asymmetric keys: Rotation is not supported.
Hardware-protected keys (symmetric and asymmetric): Rotation is not supported.