Key Management Service:Key management FAQs

Last Updated:Mar 31, 2026

Can I delete a key from Key Management Service (KMS)?

Yes. KMS supports deleting customer master keys (CMKs), including both default and purchased CMKs. Service keys cannot be deleted.

Deletion works by scheduling a deletion date 7 to 366 days in the future. During this window, the key is suspended and cannot be used for cryptographic operations. If you change your mind, cancel the deletion before the scheduled date — once the date passes, the key is permanently deleted and cannot be restored.

Before scheduling deletion:

  1. Disable the key.

  2. Confirm no data still depends on it.

For instructions, see Schedule the deletion of a key.

Why can't I delete a key?

The answer depends on the key type.

Service keys (alias/acs/<cloud product code>) are read-only and managed by associated Alibaba Cloud services. Deletion is not supported. Service keys are free of charge, so you can leave them as-is if they are no longer needed.

CMKs may be undeletable for one of two reasons:

  • The key was created in the KMS 1.0 console. KMS 1.0 (shared edition) keys are read-only in the KMS 3.0 console. Switch to the KMS 1.0 console to delete them.

    Important

    The KMS 1.0 console enters the End of Service (EOS) phase on September 30, 2025. Migrate your KMS 1.0 resources to KMS 3.0 as soon as possible.

  • Deletion protection is enabled. On the instance details page, disable Deletion Protection, then retry.
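The deletion rules from the two answers above (disable the key first, confirm nothing still depends on it, a 7 to 366 day pending window during which the key is suspended, cancellation only before the scheduled date, and refusal for service keys and deletion-protected instances) as an added stand-alone Python model. This is not Alibaba Cloud's SDK or API; the key IDs, states and the inventory records are constructed for the walk-through.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PENDING_WINDOW = range(7, 367)          # scheduled deletion date: 7 to 366 days out
SAMPLE_TODAY = date(2026, 3, 31)        # fixed "today" so the walk-through is repeatable

def days_later(n, start=SAMPLE_TODAY):
    return start + timedelta(days=n)

@dataclass
class Key:
    key_id: str                          # constructed IDs, not real KMS key IDs
    state: str = "Enabled"               # Enabled | Disabled | PendingDeletion | Deleted
    service_key: bool = False            # alias/acs/<product> keys are read-only
    deletion_protection: bool = False    # instance-level Deletion Protection switch
    deletion_date: Optional[date] = None

def dependent_records(key, inventory):
    """Records whose data key was wrapped by this CMK (inventory is constructed)."""
    return [rec for rec in inventory if rec["key_id"] == key.key_id]

def schedule_deletion(key, pending_days, inventory, today):
    """Apply the FAQ's pre-checks, then suspend the key until the scheduled date."""
    if key.service_key:
        raise PermissionError("service keys cannot be deleted")
    if key.deletion_protection:
        raise PermissionError("disable Deletion Protection on the instance first")
    if key.state != "Disabled":
        raise RuntimeError("disable the key before scheduling deletion")
    if pending_days not in PENDING_WINDOW:
        raise ValueError("pending window must be 7 to 366 days")
    deps = dependent_records(key, inventory)
    if deps:
        raise RuntimeError(f"{len(deps)} record(s) still depend on {key.key_id}")
    key.state = "PendingDeletion"        # suspended: no cryptographic operations
    key.deletion_date = today + timedelta(days=pending_days)
    return key.deletion_date

def can_use_for_crypto(key):
    return key.state == "Enabled"

def cancel_deletion(key, today):
    """Only possible before the scheduled date; the key returns to Disabled."""
    if key.state == "PendingDeletion" and today < key.deletion_date:
        key.state, key.deletion_date = "Disabled", None
        return True
    return False

def purge_if_due(key, today):
    """Once the date passes the key is gone for good, and every ciphertext under it with it."""
    if key.state == "PendingDeletion" and today >= key.deletion_date:
        key.state, key.deletion_date = "Deleted", None
    return key.state
```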

Why can't I manage CMKs in the KMS 3.0 console?

These CMKs were created in the KMS 1.0 console. The KMS 3.0 console provides read-only access to KMS 1.0 keys — you can view their details, but cannot modify or delete them.

To manage these keys, switch to the KMS 1.0 console.

Important

The KMS 1.0 console enters the End of Service (EOS) phase on September 30, 2025. Migrate your KMS 1.0 resources to KMS 3.0 as soon as possible.

After deleting a key, can the data encrypted by that key be decrypted?

No. After a key is deleted, all data encrypted with it — including any data keys it generated — cannot be decrypted. This applies to both keys generated by KMS and those with imported key material.

| Key type | After deletion | Recovery option |
| --- | --- | --- |
| KMS-generated key | All ciphertexts are permanently unreadable | None |
| Key with imported key material (key deleted) | All ciphertexts are permanently unreadable | None |
| Key with imported key material (key material only deleted) | Key is suspended; existing ciphertexts cannot be decrypted | Re-import the same key material to restore the key's ability to decrypt |

How does KMS protect key security?

KMS uses different protection mechanisms based on the key type:

  • Software-protected keys: Encrypted using reliable encryption algorithms and stored in your exclusive key store.

  • Hardware-protected keys: Stored in your exclusive hardware security module (HSM) cluster. The HSM cluster handles all cryptographic operations. To use hardware-protected keys, purchase a hardware key management instance and configure an HSM cluster.

Can I import external key material into a key?

Yes. When creating a key, choose between KMS-generated key material or your own external key material. If you use external key material, import it into the key after creation:

Why is my key unavailable, or why does Rejected.Unavailable appear when I call a key-related API operation?

The KMS instance that the key belongs to has expired. Renew the instance within 15 calendar days of expiration — after that, the instance is released. For renewal steps, see Renewal policy.

If you do not need the instance right now but may need the keys or secrets later, back up the instance before it is released.