All Products
Search

This Product

    Key Management Service:Manage KMS instances

    Document Center

    Key Management Service:Manage KMS instances

    Last Updated:Mar 19, 2025

    This topic describes the steps in Key Management Service (KMS) instance lifecycle management, including enabling instances, viewing details, modifying instance specifications, and enabling security audit.

    Enable a KMS instance

    After purchasing a KMS instance, enable it by associating it with a virtual private cloud (VPC) and vSwitch. This network configuration provides secure access for managing cryptographic resources within the instance, including key and secrets management, encryption, and decryption.

    The supported KMS instance types are software, hardware and external key management instances.

    Software key management instance

    Prerequisites

    • When you purchase a KMS instance under the following conditions, Private DNS (a new form of Alibaba Cloud DNS PrivateZone) must be activated:

      • Using an International site (alibabacloud.com) account within the Chinese mainland.

      • Using a China site (aliyun.com) account outside the Chinese mainland.

    Note

    • Private DNS is automatically activated without additional configuration under other purchase conditions.

    • KMS covers the domain name resolution fees. You do not need to pay for them in Private DNS.

    Procedure

    Console

    1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

    2. On the Software Key Management tab, find the KMS instance that you want to enable and click Enable in the Actions column.

    3. In the Enable KMS Instance panel, configure the parameters and click Enable Now.

      Important

      Specify the correct VPC ID when enabling your KMS instance. You cannot modify it after the instance is enabled.

      Parameter description

      Parameter

      Description

      Instance Name

      Specify a name for the KMS instance. It supports letters, digits, and the following special characters: _/+=.@-.

      VPC ID

      Specify the VPC ID associated with your KMS instance. This ID cannot be modified after enabling the instance.

      Zone Configuration

      Set the zone and associated vSwitch for the instance. The number of zones depends on your purchase option:

      • Subscription: Supports dual-zone and multi-zone deployments. If you selected multi-zone during purchase, you can configure up to three zones.

      • Pay-as-you-go: Defaults to a dual-zone setup.

      Single-zone regions

      Specific regions provide only a single zone, such as Thailand (Bangkok). In these regions, the KMS instance will be automatically configured for a single zone.

      • Zone and vSwitch Configuration: Configure a zone and associated vSwitch. Make sure that the vSwitch has at least one available IP address. KMS requires this IP to access your network.

      • Other Zones: Select Randomly Assign or Manually Specify.

    Wait for approximately 30 minutes and then refresh the page. If the status of the KMS instance changes to Enabled, the KMS instance is enabled.

    API

    Call the ConnectKmsInstance operation.

    Terraform

    For instructions, see Purchase and enable a software key management instance with Terraform.

    Hardware key management instance

    Prerequisites

    • A connected Cloud Hardware Security Module (HSM) cluster is available for the KMS instance. Configure an HSM cluster.

      The region of the cluster and the hardware key management instance must be the same.

      Warning

      To increase the number of HSMs in the HSM cluster in subsequent operations, contact Alibaba Cloud technical support to change the cluster synchronization method to automatic synchronization. This prevents cluster synchronization failures.

    • Network setting: Each zone requires one vSwitch with at least four available IP addresses for the KMS instance.

      For a dual-zone deployment, choose one of the following options:

      • (Recommended) Use the two vSwitches that are bound to your HSM.

        You do not need to create vSwitches. Just ensure each one has at least four available IP addresses.

      • Do not use the two vSwitches that are bound to your HSM.

        Create two vSwitches in different zones for network planning flexibility. Ensure that four available IP addresses are reserved for each vSwitch.

      To view the number of available IP addresses on a vSwitch, log on to the VPC console, and click the vSwitch ID on the vSwitch page.

      Why four available IP addresses: In dual-zone KMS deployments, each HSM in the cluster requires two IP addresses for its highly available Elastic Network Interface (ENI) pair. So, to host two HSMs in a zone, four IP addresses are needed for each vSwitch.

    • When you purchase a KMS instance under the following conditions, Private DNS (a new form of Alibaba Cloud DNS PrivateZone) must be activated:

      • Using an International site (alibabacloud.com) account within the Chinese mainland.

      • Using a China site (aliyun.com) account outside the Chinese mainland.

    Note

    • Private DNS is automatically activated without additional configuration under other purchase conditions.

    • KMS covers the domain name resolution fees. You do not need to pay for them in Private DNS.

    Procedure

    Hardware key management instances can only be enabled through the console.

    1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

    2. On the Hardware Key Management tab, find the KMS instance that you want to enable and click Enable in the Actions column.

    3. In the Connect to HSM panel, specify an HSM cluster and click Connect to HSM.

      To specify an HSM cluster, you must configure the following parameters.

      Parameter

      Description

      Instance Name

      Specify a name for the KMS instance. It supports letters, digits, and the following special characters: _/+=.@-.

      Configure HSM Cluster

      Select the HSM cluster that you created.

      Note

      You can connect a hardware key management instance to only one HSM cluster.

      Configure HSM Access Secret.

      • Username: the username of the crypto user. The value is fixed as kmsuser.

      • Password: the password of the crypto user. Enter the password that you specified when you created the crypto user.

      • Security Domain Certificate: a root certification authority (CA) certificate in the PEM format. To obtain the certificate, perform the following operations: Log on to the Cloud Hardware Security Module console. Click one HSM ID in the cluster. On the Details page, find ClusterOwnerCertificate, which is the Security Domain Certificate. Copy the content of the Security Domain Certificate or save it in PEM format, then upload it.

      VPC ID

      By default, the ID of the VPC that is associated with the HSM is used. You cannot modify this default ID.

      Zone and vSwitch Configuration

      Set the zone and associated vSwitch for the instance. The deployment modes are dual-zone and multi-zone. If you selected multi-zone, you can configure up to three zones. Make sure that at least four available IP addresses are reserved for each vSwitch in a zone.

      The enablement time for the KMS instance depends on whether you configured the Number of Secrets parameter during purchase. Refresh the page to monitor the status. The KMS instance is enabled when its status displays Enabled.

      • With Number of Secrets: ~30 minutes.

      • Without Number of Secrets: ~10 minutes.

    External key management instance

    Prerequisites

    • A hardware security module outside the cloud is purchased, and an external key instance (XKI) proxy is configured. For instructions, contact your HSM provider.

    • If you want to use a VPC endpoint service to connect to KMS, you must first create a VPC endpoint service. Note the following:

      • The endpoint service zones match your KMS instance zones.

      • The current Alibaba Cloud account must be added to the endpoint service whitelist.

      • Automatically Accept Endpoint Connections is set to Yes.

      Alternatively, if you do not want to use VPC Endpoint Service, KMS supports connections to the XKI proxy by using a public endpoint.

    • When you purchase a KMS instance under the following conditions, Private DNS (a new form of Alibaba Cloud DNS PrivateZone) must be activated:

      • Using an International site (alibabacloud.com) account within the Chinese mainland.

      • Using a China site (aliyun.com) account outside the Chinese mainland.

    Note

    • Private DNS is automatically activated without additional configuration under other purchase conditions.

    • KMS covers the domain name resolution fees. You do not need to pay for them in Private DNS.

    Procedure

    External key management instances can only be enabled through the console.

    1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

    2. Click the External Key Management tab, find the instance that you want to enable, and then click Enable in the Actions column.

    3. In the Connect to HSM panel, configure parameters and click Connect to HSM.

      Parameter

      Description

      Instance Name

      Specify a name for the KMS instance. It supports letters, digits, and the following special characters: _/+=.@-.

      VPC ID

      Specify the VPC ID associated with your KMS instance. This ID cannot be modified after enabling the instance.

      Zone Configuration

      Set the zone and associated vSwitch for the instance. The deployment modes are dual-zone and multi-zone. If you select multi-zone, you can configure up to three zones.

      Single-zone regions

      Specific regions provide only a single zone, such as Thailand (Bangkok). In these regions, the KMS instance will be automatically configured for a single zone.

      • Zone and vSwitch Configuration: Configure a zone and vSwitch. Make sure that the vSwitch has at least one available IP address. KMS requires this IP to access your network.

      • Other Zones: Select Randomly Assign or Manually Specify.

      External Proxy Connectivity

      • Public Endpoint Connectivity: The KMS instance connects to the XKI proxy by using a public endpoint over the Internet.

      • VPC Endpoint Service Connectivity : The KMS instance connects to the XKI proxy by using a VPC endpoint service.

      Domain Name of External Proxy

      If you set External Proxy Connectivity to Public Endpoint Connectivity, enter the domain name of your XKI proxy.

      Endpoint Service

      If you set External Proxy Connectivity to VPC Endpoint Service Connectivity , select an endpoint service.

      The two zones of the endpoint service must be the same as those that you select when you enable the KMS instance.

      External Proxy Configuration

      • Manual Configuration: You must configure External Proxy Path, Certificate Fingerprint, AccessKey ID, and AccessKey Secret. Enter the AccessKey ID and AccessKey secret of the XKI proxy.

      • Configuration File Upload: You can upload a configuration file.

      The enablement time for the KMS instance depends on whether you configured the Number of Secrets parameter during purchase. Refresh the page to monitor the status. The KMS instance is enabled when its status displays Enabled.

      • With Number of Secrets: ~30 minutes.

      • Without Number of Secrets: ~10 minutes.

    Modify instance specifications

    If your KMS instance specifications no longer meet your needs, you can modify them. For example, you can increase computing performance or the number of secrets and keys.

    Console

    1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

    2. On the Instances page, click the tab of the instance type based on your business requirements.

    3. Find the KMS instance that you want to upgrade and click Upgrade in the Actions column. On the Upgrade/Downgrade page, specify new specifications.

    4. Read and select Terms of Service, click Buy Now, and then complete the payment.

    API

    Call the ModifyInstance operation.

    Release a KMS instance

    • Pay-as-you-go instances: These must be manually released.

    • Subscription instances: Automatically released 16 days after expiration. To release before expiration, follow procedures for unsubscribing resources. When the instance is refunded, it's automatically released.

    Before you release:

    • Data loss: Note that all keys and secrets will be permanently deleted from the instance. The data encrypted by these keys will be irrecoverable, and secrets will be unobtainable. Ensure no data remains encrypted using these keys before releasing.

    • Backup recommendation: Back up all data to enable restoration to the KMS if needed.

    • Billing: Understand that KMS calculates resource usage daily. If released on Day T, bills for Day T usage are generated before 12:00 (UTC+8) on Day T+1.

    To release a pay-as-you-go instance:

    1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

    2. On the Software Key Management or Hardware Key Management tab, find the KMS instance that you want to release.

    3. Click Release in the Actions column. After you confirm the release information, click OK.

    View the KMS instance details

    Procedures

    After creating a KMS instance, you can view its details, such as the instance ID, VPC address, and associated VPCs.

    Console

    1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

    2. On the Instances page, click the tab of the instance type based on your business requirements.

    3. Find the KMS instance whose details you want to view and click Manage in the Actions column. On the instance details page, view the details of the instance.

    API

    Call the GetKmsInstance operation.

    Set an alias for a KMS instance

    Procedures

    The alias must be 1-128 characters and can contain letters, digits, forward slashes (/), underscores (_), plus signs (+), equal signs (=), periods (.), at signs (@), and hyphens (-).

    1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

    2. Choose the tab including the target KMS instance, click the image icon below the instance ID, and set an alias.

    Enable the security audit for a KMS instance

    Procedures

    Audit logs are automatically generated whenever you access a KMS instance. These logs record comprehensive access information, including request details, user identification, accessed resources, and access results. Below is a sample log:

    2021-10-19T212021-10-19T21:40:01     [INFO]  - - 3dd60a7a-4587-4c57-8197-d749c3578974 CreateKey - TMP.3KfAHseF5DVULM2s8YUhdB8YvwM4nZA1wXr8AcAAhR7YhdyosXG2eSpsRFPMjYbvUArPRtsCWKzxEo88bC5w5LBfyp**** 111760096384**** 111760096384**** - kst-phzz6108e50c15333w**** - 37 - -40:01     [INFO]  - - 3dd60a7a-4587-4c57-8197-d749c3578974 CreateKey - TMP.3KfAHseF5DVULM2s8YUhdB8YvwM4nZA1wXr8AcAAhR7YhdyosXG2eSpsRFPMjYbvUArPRtsCWKzxEo88bC5w5LBfyp**** 111760096384**** 111760096384**** - kst-phzz6108e50c15333w**** - 37 - -

    After you enable the security audit, compliance with requirements is ensured. KMS delivers audit logs to your specified OSS bucket on an hourly basis. Before enabling this feature, ensure you have a pre-existing OSS bucket. Create a bucket if needed.

    1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

    2. On the Instances page, click the tab of the instance type based on your business requirements.

    3. Find the KMS instance for which you want to enable the security audit and click Manage in the Actions column. On the instance details page, turn on Security Audit.

    4. In the Configure Security Audit dialog box, configure Log Storage Bucket and click OK.

      After you enable the security audit, audit logs are generated and delivered to OSS within 1 hour.

    FAQs