Key Management Service (KMS) allows you to back up key data and secret data and to restore the data quickly, so that you do not lose data in scenarios such as accidental deletion and disaster recovery. This topic describes how to back up and restore data.
If you use a KMS instance of the software key management type but the backup and restoration feature is not available to you, submit a ticket to contact technical support.
Introduction
Scenarios
KMS provides the backup and restoration feature to allow you to back up keys and secrets in KMS instances of the software key management type. You can use the feature in the following scenarios:
You want to restore a KMS instance of the software key management type after the instance is released.
You want to restore a key or a secret that is deleted.
Your services are deployed in multiple regions, and you want to copy a key or a secret to other regions for disaster recovery or to serve calls from the nearest region.
Backup instance type
KMS uses the following backup instances to back up data: default backup instances and purchased backup instances. KMS provides a default backup instance in each region free of charge. Each backup instance can back up the data of one KMS instance of the software key management type. The following table describes the differences between default backup instances and purchased backup instances.
Item | Default backup instance | Purchased backup instance |
Queryable range | Seven days. The range cannot be extended. | You can select 7 to 600 days when you purchase a backup instance. You can also extend the range after you purchase a backup instance. |
Expiration time | Permanently valid. | The expiration time of a backup instance depends on the subscription duration that you select. Important: After a backup instance expires, no operations can be performed on it. A backup instance is released 15 days after it expires. Before it is released, you can renew the backup instance to continue using it. The renewal fee is the same as the fee for a new instance of the same specification. |
Fee | Free of charge. | Purchased. |
Queryable range
The queryable range indicates the period during which backup data can be queried.
KMS starts to back up data only after you enable a backup instance, so data that was deleted before that point is never backed up. Data that has been backed up is retained until the backup instance expires. The queryable range determines how far back within that retained data you can query and restore.
Backup point in time
The first time you enable a backup instance, a full backup is performed. Then, a full backup is performed at 00:00 every day. After a full backup is complete, an incremental backup is performed every 5 minutes.
Limits
KMS supports data backup only for instances of the software key management type.
You can only increase the value of Queryable Range. You cannot decrease the value.
KMS can restore the data of a source instance only to a destination instance of the software key management type within the Alibaba Cloud account of the source instance. The destination instance must meet the following requirements:
The destination instance has a sufficient key quota or secret quota.
The key or secret that you want to restore does not already exist in the region where the destination instance resides. If it does, the restoration fails. If you still want to restore the backed-up key or secret in this case, delete the existing key or secret first.
If you want to restore a secret, the destination instance must have the key that is used to encrypt the secret.
Back up data
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Backups.
(Optional) Purchase a backup instance.
Note: If you want to use the default backup instance, skip this step.
On the Backups page, click Create Backup, configure the parameters based on your business requirements, and then click Buy Now.
Parameter | Description |
Instance Type | The type of instance that you want to purchase. Select service value-added. |
Region | The region of the KMS instance of the software key management type that you want to back up. |
Viewable Days | The period during which you can query backup data (the Queryable Range). Unit: days. |
Purchase Quantity | The number of backup instances that you want to purchase. Note: Each backup instance can back up the data of one KMS instance of the software key management type. |
Duration | The subscription duration of the backup instance. |
On the Confirm Order page, read and select Terms of Service, click Pay, and then complete the payment.
Enable the backup instance.
On the Backups page, find the backup instance that you want to enable and click Enable in the Actions column.
In the Enable Backup panel, configure the parameters and click OK.
Parameter | Description |
Instance Type | Software Key Management is selected by default. You cannot change the value. |
Source Instance | The KMS instance of the software key management type that you want to back up. |
Data Type | The type of data that you want to back up. Key and Secret are selected by default. You cannot change the value. |
Backup Alias | The alias of the backup instance. |
The first time you enable a backup instance, a full backup is performed. Then, a full backup is performed at 00:00 every day. After a full backup is complete, an incremental backup is performed every 5 minutes.
(Optional) View backup data.
Find the backup instance that you want to view and click View Data in the Actions column. On the page that appears, select a date to view the backup data.
Backup data type | Description |
Fully Backed up Keys | The keys that are fully backed up on the selected date. |
Incrementally Backed up Keys | The keys that are created on the selected date. |
Rotated Keys | The keys that are rotated on the selected date. |
Fully Backed up Secrets | The secrets that are fully backed up on the selected date. |
Incrementally Backed up Secrets | The secrets that are created on the selected date. |
Rotated Secrets | The secrets that are rotated on the selected date. |
Restore data
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Backups.
Find the backup instance whose data you want to restore and click View Data in the Actions column. On the page that appears, select the date to which you want to restore data.
Important: If the date that you select is outside the queryable range, extend the queryable range and then restore the data again. Extending the queryable range cannot recover data that was deleted before the backup instance was enabled, because that data was never backed up. For more information about how to extend the queryable range, see Extend the queryable range.
For example, you enable a backup instance on May 1, 2023 with a queryable range of 10 days. On May 20, 2023, the range covers only May 11 to May 20. To restore data that was backed up on May 5, 2023, extend the queryable range to 16 days so that it reaches back to May 5.
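The following helper is an added example, not code from the KMS documentation or the KMS API. It models the queryable range exactly as the section above describes it, so that you can check before opening the console whether a restore date is reachable, and if so how many days the range must be extended to. It assumes (consistent with the page's May 2023 example, but not stated there in so many words) that a queryable range of N days covers the N calendar days ending today, inclusive; the fixed 7-day default range and the 7 to 600 day purchasable range are taken from the table above.

```python
from datetime import date, timedelta
from typing import Optional, Tuple

# Added example, not code from the KMS documentation. Assumption: a queryable
# range of N days covers the N calendar days ending today, inclusive, so that on
# May 20, 2023 a range of 16 days reaches back to May 5, 2023.

DEFAULT_RANGE_DAYS = 7          # default backup instance: fixed, cannot be extended
MAX_PURCHASED_RANGE_DAYS = 600  # purchased backup instance: 7 to 600 days


def oldest_queryable_date(today: date, queryable_days: int) -> date:
    """First calendar day still covered by a queryable range of `queryable_days`."""
    if queryable_days < 1:
        raise ValueError("queryable range must be at least one day")
    return today - timedelta(days=queryable_days - 1)


def is_queryable(backup_date: date, today: date, queryable_days: int) -> bool:
    """True if the backup data of `backup_date` can be viewed or restored today."""
    return oldest_queryable_date(today, queryable_days) <= backup_date <= today


def min_queryable_days(enable_date: date, backup_date: date, today: date) -> Optional[int]:
    """Smallest queryable range that covers `backup_date` when restoring on `today`.

    Returns None when no extension can help: the backup instance was not yet
    enabled on `backup_date`, so nothing from that day was ever backed up.
    """
    if backup_date > today:
        raise ValueError("backup date lies in the future")
    if backup_date < enable_date:
        return None
    return (today - backup_date).days + 1


def plan_restore_window(enable_date: date, backup_date: date, today: date,
                        current_days: int, purchased: bool) -> Tuple[str, Optional[int]]:
    """Decide what is needed to reach `backup_date`.

    Returns ("ok", current_days) when the date is already queryable,
    ("extend", days) when a purchased instance must be extended to `days`,
    or ("unrecoverable", days_or_None) when no extension can help.
    """
    needed = min_queryable_days(enable_date, backup_date, today)
    if needed is None:
        return ("unrecoverable", None)      # deleted before backup was enabled
    if needed <= current_days:
        return ("ok", current_days)
    if not purchased:
        return ("unrecoverable", needed)    # default instance cannot be extended
    if needed > MAX_PURCHASED_RANGE_DAYS:
        return ("unrecoverable", needed)    # beyond the 600-day maximum
    return ("extend", needed)


if __name__ == "__main__":
    # The page's own scenario: enabled May 1, 2023, range 10 days, restoring
    # the May 5, 2023 backup on May 20, 2023.
    enabled, wanted, today = date(2023, 5, 1), date(2023, 5, 5), date(2023, 5, 20)
    print(is_queryable(wanted, today, 10))                        # False
    print(plan_restore_window(enabled, wanted, today, 10, True))  # ('extend', 16)
```

Run it with your own enable date and the date of the backup you need; an "unrecoverable" result with `None` means the data predates the backup instance and no purchase will bring it back, which is the case the Important note above warns about.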
Restore data.
Data type
Procedure
Key
Click the required key tab such as Fully Backed up Keys, find the key that you want to restore, and then click Restore Data in the Actions column.
In the Restore Data panel, select the instance to which you want to restore the data and the region of the instance, and click OK.
Secret
Restore the key that is used to encrypt a secret.
Note: If you want to restore a secret, the destination instance must have the key that encrypts the secret. If the key already exists in the destination instance, skip this step.
Click the required key tab such as Fully Backed up Keys, find the required key, and then click Restore Data in the Actions column.
In the Restore Data panel, select the instance to which you want to restore the data and the region of the instance, and click OK.
Restore the secret.
Click the required secret tab such as Fully Backed up Secrets, find the secret that you want to restore, and then click Restore Data in the Actions column.
In the Restore Data panel, select the instance to which you want to restore the data and the region of the instance, and click OK.
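The restore limits listed under Limits and the key-before-secret order of the procedure above can be checked up front rather than discovered as failed restorations. The following dry-run planner is an added example, not code from the KMS documentation or the KMS API: given the keys and secrets you intend to restore and an inventory of the destination instance, it orders keys ahead of the secrets they encrypt and reports every condition that would make a step fail (wrong instance type, different account, name collision in the destination region, missing encrypting key, insufficient quota). All instance IDs, key IDs, secret names and quotas below are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Added example, not code from the KMS documentation or API. Identifiers are
# constructed; the checks mirror the Limits section and the restore procedure.


@dataclass(frozen=True)
class BackedUpKey:
    key_id: str


@dataclass(frozen=True)
class BackedUpSecret:
    name: str
    encryption_key_id: str      # the key that encrypts this secret


@dataclass
class DestinationInstance:
    instance_id: str
    account_id: str
    instance_type: str          # must be "software" (software key management type)
    key_quota_free: int
    secret_quota_free: int
    existing_key_ids: Set[str]        # keys already present in the destination region
    existing_secret_names: Set[str]   # secrets already present in the destination region


def plan_restore(source_account_id: str, dest: DestinationInstance,
                 keys: List[BackedUpKey], secrets: List[BackedUpSecret]
                 ) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (ordered restore steps, problems that would make a step fail).

    Steps are ("key", key_id) or ("secret", name). All keys come before any
    secret, because a secret can only be restored once its encrypting key
    exists in the destination instance.
    """
    problems: List[str] = []
    steps: List[Tuple[str, str]] = []

    if dest.instance_type != "software":
        problems.append(f"{dest.instance_id}: destination is not of the software key management type")
    if dest.account_id != source_account_id:
        problems.append(f"{dest.instance_id}: destination belongs to a different Alibaba Cloud account")

    for k in keys:
        if k.key_id in dest.existing_key_ids:
            problems.append(f"key {k.key_id} already exists in the destination region; "
                            "delete it first if you really want to restore the backup")
        else:
            steps.append(("key", k.key_id))

    # Keys usable by secrets: those already present plus those this plan restores.
    available_keys = dest.existing_key_ids | {kid for kind, kid in steps if kind == "key"}

    for s in secrets:
        if s.name in dest.existing_secret_names:
            problems.append(f"secret {s.name} already exists in the destination region")
        elif s.encryption_key_id not in available_keys:
            problems.append(f"secret {s.name}: encrypting key {s.encryption_key_id} is neither "
                            "in the destination nor in this plan; restore that key first")
        else:
            steps.append(("secret", s.name))

    planned_keys = sum(1 for kind, _ in steps if kind == "key")
    planned_secrets = len(steps) - planned_keys
    if planned_keys > dest.key_quota_free:
        problems.append(f"key quota: {planned_keys} keys to restore, {dest.key_quota_free} free")
    if planned_secrets > dest.secret_quota_free:
        problems.append(f"secret quota: {planned_secrets} secrets to restore, {dest.secret_quota_free} free")
    return steps, problems


# Constructed inventory for illustration: key-a and secret db-prod already exist
# in the destination region; secret orphan depends on a key that is nowhere.
DEST = DestinationInstance("kst-dest-example", "123456789", "software", 1, 2,
                           existing_key_ids={"key-a"}, existing_secret_names={"db-prod"})
KEYS = [BackedUpKey("key-a"), BackedUpKey("key-b")]
SECRETS = [BackedUpSecret("api-token", "key-a"),
           BackedUpSecret("svc-cred", "key-b"),
           BackedUpSecret("orphan", "key-c"),
           BackedUpSecret("db-prod", "key-a")]

if __name__ == "__main__":
    steps, problems = plan_restore("123456789", DEST, KEYS, SECRETS)
    for step in steps:
        print("restore", *step)
    for p in problems:
        print("problem:", p)
```

In the constructed scenario the plan restores key-b, then api-token (encrypted by the key that already exists in the destination) and svc-cred (encrypted by the key restored earlier in the plan), and reports three problems: the key-a collision, the orphan secret whose key is unavailable, and the db-prod collision. Fix the reported problems in the console (delete colliding items you intend to replace, restore missing keys first) and rerun the plan until it is empty of problems before you start clicking Restore Data.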
What to do next
Extend the queryable range
You can only increase the queryable range. You cannot decrease the queryable range.
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Backups.
Find the required backup instance and click View Data in the Actions column.
On the details page of the backup instance, click Extend Queryable Range, select the number of days that you want to increase, click Buy Now, and then complete the payment.
Reset a backup instance
You can reset a backup instance to delete the backup data and disassociate the backup instance from the source KMS instance.
Resetting deletes all data that is backed up by the backup instance. Proceed with caution.
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Backups.
Find the backup instance that you want to reset and click Reset in the Actions column.
In the Reset message, confirm the information and click OK.
After the backup instance is reset, the backup instance is in the Disabled state. You can associate the backup instance with a new KMS instance of the software key management type.
Renew a backup instance
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Backups.
Find the backup instance that you want to renew and click Renew in the Actions column.
On the Renew page, configure Subscription Period, read and select Terms of Service, click Buy Now, and then complete the payment.
Download backup data
After you download backup data, keep it confidential. Downloaded backup data can be used only to restore data in the KMS console, by uploading it again as described in Upload a backup data file.
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Backups.
Find the backup instance whose backup data you want to download and click Download in the Actions column.
In the Export Backup Data panel, configure Backup Date and click OK.
Note: If you want to download backup data that is outside the Queryable Range, you must extend the queryable range and then download the backup data again.
Save the backup data.
Click the copy icon next to Encryption Key to copy the encryption key, and save the key on your computer.
Click Download next to Backup Data to download the backup data, and store the file securely.
Important: The encryption key is required to decrypt the downloaded backup data when you upload it again. KMS does not store the encryption key or the downloaded backup data, so if you lose the key, the backup file can no longer be used. Keep both confidential, and store the key separately from the backup file so that a single leak does not expose both.
Upload a backup data file
If you transfer backup data files across national borders, you must comply with the applicable laws and regulations on data transfer.
On the Backups page, click Upload Backup.
In the Import Backup Data panel, configure Decryption Key and Backup Name, and then click OK.
In the dialog box that appears, select the backup data file that you want to upload and click Open.
After the file is uploaded, you can view the uploaded data on the Backups page. The Backup Type of the uploaded data is Upload.
FAQ
How do I view the queryable range?
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Backups.
On the Backups page, view the value of Queryable Range.