This topic describes how to enable, view, upgrade, and renew a Key Management Service (KMS) instance. This topic also describes how to enable the security audit feature for a KMS instance.
Take note of the remaining subscription period of a KMS instance. We recommend that you renew a KMS instance before the instance expires to prevent negative impacts on your business. For more information, see Billing.
Enable a KMS instance
After you purchase a KMS instance, you must enable the instance to use the features of Key Management and Secrets Manager of KMS.
Enable a KMS instance of the software key management type
Prerequisites
A virtual private cloud (VPC) and a vSwitch are available in the region of the KMS instance.
Before you enable the KMS instance, we recommend that you log on to the VPC console and view the existing VPCs, vSwitches, and zones where the vSwitches reside. You can also create a VPC and a vSwitch. For more information, see Create a VPC and a vSwitch or Create a vSwitch.
Alibaba Cloud DNS PrivateZone is activated. If you use an account on the China site (aliyun.com) to purchase a KMS instance outside the Chinese mainland or use an account on the International site (alibabacloud.com) to purchase a KMS instance in the Chinese mainland, you must manually activate Alibaba Cloud DNS PrivateZone. For more information, see Activate Alibaba Cloud DNS PrivateZone.
Note: If you use an account on the China site (aliyun.com) to purchase a KMS instance in the Chinese mainland or use an account on the International site (alibabacloud.com) to purchase a KMS instance outside the Chinese mainland, Alibaba Cloud DNS PrivateZone is automatically activated.
The fees for domain name resolution are billed to KMS. You do not need to complete payments on the Alibaba Cloud DNS PrivateZone side.
Procedure
Enable a KMS instance of the hardware key management type
Prerequisites
An HSM cluster to which the KMS instance is connected is available. For more information, see Configure an HSM cluster for a KMS instance of the hardware key management type.
Alibaba Cloud DNS PrivateZone is activated. If you use an account on the China site (aliyun.com) to purchase a KMS instance outside the Chinese mainland or use an account on the International site (alibabacloud.com) to purchase a KMS instance in the Chinese mainland, you must manually activate Alibaba Cloud DNS PrivateZone. For more information, see Activate Alibaba Cloud DNS PrivateZone.
Note: If you use an account on the China site (aliyun.com) to purchase a KMS instance in the Chinese mainland or use an account on the International site (alibabacloud.com) to purchase a KMS instance outside the Chinese mainland, Alibaba Cloud DNS PrivateZone is automatically activated.
The fees for domain name resolution are billed to KMS. You do not need to complete payments on the Alibaba Cloud DNS PrivateZone side.
Two vSwitches are available in the VPC of the KMS instance.
(Recommended) Use the two vSwitches that are bound to your HSM: You do not need to create vSwitches. Make sure that four available IP addresses are reserved for each vSwitch.
Do not use the two vSwitches that are bound to your HSM: You need to create two vSwitches in different zones. Make sure that four available IP addresses are reserved for each vSwitch. For more information, see Create a vSwitch.
To view the number of available IP addresses on a vSwitch, log on to the VPC console, open the vSwitch page, and click the ID of the vSwitch.
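The vSwitch prerequisites above are easy to get wrong (same zone twice, a vSwitch from another VPC, too few free addresses) and a failed enable costs you the 10 to 30 minute wait. The following preflight check is an added example, not Alibaba Cloud's own code. It takes vSwitch attribute records in the shape of the VPC DescribeVSwitchAttributes response (the field names VSwitchId, VpcId, ZoneId and AvailableIpAddressCount are assumed here and should be confirmed against the API reference) and verifies the rules this page states for both instance types: two vSwitches in different zones with at least four free IP addresses each for the hardware key management type, and one vSwitch with at least one free IP address for the external key management type. The sample records are constructed.

```python
"""Preflight check for the vSwitch prerequisites of a KMS instance (added example)."""
from typing import Dict, List

# Rules taken from the enable procedures on this page. Field names used below
# (VSwitchId, VpcId, ZoneId, AvailableIpAddressCount) are ASSUMED to match the
# VPC DescribeVSwitchAttributes response; verify them against the API reference.
RULES = {
    "hardware": {"count": 2, "min_ips": 4, "distinct_zones": True},
    "external": {"count": 1, "min_ips": 1, "distinct_zones": False},
}


def check_vswitches(vswitches: List[Dict], instance_type: str, vpc_id: str) -> List[str]:
    """Return a list of problems; an empty list means the prerequisites hold."""
    rule = RULES[instance_type]
    problems = []

    if len(vswitches) != rule["count"]:
        problems.append(
            f"{rule['count']} vSwitch(es) required for the {instance_type} type, got {len(vswitches)}"
        )

    # Every vSwitch must belong to the VPC of the KMS instance.
    for vsw in vswitches:
        if vsw["VpcId"] != vpc_id:
            problems.append(f"{vsw['VSwitchId']} is in {vsw['VpcId']}, not in {vpc_id}")

    # Hardware type: the two vSwitches must sit in different zones (dual-zone deployment).
    zones = [vsw["ZoneId"] for vsw in vswitches]
    if rule["distinct_zones"] and len(set(zones)) != len(zones):
        problems.append(f"vSwitches must be in different zones, got {zones}")

    # Each vSwitch must have enough free addresses reserved for the KMS endpoints.
    for vsw in vswitches:
        free = vsw["AvailableIpAddressCount"]
        if free < rule["min_ips"]:
            problems.append(
                f"{vsw['VSwitchId']} has {free} available IP addresses; {rule['min_ips']} required"
            )
    return problems


# Constructed sample records (not real resources).
VPC_ID = "vpc-example0000000000000"
HARDWARE_CANDIDATES = [
    {"VSwitchId": "vsw-example0001", "VpcId": VPC_ID, "ZoneId": "cn-hangzhou-h", "AvailableIpAddressCount": 250},
    {"VSwitchId": "vsw-example0002", "VpcId": VPC_ID, "ZoneId": "cn-hangzhou-i", "AvailableIpAddressCount": 3},
]
EXTERNAL_CANDIDATES = [
    {"VSwitchId": "vsw-example0003", "VpcId": VPC_ID, "ZoneId": "cn-hangzhou-h", "AvailableIpAddressCount": 1},
]

if __name__ == "__main__":
    for kind, cands in (("hardware", HARDWARE_CANDIDATES), ("external", EXTERNAL_CANDIDATES)):
        issues = check_vswitches(cands, kind, VPC_ID)
        print(kind, "OK" if not issues else issues)
```

Run it against the records returned for your candidate vSwitches before clicking Enable; any non-empty result is a prerequisite that the console would otherwise reject or that would leave the instance stuck in the Enabling state.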
Procedure
You can use only the KMS console to enable a KMS instance of the hardware key management type. API operations and Terraform cannot be used to enable a KMS instance of the hardware key management type.
Log on to the Key Management Service console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
On the Hardware Key Management tab, find the KMS instance that you want to enable and click Enable in the Actions column.
In the Connect to HSM panel, specify an HSM cluster and click Connect to HSM. To specify an HSM cluster, you must configure the following parameters.
Configure HSM Cluster: Select the HSM cluster that you created in Cloud Hardware Security Module.
Note: You can connect a KMS instance of the hardware key management type to only one HSM cluster.
Configure HSM Access Secret:
Username: the username of the crypto user. The value is fixed as kmsuser.
Password: the password of the crypto user. Enter the password that you specified when you created the crypto user.
Security Domain Certificate: a root certificate authority (CA) certificate in the PEM format. To obtain the certificate, perform the following operations: Log on to the Cloud Hardware Security Module console. Find the HSM cluster and the master HSM in the cluster. Click the icon to the right of the ID of the master HSM. In the Cluster Details dialog box, download the ClusterOwnerCertificate file.
Dual-zone Deployment: Select two zones. Dual-zone deployment improves service availability and disaster recovery capabilities.
VPC: Select the ID of the VPC of the KMS instance.
vSwitch (first zone): Select the ID of a vSwitch in one of the zones that you selected. Four available IP addresses must be reserved for the vSwitch.
vSwitch (second zone): Select the ID of a vSwitch in the other zone that you selected. Four available IP addresses must be reserved for the vSwitch.
If you configured the Number of Secrets parameter when you purchased the KMS instance, the system requires approximately 30 minutes to enable the KMS instance. Wait approximately 30 minutes and then refresh the page. If you did not configure the Number of Secrets parameter when you purchased the KMS instance, the system requires approximately 10 minutes to enable the KMS instance. Wait approximately 10 minutes and then refresh the page. If the status of the KMS instance changes to Enabled, the KMS instance is enabled.
Enable a KMS instance of the external key management type
Prerequisites
You have purchased an off-cloud hardware security module and configured an XKI Proxy external proxy. For the specific steps, consult your hardware security module service provider.
Note: For more information about XKI Proxy servers, see XKI Proxy servers.
KMS supports connections to XKI Proxy external proxies through public or VPC endpoints. If you use a VPC endpoint to establish a connection, you must first create an endpoint service. For more information, see Create and manage endpoint services. Take note of the following points when you create the endpoint service:
The two zones of the endpoint service must be the same as the two zones that you select when you enable the KMS instance.
Add the current Alibaba Cloud account to the whitelist of the endpoint service.
Set Automatically Accept Connections to Yes.
Procedure
You can use only the KMS console to enable a KMS instance of the external key management type. API operations and Terraform cannot be used to enable a KMS instance of the external key management type.
Log on to the Key Management Service console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
On the External Key Management tab, find the KMS instance that you want to enable and click Enable in the Actions column.
In the Connect to HSM panel, specify an HSM cluster and click Connect to HSM. To specify an HSM cluster, you must configure the following parameters.
Dual-zone Deployment: Select two zones. Dual-zone deployment improves service availability and disaster recovery capabilities.
VPC: Select the ID of the VPC of the KMS instance.
vSwitch: Select a vSwitch ID. One available IP address must be reserved for the vSwitch.
External Proxy Connectivity: Public Endpoint Connectivity: The KMS instance connects to the XKI Proxy external proxy over the Internet. VPC Endpoint Service Connectivity: The KMS instance uses a VPC endpoint service to connect to the XKI Proxy external proxy.
Domain Name of External Proxy: Required only if you set External Proxy Connectivity to Public Endpoint Connectivity. Enter the domain name of the XKI Proxy external proxy.
Endpoint Service: Required only if you set External Proxy Connectivity to VPC Endpoint Service Connectivity. The zones that you select when you enable the KMS instance must be the same as the zones of the endpoint service.
External Proxy Configuration: Manual Configuration: Manually configure the External Proxy Path, Certificate Fingerprint, and the AccessKey ID and AccessKey secret of the XKI proxy. Configuration File Upload: Upload a configuration file that contains these settings.
If you configured the Number of Secrets parameter when you purchased the KMS instance, the system requires approximately 30 minutes to enable the KMS instance. Wait approximately 30 minutes and then refresh the page. If you did not configure the Number of Secrets parameter when you purchased the KMS instance, the system requires approximately 10 minutes to enable the KMS instance. Wait approximately 10 minutes and then refresh the page. If the status changes to Enabled, the external KMS instance is enabled.
View the details of a KMS instance
After you create a KMS instance, you can view the details of the instance, such as the instance ID, virtual private cloud (VPC) address, and VPCs that are associated with the instance.
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Instances.
On the Instances page, click the Software Key Management tab or the Hardware Key Management tab based on the type of your KMS instance.
Find the KMS instance whose details you want to view and click Manage in the Actions column. On the instance details page, view the details of the instance.
Upgrade a KMS instance
If the specifications of your KMS instance do not meet your business requirements, you can upgrade the KMS instance. For example, you can upgrade the computing performance and increase the numbers of secrets and keys.
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Instances.
On the Instances page, click the Software Key Management tab or the Hardware Key Management tab based on the type of your KMS instance.
Find the KMS instance that you want to upgrade and click Upgrade in the Actions column. On the Upgrade/Downgrade page, specify new specifications.
Read and select Terms of Service, click Buy Now, and then complete the payment.
Enable the security audit feature for a KMS instance
Audit logs are generated when you access a KMS instance. The audit logs record the access information about the instance, including the request information, user information, accessed resource information, and access results. Sample log:
2021-10-19T21:40:01 [INFO] - - 3dd60a7a-4587-4c57-8197-d749c3578974 CreateKey - TMP.3KfAHseF5DVULM2s8YUhdB8YvwM4nZA1wXr8AcAAhR7YhdyosXG2eSpsRFPMjYbvUArPRtsCWKzxEo88bC5w5LBfyp**** 111760096384**** 111760096384**** - kst-phzz6108e50c15333w**** - 37 - -
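Because the audit logs land in an OSS bucket as plain text, the first thing a security team needs is a parser that turns each line into named fields so that key-lifecycle operations can be reviewed and alerted on. The following parser is an added example, not Alibaba Cloud's code. The field positions are inferred from the single sample line above (fields are space-separated and "-" marks an empty field); which meaning belongs to which position (request ID, operation, credential, account ID, instance ID) is an assumption for this example and must be confirmed against the audit log format reference. The watch list of operations and the extra sample lines are constructed; the first sample line is the one from this page.

```python
"""Parse KMS security audit log lines and summarize key-lifecycle activity (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field positions inferred from the documentation's sample line. "-" marks an
# empty field. The meaning assigned to each position is an ASSUMPTION for this
# example; confirm it against the audit log format reference before relying on it.
POS_TIMESTAMP, POS_LEVEL, POS_REQUEST_ID, POS_OPERATION = 0, 1, 4, 5
POS_CREDENTIAL, POS_ACCOUNT_ID, POS_INSTANCE_ID = 7, 8, 11
MIN_FIELDS = 12
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")

# Operations that change key state and deserve review. The names are KMS API
# operation names; which ones to watch is a choice made for this example.
WATCHED_OPERATIONS = {"CreateKey", "DisableKey", "ScheduleKeyDeletion", "ImportKeyMaterial"}


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    level: str
    request_id: Optional[str]
    operation: Optional[str]
    credential: Optional[str]
    account_id: Optional[str]
    instance_id: Optional[str]


def parse_line(line: str) -> AuditEvent:
    """Split one audit line into named fields; raise ValueError on a malformed line."""
    tokens = line.split()
    if len(tokens) < MIN_FIELDS:
        raise ValueError(f"malformed audit line ({len(tokens)} fields): {line!r}")
    fields = [None if t == "-" else t for t in tokens]
    if not fields[POS_TIMESTAMP] or not TIMESTAMP_RE.fullmatch(fields[POS_TIMESTAMP]):
        raise ValueError(f"bad timestamp in audit line: {line!r}")
    return AuditEvent(
        timestamp=fields[POS_TIMESTAMP],
        level=(fields[POS_LEVEL] or "").strip("[]"),
        request_id=fields[POS_REQUEST_ID],
        operation=fields[POS_OPERATION],
        credential=fields[POS_CREDENTIAL],
        account_id=fields[POS_ACCOUNT_ID],
        instance_id=fields[POS_INSTANCE_ID],
    )


def summarize(lines: List[str]) -> Dict:
    """Count operations per KMS instance and collect watched (key-lifecycle) events."""
    per_instance: Dict[Optional[str], Counter] = {}
    flagged: List[AuditEvent] = []
    malformed = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            event = parse_line(line)
        except ValueError:
            malformed += 1  # keep going; report the count so gaps are visible
            continue
        per_instance.setdefault(event.instance_id, Counter())[event.operation] += 1
        if event.operation in WATCHED_OPERATIONS:
            flagged.append(event)
    return {"per_instance": per_instance, "flagged": flagged, "malformed": malformed}


# First line is the page's sample; the rest are constructed in the same shape.
PAGE_SAMPLE = (
    "2021-10-19T21:40:01 [INFO] - - 3dd60a7a-4587-4c57-8197-d749c3578974 CreateKey - "
    "TMP.3KfAHseF5DVULM2s8YUhdB8YvwM4nZA1wXr8AcAAhR7YhdyosXG2eSpsRFPMjYbvUArPRtsCWKzxEo88bC5w5LBfyp**** "
    "111760096384**** 111760096384**** - kst-phzz6108e50c15333w**** - 37 - -"
)
SAMPLE_LINES = [
    PAGE_SAMPLE,
    "2021-10-19T21:42:17 [INFO] - - 00000000-0000-4000-8000-000000000001 Encrypt - "
    "TMP.EXAMPLECREDENTIAL**** 111760096384**** 111760096384**** - kst-phzz6108e50c15333w**** - 12 - -",
    "2021-10-19T21:45:03 [INFO] - - 00000000-0000-4000-8000-000000000002 ScheduleKeyDeletion - "
    "TMP.EXAMPLECREDENTIAL**** 111760096384**** 111760096384**** - kst-EXAMPLE0000000000**** - 41 - -",
    "not an audit line",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for inst, counts in report["per_instance"].items():
        print(inst, dict(counts))
    for ev in report["flagged"]:
        print("REVIEW", ev.timestamp, ev.instance_id, ev.operation, ev.request_id)
    print("malformed lines:", report["malformed"])
```

Feed it the hourly objects from the audit bucket; the per-instance counts give a baseline of normal usage, and the flagged list is the set of events (key creation, disabling, scheduled deletion, key material import) that a reviewer should reconcile against change tickets.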
After you enable the security audit feature, KMS delivers audit logs to the Object Storage Service (OSS) bucket that you specify on an hourly basis to meet regulatory requirements and business requirements. Before you enable the security audit feature, make sure that an OSS bucket is available. For more information, see Create buckets.
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Instances.
On the Instances page, click the Software Key Management tab or the Hardware Key Management tab based on the type of your KMS instance.
Find the KMS instance for which you want to enable the security audit feature and click Manage in the Actions column. On the instance details page, turn on Security Audit.
In the Configure Security Audit dialog box, configure Log Storage Bucket and click OK.
After you enable the security audit feature, audit logs are generated and delivered to OSS within 1 hour.
Renew a KMS instance
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Instances.
Click the Software Key Management tab or the Hardware Key Management tab, find the instance that you want to renew, and then click Renew in the Actions column.
On the KMS (International) | Renew page, configure the Duration parameter, and read and select Terms of Service.
Click Buy Now to complete the payment.
You can also renew a KMS instance in User Center. For more information, see Renewal guide for the international site (alibabacloud.com).
FAQ
Why is a KMS instance always in the Enabling state when I enable the instance?
What do I do if an error occurs when I enable an instance of the software key management type?
What do I do if an error occurs when I enable an instance of the hardware key management type?
How do I configure an HSM cluster for a KMS instance of the hardware key management type?