Key Management Service (KMS) allows you to manage key data backups and secret data backups. You can quickly restore data to avoid data loss in scenarios such as accidental deletion and disaster recovery. This topic describes how to back up and restore data.
If you do not back up your keys and secrets, or if the backup data expires, keys and secrets that expire or are deleted are permanently lost.
Supported instance types
Only Software Key Management instances support the backup and restoration feature.
Hardware Key Management instances do not support backup, but hardware-protected keys can be partially backed up by using the backup feature of the Hardware Security Module (HSM). A hardware-protected key consists of two parts: key material and key metadata.
The key material is the hardware-protected key mapped on the HSM. It can be backed up by using the HSM backup feature. For more information, see Manage data backup and restoration.
The key metadata is the information stored in KMS, such as the key ID, the associated KMS instance, the Alibaba Cloud Resource Name (ARN), and key policies. Key metadata cannot be backed up.
Scenarios
You want to restore a KMS instance of the software key management type after the instance is released.
You want to restore a key or a secret that is deleted.
Your services are distributed in multiple regions. You want to copy a key or a secret to other regions for disaster recovery or nearest calls.
Features
KMS uses backup instances to back up data. You can use each backup instance to back up the data of one KMS instance of the software key management type. KMS supports automatic backup and manual backup.
Automatic backup: If you enable a KMS instance of the software key management type that was created after 00:00 on April 26, 2024, KMS automatically creates a backup instance to back up the data of the KMS instance. For more information, see [Announcement] KMS instances of the software key management type support the automatic backup feature.
Manual backup: Backup instances include default backup instances and purchased backup instances. KMS provides a default backup instance in each region free of charge. You must enable a backup instance to allow KMS to back up data.
Item | Description | Automatic backup | Manual backup (default backup instance) | Manual backup (purchased backup instance)
Queryable range | The period of time during which you can query backup data. KMS does not delete data that is backed up before your backup instance expires. The period during which you can query backup data varies based on the value of the Queryable Range parameter. | 90 days. You cannot extend the queryable range. | 7 days. You cannot extend the queryable range. | 7 to 600 days, selected when you purchase the backup instance. You can extend the queryable range after you purchase the backup instance, but you cannot reduce it.
Expiration time | The time when the backup data is deleted. | 90 days after the KMS instance of the software key management type is released. | Permanently valid. | Determined by the subscription duration of the backup instance. Important: After a backup instance expires, you cannot perform operations on the instance. You can release a backup instance 15 days after it expires. Before you release the backup instance, you can renew it to continue using it. The renewal fee is the same as the fee for a new backup instance of the same specification.
Fee | Whether you need to pay for the backup instance. | Free of charge. | Free of charge. | Purchased.
Backup point in time | The point in time at which data is backed up on a daily basis. | The first time you enable a backup instance, a full backup is performed. Subsequent full backups are performed daily at 00:00. After each full backup, incremental backups are performed every 5 minutes. | Same as automatic backup. | Same as automatic backup.
On the Backups page, you can quickly identify the type of a backup instance based on the Backup Type parameter. System Created indicates that the backup instance is created by KMS. Default indicates the default backup instance. Paid indicates that the backup instance is purchased.
Back up data
Automatic backup
After you enable a KMS instance of the software key management type, KMS automatically backs up data of the instance. For more information about how to enable a KMS instance, see Purchase and enable a KMS instance.
After an instance is enabled, KMS automatically creates a backup instance. To view the backup instance, go to the Backups page, find an instance whose Backup Type is set to System Created and Backup Object is set to your KMS instance.
Manual backup
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
(Optional) Purchase a backup instance.
Note: If you want to use the default backup instance, skip this step.
On the Backups page, click Create Backup, configure the parameters based on your business requirements, and then click Buy Now.
Parameter | Description
Instance Type | The type of instance that you want to purchase. Select Value-added Plan.
Value-added Plan | The plan that you want to purchase. Select instance backup.
Region | The region of the KMS instance of the software key management type that you want to back up.
Viewable days | The period of time during which you can query backup data. Unit: days.
Purchase quantity | The number of backup instances that you want to purchase. Note: You can use each backup instance to back up the data of one KMS instance of the software key management type.
Duration | The subscription duration of the backup instance.
On the Confirm Order page, read and select Terms of Service, click Pay, and then complete the payment.
Enable the backup instance.
On the Backups page, find the backup instance that you want to enable and click Enable in the Actions column.
In the Enable Backup panel, configure the parameters and click OK.
Parameter | Description
Instance Type | Software Key Management is selected by default. You cannot change the value.
Source Instance | The KMS instance of the software key management type that you want to back up.
Data Type | The type of data that you want to back up. Key and Secret are selected by default. You cannot change the value.
Backup Alias | The alias of the backup instance.
The first time you enable a backup instance, a full backup is performed. Subsequent full backups are performed on a daily basis at 00:00. After each full backup, incremental backups are performed every 5 minutes.
(Optional) View backup data.
Find the backup instance whose data you want to view and click View Data in the Actions column. On the page that appears, select a date to view the backup data.
Backup data type | Description
Fully Backed up Keys | The keys that are fully backed up at 00:00 on the selected date.
Incrementally Backed up Keys | The keys that are created on the selected date.
Rotated Keys | The keys that are rotated on the selected date.
Fully Backed up Secrets | The secrets that are fully backed up at 00:00 on the selected date.
Incrementally Backed up Secrets | The secrets that are created on the selected date.
Rotated Secrets | The secrets that are rotated on the selected date.
Restore data
KMS can restore the data of a source instance only to a destination instance of the software key management type within the Alibaba Cloud account of the source instance. The destination instance must meet the following requirements:
The destination instance has a sufficient key quota or secret quota.
The key or secret that you want to restore does not exist in the region where the destination instance resides. Otherwise, the restoration fails. If you want to restore a key or secret in this scenario, delete the existing key or secret.
If you want to restore a secret, the key that is used to encrypt the secret must exist in the destination instance.
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
Find the backup instance whose data you want to restore and click View Data in the Actions column. On the page that appears, select the date to which you want to restore data.
Important: If the backup instance is a purchased backup instance and the date that you want to select is not included in the queryable range, you can extend the queryable range and then restore the data. Data that was generated before the backup instance was enabled cannot be restored, even if you extend the queryable range.
For example, you enable a backup instance on May 1, 2024 and the queryable range is 10 days. On May 20, 2024, you can extend the queryable range to 16 days if you want to restore the data that is generated on May 5, 2024.
Restore data.
Data type | Procedure
Key | 1. Click the required key tab, such as Fully Backed up Keys, find the key that you want to restore, and then click Restore Data in the Actions column. 2. In the Restore Data panel, select the destination instance to which you want to restore the data and the region of the instance, and then click OK.
Secret | 1. Restore the key that is used to encrypt the secret. Note: The key that is used to encrypt the secret must exist in the destination instance. If the key already exists in the destination instance, skip this step. Click the required key tab, such as Fully Backed up Keys, find the required key, and then click Restore Data in the Actions column. In the Restore Data panel, select the destination instance to which you want to restore the data and the region of the instance, and then click OK. 2. Restore the secret. Click the required secret tab, such as Fully Backed up Secrets, find the secret that you want to restore, and then click Restore Data in the Actions column. In the Restore Data panel, select the destination instance to which you want to restore the data and the region of the instance, and then click OK.
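The destination-instance requirements and the queryable-range rule above can be checked before you open the console. The following pre-flight check is an added example written for this page, not KMS code or an API: the record shapes, function names, and the sample values (which reuse the May 2024 case from the text) are assumptions.

```python
from datetime import date

# Queryable range counts calendar days inclusively, so a range of N days on
# day T covers T-(N-1) .. T. The page's case: May 5 seen from May 20 needs 16 days.
def days_to_cover(today: date, target: date) -> int:
    return (today - target).days + 1

def check_queryable_range(enabled_on: date, queryable_days: int,
                          today: date, target: date) -> tuple:
    """Return (restorable, required_queryable_days, reason)."""
    if target < enabled_on:
        # Nothing was backed up before enablement; extending the range cannot help.
        return (False, None, "target date precedes backup enablement")
    if target > today:
        return (False, None, "target date is in the future")
    need = days_to_cover(today, target)
    if need <= queryable_days:
        return (True, queryable_days, "within current queryable range")
    # Purchased instances only: the range can be extended, never reduced.
    return (True, need, f"extend queryable range from {queryable_days} to {need} days")

def check_restore_target(item: dict, dest: dict) -> list:
    """item: {'type': 'key'|'secret', 'id': str, 'encryption_key_id': str|None}
    dest: {'key_quota_free': int, 'secret_quota_free': int,
           'existing_keys': set, 'existing_secrets': set}  (same region as target)
    Returns a list of blocking problems; empty means the restore can proceed."""
    problems = []
    if item["type"] == "key":
        if dest["key_quota_free"] < 1:
            problems.append("insufficient key quota in destination instance")
        if item["id"] in dest["existing_keys"]:
            problems.append("key already exists in destination region; delete it first")
    else:
        if dest["secret_quota_free"] < 1:
            problems.append("insufficient secret quota in destination instance")
        if item["id"] in dest["existing_secrets"]:
            problems.append("secret already exists in destination region; delete it first")
        if item["encryption_key_id"] not in dest["existing_keys"]:
            # Restore the encryption key before the secret (step 1 of the table above).
            problems.append("encryption key missing in destination; restore it first")
    return problems

if __name__ == "__main__":  # constructed sample run
    print(check_queryable_range(date(2024, 5, 1), 10, date(2024, 5, 20), date(2024, 5, 5)))
    dest = {"key_quota_free": 5, "secret_quota_free": 0,
            "existing_keys": {"key-a"}, "existing_secrets": set()}
    print(check_restore_target({"type": "secret", "id": "db-pass",
                                "encryption_key_id": "key-b"}, dest))
```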
More operations
Extend the queryable range
You can extend the queryable range only for purchased backup instances. You cannot reduce the queryable range.
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
Find the required backup instance and click View Data in the Actions column.
On the details page of the backup instance, click Extend Queryable Range, select the number of days to which you want to extend the queryable range, click Buy Now, and then complete the payment.
Reset a backup instance
You can reset only default backup instances and purchased backup instances. You can reset a backup instance to delete the backup data and disassociate the backup instance from the source KMS instance.
When you reset a backup instance, all data that is backed up by the instance is deleted. Proceed with caution.
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
Find the backup instance that you want to reset and click Reset in the Actions column.
In the Reset message, confirm the information and click OK.
After you reset the backup instance, the backup instance enters the Disabled state. You can associate the backup instance with a new KMS instance of the software key management type.
Renew a backup instance
You can renew only purchased backup instances.
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
Find the backup instance that you want to renew and click Renew in the Actions column.
On the Renew page, configure Subscription Period, read and select Terms of Service, click Buy Now, and then complete the payment.
Download backup data
After you download backup data, keep the data confidential. You can only use the backup data to restore data in the KMS console.
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
Find the backup instance whose backup data you want to download and click Download in the Actions column.
In the Download panel, configure Backup Date and click OK.
Note: If you want to download backup data for a date that is not included in the queryable range, you must extend the queryable range and then download the data again.
Save the backup data.
Click the icon next to Encryption Key to copy and save the encryption key to your computer.
Click Download next to Backup Data to download the backup data. Keep the backup data confidential.
Important: The encryption key is used to decrypt the downloaded backup data. KMS does not store the encryption key or the backup data. We recommend that you keep both the encryption key and the backup data confidential.
Upload a backup data file
If you want to upload backup data files across borders, you must comply with the relevant laws and regulations on data.
On the Backups page, click Upload Backup.
In the Import Backup Data panel, configure Decryption Key and Backup Name, and then click OK.
In the dialog box that appears, select the backup data file that you want to upload and click Open.
After you upload the backup data file, you can view the uploaded data on the Backups page. The Backup Type of the uploaded data is set to Upload.
FAQ
How do I view the queryable range?
On the Backups page, you can view the value of Queryable Range.