Create a CMK

Updated at: 2025-03-24 10:01

This topic describes how to create a customer master key (CMK) in the Key Management Service (KMS) console. CMKs are used to encrypt data.

Procedure

  1. Log on to the KMS console.

  2. In the top navigation bar, select the region in which you want to create a CMK.

  3. In the left-side navigation pane, choose Resource > Keys.

  4. Click Create Key.

  5. In the Create Key dialog box, configure the parameters based on your business requirements.

    Parameters and their descriptions:

    KMS Instance: The KMS instance that you use.

    Key Spec: The type of the CMK. Valid values:

    • Types of symmetric keys

      • Aliyun_AES_256

      • Aliyun_SM4

    • Types of asymmetric keys

      • RSA_2048

      • RSA_3072

      • EC_P256

      • EC_P256K

      • EC_SM2

    Note

    • The Aliyun_SM4 and EC_SM2 types are supported only in regions in the Chinese mainland in which managed hardware security modules (HSMs) are used.

    • RSA_3072 is supported only by a dedicated KMS instance.

    Purpose: The purpose of the CMK. Valid values:

    • Encrypt/Decrypt: encrypts or decrypts data.

    • Sign/Verify: generates or verifies a digital signature.

    Alias Name: The alias of the CMK, which helps identify the CMK. An alias is optional. For more information, see Overview.

    Protection Level: Valid values:

    • Software: The CMK is protected by using a software module.

    • Hsm: The CMK is managed in an HSM, and the HSM safeguards the CMK.

    Description: The description of the CMK.

    Rotation Period: The interval of automatic rotation of symmetric keys. Valid values:

    • 30 Days.

    • 90 Days.

    • 180 Days.

    • 365 Days.

    • Disable: Automatic rotation is disabled.

    • Customize: You can customize an interval that ranges from 7 days to 730 days.

    Note

    You can configure the Rotation Period parameter only if you set the Key Spec parameter to Aliyun_AES_256 or Aliyun_SM4.

  6. Click Advanced and configure the Key Material Source parameter.

    Note

    The Advanced option appears only when you set the Key Spec parameter to Aliyun_AES_256 or Aliyun_SM4.

    • Alibaba Cloud KMS: KMS generates key material.

    • External: You must import key material from an external source. For more information, see Import key material.

      Note

      If you select External, you must also select I understand the implications of using the external key materials key.

  7. Click OK.

    After the CMK is created, you can view its detailed information, such as the CMK ID, status, and protection level.
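
The dialog enforces several cross-parameter rules (region and instance limits on key specs, rotation and external key material for symmetric keys only). The following check is an added example, not Alibaba Cloud code, that applies those rules to a planned key request before anyone opens the console. The KeyRequest field names and the error strings are hypothetical; the two sample requests are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

SYMMETRIC = {"Aliyun_AES_256", "Aliyun_SM4"}
ASYMMETRIC = {"RSA_2048", "RSA_3072", "EC_P256", "EC_P256K", "EC_SM2"}

@dataclass
class KeyRequest:  # hypothetical field names that mirror the dialog labels
    key_spec: str
    protection_level: str = "Software"              # "Software" or "Hsm"
    rotation_days: Optional[int] = None             # None means "Disable"
    key_material_source: str = "Alibaba Cloud KMS"  # or "External"
    external_acknowledged: bool = False             # the "I understand..." check box
    mainland_managed_hsm_region: bool = False
    dedicated_instance: bool = False

def validate(req: KeyRequest) -> List[str]:
    """Return rule violations; an empty list means the request is consistent."""
    errors = []
    symmetric = req.key_spec in SYMMETRIC
    if not symmetric and req.key_spec not in ASYMMETRIC:
        errors.append("unknown-key-spec")
    if req.protection_level not in ("Software", "Hsm"):
        errors.append("unknown-protection-level")
    if req.key_spec in ("Aliyun_SM4", "EC_SM2") and not req.mainland_managed_hsm_region:
        errors.append("sm-spec-needs-mainland-managed-hsm-region")
    if req.key_spec == "RSA_3072" and not req.dedicated_instance:
        errors.append("rsa3072-needs-dedicated-instance")
    if req.rotation_days is not None:
        if not symmetric:
            errors.append("rotation-only-for-symmetric-keys")
        if not 7 <= req.rotation_days <= 730:
            errors.append("rotation-outside-7-730-days")
    if req.key_material_source == "External":
        if not symmetric:
            errors.append("external-material-only-for-symmetric-keys")
        if not req.external_acknowledged:
            errors.append("external-material-not-acknowledged")
    elif req.key_material_source != "Alibaba Cloud KMS":
        errors.append("unknown-key-material-source")
    return errors

# Constructed sample requests: one consistent, one that breaks several rules.
GOOD = KeyRequest("Aliyun_AES_256", protection_level="Hsm", rotation_days=90)
BAD = KeyRequest("RSA_3072", rotation_days=5, key_material_source="External")

if __name__ == "__main__":
    for name, req in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate(req) or "ok")
```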
