
Key Management Service: Configure key rotation

Last Updated: Dec 03, 2025

Key Management Service (KMS) provides the key rotation feature. You can rotate keys on a regular basis to enhance key security and improve the protection of your business data. This topic describes how key rotation works and how to configure key rotation in KMS.

Benefits of key rotation

  • Reduces the amount of data encrypted using each key, which mitigates the risks of cryptanalytic attacks

    The security of a key is inversely proportional to the amount of data encrypted using the key. In most cases, the amount refers to the total number of bytes encrypted using a key. Automatic rotation reduces the attack surface of each key and improves the security of key-based encryption solutions.

  • Helps you handle security events

    Incorporate key rotation into system design and implementation, and treat it as a routine security management operation. This practice ensures that the system can rotate keys in response to a security event rather than improvising under pressure.

  • Reduces the time window for a key to be compromised

    After key rotation is enabled, data that would otherwise be encrypted using the existing key version is encrypted using a new key version. The interval between two rotations is the time window during which a key version can be cracked: an attacker gains data access only if they crack the key within that interval. This greatly improves data security against cryptanalytic attacks.

  • Meets the requirements of regulatory compliance

    Automatic key rotation facilitates compliance with various regulations, including but not limited to the following:

    • Payment Card Industry Data Security Standard (PCI DSS)

    • Cryptography-related industrial standards issued by State Cryptography Administration, such as GM/T 0051-2016 Cryptography device management - Specifications of symmetric key management technology

    • Cryptography-related standards issued by the National Institute of Standards and Technology (NIST), such as NIST Special Publication 800-57 Recommendation for Key Management

How key rotation works

KMS supports multiple versions of a key. Different versions of a key are cryptographically unrelated. During key rotation, KMS generates a new key version and uses the latest key version for cryptographic operations. You cannot choose which key version is used for a cryptographic operation.

Note
  • Key rotation only adds key versions. Key rotation does not change the attributes of a key, such as the ID, Alibaba Cloud Resource Name (ARN), and alias.

  • KMS does not delete key versions. The key versions of a key are deleted only when the key itself is deleted.

After a key is created, KMS generates an initial key version and sets it as the primary version. After the key is rotated, KMS generates a new key version and sets the new version as the primary version.


If automatic rotation is configured, the next rotation time is calculated using the following formula: Next rotation time = Last rotation time + Rotation period.

Note
  • You can call the DescribeKey operation. In the response, LastRotationDate indicates the last rotation time, and NextRotationDate indicates the next rotation time, which is calculated by KMS.

  • If automatic rotation is configured and an immediate rotation operation is performed between two rotation operations, the last rotation time is the time of the immediate rotation.
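The following added example (not code from the original page or from KMS) audits rotation policy from DescribeKey-style metadata: it checks the formula Next rotation time = Last rotation time + Rotation period, flags keys whose rotation is disabled, suspended by key state, configured outside the 7-365 day range, or overdue. The records are constructed, and the "365d"/"604800s" form of RotationInterval is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed DescribeKey-style KeyMetadata records, not real KMS output.
# Field names follow the DescribeKey response described on this page; the
# "<int><unit>" form of RotationInterval (for example "365d") is an assumption.
SAMPLE_KEYS = [
    {"KeyId": "key-0001", "KeyState": "Enabled", "AutomaticRotation": "Enabled",
     "RotationInterval": "365d", "LastRotationDate": "2025-01-10T08:00:00Z",
     "NextRotationDate": "2026-01-10T08:00:00Z"},
    {"KeyId": "key-0002", "KeyState": "Enabled", "AutomaticRotation": "Disabled"},
    {"KeyId": "key-0003", "KeyState": "Disabled", "AutomaticRotation": "Enabled",
     "RotationInterval": "30d", "LastRotationDate": "2025-06-01T00:00:00Z",
     "NextRotationDate": "2025-07-01T00:00:00Z"},
    {"KeyId": "key-0004", "KeyState": "Enabled", "AutomaticRotation": "Enabled",
     "RotationInterval": "3d", "LastRotationDate": "2025-11-30T00:00:00Z",
     "NextRotationDate": "2025-12-02T00:00:00Z"},
]
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_interval(value: str) -> timedelta:
    """Parse an assumed '<int><unit>' rotation period such as '365d' or '604800s'."""
    return timedelta(seconds=int(value[:-1]) * UNIT_SECONDS[value[-1]])

def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_key(meta: dict, now: datetime) -> list:
    """Return rotation-policy findings for one key; an empty list means healthy."""
    if meta.get("AutomaticRotation") != "Enabled":
        return ["automatic rotation is disabled"]
    findings = []
    # Rotation is suspended while the key is Disabled or Pending Deletion.
    if meta["KeyState"] != "Enabled":
        findings.append(f"rotation suspended: key state is {meta['KeyState']}")
    period = parse_interval(meta["RotationInterval"])
    if not timedelta(days=7) <= period <= timedelta(days=365):
        findings.append(f"rotation period {meta['RotationInterval']} is outside 7-365 days")
    # LastRotationDate already reflects an immediate rotation if one happened,
    # so Next rotation time = Last rotation time + Rotation period is checked as is.
    expected_next = parse_time(meta["LastRotationDate"]) + period
    next_rotation = parse_time(meta["NextRotationDate"])
    if next_rotation != expected_next:
        findings.append("NextRotationDate does not equal LastRotationDate + RotationInterval")
    if meta["KeyState"] == "Enabled" and next_rotation < now:
        findings.append(f"rotation overdue: next rotation was due {meta['NextRotationDate']}")
    return findings

def audit(keys: list, now: datetime) -> dict:
    return {k["KeyId"]: audit_key(k, now) for k in keys}
```

In practice the records come from calling DescribeKey for each key; the 7-365 day range applies to keys in KMS instances, while default keys are fixed at 365 days.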

Scope

  • Key type and source:

    Key type                                          | Key material source               | Periodic automatic rotation | Manual immediate rotation
    --------------------------------------------------|-----------------------------------|-----------------------------|--------------------------
    Software-protected key (Symmetric)                | Generated by KMS                  | Supported                   | Supported
    Software-protected key (Symmetric)                | Imported (BYOK)                   | Not supported               | Supported
    Software-protected key (Asymmetric)               | Generated by KMS, imported (BYOK) | Not supported               | Not supported
    Hardware-protected key (Symmetric and asymmetric) | Generated by KMS                  | Not supported               | Not supported
    Hardware-protected key (Symmetric and asymmetric) | Imported (BYOK)                   | Not supported               | Not supported

  • Key status: The key must be in the Enabled state.

    If a key is in the Disabled or Pending Deletion state, KMS suspends key rotation for that key even if rotation is enabled. If the key is re-enabled, key rotation resumes.

  • Additional conditions for specific keys:

    For default keys, rotation is a value-added service that must be purchased separately.

Configure rotation for default keys

Billing description

Default keys are used only for server-side encryption in Alibaba Cloud services and are provided by KMS free of charge. Default key rotation is available as a value-added feature.

Fee: USD 9 per region per year. If you purchase the default key rotation feature in a region, you can rotate all default keys in that region, including service keys and customer master keys (CMKs).

Rotation method and rotation date

Default keys support only automatic rotation. Default keys do not support immediate manual rotation.

The rotation period is 365 days and cannot be changed. After you enable automatic rotation for a default key, the first rotation occurs 365 days after the default key is created. Subsequently, the default key is rotated every 365 days.

Note

You can purchase the default key rotation feature on an annual basis. Make sure that your order remains valid until the next rotation. Otherwise, no rotation is performed.

Enable rotation (automatic periodic rotation)

  1. Purchase the value-added plan of the default key rotation feature.

    1. Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose Resource > Keys.

    2. On the Default Keys tab, click Buy Key Rotation and configure the parameters.

      1. Instance Type: Select Value-added Plan.

      2. Value-added Plan: Select Default Key Rotation.

      3. Region: Select the region where the default key is located.

      4. Purchase Quantity: Select 1. You need to purchase only one plan for a region.

    3. Click Buy Now, confirm the Terms of Service, and then click Pay to complete the purchase.

  2. Enable automatic rotation.

    • Service key

      No configuration is required. KMS automatically enables rotation.

    • CMK

      Console

      1. On the Keys page, click the Default Keys tab and then click the ID of the CMK.

      2. In the lower part of the details page, click the Key Version tab, and then click Configure Rotation.

      3. In the Configure Rotation dialog box, turn on the Rotation Status switch, and click OK. On the key details page, the Rotation Status changes to Enabled, and the Rotation Period is 365 Days.

      API

      • Enable rotation when you create a key.

        Call the CreateKey operation and set the `EnableAutomaticRotation` and `RotationInterval` parameters. `EnableAutomaticRotation` specifies whether to enable automatic rotation, and `RotationInterval` specifies the automatic rotation period.

      • Enable rotation after you create a key.

        Call the UpdateRotationPolicy operation and set the `EnableAutomaticRotation` and `RotationInterval` parameters.

Use rotated keys

Default keys are used only for server-side encryption in Alibaba Cloud services. After you enable rotation, Alibaba Cloud services automatically manage the keys without requiring manual intervention. For more information, see Overview of KMS integration for server-side encryption.

View rotation details

Console

  1. On the Keys page, click the Default Keys tab and find the service key or CMK you want to view.

  2. Click the ID of the key. On the details page, view Rotation Status, Rotation Period, and Key Version.

API

  • Call the DescribeKey operation to view the returned `AutomaticRotation` and `RotationInterval` parameters.

  • Call the ListKeyVersions operation to view the returned `KeyVersions` parameter.

Configure rotation for keys in KMS instances

Quota consumption

Key rotation consumes the key quota of a KMS instance. Each key version consumes one key quota. For example, if a key has three versions (V1, V2, and V3), it consumes three key quotas. For more information about how to increase the quota, see Upgrade KMS instances.

Rotation method and rotation date

Keys can be rotated periodically and automatically or manually on demand.

  • Periodic automatic rotation: A new key version is generated periodically based on a custom rotation period of 7 to 365 days.

  • Manual rotation: A new key version is generated immediately on demand.

Enable rotation

  • Enable periodic automatic rotation

    Console

    • You can enable automatic rotation when you create a key. For more information, see Manage keys.

      1. On the Keys page, on the Customer Master Keys tab, select an instance ID and click Create Key.

      2. In the Create Key panel, configure the parameters, enable Automatic Rotation, set Rotation Period, and click OK.

    • You can enable automatic rotation after you create a key.

      1. On the Keys page, click the Customer Master Keys tab, select an instance ID, and then click the target key ID.

      2. In the Key Version section of the key details page, click Configure Rotation. In the Configure Rotation dialog box, enable automatic periodic rotation, set the rotation period, and click OK.

    API

    • You can enable this feature when you create a key.

      Call the CreateKey operation and set the EnableAutomaticRotation and RotationInterval parameters. The EnableAutomaticRotation parameter specifies whether to enable automatic rotation. The RotationInterval parameter specifies the rotation period.

    • You can enable automatic rotation after you create a key.

      Call the UpdateRotationPolicy operation and set the EnableAutomaticRotation and RotationInterval parameters. The EnableAutomaticRotation parameter specifies whether to enable automatic rotation. The RotationInterval parameter specifies the rotation period.

  • Manually rotate a key

    • Keys with key material generated by KMS.

      Console

      1. On the Keys page, click the Customer Master Keys tab. Select an instance ID and then click the ID of the target key.

      2. In the Key Version section of the key details page, click Configure Rotation. In the Configure Rotation dialog box, select Rotate Now and then click OK.

      API

      Call the CreateKeyVersion operation.

    • Keys with externally imported key material (Bring-Your-Own-Key (BYOK)).

      1. Import new key material

        1. Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose Resource > Keys.

        2. On the Keys tab, select an instance ID, and then in the Actions column for the target key, click Details.

        3. On the Key Material and Version tab, click Import New Key Material in the upper-left corner. For more information, see Import symmetric key material.

        4. After the new key material is imported, a new key version is generated. The new key version appears in the key version list with the Pending Rotation status.

          Important

          You cannot import another key version until the current new version is rotated.

      2. Perform the rotation.

        1. For the key version generated in Step 1, click Rotate in the Actions column.

        2. In the Rotate Now dialog box, confirm that the key material ID is correct and then click OK.

Use rotated keys

After you enable key rotation for server-side encryption in Alibaba Cloud services, the rotation is automatically managed and no manual operations are required. For data encryption in self-managed applications, you must call the following API operations. By default, these operations use the latest key version after rotation.

Using Alibaba Cloud SDK

Alibaba Cloud SDK calls OpenAPI. Call the following operations for encryption and decryption.

  • GenerateDataKey: generates a data key. KMS uses the primary version of a key to encrypt the data key.

  • Encrypt: encrypts data. KMS uses the primary version of a key to encrypt plaintext.

  • Decrypt: decrypts ciphertext. KMS uses the key version that corresponds to the ciphertext to decrypt the ciphertext.

Using KMS instance SDK (not recommended)

We do not recommend that new users use this SDK. KMS instance SDK calls instance API operations. Call the following operations for encryption and decryption.

  • AdvanceGenerateDataKey: generates a data key. KMS uses the primary version of a key to encrypt the data key.

  • AdvanceEncrypt: encrypts data. KMS uses the primary version of a key to encrypt plaintext.

  • AdvanceDecrypt: decrypts ciphertext. KMS uses the key version that corresponds to the ciphertext to decrypt the ciphertext.

Important

If automatic rotation is enabled for a key, do not call the Encrypt, Decrypt, or GenerateDataKey operations of the KMS instance SDK. Those instance API operations use the initial version of the key and do not use the key versions that are generated after rotation.
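To make the version behaviour described in "How key rotation works" and in the operation descriptions above concrete, here is an added local model of a multi-version key (example code, not KMS's implementation or SDK): Encrypt always uses the primary version and records its id in the ciphertext, rotation adds a version without deleting any, and Decrypt selects the version named in the ciphertext. The HMAC-SHA256 counter-mode cipher is a stand-in for demonstration, not the algorithm KMS uses.

```python
import hashlib
import hmac
import secrets

class VersionedKey:
    """Local model of a KMS key with versions: rotation appends a version and
    makes it primary; nothing is deleted, so older ciphertexts stay decryptable."""

    def __init__(self, key_id: str):
        self.key_id = key_id
        self.versions = {}   # version id -> 32 bytes of key material
        self.primary = None
        self.rotate()        # the initial version created with the key

    def rotate(self) -> str:
        # Fresh random material per version: versions are cryptographically unrelated.
        version_id = f"{self.key_id}-v{len(self.versions) + 1}"
        self.versions[version_id] = secrets.token_bytes(32)
        self.primary = version_id
        return version_id

    @staticmethod
    def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
        # Stand-in cipher: HMAC-SHA256 in counter mode; KMS uses its own algorithms.
        blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((length + 31) // 32))
        return b"".join(blocks)[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        """Always encrypts under the primary version and records that version id."""
        key = self.versions[self.primary]
        header = self.primary.encode() + b"|"
        nonce = secrets.token_bytes(16)
        body = bytes(p ^ k for p, k in zip(plaintext, self._keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, header + nonce + body, hashlib.sha256).digest()
        return header + nonce + body + tag

    def version_of(self, blob: bytes) -> str:
        return blob.split(b"|", 1)[0].decode()

    def decrypt(self, blob: bytes) -> bytes:
        """Uses the version named in the ciphertext, whatever the primary is now."""
        header_id, rest = blob.split(b"|", 1)
        key = self.versions[header_id.decode()]
        nonce, body, tag = rest[:16], rest[16:-32], rest[-32:]
        expected = hmac.new(key, header_id + b"|" + nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext failed authentication")
        return bytes(c ^ k for c, k in zip(body, self._keystream(key, nonce, len(body))))
```

The authentication tag also covers the version id, so a ciphertext cannot be silently redirected to a different version.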

View rotation details

Console

  1. On the Keys page, click the Customer Master Keys tab, select an instance ID, and then click the target key ID.

  2. On the details page, view Rotation Status, Rotation Period, and Key Version.

API

  • You can call the DescribeKey operation to view the values of the AutomaticRotation and RotationInterval parameters.

  • You can call the ListKeyVersions operation to view the value of the KeyVersions parameter.