Key Management Service: Manage KMS instances

Last Updated: Feb 26, 2025

This topic describes how to enable, view, upgrade, and renew a Key Management Service (KMS) instance. This topic also describes how to enable the security audit feature for a KMS instance.

Important

Take note of the remaining subscription period of a KMS instance. We recommend that you renew a KMS instance before the instance expires to prevent negative impacts on your business. For more information, see Billing.

Enable a KMS instance

After you purchase a KMS instance, you must enable the instance to use the key management and secret management features of KMS.

Enable a KMS instance of the software key management type

Prerequisites

  • A VPC and a vSwitch are available in the region of the KMS instance.

    Before you enable the KMS instance, we recommend that you log on to the VPC console and view the existing VPCs, vSwitches, and zones in which the vSwitches reside. You can also create a VPC and a vSwitch. For more information, see Create a VPC and a vSwitch or Create a vSwitch.

  • Alibaba Cloud DNS PrivateZone is activated. If you use an account on the China site (aliyun.com) to purchase a KMS instance outside the Chinese mainland or use an account on the International site (alibabacloud.com) to purchase a KMS instance in the Chinese mainland, you must manually activate Alibaba Cloud DNS PrivateZone. For more information, see Activate Alibaba Cloud DNS PrivateZone.

    Note
    • If you use an account on the China site (aliyun.com) to purchase a KMS instance in the Chinese mainland or use an account on the International site (alibabacloud.com) to purchase a KMS instance outside the Chinese mainland, Alibaba Cloud DNS PrivateZone is automatically activated.

    • The fees for domain name resolution are billed to KMS. You do not need to complete payments on the Alibaba Cloud DNS PrivateZone side.

Procedure

Use the KMS console to enable a KMS instance of the software key management type

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

  2. On the Software Key Management tab, find the KMS instance that you want to enable and click Enable in the Actions column.

  3. In the Enable KMS Instance panel, configure the parameters and click Enable Now.

    Parameters:

    • Instance Name: The custom name of the KMS instance. The name can contain letters, digits, and the following special characters: _/+=.@-.

    • VPC ID: The VPC that is associated with the KMS instance. This association cannot be changed. Choose carefully.

    • Zone Configuration: The zone configurations. Set the dual-zone or multi-zone configurations based on the deployment mode that you select when you purchase the KMS instance. If you select the multi-zone deployment mode, you can configure up to three zones.

      • Zone and vSwitch Configuration: Configure a zone and vSwitch. Make sure that the vSwitch has at least one available IP address.

      • Other Zones: Select Randomly Assign or Manually Specify.

      Note

      Specific regions provide only a single zone. In this case, the KMS instance can only be deployed in a single zone.

    Wait for approximately 30 minutes and then refresh the page. If the status of the KMS instance changes to Enabled, the KMS instance is enabled.

Call an operation to enable a KMS instance of the software key management type

Call the ConnectKmsInstance operation.

Use Terraform to enable a KMS instance of the software key management type

Enable a KMS instance of the hardware key management type

Prerequisites

  • An HSM cluster to which the KMS instance is connected is available. For more information, see Configure an HSM cluster for a KMS instance of the hardware key management type.

    Warning

    If you want to increase the number of HSMs in the HSM cluster in subsequent operations, contact Alibaba Cloud technical support to change the cluster synchronization method to automatic synchronization. This prevents cluster synchronization failures.

  • One vSwitch is configured for each zone of the KMS instance. In the following example, the dual-zone deployment mode is used.

      • (Recommended) Use the two vSwitches that are bound to your HSM: You do not need to create vSwitches. Make sure that four available IP addresses are reserved for each vSwitch.

      • Do not use the two vSwitches that are bound to your HSM: You must create two vSwitches in different zones. Make sure that four available IP addresses are reserved for each vSwitch. For more information, see Create a vSwitch.

      To view the number of available IP addresses on a vSwitch, perform the following steps: Log on to the VPC console. On the vSwitch page, click the ID of the vSwitch.

  • Alibaba Cloud DNS PrivateZone is activated. If you use an account on the China site (aliyun.com) to purchase a KMS instance outside the Chinese mainland or use an account on the International site (alibabacloud.com) to purchase a KMS instance in the Chinese mainland, you must manually activate Alibaba Cloud DNS PrivateZone. For more information, see Activate Alibaba Cloud DNS PrivateZone.

    Note
    • If you use an account on the China site (aliyun.com) to purchase a KMS instance in the Chinese mainland or use an account on the International site (alibabacloud.com) to purchase a KMS instance outside the Chinese mainland, Alibaba Cloud DNS PrivateZone is automatically activated.

    • The fees for domain name resolution are billed to KMS. You do not need to complete payments on the Alibaba Cloud DNS PrivateZone side.

Procedure

Note

You can use only the KMS console to enable a KMS instance of the hardware key management type. API operations and Terraform cannot be used to enable a KMS instance of the hardware key management type.

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

  2. On the Hardware Key Management tab, find the KMS instance that you want to enable and click Enable in the Actions column.

  3. In the Connect to HSM panel, specify an HSM cluster and click Connect to HSM. To specify an HSM cluster, you must configure the following parameters.

    Parameters:

    • Instance Name: Specify a custom name for the KMS instance. The name can contain letters, digits, and the following special characters: _/+=.@-.

    • Configure HSM Cluster: Select the HSM cluster that you created in Cloud Hardware Security Module.

      Note

      You can connect a KMS instance of the hardware key management type to only one HSM cluster.

    • Configure HSM Access Secret:

      • Username: the username of the crypto user. The value is fixed as kmsuser.

      • Password: the password of the crypto user. Enter the password that you specified when you created the crypto user.

      • Security Domain Certificate: a root certification authority (CA) certificate in the PEM format. To obtain the certificate, perform the following operations: Log on to the Cloud Hardware Security Module console. Click the ID of an HSM in the cluster. On the Details page, find ClusterOwnerCertificate, which is the Security Domain Certificate. Copy the content of the Security Domain Certificate or save it in PEM format, and then upload it.

    • VPC ID: By default, the ID of the VPC that is associated with the HSM is used. You cannot modify the default ID.

    • Zone and vSwitch Configuration: Set the configurations based on the deployment mode that you select when you purchase the KMS instance. The deployment modes are dual-zone and multi-zone. Make sure that at least four available IP addresses are reserved for each vSwitch in a zone. If you select the multi-zone deployment mode, you can configure up to three zones.

    If you configured the Number of Secrets parameter when you purchased the KMS instance, the system requires approximately 30 minutes to enable the KMS instance. Wait for approximately 30 minutes and then refresh the page. If you did not configure the Number of Secrets parameter when you purchased the KMS instance, the system requires approximately 10 minutes to enable the KMS instance. Wait for approximately 10 minutes and then refresh the page. If the status of the KMS instance changes to Enabled, the KMS instance is enabled.

Enable a KMS instance of the external key management type

Prerequisites

  • A hardware security module (HSM) outside the cloud is purchased, and an external key instance (XKI) proxy is configured. For more information, contact your HSM provider.

    Note

    For more information about XKI proxies, see XKI proxy servers.

  • KMS supports connections to the XKI proxy by using a public endpoint or a VPC endpoint service. If you want to use a VPC endpoint service to establish connections, you must first create a VPC endpoint service. For more information, see Create and manage endpoint services. Take note of the following items when you create a VPC endpoint service:

    • The two zones of the endpoint service must be the same as the zones that are selected when you enable the KMS instance.

    • The current Alibaba Cloud account is added to the whitelist of the endpoint service.

    • Automatically Accept Endpoint Connections is set to Yes.

  • Alibaba Cloud DNS PrivateZone is activated. If you use an account on the China site (aliyun.com) to purchase a KMS instance outside the Chinese mainland or use an account on the International site (alibabacloud.com) to purchase a KMS instance in the Chinese mainland, you must manually activate Alibaba Cloud DNS PrivateZone. For more information, see Activate Alibaba Cloud DNS PrivateZone.

    Note
    • If you use an account on the China site (aliyun.com) to purchase a KMS instance in the Chinese mainland or use an account on the International site (alibabacloud.com) to purchase a KMS instance outside the Chinese mainland, Alibaba Cloud DNS PrivateZone is automatically activated.

    • The fees for domain name resolution are billed to KMS. You do not need to complete payments on the Alibaba Cloud DNS PrivateZone side.

Procedure

Note

You can use only the KMS console to enable a KMS instance of the external key management type. API operations and Terraform cannot be used to enable a KMS instance of the external key management type.

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

  2. Click the External Key Management tab, find the instance that you want to enable, and then click Enable in the Actions column.

  3. In the Connect to HSM panel, configure parameters and click Connect to HSM.

    Parameters:

    • Instance Name: The custom name of the KMS instance. The name can contain letters, digits, and the following special characters: _/+=.@-.

    • VPC ID: The VPC that is associated with the KMS instance.

    • Zone Configuration: The zone configurations. Set the dual-zone or multi-zone configurations based on the deployment mode that you select when you purchase the KMS instance. If you select the multi-zone deployment mode, you can configure up to three zones.

      • Zone and vSwitch Configuration: Configure a zone and vSwitch. Make sure that the vSwitch has at least one available IP address.

      • Other Zones: Select Randomly Assign or Manually Specify.

      Note

      Specific regions provide only a single zone. In this case, the KMS instance can only be deployed in a single zone.

    • External Proxy Connectivity:

      • Public Endpoint Connectivity: The KMS instance connects to the XKI proxy by using a public endpoint over the Internet.

      • VPC Endpoint Service Connectivity: The KMS instance connects to the XKI proxy by using a VPC endpoint service.

    • Domain Name of External Proxy: If you set External Proxy Connectivity to Public Endpoint Connectivity, enter the domain name of your XKI proxy.

    • Endpoint Service: If you set External Proxy Connectivity to VPC Endpoint Service Connectivity, select an endpoint service. The two zones of the endpoint service must be the same as the zones that are selected when you enable the KMS instance.

    • External Proxy Configuration:

      • Manual Configuration: You must configure External Proxy Path, Certificate Fingerprint, AccessKey ID, and AccessKey Secret. Enter the AccessKey ID and AccessKey secret of the XKI proxy.

      • Configuration File Upload: You can upload a configuration file.

    If you configured the Number of Secrets parameter when you purchased the KMS instance, the system requires approximately 30 minutes to enable the KMS instance. Wait for approximately 30 minutes and then refresh the page. If you did not configure the Number of Secrets parameter when you purchased the KMS instance, the system requires approximately 10 minutes to enable the KMS instance. Wait for approximately 10 minutes and then refresh the page. If the status of the KMS instance changes to Enabled, the KMS instance is enabled.

Set an alias for a KMS instance

An alias for a KMS instance must be 1 to 128 characters in length and can contain letters, digits, forward slashes (/), underscores (_), plus signs (+), equal signs (=), periods (.), at signs (@) and hyphens (-).

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

  2. Click the tab that contains the target KMS instance, click the icon below the instance ID, and set an alias.

View the details of a KMS instance

After you create a KMS instance, you can view the details of the instance, such as the instance ID, virtual private cloud (VPC) address, and VPCs that are associated with the instance.

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

  2. On the Instances page, click the tab of the instance type based on your business requirements.

  3. Find the KMS instance whose details you want to view and click Manage in the Actions column. On the instance details page, view the details of the instance.

Upgrade a KMS instance

If the specifications of your KMS instance do not meet your business requirements, you can upgrade the KMS instance. For example, you can upgrade the computing performance and increase the numbers of secrets and keys.

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

  2. On the Instances page, click the tab of the instance type based on your business requirements.

  3. Find the KMS instance that you want to upgrade and click Upgrade in the Actions column. On the Upgrade/Downgrade page, specify new specifications.

  4. Read and select Terms of Service, click Buy Now, and then complete the payment.

Enable the security audit feature for a KMS instance

Audit logs are generated when you access a KMS instance. The audit logs record the access information about the instance, including the request information, user information, accessed resource information, and access results. Sample log:

2021-10-19T21:40:01     [INFO]  - - 3dd60a7a-4587-4c57-8197-d749c3578974 CreateKey - TMP.3KfAHseF5DVULM2s8YUhdB8YvwM4nZA1wXr8AcAAhR7YhdyosXG2eSpsRFPMjYbvUArPRtsCWKzxEo88bC5w5LBfyp**** 111760096384**** 111760096384**** - kst-phzz6108e50c15333w**** - 37 - -

After you enable the security audit feature, KMS delivers audit logs to the Object Storage Service (OSS) bucket that you specify on an hourly basis to meet regulatory requirements and business requirements. Before you enable the security audit feature, make sure that an OSS bucket is available. For more information, see Create a bucket.
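Once the hourly audit logs land in OSS, a defender usually wants to parse them and alert on key-lifecycle operations. The following is an added example, not code from this page or from Alibaba Cloud: the positional field layout is an assumption inferred from the sample line above, the set of sensitive operation names is an assumption, and all log lines other than the page's own sample are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed positional layout of a KMS audit log line (whitespace separated),
# inferred from the sample line on this page. Fields shown only as "-" in the
# sample are not mapped here.
FIELD_POSITIONS = {
    "timestamp": 0,
    "level": 1,
    "request_id": 4,
    "operation": 5,
    "access_key_id": 7,   # masked credential; TMP.… looks like an STS token
    "account_id": 8,
    "caller_id": 9,
    "instance_id": 11,
}

# Key-lifecycle operations worth alerting on. The names are Alibaba Cloud KMS
# API operation names; treating exactly this set as sensitive is an assumption.
SENSITIVE_OPERATIONS = {"CreateKey", "DisableKey", "ScheduleKeyDeletion"}


def parse_audit_line(line):
    """Split one audit line into named fields; return None for non-log lines."""
    tokens = line.split()
    if len(tokens) < 12 or not re.match(r"\d{4}-\d{2}-\d{2}T", tokens[0]):
        return None
    record = {name: tokens[pos] for name, pos in FIELD_POSITIONS.items()}
    return {k: (None if v == "-" else v) for k, v in record.items()}


def summarize(lines):
    """Count operations per KMS instance and collect sensitive calls."""
    per_instance = defaultdict(Counter)
    alerts = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        per_instance[rec["instance_id"]][rec["operation"]] += 1
        if rec["operation"] in SENSITIVE_OPERATIONS:
            alerts.append((rec["timestamp"], rec["instance_id"], rec["operation"], rec["access_key_id"]))
    return {k: dict(v) for k, v in per_instance.items()}, alerts


# Constructed sample input: the first line is the sample from this page, the
# remaining lines are made up (placeholder IDs and credentials).
SAMPLE_LINES = [
    "2021-10-19T21:40:01     [INFO]  - - 3dd60a7a-4587-4c57-8197-d749c3578974 CreateKey - TMP.3KfAHseF5DVULM2s8YUhdB8YvwM4nZA1wXr8AcAAhR7YhdyosXG2eSpsRFPMjYbvUArPRtsCWKzxEo88bC5w5LBfyp**** 111760096384**** 111760096384**** - kst-phzz6108e50c15333w**** - 37 - -",
    "2021-10-19T21:41:10     [INFO]  - - 00000000-0000-0000-0000-000000000002 Encrypt - CONSTRUCTED-AKID**** 111760096384**** 111760096384**** - kst-phzz6108e50c15333w**** - 12 - -",
    "2021-10-19T21:42:33     [INFO]  - - 00000000-0000-0000-0000-000000000003 ScheduleKeyDeletion - CONSTRUCTED-AKID**** 111760096384**** 111760096384**** - kst-EXAMPLE000000000**** - 20 - -",
    "not an audit line",
]

if __name__ == "__main__":
    counts, found = summarize(SAMPLE_LINES)
    print(counts)
    print(found)
```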

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

  2. On the Instances page, click the tab of the instance type based on your business requirements.

  3. Find the KMS instance for which you want to enable the security audit feature and click Manage in the Actions column. On the instance details page, turn on Security Audit.

  4. In the Configure Security Audit dialog box, configure Log Storage Bucket and click OK.

    After you enable the security audit feature, audit logs are generated and delivered to OSS within 1 hour.

Renew a KMS instance

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

  2. Select the Software Key Management or Hardware Key Management tab, find the instance that you want to renew, and click Renew in the Actions column.

  3. On the KMS (International) | Renew page, set the Duration, agree to the Terms of Service, and proceed.

  4. Click Buy Now and complete the payment.

You can also renew a KMS instance in the Expenses and Costs console. For more information, see Renewal guide.

FAQ