If you use the shared KMS (also called KMS 1.0), whose storage and cryptographic resources are shared among tenants, Alibaba Cloud recommends that you use a KMS instance for higher service quality and stability. This topic describes how to migrate resources from the shared KMS to a KMS instance.
Resources can be migrated to a KMS instance only within the same region. In a region, keys are unique, and secrets are unique within the Alibaba Cloud account. After migration, the keys and secrets are stored only in the KMS instance.
After migration, self-managed applications can continue to use the original SDK without changing the code or application.
During the migration process, you cannot perform management operations on keys, secrets, and KMS instances, such as creating, modifying, or deleting resources.
After migration, keys and secrets are associated with a specific KMS instance, so a KMS instance ID attribute is added to each of them. If your shared KMS is managed by Terraform, you must update the Terraform configuration to account for this added attribute. Otherwise, the migration fails. For more information, see Post-migration configuration changes for terraform-managed KMS.
Quickly check resources to migrate
Log on to the old KMS console and choose Migration Tool in the left-side navigation pane.
Use one of the following methods to check if there are resources that need migration:
Note: The data is displayed by region, so review all regions to make sure that no resources to migrate are missed.
Method 1: If the number of keys or secrets displayed for a region (highlighted in the console) is greater than 0, that region has keys or secrets to migrate.
Method 2: If Migrate in the Actions column is enabled for a region, that region has keys or secrets to migrate.
Before you begin
1. Identify the resources to be migrated.

| Type | Subkey | Need to migrate | Description |
|---|---|---|---|
| Key | Service key | Not required | Service keys are automatically created by cloud products when you configure server-side encryption. The alias follows a fixed format: alias/acs/<cloud product>. |
| Key | Customer master key | Required | Only keys whose protection level is software (Software) and whose specification is one of the following can be migrated: Aliyun_AES_256 (single version), Aliyun_AES_256 (multi-version), RSA_2048 (single version), EC_P256 (single version), EC_P256K (single version). To migrate other key specifications, contact Alibaba Cloud technical support. Both the metadata and the key material of a customer master key are migrated. Metadata includes the key ID, key status, deletion protection, alias, and tags, and remains unchanged after migration. Bring Your Own Key (BYOK) and multi-version keys are supported: BYOK material is migrated directly without manual upload, and all versions of a multi-version key are migrated. |
| Secrets | - | Required | The secrets to be migrated include generic secrets, RAM secrets, ApsaraDB RDS secrets, and ECS secrets. The metadata and all versions of a secret are migrated. Metadata includes the secret name, secret status, and tags, and remains unchanged after migration. Secrets with automatic rotation enabled can be migrated. When you migrate a secret, you must also migrate the master key that encrypts it. Otherwise, the migration fails. |

2. Determine the target KMS instance type and the number of keys and secrets to be migrated.

The following table describes which key specifications each type of KMS instance accepts. Choose the KMS instance type that matches your requirements. For more information about the features of KMS instances, see Instance selection.
A √ indicates that migration to that type of instance is supported, and a × indicates that it is not.

| Key specification to be migrated | Software key management instance | Hardware key management instance |
|---|---|---|
| Aliyun_AES_256 (single version) | √ | √ |
| Aliyun_AES_256 (multi-version) | √ | × |
| RSA_2048 (single version) | √ | × |
| EC_P256 (single version) | √ | × |
| EC_P256K (single version) | √ | × |

3. For keys and secrets that have automatic rotation enabled, disable automatic rotation so that the versions are consistent before and after migration.
To disable key rotation, see Automatic key rotation.
To disable secret rotation, see Manage dynamic RDS credentials, Manage dynamic RAM credentials, or Manage dynamic ECS credentials.
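The following readiness check applies the rules above to an inventory before you open the console. It is an added example, not Alibaba Cloud tooling: it assumes DescribeKey/DescribeSecret-style records in which Alias and VersionCount were gathered beforehand (for example with ListAliases and ListKeyVersions), and it uses "software" and "hardware" as labels for the two instance types.

```python
"""Pre-migration readiness check for shared-KMS keys and secrets (added example).
Sample records are constructed; KeySpec, ProtectionLevel, AutomaticRotation and
EncryptionKeyId follow DescribeKey/DescribeSecret, while Alias and VersionCount are
assumed to have been gathered beforehand with ListAliases and ListKeyVersions."""

# Migratable specs and the instance types that accept them (instance-type table).
SUPPORTED = {
    ("Aliyun_AES_256", "single"): {"software", "hardware"},
    ("Aliyun_AES_256", "multi"): {"software"},
    ("RSA_2048", "single"): {"software"},
    ("EC_P256", "single"): {"software"},
    ("EC_P256K", "single"): {"software"},
}

def classify_key(key, target_type):
    """Apply the key rules for the chosen target instance type ("software"/"hardware")."""
    if (key.get("Alias") or "").startswith("alias/acs/"):
        return "service"  # created by a cloud product; not migrated
    if key["ProtectionLevel"] != "SOFTWARE":
        return "unsupported_protection"
    versions = "multi" if key.get("VersionCount", 1) > 1 else "single"
    allowed = SUPPORTED.get((key["KeySpec"], versions))
    if allowed is None:
        return "unsupported_spec"  # contact technical support
    if target_type not in allowed:
        return "wrong_instance_type"
    # Rotation must be off so versions match before and after migration.
    return "disable_rotation_first" if key["AutomaticRotation"] == "Enabled" else "migrate"

def plan_migration(keys, secrets, target_type):
    """Return (key plan, secret plan); a secret needs its encryption key migrated too."""
    key_plan = {k["KeyId"]: classify_key(k, target_type) for k in keys}
    movable = {k for k, s in key_plan.items() if s in ("migrate", "disable_rotation_first")}
    secret_plan = {}
    for s in secrets:
        if s["EncryptionKeyId"] not in movable:
            state = "missing_encryption_key"  # migration would fail
        else:
            state = "disable_rotation_first" if s["AutomaticRotation"] == "Enabled" else "migrate"
        secret_plan[s["SecretName"]] = state
    return key_plan, secret_plan

# Constructed sample inventory (not real key IDs or secret names).
KEYS = [
    {"KeyId": "key-a", "Alias": "alias/acs/oss", "KeySpec": "Aliyun_AES_256", "ProtectionLevel": "SOFTWARE", "AutomaticRotation": "Disabled"},
    {"KeyId": "key-b", "Alias": "alias/app-db", "KeySpec": "Aliyun_AES_256", "ProtectionLevel": "SOFTWARE", "AutomaticRotation": "Enabled", "VersionCount": 3},
    {"KeyId": "key-d", "Alias": "alias/hsm", "KeySpec": "Aliyun_AES_256", "ProtectionLevel": "HSM", "AutomaticRotation": "Disabled"},
]
SECRETS = [{"SecretName": "rds-prod", "EncryptionKeyId": "key-b", "AutomaticRotation": "Enabled"},
           {"SecretName": "api-token", "EncryptionKeyId": "key-d", "AutomaticRotation": "Disabled"}]
```

Run plan_migration(KEYS, SECRETS, "software") to get both plans; anything other than "migrate" or "service" needs action before you click Migration.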
Procedure
Migrate resources within a single Alibaba Cloud account
1. If you do not have a target KMS instance, purchase and enable one.
For more information, see Purchase and enable a KMS instance.
We recommend that you enable auto-renewal for the KMS instance so that applications do not fail to decrypt data when the instance expires.
2. Log on to the old Key Management Service console and choose Migration Tool in the left-side navigation pane.
3. Find the region where the resources to be migrated are located, click Migration in the Actions column, and configure the parameters on the Migrate Resources panel.

| Parameter | Description |
|---|---|
| Instance Type | Select the target KMS instance type. |
| Instance | Select the target KMS instance. |
| Migration Method | Automated Migration: set the migration time, and the system migrates the resources at the specified time. Migrate manually now: the system migrates the resources immediately after you complete the configuration. |
| Migration Time | Required only when Migration Method is set to Automated Migration. |
| Migration Resources | Select migration resources manually: select the keys and secrets to migrate, up to 50 in total. Full migration of keys and credentials to be migrated: migrate all keys and secrets. |

4. Read the Migration Instructions, select all confirmation items, and click OK.
5. Check the resources selected for migration and click Migration.
You can view the migration status in the task status column of the target region on the Migration Information page. When the migration is complete, the status changes to Migration Complete.
6. If keys and secrets had automatic rotation enabled before migration, enable rotation again after migration.
To enable key rotation, see Automatic key rotation.
To enable secret rotation, see Manage dynamic RDS credentials, Manage dynamic RAM credentials, or Manage dynamic ECS credentials.
Migrate resources from multiple accounts to one KMS instance
1. If you do not have a target KMS instance, purchase and enable one.
For more information, see Purchase and enable a KMS instance.
We recommend that you enable auto-renewal for the KMS instance so that applications do not fail to decrypt data when the instance expires.
2. Share the KMS instance with the other Alibaba Cloud accounts that own resources to be migrated. For more information, see Step 1 to Step 3 in Share KMS instances among multiple accounts.
Important: KMS instances can be shared only within a resource directory. The principals must belong to the same enterprise entity as the resource owner of the KMS instance, and the enterprise entity must pass real-name verification.
3. Migrate the resources of each account to the KMS instance.
a. Log on to one account.
b. Perform Step 2 to Step 5 in Migrate resources within a single Alibaba Cloud account.
c. Repeat Step a and Step b until all resources in the target accounts are migrated.
After migration
After migration, a default policy for the keys and the secrets is set. For more information, see Key policy overview and Credential policy overview.
Log on to the new KMS console and check the migrated resources.
1. Confirm the service keys.
a. In the left-side navigation pane, click Keys, and select the region in the top navigation bar.
b. Click the Default Key tab.
c. The migrated service keys are listed; the Key Usage column identifies them.
2. Confirm the customer master keys by switching to the Keys tab.
The details of each migrated customer master key, such as its alias, key specification, and purpose, are displayed.
3. Confirm the secrets.
a. In the left-side navigation pane, click Secrets.
b. Select the KMS instance.
c. The details of each migrated secret, such as its name and secret type, are displayed.