A KMS instance provides features for managing keys and secrets. You can use keys to encrypt and decrypt sensitive data and use secrets to reduce the security risks of hardcoded credentials in your code, enhancing the security of your business data. This topic describes how to purchase and enable a KMS instance.
Step 1: Purchase a KMS instance
Log on to the Key Management Service console. In the top navigation bar, select a region. In the left-side navigation pane, click .
On the Instances page, click Create Instance, select the specifications for the KMS instance that you want to purchase, and then click Buy Now.
This topic describes how to purchase a Key Management Service (KMS) instance. To purchase a virtual HSM, see Purchase an HSM. To purchase a dedicated HSM, contact Alibaba Cloud technical support.
Parameter
Description
Key management type
KMS provides default keys, including service keys and customer master keys, for cloud product encryption in each region. You do not need to purchase a KMS instance to use default keys, but their features are limited. Default keys are provided by KMS at no cost. You are charged only if you purchase value-added services, such as the key rotation feature.
Before you purchase a KMS instance, we recommend that you read Select a KMS instance type to learn more about default keys and KMS instances.
Purchase a KMS instance
In most cases, a software key management instance is sufficient. If your business requires physical-level security or must meet strict compliance requirements, such as financial regulations, select a hardware key management instance.
Software Key Management: Keys are stored in a dedicated database for your instance.
Hardware Key Management: Key generation, storage, encryption, and decryption rely on a dedicated Hardware Security Module (HSM) that is compliant with Chinese national cryptographic standards or FIPS 140-2 Level 3. If you select this instance type, you must also purchase an HSM. For more information, see Configure an HSM cluster for a hardware key management instance.
External Key Management: Use keys from your external key management infrastructure to encrypt and decrypt data on Alibaba Cloud.
Note: Currently, only HSMs from the vendor Jiangnan Tianan are supported. If you need to manage HSMs from other vendors, contact us.
Purchase value-added services for keys
Expert service: Provides a series of exclusive one-on-one services, such as customized expert consultation, monitoring, and migration from KMS 1.0 to KMS 3.0. These services help ensure the stable operation of applications that call KMS.
Instance Backup: This value-added service is available only for software key management instances. After a software key management instance is enabled, KMS automatically provides free data backups with a 90-day retention period. We recommend that you first evaluate this free backup capability. If it does not meet your business requirements, you can purchase the Instance Backup service. For more information, see Backup management.
Default key rotation: Default keys do not support automatic rotation. To enable this feature, you must purchase this value-added service. For more information, see Default key rotation.
Region
We recommend that you select the same region where your services are deployed. For more information about supported regions, see Regions and availability zones.
Deployment mode
KMS instances support dual-zone or multi-zone configurations to provide high availability, disaster recovery, and load balancing.
Note: In the Philippines (Manila) and Thailand (Bangkok) regions, only a single zone is available, so KMS instances are deployed in a single zone by default.
A multi-zone deployment can be configured with up to three zones.
For information about the number of zones in each region, see Regions and zones.
Compute performance
The performance specifications of the KMS instance. For example, 2000 indicates a maximum throughput of 2,000 QPS for symmetric cryptographic operations and 300 QPS for asymmetric cryptographic operations when they are processed independently.
Note: If you need a software key management instance with a computing performance of 10,000 or 20,000, contact us.
Key quota
The quota for keys. The default is 1,000.
The key quota is calculated based on the number of key versions, not the number of keys. For example, one key with five versions counts as five against your key quota.
Secret quota
The quota for secrets. The default is 0.
The secret quota is calculated based on the number of secrets, regardless of the number of secret versions. One secret counts as one against your secret quota, no matter how many versions it has.
Note: If your business does not use secrets, you can skip purchasing this quota. You can purchase a secret quota later by upgrading your instance if needed.
Access management count
This quota applies to two features:
Access a KMS instance from multiple VPCs in the same region: Allows multiple VPCs in the same region to access KMS resources. One quota unit is required for each VPC.
Share a KMS instance across multiple accounts: The number of quota units you need equals the number of Alibaba Cloud accounts with which you share the instance.
For example, if your KMS instance needs to be associated with three VPCs and shared with two Alibaba Cloud accounts, you need an access management quota of at least 5.
The default value is 1, which allows the VPC bound to the KMS instance to access KMS resources.
Log analysis
Specifies whether to enable the log analysis feature. For more information, see Log Service overview.
Warning: You cannot disable log analysis after it is enabled. For more information about billing, see Billing.
Log storage capacity
The minimum capacity is 1,000 GB. You can increase the capacity in 1,000 GB increments. For information about how to estimate the required capacity, see How do I calculate the required log storage capacity?
Quantity
The number of KMS instances to purchase.
Important: Typically, you need to purchase only one KMS instance. To purchase multiple instances, contact us.
Duration
Select the subscription duration.
Note: You can select Auto-renewal on expiration to have the KMS instance automatically renewed.
Read and select Terms of Service, and then click Pay to complete the purchase.
After the purchase is complete, it takes 1 to 5 minutes for the new KMS instance to appear on the Instances page.
Step 2: Enable a KMS instance
After you purchase a KMS instance, you must enable it before you can use its key management and secret management features.
Enable a software key management instance
Prerequisites
Network configuration requirements: You must have one VPC and one vSwitch. To create a VPC and a vSwitch, see Create a VPC and a vSwitch or Create a vSwitch.
Note: You can log on to the VPC console to view your existing VPCs, vSwitches, and the availability zones where the vSwitches reside.
PrivateZone configuration requirements: If you use an Alibaba Cloud account for the Chinese mainland site (aliyun.com) to purchase a KMS instance in a region outside the Chinese mainland, or if you use an Alibaba Cloud account for the international site (alibabacloud.com) to purchase a KMS instance in a region within the Chinese mainland, you must manually activate PrivateZone. For more information, see Activate PrivateZone.
Note: If you use an Alibaba Cloud account for the Chinese mainland site (aliyun.com) to purchase a KMS instance in a region within the Chinese mainland, or if you use an Alibaba Cloud account for the international site (alibabacloud.com) to purchase a KMS instance in a region outside the Chinese mainland, PrivateZone is automatically activated. You do not need to manually activate it.
KMS covers the fees for DNS resolution of instance domain names, so you are not charged by PrivateZone for this service.
Procedure
Log on to the Key Management Service console. In the top navigation bar, select a region. In the left-side navigation pane, click .
On the Software Key Management tab, find the target software key management instance and click Enable in the Actions column.
In the Enable KMS Instance panel, configure the parameters and click Enable Now.
Parameter
Description
Instance Name
A custom name for the KMS instance. The name can contain letters, digits, and the following special characters: _/+=.@-
VPC ID
Select a VPC to bind to the KMS instance.
Zone Configuration
This setting depends on the deployment mode that you select when you purchase the instance. Dual-availability zone and multi-availability zone deployments are supported. For a multi-availability zone deployment, you can configure up to three availability zones.
Zone and vSwitch: Configure an availability zone and a vSwitch. Make sure that the vSwitch has at least one available IP address.
Other Zones: You can have availability zones randomly assigned or you can manually specify them.
Note: Some regions have only one availability zone. In these regions, a KMS instance can be deployed only in a single availability zone.
The latency and performance differences are negligible whether the KMS instance is in the same availability zone as your services or a different one. You can select availability zones based on your requirements.
The enablement process takes about 30 minutes. Refresh the page to confirm that the instance status has changed to Enabled.
Enable a hardware key management instance
Prerequisites
HSM configuration requirements: You must have a configured HSM cluster that the KMS instance can connect to. For more information, see Configure an HSM cluster for a hardware key management instance.
Warning: If you need to add more HSMs to the cluster later, contact Alibaba Cloud technical support to change the cluster's synchronization method to automatic. This helps prevent synchronization failures.
Network configuration requirements: Ensure that a vSwitch is available in each availability zone that is configured for the KMS instance. The following description assumes a dual-availability zone deployment.
Note: You can log on to the VPC console, click the target vSwitch on the vSwitch page, and view the number of available IP addresses on the details page.
Use the two vSwitches that are bound to the HSM instance: You do not need to create new vSwitches. Ensure that each vSwitch has at least four available IP addresses reserved.
Do not use the two vSwitches that are bound to the HSM instance: You need to create two vSwitches in different availability zones. Each vSwitch must have at least four available IP addresses reserved. For more information, see Create a vSwitch.
PrivateZone configuration requirements: If you use an Alibaba Cloud account for the Chinese mainland site (aliyun.com) to purchase a KMS instance in a region outside the Chinese mainland, or if you use an Alibaba Cloud account for the international site (alibabacloud.com) to purchase a KMS instance in a region within the Chinese mainland, you must manually activate PrivateZone. For more information, see Activate PrivateZone.
Note: If you use an Alibaba Cloud account for the Chinese mainland site (aliyun.com) to purchase a KMS instance in a region within the Chinese mainland, or if you use an Alibaba Cloud account for the international site (alibabacloud.com) to purchase a KMS instance in a region outside the Chinese mainland, PrivateZone is automatically activated. You do not need to manually activate it.
KMS covers the fees for DNS resolution of instance domain names, so you are not charged by PrivateZone for this service.
Procedure
Log on to the Key Management Service console. In the top navigation bar, select a region. In the left-side navigation pane, click .
Click the Hardware Key Management tab, find the target hardware key management instance, and click Enable in the Actions column.
In the Connect to HSM panel, configure the settings and then click Connect to HSM to specify the HSM cluster.
Instance Name: A custom name for the KMS instance. The name can contain letters, digits, and the following special characters: _/+=.@-
Select Cluster: Select the HSM cluster that you configured in CloudHSM.
Note: A hardware key management instance can be bound to only one HSM cluster.
Configure HSM Access Secret:
Chinese mainland HSM
Automatically generate certificates: If you select Automatically generate certificates when you purchase an HSM in the Chinese mainland, HSM automatically generates the required certificates. No manual configuration is needed.
Manually generate certificates: If you did not configure automatic certificate generation when you purchased the HSM, you must configure a client certificate (a PKCS#12 certificate with a protection password) and a security domain certificate (the PEM-formatted CA certificate that issues the TLS server certificate for the HSM cluster). For more information about how to generate certificates, see Generate certificates and configure mutual TLS authentication.
Client Protection Password: The protection password that you set when you generate the client.p12 client certificate. If you use the certificate generation tool (hsm_certificate_generate), the default password is 12345678.
Client Certificate: A PKCS#12 certificate. Click Select File and select the generated client.p12 file to upload.
Security Domain Certificate: A PEM-formatted CA certificate. Click Select File and select the generated rootca.pem file to upload.
International HSM
Automatically generate certificates: If you select Automatically generate certificates when you purchase an HSM outside the Chinese mainland, HSM automatically generates the required certificates and deploys them to the server-side HSM. You only need to configure the corresponding certificates on the client SDK to complete the authentication configuration.
Manually generate certificates: If you did not configure automatic certificate generation, you must manually configure the client certificate. For more information about how to generate certificates, see Import a GVSM (NIST FIPS) cluster certificate.
Username: The username of the HSM operator. This is fixed to kmsuser.
Password: The password for the HSM operator. This is the password that you set when you create an HSM operator (CU user).
Security Domain Certificate: A PEM-formatted certificate. Log on to the CloudHSM console, click the ID of any HSM instance in the cluster, go to the Instance Details tab, and find the HSM Certificate section. Click ClusterOwnerCertificate and copy the content, or save it as a PEM file and then upload the file.
VPC: This defaults to the VPC ID that is bound to the HSM and cannot be changed.
Configure Zone and vSwitch: This setting depends on the deployment mode that you select when you purchase the instance. Dual-availability zone and multi-availability zone deployments are supported. Each vSwitch in each availability zone must have at least four available IP addresses reserved.
For a multi-availability zone deployment, you can configure up to three availability zones.
Note: Dual-availability zone or multi-availability zone deployments provide high availability, disaster recovery, and load balancing for KMS. The latency and performance differences are negligible whether the KMS instance is in the same availability zone as your services or a different one. You can select availability zones based on your requirements.
After you complete the configuration, wait for the system to process the request. The instance is enabled when its status changes to Enabled.
Note: If you purchased a secret quota for the instance, enablement takes about 30 minutes. If you did not purchase a secret quota, it takes about 10 minutes. You may need to refresh the page to see the updated status.
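For the manual-certificate path under Configure HSM Access Secret (Chinese mainland HSM), the following pre-upload check verifies that the client certificate is really a PKCS#12 file, that the security domain certificate is a PEM CERTIFICATE block, that the two files have not been swapped, and that the client protection password is not still the tool default. This is an added example, not code from Alibaba Cloud or from this page: the file names client.p12 and rootca.pem and the default password 12345678 come from the text above, while the check logic and the sample bytes are the example's own constructed assumptions, not real certificates.

```python
import base64
import re

# Default protection password of the hsm_certificate_generate tool (from the page);
# a client.p12 still protected with it should not be uploaded.
TOOL_DEFAULT_PASSWORD = "12345678"
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def der_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def looks_like_pkcs12(data: bytes) -> bool:
    """PKCS#12 (RFC 7292) is DER: PFX ::= SEQUENCE { version INTEGER (3), ... }."""
    try:
        tag, body, _ = der_tlv(data)
        vtag, version, _ = der_tlv(body)
        return tag == 0x30 and vtag == 0x02 and version == b"\x03"
    except IndexError:
        return False

def pem_certificates(data: bytes) -> list:
    """DER bodies of all PEM CERTIFICATE blocks whose payload is a DER SEQUENCE."""
    certs = []
    for label, body in PEM_BLOCK.findall(data):
        try:
            der = base64.b64decode(body, validate=False)  # drops the line breaks
            if label == b"CERTIFICATE" and der and der_tlv(der)[0] == 0x30:
                certs.append(der)
        except (ValueError, IndexError):
            continue
    return certs

def check_hsm_access_secret(client_p12: bytes, password: str, rootca_pem: bytes) -> list:
    """Return the problems found; an empty list means the inputs are consistent."""
    problems = []
    if PEM_BLOCK.search(client_p12) and looks_like_pkcs12(rootca_pem):
        problems.append("files appear swapped: client file is PEM, security domain file is PKCS#12")
    else:
        if not looks_like_pkcs12(client_p12):
            problems.append("client certificate is not a PKCS#12 (.p12) file")
        if not pem_certificates(rootca_pem):
            problems.append("security domain certificate is not a PEM CERTIFICATE block")
    if password == TOOL_DEFAULT_PASSWORD:
        problems.append("client protection password is still the tool default 12345678")
    return problems

# Constructed sample inputs (not real certificates): a minimal PKCS#12 outer
# structure and a PEM block wrapping a minimal DER SEQUENCE.
SAMPLE_P12 = b"\x30\x05\x02\x01\x03\x30\x00"
SAMPLE_ROOTCA_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(b"\x30\x03\x02\x01\x00")
                     + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for problem in check_hsm_access_secret(SAMPLE_P12, TOOL_DEFAULT_PASSWORD, SAMPLE_ROOTCA_PEM):
        print("WARNING:", problem)
```

The check only inspects file structure; it does not open the PKCS#12 with the password, so a wrong (non-default) password is still reported by the console at enable time.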
Enable an external key management instance
Prerequisites
HSM configuration requirements:
You have purchased an off-cloud HSM.
You have configured an XKI Proxy external proxy. The following connection methods are supported. For specific instructions, contact your HSM provider.
Note: For more information about the XKI Proxy server, see XKI Proxy Server.
Public network connection: A direct connection is established over the public internet.
VPC endpoint connection: You must first create an endpoint service as described below. For more information, see Create and manage endpoint services.
The two availability zones of the endpoint service must match the availability zones selected for the KMS instance.
You must add your current Alibaba Cloud account to the allowlist of the endpoint service.
The Automatically Accept Endpoint Connections setting for the endpoint service must be set to Yes.
PrivateZone configuration requirements: If you use an Alibaba Cloud account for the Chinese mainland site (aliyun.com) to purchase a KMS instance in a region outside the Chinese mainland, or if you use an Alibaba Cloud account for the international site (alibabacloud.com) to purchase a KMS instance in a region within the Chinese mainland, you must manually activate PrivateZone. For more information, see Activate PrivateZone.
Note: If you use an Alibaba Cloud account for the Chinese mainland site (aliyun.com) to purchase a KMS instance in a region within the Chinese mainland, or if you use an Alibaba Cloud account for the international site (alibabacloud.com) to purchase a KMS instance in a region outside the Chinese mainland, PrivateZone is automatically activated. You do not need to manually activate it.
KMS covers the fees for DNS resolution of instance domain names, so you are not charged by PrivateZone for this service.
Procedure
Log on to the Key Management Service console. In the top navigation bar, select a region. In the left-side navigation pane, click .
Click the External Key Management tab, find the target instance, and click Enable in the Actions column.
In the Connect to HSM panel, configure the settings and then click Connect to HSM to specify the HSM cluster.
Parameter
Description
Instance Name
A custom name for the KMS instance. The name can contain letters, digits, and the following special characters: _/+=.@-
VPC
Select a VPC to bind to the KMS instance.
Zone Configuration
This setting depends on the deployment mode that you select when you purchase the instance. Dual-availability zone and multi-availability zone deployments are supported. For a multi-availability zone deployment, you can configure up to three availability zones.
Zone and vSwitch: Configure an availability zone and a vSwitch. Make sure that the vSwitch has at least one available IP address.
Other Zones: You can have availability zones randomly assigned or you can manually specify them.
Note: Some regions have only one availability zone. In these regions, a KMS instance can be deployed only in a single availability zone.
Dual-availability zone or multi-availability zone deployments provide high availability, disaster recovery, and load balancing for KMS. The latency and performance differences are negligible whether the KMS instance is in the same availability zone as your services or a different one. You can select availability zones based on your requirements.
External Proxy Connectivity
Public Endpoint Connectivity: The KMS instance connects to the XKI Proxy external proxy over the public internet.
VPC Endpoint Service Connectivity: The KMS instance connects to the XKI Proxy external proxy by using a VPC endpoint service.
Domain Name of External Proxy
This parameter is required only if you set External Proxy Connectivity to Public Endpoint Connectivity. Enter the domain name of the XKI Proxy external proxy.
Endpoint Service
This parameter is required only if you set External Proxy Connectivity to VPC Endpoint Service Connectivity. Select an endpoint service.
The availability zones selected for the KMS instance must be the same as the availability zones of the endpoint service.
External Proxy Configuration
Manual Configuration: Manually configure the External Proxy Path, Certificate Fingerprint, AccessKey ID, and AccessKey secret of the XKI proxy.
Configuration File Upload: Configure the parameters by uploading a configuration file.
If you purchased a secret quota for the instance, enablement takes about 30 minutes. If you did not purchase a secret quota, it takes about 10 minutes. You may need to refresh the page. The instance is enabled when its status changes to Enabled.
FAQ
Why does the status of a KMS instance remain "Connecting" during activation?
What do I do if an error occurs when I enable a software key management instance?
What do I do if an error occurs when I enable a hardware key management instance?
How do I configure the HSM cluster associated with a hardware key management instance?