DocsICP FilingConsole
官方文档
首页

Release notes

更新时间:
复制 MD 格式
产品详情
我的收藏

This page tracks significant changes to Key Management Service (KMS), including new features, optimizations, and bug fixes.

Important

KMS 1.0 entered End of Full Support (EoFS) on March 30, 2025, and will reach End of Service (EOS) on September 30, 2025 (both at 00:00:00 GMT+8). Migrate your KMS 1.0 resources to KMS 3.0 instances before the EOS date to avoid service disruption. See Migrate KMS 1.0 resources to KMS 3.0 instances.

2026

VersionChange typeDescriptionDateRegionReferences
dkms-3.9.0New featureInstance Gateway OpenAPI now authenticates GenerateDataKey and Decrypt calls from Trusted Computing Environments (TCE), so workloads running in TCE can access KMS with policy-based access control.2026-01-13All regionsPolicy condition keys
dkms-3.9.0OptimizationInstance SDK now supports asymmetric key rotation, aligning SDK capabilities with OpenAPI.2026-01-13All regionsNone
dkms-3.8.0New featureHardware instances now support manual backup, giving you control over when backups are created in addition to automatic backups.2026-01-06All regionsBackup management

2025

VersionChange typeDescriptionDateRegionReferences
dkms-3.7.0New featureInternational hardware instances now support asymmetric Bring Your Own Key (BYOK) import. International single-version keys can also be migrated to hardware instances.2025-12-09International regionsMigration steps
dkms-3.6.2OptimizationResource policy authentication now supports Strict Mode, allowing you to enforce stricter access control when evaluating policy conditions.2025-10-28All regionsPolicy condition keys
dkms-3.6.1OptimizationResolved a backup failure that occurred in single-owner instance scenarios.2025-10-09All regionsNone
dkms-3.6.0New featureInstance sharing now supports Independent Ownership mode, enabling the instance owner to retain control over shared resources. Software instances now also support multi-version BYOK key import.2025-09-12All regionsShare KMS instances across multiple accounts
dkms-3.5.0New featureMulti-version symmetric keys in Chinese mainland regions can now be migrated to hardware instances.2025-08-13US regionsMigration steps
dkms-3.4.0New featureNew instances in US regions exclusively use TLSv1.2, enforcing a minimum TLS version for data in transit.2025-08-06All regionsN/A
dkms-3.3.0New featureHardware instances in China now support key rotation, bringing this capability in line with software instances.2025-08-12All regionsMigration steps
dkms-3.3.0OptimizationResolved session handling issues for international hardware instances.None
dkms-3.2.2New featureSoftware key management instances now support creating asymmetric keys with the RSA-4096 specification.2025-06-18All regionsUnderstanding KMS keys
dkms-3.2.0OptimizationSecret retrieval performance is improved by caching secrets in ciphertext in Redis, reducing latency for high-frequency secret reads.2025-02-19All regionsNone
dkms-3.1.0OptimizationKMS instances now dynamically detect Hardware Security Module (HSM) cluster changes after scale-out, keeping data synchronized without manual intervention.2025-01-07All regionsPurchase and enable a KMS instance

2024

VersionChange typeDescriptionDateRegionReferences
dkms-3.0.0New featureCryptographic operations can now be performed by calling OpenAPI through a dedicated gateway using the Alibaba Cloud SDK.2024-12-23All regionsAlibaba Cloud SDK
dkms-2.9.0OptimizationKMS security hardening.2024-10-31All regionsNone
dkms-2.8.0New featureKMS 1.0 reached End of Full Support (EoFS) on March 30, 2025, and reaches End of Service (EOS) on September 30, 2025 (both at 00:00:00 GMT+8). Migrate KMS 1.0 resources to KMS 3.0 instances before the EOS date.2024-09-25All regionsMigrate KMS 1.0 resources to KMS 3.0 instances
dkms-2.7.0New featureSecret rotation events, scheduled deletion events, and actual deletion events are now delivered to Cloud Monitor, enabling you to set alerts on secret lifecycle changes.2024-06-03All regionsAlert events
New featureData Management (DMS) supports logging on to databases using KMS secrets, so database credentials can be managed centrally in Secrets Manager.2024-06-03All regionsIntegrate ApsaraDB RDS secrets into DMS
New featureSoftware key management instances now support free automatic backup.2024-05-10All regionsBackup management
New featureSoftware key management instances now support BYOK keys, letting you import your own symmetric or asymmetric key material.2024-05-09All regionsImport symmetric key material · Import asymmetric key material
New featureExternal key management instances now support Hold Your Own Key (HYOK), giving you full control over your key material stored outside Alibaba Cloud.2024-04-29All regionsManage external keys
New featureKeys in KMS instances can now be synchronized across regions, supporting disaster recovery and multi-region workloads.2024-04-11All regionsCross-region synchronization
New featureResource-based access control policies are now supported for keys and secrets. Attach policies directly to a key or secret to control which Alibaba Cloud accounts, RAM users, and RAM roles can access it.2024-03-20All regionsKey policies · Secret policies

2023

VersionChange typeDescriptionDateRegionReferences
New featureListSecrets now returns the SecretType parameter, making it easier to filter secrets by type programmatically.2023-12-27All regionsListSecrets
New featureKMS is now available in Thailand (Bangkok).Thailand (Bangkok)Regions and zones
New featureCloud Monitor integration now supports alert settings for KMS system events, enabling proactive monitoring.2023-11-24All regionsAlert events
New featureSimple Log Service (SLS) integration now stores and enables query analysis of KMS instance data plane access logs for up to 180 days.2023-10-30All regionsOverview of Simple Log Service · Use Simple Log Service · Log field details
New featureKMS instances now support generating asymmetric data key pairs via GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, AdvanceGenerateDataKeyPair, and AdvanceGenerateDataKeyPairWithoutPlaintext.2023-09-25All regionsGenerateDataKeyPair · GenerateDataKeyPairWithoutPlaintext · AdvanceGenerateDataKeyPair · AdvanceGenerateDataKeyPairWithoutPlaintext
New featureKMS instances now support dual-zone deployment, improving service availability and disaster recovery.2023-08-11All regionsPurchase and activate KMS instances
New featureSoftware key management instances now support 10,000 and 20,000 queries per second (QPS) performance tiers.2023-07-28All regionsPerformance data
New featureKMS is now available in China (Chengdu).China (Chengdu)Regions and zones
New featureKMS integrates with Alibaba Cloud Tag Service, supporting bulk tagging of multiple keys or secrets at once via TagResources, UntagResources, and ListTagResources.2023-06-20China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Chengdu), China (Hong Kong), Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Germany (Frankfurt), UK (London), US (Silicon Valley), US (Virginia), Philippines (Manila), and Thailand (Bangkok)TagResources · UntagResources · ListTagResources
New featureSymmetric key rotation is now supported for software key management instances.Key rotation
New featureKeys and secrets in software key management instances can now be backed up and restored.Backup management
New featureA KMS instance can be shared across multiple Alibaba Cloud accounts for server-side encryption in Alibaba Cloud services.2023-04-20China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Chengdu), China (Hong Kong), Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Germany (Frankfurt), UK (London), US (Silicon Valley), US (Virginia), Philippines (Manila), and Thailand (Bangkok)Share KMS instances across multiple accounts
New featureA new KMS console is released, supporting unified management of software-protected keys, hardware-protected keys, default keys, and secrets.2023-03-16All regionsWhat is Key Management Service · Overview of Key Management Service · Overview of Secrets Manager

2022

No feature releases.

November 2022

Feature overview

Release date

Region

References

Dedicated KMS Secrets Manager supports managed RAM secrets, RDS secrets, and ECS secrets

Nov 30, 2022

China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen)

May 2022

Feature overview

Release date

Region

References

KMS supports Dedicated KMS Basic Edition

May 20, 2022

China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen)

July 2022

Feature overview

Release date

Region

References

Dedicated KMS supports Secrets Manager

Jul 20, 2022

China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen)

2021

VersionChange typeDescriptionDateRegionReferences
New featureKMS is now available in Philippines (Manila).2021-10-01Philippines (Manila)None
New featureKMS supports Dedicated KMS Standard Edition, providing dedicated HSM-backed key management for regulated workloads.2021-09-05China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong), Malaysia (Kuala Lumpur), and SingaporeOverview of Dedicated KMS Standard Edition · Manage Dedicated KMS Standard Edition instances · Manage application endpoints · Dedicated KMS SDK
New featureKMS now supports dynamic RAM secrets, enabling automatic rotation of RAM user access keys managed through Secrets Manager.2021-08-13All regionsOverview of dynamic RAM secrets · Managed secret plug-in for Alibaba Cloud SDKs
New featureKMS now supports dynamic ApsaraDB RDS secrets. New APIs: RotateSecret and UpdateSecretRotationPolicy.2021-01-04All regionsOverview of dynamic ApsaraDB RDS secrets · Secrets Manager JDBC client · RotateSecret · UpdateSecretRotationPolicy

2020

VersionChange typeDescriptionDateRegionReferences
New featureAn API operation to activate KMS is now supported. New APIs: OpenKmsService and DescribeAccountKmsStatus.2020-10-20All regionsOpenKmsService · DescribeAccountKmsStatus
New featureKMS now supports cross-system exchange, re-encryption, and cross-region import and export of data keys. New APIs: GenerateDataKeyWithoutPlaintext, GenerateAndExportDataKey, ExportDataKey, and ReEncrypt. KMS is now available in China (Guangzhou).2020-07-07All regionsGenerateDataKeyWithoutPlaintext · GenerateAndExportDataKey · ExportDataKey · ReEncrypt
New featureSecrets Manager is released. KMS is now available in China (Ulanqab) and China (Heyuan).2020-02-24All regionsOverview of Secrets Manager · Overview of generic secrets · Manage generic secrets · Rotate a generic secret

2019

VersionChange typeDescriptionDateRegionReferences
New featureKMS now supports asymmetric keys for encryption, decryption, and digital signature operations. New APIs: AsymmetricEncrypt, AsymmetricDecrypt, AsymmetricSign, AsymmetricVerify, and GetPublicKey.2019-12-13All regionsOverview of asymmetric keys · Asymmetric data encryption and decryption · Asymmetric digital signatures
New featureHardware key management instances can now use an HSM cluster to store keys, meeting the regulatory requirements of State Cryptography Administration (SCA).2019-11-18China (Beijing) and China (Shanghai)KMS hardware key management instances support HSMs
New featureEach customer master key (CMK) now supports multiple versions and automatic rotation. New APIs: UpdateKeyDescription and GenerateDataKeyWithoutPlaintext.2019-09-24All regionsAutomatic rotation of keys
New featureHardware key management instances can now use an HSM cluster to store keys.2019-07-31Singapore and China (Hong Kong)KMS hardware key management instances support HSMs
New featureKey tags and tag-based authentication are now supported.2019-05-01All regionsTagResource · Use RAM to implement access control on resources

2018

VersionChange typeDescriptionDateRegionReferences
New featureActionTrail integration is now supported for auditing KMS operations.2018-07-24All regionsUse ActionTrail to query the operations of Key Management Service
New featureBYOK support added via new API operations for importing key material. CMK aliases are now supported. KMS is now available in Indonesia (Jakarta), US (Virginia), and US (Silicon Valley).2018-08-30All regionsImport key material

2017

VersionChange typeDescriptionDateRegionReferences
New featureKMS is now available in China (Qingdao), China (Hohhot), and Malaysia (Kuala Lumpur).2017-11-15China (Qingdao), China (Hohhot), and Malaysia (Kuala Lumpur)None
New featureNew API: DescribeRegions. KMS SDK updated to V2.4.0.2017-06-05All regionsDescribeRegions
New featureKMS is now available for commercial use (launched April 25, 2017). KMS is now available in China (Zhangjiakou).2017-05-10All regionsNone
OptimizationPerformance optimization.2017-03-01All regionsNone
New featureKMS is now available in China (Hong Kong).2017-01-22China (Hong Kong)None

2016

VersionChange typeDescriptionDateRegionReferences
New featureKMS is now available in Japan (Tokyo), Germany (Frankfurt), and UAE (Dubai).2016-11-29Japan (Tokyo), Germany (Frankfurt), and UAE (Dubai)None
New featureNew APIs for key deletion scheduling: ScheduleKeyDeletion and CancelKeyDeletion.2016-09-20All regionsScheduleKeyDeletion · CancelKeyDeletion
New featureThe EncryptionContext parameter is now supported in the Encrypt and Decrypt API operations.2016-08-10All regionsDescription of EncryptionContext
New featureCMKs can now be enabled or disabled.2016-06-22All regionsCreate a CMK
New featureKMS is now available in China (Beijing), China (Shanghai), and China (Shenzhen).2016-05-19China (Beijing), China (Shanghai), and China (Shenzhen)None
New featureKMS is released.2016-04-06All regionsWhat is Key Management Service
Previous:Announcements and updatesNext:[Announcement] KMS Shared Edition Service Termination (EOS) Date Extended