KMS Backup Management protects your keys and secrets against accidental deletion and disaster scenarios, helping you meet compliance retention requirements and minimize recovery time. This topic describes how to enable automatic and manual backups, and how to restore, extend, reset, and download backup data.
Scope
Supported instance types
Both software key management instances and hardware key management instances support backup. For more information, see Manage keys.
Software key management instances: Support backup of key metadata, key material, and secret data.
Hardware key management instances:
Backup scope: Only the metadata of hardware keys is backed up. Key material is not included and is instead backed up by the associated HSM cluster. For more information, see Data backup and restoration.
Important: To fully protect key data in a hardware instance, you must enable both KMS backup and HSM backup.
Image version requirement: Hardware key management instances require image version 3.9.1 or later to use the backup feature. To upgrade, see Upgrade the image version of a KMS instance.
Recovery target scope
Single account: Restore to any software key management instance within your account.
Multi-account sharing: Backup and restore operations can only be performed by the resource owner.
Resources created by the resource owner: Can be restored to any software key management instance owned by the resource owner.
Resources created by a resource consumer: Can only be restored to the original shared KMS instance. After restoration, both parties can use the resource.
Hardware key management instances: Data restoration to the original instance is not currently supported. Data can only be restored to a new instance.
Use cases
Recover a software key management instance or hardware key management instance after it has been released.
Restore keys or secrets that were accidentally deleted.
Copy keys or secrets to other regions for disaster recovery or low-latency access when your business spans multiple regions.
Features
Each backup can back up the data of one KMS instance. KMS provides two backup modes: automatic backup and manual backup.
Automatic backup:
Enabled by default for software key management instances created after April 26, 2024. KMS automatically creates the backup. For more information, see [Announcement] KMS instances of the software key management type support the automatic backup feature.
Hardware key management instances created after April 1, 2026 have automatic backup enabled by default.
Manual backup: Includes default backups and purchased backups. You must manually enable this mode.
| Item | Description | Automatic Backup | Manual Backup: Default Backup | Manual Backup: Purchased Backup |
| --- | --- | --- | --- | --- |
| Cost | Whether additional charges apply. | Free. | Free. | Paid. Charges are based on the purchase duration and the configured number of viewable days. |
| Backup deletion policy | The default time when backup data is deleted. | The backup lifecycle depends on the associated KMS instance. Backup data is deleted 90 days after the KMS instance is released. Manual deletion of backup data is not supported. | Remains valid indefinitely. Supports manual deletion through the reset operation. | The backup lifecycle depends on the purchase duration. Backups are released and deleted 15 days after expiration. Manual deletion through the reset operation is also supported. Important: No operations are supported after the backup expires. However, you can renew an expired backup to reactivate and use it before it is released. Renewal charges are the same as purchasing a new backup of the same specification. |
| Viewable days | The number of days of backup data you can view. For example, if you set the viewable days to 50 for a purchased backup, and the backup data is 80 days old, only the most recent 50 days of backup data are visible. To view earlier data, you need to extend the viewable days. Note: Configure the viewable days based on your key rotation schedule and disaster recovery requirements. | 90 days. Cannot be extended. | 7 days. Cannot be extended. | Select 7 to 600 days at purchase. You can also extend the viewable days after purchase, but downgrading is not supported. |
| Backup schedule | The time of day when backups are performed. | A full backup is performed on the first run. After that, a full backup runs daily at 00:00, and incremental backups run every 5 minutes after each full backup completes. | Same schedule as automatic backup. | Same schedule as automatic backup. |
| Backup type | Distinguishes backup sources for quick identification. | System Created | Default | Paid |
Back up data
Before you begin
The target instance must meet the following conditions before you can restore a backup.
The target instance has sufficient quota for keys or secrets.
No key or secret with the same name exists in the target region. To overwrite during restore, delete the existing key or secret in the target region first.
When restoring a secret, the key used to encrypt that secret must already exist in the target instance.
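The three preconditions above (and the quota and name-conflict answers in the FAQ) can be checked before anything is uploaded through the console. The following Python is an added example, not Alibaba Cloud code: it models a target instance and a backup manifest with constructed, hypothetical names and quotas, reports every precondition that would block the restore, and returns an upload order that restores keys before the secrets they encrypt.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Hypothetical, simplified models of a target KMS instance and of the items in
# a backup. Names and quotas below are constructed for this example; they are
# not values from the KMS console or API.


@dataclass
class TargetInstance:
    name: str
    key_quota: int
    secret_quota: int
    keys: Set[str] = field(default_factory=set)      # key names already present
    secrets: Set[str] = field(default_factory=set)   # secret names already present


@dataclass
class BackupItem:
    kind: str                            # "key" or "secret"
    name: str
    encrypted_by: Optional[str] = None   # for secrets: name of the encrypting key


Problems = List[Tuple[str, str]]
Plan = List[Tuple[str, str]]


def preflight(items: List[BackupItem], target: TargetInstance) -> Tuple[Problems, Plan]:
    """Check the three restore preconditions and return (problems, plan).
    Each problem is (code, subject). The plan lists (kind, name) with all keys
    first, so every secret's encrypting key exists by the time it is uploaded.
    An empty problems list means the restore can proceed."""
    keys = [i for i in items if i.kind == "key"]
    secrets = [i for i in items if i.kind == "secret"]
    problems: Problems = []

    # Condition 1: the target instance has sufficient quota for keys and secrets.
    if len(target.keys) + len(keys) > target.key_quota:
        problems.append(("quota", "key"))
    if len(target.secrets) + len(secrets) > target.secret_quota:
        problems.append(("quota", "secret"))

    # Condition 2: no key or secret with the same name already exists in the target.
    for k in keys:
        if k.name in target.keys:
            problems.append(("name_conflict", k.name))
    for s in secrets:
        if s.name in target.secrets:
            problems.append(("name_conflict", s.name))

    # Condition 3: the key that encrypts each secret must exist in the target,
    # either already or because it is restored earlier in this same plan.
    keys_after_restore = target.keys | {k.name for k in keys}
    for s in secrets:
        if s.encrypted_by is None or s.encrypted_by not in keys_after_restore:
            problems.append(("missing_key", s.name))

    plan = [("key", k.name) for k in keys] + [("secret", s.name) for s in secrets]
    return problems, plan


def example() -> Tuple[Problems, Plan]:
    """Constructed scenario that trips all three checks at once."""
    target = TargetInstance(
        name="kms-target-example",
        key_quota=5,
        secret_quota=3,
        keys={"app-signing"},
        secrets={"db-password"},
    )
    items = [
        BackupItem("key", "app-signing"),                              # name conflict
        BackupItem("key", "pii-cmk"),
        BackupItem("secret", "db-password", encrypted_by="pii-cmk"),   # name conflict
        BackupItem("secret", "api-token", encrypted_by="pii-cmk"),     # fine: key restored first
        BackupItem("secret", "legacy-token", encrypted_by="old-cmk"),  # encrypting key absent
    ]
    return preflight(items, target)


if __name__ == "__main__":
    problems, plan = example()
    for code, subject in problems:
        print(f"BLOCKED {code}: {subject}")
    print("upload order:", plan)
```

Resolve every reported problem (free quota, delete or rename the conflicting resource, or restore the missing key) before following the upload steps, and upload in the returned order.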
Automatic backup
After you enable a software key management instance or hardware key management instance, KMS automatically creates a backup for that instance. For more information about how to enable an instance, see Purchase and enable a KMS instance.
After the instance is enabled, KMS automatically generates a backup. View it on the Backups page. KMS-created backups have the Backup Type set to System Created and the Backup Object matching your key management instance.
Manual backup
Log on to the KMS console.
(Optional) Purchase a backup.
Note: Skip this step if you are using the default backup.
On the Backups page, click Create Backup, configure the parameters as needed, and then click Buy Now.
| Parameter | Description |
| --- | --- |
| Key Management Type | Select Key Value-Added Service. |
| Key Value-Added Service | Select Instance Backup. |
| Region | Must be the same region as the software key management instance you want to back up. |
| Viewable Days | The number of days of backup data you can view. |
| Quantity | The number of backups to purchase. Note: Each backup can back up the data of one KMS instance. |
| Duration | The purchase duration for the backup. |
On the Confirm Order page, review the service agreement and complete the payment.
Enable the backup.
Important: A full backup is performed when you first enable a backup. After that, a full backup runs daily at 00:00, and incremental backups run every 5 minutes after each full backup completes.
On the Backups page, find the target backup and click Enable in the Actions column.
In the Enable Backup dialog box, configure the parameters and then click OK.
| Parameter | Description |
| --- | --- |
| Backup Type | Select Software Key Management or Hardware Key Management. When you switch the type, the backup target field is reset. |
| Backup Object | Select the key management instance to back up. The list shows only enabled instances whose specifications match the selected backup data specification. |
| Backup Data | Default value: Keys and Secrets. This parameter cannot be modified. |
| Backup Alias | A custom alias for the backup. |
(Optional) View backup data.
In the Actions column of the target backup, click View Data, select a date, and then view the backup data for that day.
| Data Type | Description |
| --- | --- |
| Fully Backed up Keys | All keys backed up at 00:00 on the selected day. |
| Incrementally Backed up Keys | Keys that were newly added on the selected day. |
| Rotated Keys | Keys that were rotated on the selected day. |
| Fully Backed up Secrets | All secrets backed up at 00:00 on the selected day. |
| Incrementally Backed up Secrets | Secrets that were newly added on the selected day. |
| Rotated Secrets | Secrets that were rotated on the selected day. |
Restore data
Restore a software instance
Log on to the KMS console.
In the Actions column of the target backup, click Extend Queryable Range to select the date to which you want to restore data.
Important: For purchased backups, if the data to restore is outside the current viewable days range, extend the viewable days first and then restore. You cannot restore data from before the backup was enabled, even by extending viewable days.
For example: backup enabled on May 1, 2024 with 10 viewable days. To restore data from May 5 on May 20, 2024, extend the viewable days to 16.
Keys:
Select Data Type (for example, Fully Backed up Keys), locate the target key, and click Upload Backup in the Actions column.
In the Upload Backup dialog box, select the target region and instance information, and then click OK.
Secrets:
Restore the key that encrypts the secret.
Note: The target instance must have the key that encrypts the secret. If you are sure the key already exists in the target instance, skip this step and go directly to restoring the secret.
Select Data Type (for example, Fully Backed up Keys), locate the key associated with the secret, and click Upload Backup in the Actions column.
In the Upload Backup dialog box, select the target region and instance information, and then click OK.
Restore the secret.
Select Data Type (for example, Fully Backed up Secrets), locate the target secret, and click Upload Backup in the Actions column.
In the Upload Backup dialog box, select the target region and instance information, and then click OK.
Restore a hardware instance
Operation notes
Data restoration to the original instance is not currently supported. Data can only be restored to a new instance.
To ensure eventual data consistency, set the HSM backup time one day later than the KMS backup time.
Step 1: Back up HSM data
If you enabled data backup and recovery for the associated HSM instance when purchasing the hardware instance, skip this step.
In the VSMs page, find the target HSM and click .
On the configuration change page, enable data backup and recovery and select the number of mirror images. Review the service agreement, select the check box, and then click Buy Now to complete the purchase.
Important: Keep the number of mirror images consistent with the Viewable Days configured for the KMS instance backup. Otherwise, the backup may be incomplete. For example, if the viewable days is set to 30, you need to purchase 30 mirror images.
After the purchase succeeds, backups are automatically created based on the schedule. You can view the generated backup names on the Backups page.
Step 2: Create a hardware key management instance and restore data
Restore data: After the HSM backup data is generated, follow the instructions below to restore data.
Prepare the HSM instance:
Purchase an HSM instance in the same region where you want to restore the hardware key management instance.
Backup management only supports HSMs deployed in cluster mode. When purchasing, you must select at least two HSMs across dual availability zones. For more information, see Purchase an HSM instance.
Warning: After the purchase, do not enable the HSM instance. If the target HSM is already in use, contact Alibaba Cloud technical support to disable and reset the HSM instance first.
Restore HSM data:
Log on to the Encryption Service Management console.
On the Backups page, select the backup data for the HSM associated with the hardware key management instance (Backup Type is Auto Create).
Note: Select the most recent backup.
Click View Image in the Actions column of the target backup.
On the image backup details page, click Upload Backup in the Actions column of the target image.
In the Upload Backup dialog box, select Restore Instance (the HSM instance purchased in the previous step), and then click OK.
Purchase and enable the hardware key management instance:
Log on to the KMS console.
On the Hardware Key Management tab, click Create Instance, select the specification for the hardware key management instance, and click Buy Now.
Return to the Hardware Key Management tab, find the newly purchased hardware key management instance, and click Enable in the Actions column.
In the Connect to HSM panel, in the Select Cluster section, select the HSM instance purchased in step 1, and then click Connect to HSM.
Restore the hardware key management instance data:
Log on to the KMS console.
In the Actions column of the target backup, click Extend Queryable Range to select the date to which you want to restore data.
Important: For purchased backups, if the data to restore is outside the current viewable days range, extend the viewable days first and then restore. You cannot restore data from before the backup was enabled, even by extending viewable days.
For example: backup enabled on May 1, 2024 with 10 viewable days. To restore data from May 5 on May 20, 2024, extend the viewable days to 16.
Keys:
Select Data Type (for example, Fully Backed up Keys), locate the target key, and click Upload Backup in the Actions column.
In the Upload Backup dialog box, select the target region and instance information, and then click OK.
Secrets:
Restore the key that encrypts the secret.
Note: The target instance must have the key that encrypts the secret. If you are sure the key already exists in the target instance, skip this step and go directly to restoring the secret.
Select Data Type (for example, Fully Backed up Keys), locate the key associated with the secret, and click Upload Backup in the Actions column.
In the Upload Backup dialog box, select the target region and instance information, and then click OK.
Restore the secret.
Select Data Type (for example, Fully Backed up Secrets), locate the target secret, and click Upload Backup in the Actions column.
In the Upload Backup dialog box, select the target region and instance information, and then click OK.
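The viewable-days rule that opens both the software and the hardware restore procedures (extend first, but never past the date the backup was enabled), together with the expiry and release rules for purchased backups, is worked through in the following Python. It is an added example, not Alibaba Cloud code. The dates are constructed; the page's own case (backup enabled May 1, 2024 with 10 viewable days, restoring May 5 on May 20) is reproduced, and treating the 15th day after expiration as already released rather than still renewable is an assumption.

```python
from datetime import date, timedelta
from typing import Tuple, Union

DateLike = Union[date, str]

# From the page: a purchased backup is released and deleted 15 days after it
# expires. Treating day 15 itself as released (rather than still renewable)
# is an assumption made in this example.
RELEASE_GRACE_DAYS = 15


def _as_date(d: DateLike) -> date:
    """Accept a date or an ISO-8601 string such as '2024-05-20'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def visible_window(today: DateLike, viewable_days: int) -> Tuple[date, date]:
    """Inclusive range of backup dates visible on `today`: the most recent
    `viewable_days` days, today included."""
    today = _as_date(today)
    return today - timedelta(days=viewable_days - 1), today


def required_viewable_days(enabled_on: DateLike, restore_date: DateLike, today: DateLike) -> int:
    """Smallest viewable-days setting under which `restore_date` is visible on
    `today`. Raises ValueError for dates no backup can cover: before the backup
    was enabled (extending viewable days cannot help) or in the future."""
    enabled_on, restore_date, today = map(_as_date, (enabled_on, restore_date, today))
    if restore_date < enabled_on:
        raise ValueError("no backup data exists before the backup was enabled")
    if restore_date > today:
        raise ValueError("restore date is in the future")
    return (today - restore_date).days + 1


def extension_needed(current_viewable: int, enabled_on: DateLike,
                     restore_date: DateLike, today: DateLike) -> int:
    """Extra viewable days to purchase before the restore, 0 if the date is
    already visible. Only upgrades exist, so the result is never negative."""
    return max(required_viewable_days(enabled_on, restore_date, today) - current_viewable, 0)


def purchased_backup_status(expires_on: DateLike, today: DateLike) -> str:
    """'active'; 'expired' (only renewal is possible); or 'released' (deleted)."""
    expires_on, today = map(_as_date, (expires_on, today))
    if today <= expires_on:
        return "active"
    if (today - expires_on).days < RELEASE_GRACE_DAYS:
        return "expired"
    return "released"


if __name__ == "__main__":
    # The page's example: enabled May 1, 2024 with 10 viewable days; restoring
    # May 5 on May 20 needs 16 viewable days, i.e. an upgrade of 6 days.
    lo, hi = visible_window("2024-05-20", 10)
    print(f"visible now: {lo} .. {hi}")
    print("required:", required_viewable_days("2024-05-01", "2024-05-05", "2024-05-20"))
    print("extension:", extension_needed(10, "2024-05-01", "2024-05-05", "2024-05-20"))
```

Run the calculation before clicking Extend Queryable Range: a ValueError means no extension will bring the date into range, and a status of expired means the only available operation is Renew.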
More operations
Extend viewable days
Only purchased backups support extending viewable days, and only upgrades (not downgrades) are supported.
Log on to the KMS console.
In the Actions column of the target backup, click View Data.
On the backup details page, click Upgrade, select the extended number of viewable days, click Buy Now, and complete the payment.
Reset backup
Only default backups and purchased backups support the reset operation. Resetting deletes all backed-up data and unbinds the backup from the software key management instance.
Reset permanently deletes all data that has been backed up by this backup. Proceed with caution.
Log on to the KMS console.
In the Actions column of the target backup, click Reset.
Read the prompts in the Reset dialog box carefully, and then click OK.
After the reset, the backup status changes to Disabled. You can then rebind it to a software key management instance.
Renew backup
Only purchased backups support renewal.
Log on to the KMS console.
In the Actions column of the target backup, click Renew.
On the renewal page, select the purchase duration, review the service agreement, and complete the payment.
Download backup data files
After downloading the backup data file, store it securely. The backup data file can only be used to restore data in the KMS console.
Log on to the KMS console.
In the Actions column of the target backup, click Download.
In the Download dialog box, select Backup Date, and then click OK.
Note: If the backup data is outside the Viewable Days range, you must extend the viewable days before downloading.
Save the backup data.
Click the icon next to Decryption Key to copy the key, and then save it locally.
Click Download next to Backup Data to download the backup data file and save it securely.
Important: The data encryption key is used to decrypt the downloaded backup data file. KMS does not store the Data Encryption Key or the Backup Data File. Keep them secure to prevent data leakage.
Upload backup data files
If you are uploading backup data files across borders, ensure that you comply with the relevant laws and regulations regarding data export.
Log on to the KMS console.
On the Backups page, click Import Backup Data.
In the Import Backup Data dialog box, enter the Decryption Key and Backup Name, and then click OK.
In the file selection dialog, select the backup data file and click Open.
After the upload succeeds, you can view the uploaded data on the Backups page. The Backup Type is displayed as Upload.
View associated HSM information
This information helps you identify the HSM cluster that needs to be backed up. Set the HSM backup time one day later than the KMS backup time to ensure data consistency.
Log on to the KMS console.
On the Backups page, click Extend Queryable Range in the Actions column of the target backup.
In the basic information panel of the backup details page, you can view the following HSM-related fields:
Cluster ID: The HSM cluster ID associated with the hardware instance.
Primary HSM: The primary HSM ID in the HSM cluster.
FAQ
How do I view the viewable days of a backup?
On the Backups page, view the Queryable Range field.

What should I do if the restore fails due to insufficient quota?
If the restore fails because the target instance has reached its quota limit for keys or secrets, delete unused keys or secrets from the target instance to free up space, or upgrade the target instance to a higher specification. After resolving the quota issue, retry the restore.
What should I do if a name conflict occurs during restore?
Restore requires that no key or secret with the same name exists in the target instance. If a conflict occurs, delete the conflicting resource in the target instance first, then retry. To preserve the existing resource, rename it before deleting, or restore to a different target instance.
How do I handle an expired backup?
For purchased backups, no operations are supported after expiration. If the backup has not yet been released (within 15 days after expiration), you can renew it to reactivate it. Renewal charges are the same as purchasing a new backup of the same specification. Automatic backups cannot be renewed and depend on the associated KMS instance lifecycle.