https://www.alibabacloud.com/help/en/kms/getting-started/getting-started-with-key-management

https://www.alibabacloud.com/help/en/kms/developer-reference/api-createkey

 

-- 前提

(1) KMS instance作成済、有効化済
 Billing Method:  Pay-as-you-go 3.0
 Instance Type:  Software Key Management

(2) コンソールよりkmsアクセス権限をロールに付与済み

Role:
AliyunECSDiskEncryptionDefaultRole
Description:
By default, ECS uses this role to access KMS.
Permission Description:
The role has the permissions required to use the disk encryption feature, including the permissions to access KMS.

 

 

-- 1. Create a software-protected key

 

aliyun kms ListKmsInstances

aliyun kms GetKmsInstance \
--KmsInstanceId kst-111111111111111111111 

 

aliyun kms CreateKey \
--Description key01 \
--KeyUsage ENCRYPT/DECRYPT \
--Origin Aliyun_KMS \
--ProtectionLevel SOFTWARE \
--EnableAutomaticRotation false \
--KeySpec Aliyun_AES_256 \
--DKMSInstanceId kst-111111111111111111111 

aliyun kms ListKeys 

aliyun kms DescribeKey \
--KeyId key-111111111111111111111 

 

-- 2. Use the software-protected key

aliyun ecs DescribeInstances 

 

aliyun ecs CreateInstance \
--InstanceType ecs.t5-lc2m1.nano \
--CreditSpecification Standard \
--DeletionProtection false \
--Description instance01 \
--ImageId aliyun_2_1903_x64_20G_alibase_20231221.vhd \
--InstanceChargeType PostPaid \
--InstanceName instance01 \
--KeyPairName alibabakey01 \
--SecurityGroupId sg-11111111111111111111 \
--SystemDisk.Category cloud_ssd \
--SystemDisk.Size 20 \
--VSwitchId vsw-111111111111111111111 \
--ZoneId ap-northeast-1a \
--DataDisk.1.Category cloud_ssd \
--DataDisk.1.DeleteWithInstance true \
--DataDisk.1.Encrypted true \
--DataDisk.1.KMSKeyId key-111111111111111111111 \
--DataDisk.1.Size 20 

aliyun ecs DescribeDisks \
--InstanceId i-11111111111111111111 \

 

 

-- 3. クリーンアップ

aliyun ecs DeleteInstance \
--InstanceId i-11111111111111111111 \
--Force true 

 

aliyun kms ScheduleKeyDeletion \
--KeyId key-111111111111111111111 \
--PendingWindowInDays 7