KMS FAQ and limits

Frequently asked questions

How do I check if KMS is available in my region?

Call GET /v1/kms/summary. The response includes featureEnabled for your organisation and kmsAvailable per region. See Getting started.

Can I rename a key or update its description?

No. Name, description, labels, and annotations are set at creation and cannot be changed. Create a new key and migrate workloads if you need different metadata.

Can I enable export after creating a key?

No. exportAllowed must be set at create time. You cannot enable key material export on an existing key.

Do I need to re-encrypt data after rotation?

No. Ciphertext embeds the key version. KMS decrypts with the correct version automatically after rotation.

Can I use a key across regions?

No. Keys are regional. Crypto operations must call the API path for the key’s region.

Why do I get 404 when I know the key exists?

Insufficient IAM permissions return 404 Not Found instead of 403 Forbidden to avoid revealing key existence. Verify your role bindings and project scope.

Can I import HMAC keys?

No. HMAC key types cannot be imported via BYOK.

Limits

| Limit | Value |
| --- | --- |
| Encrypt/decrypt plaintext (decoded) | 1–65,535 bytes |
| RSA-2048 direct encrypt plaintext | ~190 bytes effective maximum |
| Automatic rotation period | 1–3650 days |
| Pending deletion retention | 30 days |
| Key metadata updates | Not supported after create |

Troubleshooting

| HTTP status | Typical cause | What to do |
| --- | --- | --- |
| 403 | KMS feature not enabled for organisation | Contact your administrator to enable KMS |
| 404 | Region/key not found, wrong project scope, or insufficient IAM | Verify region, project header, and role bindings |
| 400 | Key disabled or pending deletion; wrong operation for key type; export not allowed; invalid payload size | Check key status and key types; validate request |
| 409 | Duplicate key slug in org/region/project scope | Choose a unique name or slug |
| 503 | KMS not available in the region | Use a different region or contact support about regional availability |

Ciphertext format

KMS returns ciphertext as:

thalassa:v{version}:{payload}
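
Because the key version is embedded in the ciphertext, a client can read it without calling KMS. The following is an added example, not Thalassa's own code: it parses the envelope above, inventories which key versions a set of stored ciphertexts still references, and checks the plaintext size limit before an encrypt call. The function names are hypothetical, and it assumes the version is a decimal integer and the payload is an opaque, non-empty string without whitespace, which the page does not specify.

```python
import re
from collections import Counter

# Envelope from this page: thalassa:v{version}:{payload}
# Assumptions (not stated on the page): version is a decimal integer and
# payload is a non-empty string without whitespace, treated as opaque.
_ENVELOPE = re.compile(r"thalassa:v([0-9]+):(\S+)")

MAX_PLAINTEXT = 65_535  # decoded bytes, from the Limits table (minimum is 1)


def parse_ciphertext(ciphertext: str) -> tuple[int, str]:
    """Return (key_version, payload); raise ValueError if malformed."""
    m = _ENVELOPE.fullmatch(ciphertext.strip())
    if m is None:
        raise ValueError("not a thalassa:v{version}:{payload} value")
    return int(m.group(1)), m.group(2)


def plaintext_size_ok(plaintext: bytes) -> bool:
    """Pre-flight check against the 1-65,535 byte encrypt/decrypt limit."""
    return 1 <= len(plaintext) <= MAX_PLAINTEXT


def versions_in_use(ciphertexts):
    """Count stored ciphertexts per key version; collect malformed values."""
    counts, rejected = Counter(), []
    for ct in ciphertexts:
        try:
            version, _payload = parse_ciphertext(ct)
        except ValueError:
            rejected.append(ct)
        else:
            counts[version] += 1
    return dict(counts), rejected


# Constructed sample values, not real KMS output.
SAMPLE = [
    "thalassa:v1:AAAA", "thalassa:v2:BBBB", "thalassa:v2:CC:CC",
    "vault:v1:DDDD", "thalassa:v:EEEE", "thalassa:v3:",
]

if __name__ == "__main__":
    counts, rejected = versions_in_use(SAMPLE)
    print("ciphertexts per key version:", counts)
    print("rejected:", rejected)
```

Values that land in the rejected list are worth investigating before they reach a decrypt call, since they were not produced in the documented format.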