To create, view, manage, use, and schedule deletion of the KMS keys in an external key store, you use procedures that are very similar to those you use for other KMS keys. However, when you create a KMS key in an external key store, you specify an external key store and an external key. When you use a KMS key in an external key store, encryption and decryption operations are performed by your external key manager using the specified external key.
AWS KMS cannot create, view, update, or delete any cryptographic keys in your external key manager. AWS KMS never directly accesses your external key manager or any external key. All requests for cryptographic operations are mediated by your external key store proxy. To use a KMS key in an external key store, the external key store that hosts the KMS key must be connected to its external key store proxy.
In addition to the procedures discussed in this section, you can do the following with KMS keys in an external key store:
When you use your KMS key in a request, identify the KMS key by its key ID, key ARN, alias, or alias ARN. You do not need to specify the external key store. The response includes the same fields that are returned for any symmetric encryption KMS key. However, when you use a KMS key in an external key store, encryption and decryption operations are performed by your external key manager using the external key that is associated with the KMS key.
To ensure that ciphertext encrypted by a KMS key in an external key store is at least as secure as any ciphertext encrypted by a standard KMS key, AWS KMS uses double encryption. Data is first encrypted in AWS KMS using AWS KMS key material. Then it is encrypted by your external key manager using the external key for the KMS key. To decrypt double-encrypted ciphertext, the ciphertext is first decrypted by your external key manager using the external key for the KMS key. Then it is decrypted in AWS KMS using the AWS KMS key material for the KMS key.
To make this possible, the following conditions are required.
The key state of the KMS key must be Enabled. To find the key state, see the Status field for customer managed keys the AWS KMS console or the KeyState field in the DescribeKey response.
The external key store that hosts the KMS key must be connected to its external key store proxy, that is, the connection state of the external key store must be CONNECTED.
You can view the connection state on the External key stores page in the AWS KMS console or in the DescribeCustomKeyStores response. The connection state of the external key store is also displayed on the detail page for the KMS key in the AWS KMS console. On the detail page, choose the Cryptographic configuration tab and see the Connection state field in the Custom key store section.
If the connection state is DISCONNECTED, you must first connect it. If the connection state is FAILED, you must resolve the problem, disconnect the external key store, and then connect it. For instructions, see Connect and disconnect external key stores.
The external key store proxy must be able to find the external key.
The external key must be enabled and it must perform encryption and decryption.
The status of the external key is independent of and not affected by changes in the key state of the KMS key, including enabling and disabling the KMS key. Similarly, disabling or deleting the external key doesn't change the key state of the KMS key, but cryptographic operations using the associated KMS key will fail.
If these conditions are not met, the cryptographic operation fails, and AWS KMS returns a KMSInvalidStateException exception. You might need to reconnect the external key store or use your external key manager tools to reconfigure or repair your external key. For additional help, see Troubleshooting external key stores.
When using the KMS keys in an external key store, be aware that the KMS keys in each external key store share a custom key store request quota for cryptographic operations. If you exceed the quota, AWS KMS returns a ThrottlingException. For details about the custom key store request quota, see Custom key store request quotas.
KMS keys in a CloudHSM key store
AWS KMS cryptography essentials
Did this page help you? - Yes
Thanks for letting us know we're doing a good job!
If you've got a moment, please tell us what we did right so we can do more of it.
Did this page help you? - No
Thanks for letting us know this page needs work. We're sorry we let you down.
If you've got a moment, please tell us how we can make the documentation better.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4