You can create an AWS KMS keys (KMS key) with key material that you supply.
A KMS key is a logical representation of a data key. The metadata for a KMS key includes the ID of the key material used to perform cryptographic operations. When you create a KMS key, by default, AWS KMS generates the key material for that KMS key. But you can create a KMS key without key material and then import your own key material into that KMS key, a feature often known as "bring your own key" (BYOK).
NoteAWS KMS does not support decrypting any AWS KMS ciphertext encrypted by a symmetric encryption KMS key outside of AWS KMS, even if the ciphertext was encrypted under a KMS key with imported key material. AWS KMS does not publish the ciphertext format this task requires, and the format might change without notice.
When you use imported key material, you remain responsible for the key material while allowing AWS KMS to use a copy of it. You might choose to do this for one or more of the following reasons:
To prove the key material was generated using a source of entropy that meets your requirements.
To use key material from your own infrastructure with AWS services, and to use AWS KMS to manage the lifecycle of that key material within AWS.
To use existing, well-established keys in AWS KMS, such as keys for code signing, PKI certificate signing, and certificate pinned applications
To set an expiration time for the key material in AWS and to manually delete it, but to also make it available again in the future. In contrast, scheduling key deletion requires a waiting period of 7 to 30 days, after which you cannot recover the deleted KMS key.
To own the original copy of the key material, and to keep it outside of AWS for additional durability and disaster recovery during the complete lifecycle of the key material.
For asymmetric keys and HMAC keys, importing creates compatible and interoperable keys that operate within and outside of AWS.
Supported KMS key types
AWS KMS supports imported key material for the following types of KMS keys. You cannot import key material into KMS keys in custom key stores.
Regions
Imported key material is supported in all AWS Regions that AWS KMS supports.
In China Regions, the key material requirements for symmetric encryption KMS keys differ from other Regions. For details, see Step 3: Encrypt the key material.
Learn more
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4