Downloading public keys - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Downloading public keys

You can view, copy, and download the public key from an asymmetric KMS key pair by using the Amazon Web Services Management Console or the Amazon KMS API. You must have kms:GetPublicKey permission on the asymmetric KMS key.

Each asymmetric KMS key pair consists of a private key that never leaves Amazon KMS unencrypted and a public key that you can download and share.

You might share a public key to let others encrypt data outside of Amazon KMS that you can decrypt only with your private key. Or, to allow others to verify a digital signature outside of Amazon KMS that you have generated with your private key.

When you use the public key in your asymmetric KMS key within Amazon KMS, you benefit from the authentication, authorization, and logging that are part of every Amazon KMS operation. You also reduce the risk of encrypting data that cannot be decrypted. These features are not effective outside of Amazon KMS. For details, see Special considerations for downloading public keys.

Tip

Looking for data keys or SSH keys? This topic explains how to manage asymmetric keys in Amazon Key Management Service, where the private key is not exportable. For exportable data key pairs where the private key is protected by a symmetric encryption KMS key, see GenerateDataKeyPair. For help with downloading the public key associated with an Amazon EC2 instance, see Retrieving the public key in the Amazon EC2 User Guide for Linux Instances and Amazon EC2 User Guide for Windows Instances.

Special considerations for downloading public keys

To protect your KMS keys, Amazon KMS provides access controls, authenticated encryption, and detailed logs of every operation. Amazon KMS also allows you to prevent the use of KMS keys, temporarily or permanently. Finally, Amazon KMS operations are designed to minimize the risk of encrypting data that cannot be decrypted. These features are not available when you use downloaded public keys outside of Amazon KMS.

Authorization

Key policies and IAM policies that control access to the KMS key within Amazon KMS have no effect on operations performed outside of Amazon. Any user who can get the public key can use it outside of Amazon KMS even if they don't have permission to encrypt data or verify signatures with the KMS key.

Key usage restrictions

Key usage restrictions are not effective outside of Amazon KMS. If you call the Encrypt operation with a KMS key that has a KeyUsage of SIGN_VERIFY, the Amazon KMS operation fails. But if you encrypt data outside of Amazon KMS with a public key from a KMS key with a KeyUsage of SIGN_VERIFY, the data cannot be decrypted.

Algorithm restrictions

Restrictions on the encryption and signing algorithms that Amazon KMS supports are not effective outside of Amazon KMS. If you encrypt data with the public key from a KMS key outside of Amazon KMS, and use an encryption algorithm that Amazon KMS does not support, the data cannot be decrypted.

Disabling and deleting KMS keys

Actions that you can take to prevent the use of a KMS key in a cryptographic operation within Amazon KMS do not prevent anyone from using the public key outside of Amazon KMS. For example, disabling a KMS key, scheduling deletion of a KMS key, deleting a KMS key, or deleting the key material from a KMS key have no effect on a public key outside of Amazon KMS. If you delete an asymmetric KMS key or delete or lose its key material, data that you encrypt with a public key outside of Amazon KMS is unrecoverable.

Logging

Amazon CloudTrail logs that record every Amazon KMS operation, including the request, response, date, time, and authorized user, do not record the use of the public key outside of Amazon KMS.

Offline verification with SM2 key pairs (China Regions only)

To verify a signature outside of Amazon KMS with an SM2 public key, you must specify the distinguishing ID. By default, Amazon KMS uses 1234567812345678 as the distinguishing ID. For more information, see Offline verification with SM2 key pairs (China Regions only).

Downloading a public key (console)

You can use the Amazon Web Services Management Console to view, copy, and download the public key from an asymmetric KMS key in your Amazon Web Services account. To download the public key from an asymmetric KMS key in a different Amazon Web Services account, use the Amazon KMS API.

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys.

  4. Choose the alias or key ID of an asymmetric KMS key.

  5. Choose the Cryptographic configuration tab. Record the values of the Key spec, Key usage, and Encryption algorithms or Signing Algorithms fields. You'll need to use these values to use the public key outside of Amazon KMS. Be sure to share this information when you share the public key.

  6. Choose the Public key tab.

  7. To copy the public key to your clipboard, choose Copy. To download the public key to a file, choose Download.

Downloading a public key (Amazon KMS API)

The GetPublicKey operation returns the public key in an asymmetric KMS key. It also returns critical information that you need to use the public key correctly outside of Amazon KMS, including the key usage and encryption algorithms. Be sure to save these values and share them whenever you share the public key.

The examples in this section use the Amazon Command Line Interface (Amazon CLI), but you can use any supported programming language.

To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with alias/. To specify a KMS key in a different Amazon Web Services account, you must use its key ARN or alias ARN.

Before running this command, replace the example alias name with a valid identifier for the KMS key. To run this command, you must have kms:GetPublicKey permissions on the KMS key.

$ aws kms get-public-key --key-id alias/example_RSA_3072

{
    "KeySpec": "RSA_3072",
    "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "EncryptionAlgorithms": [
        "RSAES_OAEP_SHA_1",
        "RSAES_OAEP_SHA_256"
    ],
    "PublicKey": "MIIBojANBgkqhkiG..."
}
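The following Python example is added here and is not part of the Amazon KMS documentation or of any Amazon SDK. It consumes a get-public-key response of the shape shown above, honouring the KeyUsage, KeySpec, and EncryptionAlgorithms fields the text tells you to save: it decodes the base64 DER (SubjectPublicKeyInfo) PublicKey with the cryptography library, maps each KMS RSAES_OAEP algorithm name to the matching local OAEP parameters (KMS uses the same hash for the OAEP digest and for MGF1), and then reproduces the failure modes described under Key usage restrictions and Algorithm restrictions: ciphertext produced with a padding or hash that KMS does not offer cannot be recovered by the holder of the private key. The response is a constructed fixture built from a locally generated RSA key pair that stands in for the KMS key (it reuses the sample key ARN from this page); the function names and the simulate_kms_decrypt stand-in are assumptions of the example, not KMS APIs.

```python
"""Added example (not Amazon KMS code): use a get-public-key response outside
of KMS, and see what happens when its metadata is ignored."""
import base64

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Hash behind each KMS RSAES_OAEP algorithm identifier. KMS applies the same
# hash to the OAEP digest and to the MGF1 mask generation function.
OAEP_HASHES = {
    "RSAES_OAEP_SHA_1": hashes.SHA1,
    "RSAES_OAEP_SHA_256": hashes.SHA256,
}


def oaep_padding(algorithm):
    """Translate a KMS encryption algorithm name into local OAEP parameters."""
    if algorithm not in OAEP_HASHES:
        raise ValueError(f"{algorithm} is not a KMS RSA encryption algorithm")
    digest = OAEP_HASHES[algorithm]
    return padding.OAEP(mgf=padding.MGF1(digest()), algorithm=digest(), label=None)


def load_public_key(response):
    """Parse the PublicKey field (base64 DER SubjectPublicKeyInfo) of a
    get-public-key response, refusing keys whose metadata says KMS cannot
    decrypt with them (the Key usage restriction enforced only inside KMS)."""
    if response.get("KeyUsage") != "ENCRYPT_DECRYPT":
        raise ValueError("KeyUsage is not ENCRYPT_DECRYPT; KMS could never decrypt")
    key = serialization.load_der_public_key(base64.b64decode(response["PublicKey"]))
    expected_bits = int(response["KeySpec"].split("_")[1])   # "RSA_3072" -> 3072
    if not isinstance(key, rsa.RSAPublicKey) or key.key_size != expected_bits:
        raise ValueError("public key does not match the advertised KeySpec")
    return key


def encrypt_for_kms(response, plaintext, algorithm):
    """Encrypt outside KMS, but only with an algorithm the response lists."""
    if algorithm not in response.get("EncryptionAlgorithms", []):
        raise ValueError(f"{algorithm} is not offered by this KMS key")
    return load_public_key(response).encrypt(plaintext, oaep_padding(algorithm))


def simulate_kms_decrypt(private_key, ciphertext, algorithm):
    """Hypothetical local stand-in for the KMS Decrypt call (not KMS code): the
    private key is only ever applied with the OAEP parameters named in the
    request, so anything encrypted differently is unrecoverable."""
    try:
        return private_key.decrypt(ciphertext, oaep_padding(algorithm))
    except ValueError:
        return None   # a failed decryption


def make_constructed_response(key_size=3072):
    """Constructed fixture: a local key pair stands in for the KMS key, and the
    dict mirrors the fields that `aws kms get-public-key` returns."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    der = private_key.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    response = {
        "KeySpec": f"RSA_{key_size}",
        "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "EncryptionAlgorithms": ["RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"],
        "PublicKey": base64.b64encode(der).decode(),
    }
    return private_key, response


def demo():
    private_key, response = make_constructed_response()
    msg = b"data encrypted outside of KMS"
    # Correct use: the algorithm comes from the response, so Decrypt recovers it.
    good = encrypt_for_kms(response, msg, "RSAES_OAEP_SHA_256")
    # Algorithm restriction ignored: PKCS#1 v1.5 is not a KMS algorithm, so no
    # KMS Decrypt request can ever turn this ciphertext back into plaintext.
    bad = load_public_key(response).encrypt(msg, padding.PKCS1v15())
    return {
        "correct": simulate_kms_decrypt(private_key, good, "RSAES_OAEP_SHA_256") == msg,
        # Same key, wrong hash in the Decrypt request: also unrecoverable.
        "mismatched_hash": simulate_kms_decrypt(private_key, good, "RSAES_OAEP_SHA_1"),
        "unsupported_padding": simulate_kms_decrypt(private_key, bad, "RSAES_OAEP_SHA_256"),
    }


if __name__ == "__main__":
    print(demo())
```

To use a real response instead of the fixture, save the CLI output (`aws kms get-public-key --key-id alias/example_RSA_3072 > response.json`) and pass `json.load(open("response.json"))` to encrypt_for_kms; the same decoded DER can be turned into PEM with `openssl pkey -pubin -inform DER -in key.der -out key.pem` if another tool needs it. Whatever you do with the key, the Decrypt request back to Amazon KMS must name the same algorithm that was used to encrypt.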