Download public key
You can download the public key from an asymmetric KMS key pair in the Amazon KMS console or by using the GetPublicKey operation. To download the public key, you must have kms:GetPublicKey permission on the asymmetric KMS key.
The public key that Amazon KMS returns is a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo (SPKI), as defined in RFC 5280.
To download the public key from an asymmetric KMS key pair, you need kms:GetPublicKey permissions. For more information about Amazon KMS permissions, see the Permissions reference.
You can use the Amazon Web Services Management Console to view, copy, and download the public key from an asymmetric KMS key in your Amazon Web Services account. To download the public key from an asymmetric KMS key in a different Amazon Web Services account, use the Amazon KMS API.
- Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms.
- To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.
- In the navigation pane, choose Customer managed keys.
- Choose the alias or key ID of an asymmetric KMS key.
- Choose the Cryptographic configuration tab. Record the values of the Key spec, Key usage, and Encryption algorithms or Signing Algorithms fields. You'll need these values to use the public key outside of Amazon KMS. Be sure to share this information when you share the public key.
- Choose the Public key tab.
- To copy the public key to your clipboard, choose Copy. To download the public key to a file, choose Download.
The GetPublicKey operation returns the public key in an asymmetric KMS key. It also returns critical information that you need to use the public key correctly outside of Amazon KMS, including the key usage and encryption algorithms. Be sure to save these values and share them whenever you share the public key.
The examples in this section use the Amazon Command Line Interface (Amazon CLI).
To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with alias/. To specify a KMS key in a different Amazon Web Services account, you must use its key ARN or alias ARN.
Before running this command, replace the example alias name with a valid identifier for the KMS key. To run this command, you must have kms:GetPublicKey permissions on the KMS key.
$ aws kms get-public-key --key-id alias/example_RSA_3072
{
    "KeySpec": "RSA_3072",
    "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "EncryptionAlgorithms": [
        "RSAES_OAEP_SHA_1",
        "RSAES_OAEP_SHA_256"
    ],
    "PublicKey": "MIIBojANBgkqhkiG..."
}
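Before using a downloaded key outside Amazon KMS, it is worth confirming that the DER in the PublicKey field actually matches the KeySpec you recorded. The following is an added example, not Amazon's code: it decodes the base64 SPKI with a minimal standard-library ASN.1 reader, extracts the RSA modulus and exponent, and checks them against KeySpec. It handles only RSA key specs, and the sample response is constructed (a 3072-bit odd integer stands in for a real modulus, so only the format is exercised).

```python
import base64
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def _tlv(tag, body):
    # DER tag-length-value; lengths >= 128 use the long form (0x8N then N length bytes)
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    head = lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + head + body

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)  # keep INTEGER positive

def encode_rsa_spki(n, e):
    # SubjectPublicKeyInfo { AlgorithmIdentifier{rsaEncryption, NULL}, BIT STRING RSAPublicKey }
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + b"\x05\x00")
    rsa_pub = _tlv(0x30, _der_int(n) + _der_int(e))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))

def _read_tlv(buf, pos):
    # Return (tag, contents, position after the element) for the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_spki(der):
    tag, spki, end = _read_tlv(der, 0)        # outer SEQUENCE
    alg_tag, alg, pos = _read_tlv(spki, 0)    # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg, 0)
    bit_tag, bits, _ = _read_tlv(spki, pos)   # BIT STRING; first byte = unused bit count
    expected = (0x30, 0x30, 0x06, RSA_OID, 0x03, 0, len(der))
    if (tag, alg_tag, oid_tag, oid, bit_tag, bits[0], end) != expected:
        raise ValueError("not a well-formed rsaEncryption SubjectPublicKeyInfo")
    _, rsa_pub, _ = _read_tlv(bits, 1)        # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_bytes, pos = _read_tlv(rsa_pub, 0)
    _, e_bytes, _ = _read_tlv(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def check_get_public_key(response):
    # Modulus size in bits if PublicKey agrees with the recorded KeySpec (RSA_* specs only)
    spec = response["KeySpec"]
    n, e = parse_rsa_spki(base64.b64decode(response["PublicKey"]))
    if not spec.startswith("RSA_") or n.bit_length() != int(spec[4:]) or e != 65537:
        raise ValueError(f"PublicKey does not match KeySpec {spec}")
    return n.bit_length()

# Constructed sample response: a 3072-bit odd integer stands in for a real modulus
SAMPLE_RESPONSE = {"KeySpec": "RSA_3072", "KeyUsage": "ENCRYPT_DECRYPT",
                   "PublicKey": base64.b64encode(encode_rsa_spki((1 << 3071) | 1, 65537)).decode()}
```

A real response's PublicKey value starts with the same "MIIB" prefix because a 3072-bit RSA SPKI is always 422 bytes.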