Identifying symmetric and asymmetric KMS keys - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Identifying symmetric and asymmetric KMS keys

To determine if a particular KMS key is symmetric or asymmetric, find the key type or key spec. You can use the Amazon KMS console or Amazon KMS API.

Some of these methods also show you other aspects of the cryptographic configuration of a KMS key, including the key usage and the encryption or signing algorithms that the KMS key supports. You can view the cryptographic configuration of an existing KMS key, but you cannot change it.

For general information about viewing KMS keys, including sorting, filtering, and choosing columns for your console display, see Viewing KMS keys in the console.

Finding the key type in the KMS key table

In the Amazon KMS console, the Key type column shows whether each KMS key is symmetric or asymmetric. You can add a Key type column to the KMS key table on the Customer managed keys or Amazon managed keys pages in the console.

To identify symmetric and asymmetric KMS keys in your KMS key table, use the following procedure.

  1. Open the Amazon KMS console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Region, use the Region selector in the upper-right corner of the page.

  3. To view the keys in your account that you create and manage, in the navigation pane choose Customer managed keys. To view the keys in your account that Amazon creates and manages for you, in the navigation pane, choose Amazon managed keys.

  4. The Key type columns shows whether each KMS key is symmetric or asymmetric. You can also sort and filter by the Key type value.

    If the Key type column does not appear in your KMS key table, choose the gear icon in the upper right corner of the page, choose Key type, and then choose Confirm. You can also add the Key spec and Key usage columns.

    
                        The Key type column in a KMS key table

Finding the key type on the details page

In the Amazon KMS console, the details page for each KMS key includes a Cryptographic Configuration tab that displays the key type (symmetric or asymmetric) and other cryptographic details about the KMS key.

To identify symmetric and asymmetric KMS keys on the details page for a KMS key, use the following procedure.

  1. Open the Amazon KMS console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Region, use the Region selector in the upper-right corner of the page.

  3. To view the keys in your account that you create and manage, in the navigation pane choose Customer managed keys. To view the keys in your account that Amazon creates and manages for you, in the navigation pane, choose Amazon managed keys.

  4. Choose the alias or key ID of a KMS key.

  5. Choose the Cryptographic configuration tab. The tabs are below the General configuration section.

    The Cryptographic configuration tab displays the Key Type, which indicates whether it is symmetric or asymmetric. It also displays other details about the KMS key, including the Key Usage, which tells whether a KMS key can be used for encryption and decryption or signing and verification. For asymmetric KMS keys, it displays the encryption algorithms or signing algorithms that the KMS key supports.

    For example, the following is an example Cryptographic configuration tab for a symmetric KMS key.

    
                        The Cryptographic configuration tab for a
                            symmetric KMS key

    The following is an example Cryptographic configuration tab for an asymmetric RSA KMS key that's used for signing and verification.

    
                        The Cryptographic configuration tab for an
                            asymmetric KMS key

Finding the key spec using the Amazon KMS API

To determine whether a KMS key is symmetric or asymmetric, use the DescribeKey operation. The KeySpec field in the response contains the key spec of the KMS key. For a symmetric KMS key, the value of KeySpec is SYMMETRIC_DEFAULT. Other values indicate an asymmetric key.

Note

The CustomerMasterKeySpec member is deprecated. Instead, use KeySpec. To prevent breaking changes, the DescribeKey response includes KeySpec and CustomerMasterKeySpec members with the same value.

For example, DescribeKey returns the following response for a symmetric KMS key. The KeySpec value is SYMMETRIC_DEFAULT.

{ "KeyMetadata": { "AWSAccountId": "111122223333", "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321", "Arn": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", "CreationDate": 1496966810.831, "Enabled": true, "Description": "", "KeyState": "Enabled", "Origin": "AWS_KMS", "KeyManager": "CUSTOMER", "MultiRegion": false, "KeySpec": "SYMMETRIC_DEFAULT", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT", "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ] } }

The DescribeKey response for an asymmetric RSA KMS key used in signing and verification looks similar to this example. The KeySpec value is RSA_2048 and the KeyUsage is SIGN_VERIFY. The SigningAlgorithms element lists the valid signing algorithms for the KMS key.

{ "KeyMetadata": { "AWSAccountId": "111122223333", "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": 1571767572.317, "CustomerMasterKeySpec": "RSA_2048", "Enabled": false, "Description": "", "KeyState": "Disabled", "Origin": "AWS_KMS", "MultiRegion": false, "KeyManager": "CUSTOMER", "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY", "SigningAlgorithms": [ "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512" ] } }