Protecting imported key material
The key material that you import is protected in transit and at rest. Before importing the
key material, you encrypt (or "wrap") the key material with the public key of an RSA key pair
generated in Amazon KMS hardware security modules (HSMs) validated under the FIPS 140-3 Cryptographic Module Validation Program.
Upon receipt, Amazon KMS decrypts the key material with the corresponding private key in an Amazon KMS HSM and re-encrypts it under an AES symmetric key that exists only in the volatile memory of the HSM. Your key material never leaves the HSM in plain text. It is decrypted only while it is in use and only within Amazon KMS HSMs.
Use of your KMS key with imported key material is determined solely by the access control policies that you set on the KMS key. In addition, you can use aliases and tags to identify and control access to the KMS key. You can enable and disable the key, and view and monitor it using services like Amazon CloudTrail.
However, you maintain the only failsafe copy of your key material. In return for this extra measure of control, you are responsible for durability and overall availability of the imported key material. Amazon KMS is designed to keep imported key material highly available. But Amazon KMS does not maintain the durability of imported key material at the same level as key material that Amazon KMS generates.
This difference in durability is meaningful in the following cases:
- When you set an expiration time for your imported key material, Amazon KMS deletes the key material after it expires. Amazon KMS does not delete the KMS key or its metadata. You can create an Amazon CloudWatch alarm that notifies you when imported key material is approaching its expiration date.
  You cannot delete key material that Amazon KMS generates for a KMS key, and you cannot set Amazon KMS key material to expire, although you can rotate it.
- When you manually delete imported key material, Amazon KMS deletes the key material but does not delete the KMS key or its metadata. In contrast, scheduling key deletion requires a waiting period of 7 to 30 days, after which Amazon KMS permanently deletes the KMS key, its metadata, and its key material.
- In the unlikely event of certain region-wide failures that affect Amazon KMS (such as a total loss of power), Amazon KMS cannot automatically restore your imported key material. However, Amazon KMS can restore the KMS key and its metadata.
You must retain a copy of the imported key material outside of Amazon in a system that you control. We recommend that you store an exportable copy of the imported key material in a key management system, such as an HSM. If your imported key material is deleted or expires, its associated KMS key becomes unusable until you reimport the same key material. If your imported key material is permanently lost, any ciphertext encrypted under the KMS key is unrecoverable.
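As an added illustration (not code from the AWS documentation or the KMS service), the following Python flags imported keys whose material is close to expiring or has already been deleted or expired, the two situations above in which the KMS key becomes unusable until the same material is reimported. The records are constructed to mirror the `KeyMetadata` fields returned by `DescribeKey` (`Origin`, `KeyState`, `ExpirationModel`, `ValidTo`); the key IDs are placeholders, and the 30-day warning window is an assumed operational threshold.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of DescribeKey KeyMetadata records (placeholder key IDs,
# not real KMS identifiers). "NOW" is fixed so the run is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"KeyId": "key-imported-expiring", "Origin": "EXTERNAL", "KeyState": "Enabled",
     "ExpirationModel": "KEY_MATERIAL_EXPIRES", "ValidTo": NOW + timedelta(days=5)},
    {"KeyId": "key-imported-ok", "Origin": "EXTERNAL", "KeyState": "Enabled",
     "ExpirationModel": "KEY_MATERIAL_EXPIRES", "ValidTo": NOW + timedelta(days=90)},
    {"KeyId": "key-imported-unusable", "Origin": "EXTERNAL", "KeyState": "PendingImport",
     "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"},
    {"KeyId": "key-aws-generated", "Origin": "AWS_KMS", "KeyState": "Enabled",
     "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"},
]


def classify_imported_key(meta, now, warn_within=timedelta(days=30)):
    """Return a finding for one KMS key, or None if nothing needs attention.

    Only keys with Origin EXTERNAL (imported material) are considered; keys
    whose material Amazon KMS generated cannot expire and are skipped.
    """
    if meta.get("Origin") != "EXTERNAL":
        return None
    if meta.get("KeyState") == "PendingImport":
        # Material was deleted or has expired: the key and its metadata still
        # exist, but it cannot be used until the same material is reimported.
        return "unusable: key material missing, reimport required"
    if meta.get("ExpirationModel") == "KEY_MATERIAL_EXPIRES":
        remaining = meta["ValidTo"] - now
        if remaining <= timedelta(0):
            return "expired"
        if remaining <= warn_within:
            # Assumed threshold: raise the alert a month before expiry.
            return f"expires in {remaining.days} days"
    return None


def imported_key_findings(keys, now, warn_within=timedelta(days=30)):
    """Map KeyId -> finding for every imported key that needs attention."""
    findings = {}
    for meta in keys:
        finding = classify_imported_key(meta, now, warn_within)
        if finding:
            findings[meta["KeyId"]] = finding
    return findings


if __name__ == "__main__":
    for key_id, finding in imported_key_findings(SAMPLE_KEYS, NOW).items():
        print(f"{key_id}: {finding}")
```

In practice the records would come from paginating `ListKeys` and calling `DescribeKey` on each, and a finding would feed the CloudWatch alarm or ticket that prompts reimporting from the externally held copy.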