Special considerations for imported key material - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Special considerations for imported key material

Before you decide to import key material into Amazon KMS, you should understand the following characteristics of imported key material.

You generate the key material

You are responsible for generating the key material using a source of randomness that meets your security requirements.

You're responsible for availability and durability

Amazon KMS is designed to keep imported key material highly available. But Amazon KMS does not maintain the durability of imported key material at the same level as key material that Amazon KMS generates. For details, see Protecting imported key material.

You can delete the key material

You can delete imported key material from a KMS key, immediately rendering the KMS key unusable. Also, when you import key material into a KMS key, you can determine whether the key expires and set its expiration time. When the expiration time arrives, Amazon KMS deletes the key material. Without key material, the KMS key cannot be used in any cryptographic operation. To restore the key, you must reimport the same key material into the key.

You cannot change the key material for asymmetric, HMAC, and multi-Region keys

When you import key material into a KMS key, the KMS key is permanently associated with that key material. You can reimport the same key material, but you cannot import different key material into that KMS key. Also, you cannot enable automatic key rotation for a KMS key with imported key material. However, you can manually rotate a KMS key with imported key material.

You can perform on-demand rotation on single-Region, symmetric encryption keys

Single-Region symmetric encryption keys with imported key material support on-demand rotation. You can import multiple key materials into these keys and use on-demand rotation to update the current key material. The current key material is used for both encryption and decryption but other (non-current) key materials can only be used for decryption.

You cannot change the key material origin

KMS keys designed for imported key material have an origin value of EXTERNAL that cannot be changed. You cannot convert a KMS key for imported key material to use key material from any other source, including Amazon KMS. Similarly, you cannot convert a KMS key with Amazon KMS key material into one designed for imported key material.

You cannot export key material

You cannot export any key material that you imported. Amazon KMS cannot return the imported key material to you in any form. You must maintain a copy of your imported key material outside of Amazon, preferably in a key manager, such as a hardware security module (HSM), so you can reimport the key material if you delete it or it expires.

You can create multi-Region keys with imported key material

Multi-Region with imported key material have the features of KMS keys with imported key material, and can interoperate between Amazon Web Services Regions. To create a multi-Region key with imported key material, you must import the same key material into the primary KMS key and into each replica key. Multi-Region symmetric encryption keys do not support on-demand rotation.

Asymmetric keys and HMAC keys are portable and interoperable

You can use your asymmetric key material and HMAC key material outside of Amazon to interoperate with Amazon KMS keys with the same imported key material.

Unlike the Amazon KMS symmetric ciphertext, which is inextricably bound to the KMS key used in the algorithm, Amazon KMS uses standard HMAC and asymmetric formats for encryption, signing, and MAC generation. As a result, the keys are portable and support traditional escrow key scenarios.

When your KMS key has imported key material, you can use the imported key material outside of Amazon to perform the following operations.

  • HMAC keys — You can verify a HMAC tag that was generated by the HMAC KMS key with imported key material. You can also use the HMAC KMS key with the imported key material to verify an HMAC tag that was generated by the key material outside of Amazon.

  • Asymmetric encryption keys — You can use your private asymmetric encryption key outside of Amazon to decrypt a ciphertext encrypted by the KMS key with the corresponding public key. You can also use your asymmetric KMS key to decrypt an asymmetric ciphertext that was generated outside of Amazon.

  • Asymmetric signing keys — You can use your asymmetric signing KMS key with imported key material to verify digital signatures generated by your private signing key outside of Amazon. You can also use your asymmetric public signing key outside of Amazon to verify signatures generated by your asymmetric KMS key.

  • Asymmetric key agreement keys — You can use your asymmetric key agreement KMS key with imported key material to derive shared secrets with a peer outside of Amazon.

If you import the same key material into different KMS keys in the same Amazon Web Services Region, those keys are also interoperable. To create interoperable KMS keys in different Amazon Web Services Regions, create a multi-Region key with imported key material.

Symmetric encryption keys are not portable or interoperable

The symmetric ciphertexts that Amazon KMS produces are not portable or interoperable. Amazon KMS does not publish the symmetric ciphertext format that portability requires, and the format might change without notice.

  • Amazon KMS cannot decrypt symmetric ciphertexts that you encrypt outside of Amazon, even if you use key material that you have imported.

  • Amazon KMS does not support decrypting any Amazon KMS symmetric ciphertext outside of Amazon KMS, even if the ciphertext was encrypted under a KMS key with imported key material.

  • KMS keys with the same imported key material are not interoperable. The symmetric ciphertext that Amazon KMS generates ciphertext that is specific to each KMS key. This ciphertext format guarantees that only the KMS key that encrypted data can decrypt it.

Also, you cannot use any Amazon tools, such as the Amazon Encryption SDK or Amazon S3 client-side encryption, to decrypt Amazon KMS symmetric ciphertexts.

As a result, you cannot use keys with imported key material to support key escrow arrangements where an authorized third party with conditional access to key material can decrypt certain ciphertexts outside of Amazon KMS. To support key escrow, use the Amazon Encryption SDK to encrypt your message under a key that is independent of Amazon KMS.