Importing key material step 1: Create an Amazon KMS key without key material - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

By default, Amazon KMS creates key material for you when you create an Amazon KMS key. To instead import your own key material, start by creating a KMS key with no key material. You distinguish between these two types of KMS keys by the KMS key's origin. When Amazon KMS creates the key material for you, the KMS key's origin is AWS_KMS. When you create a KMS key with no key material, the KMS key's origin is EXTERNAL, which indicates that the key material was generated outside of Amazon KMS.

A KMS key with no key material is in the pending import state and is not available for use. To use it, you must import key material as explained later. When you import key material, the KMS key's key state changes to enabled. For more information about key state, see Key states of Amazon KMS keys.

To create a KMS key with no key material, you can use the Amazon Web Services Management Console or the Amazon KMS API. You can use the API directly by making HTTP requests, or by using an Amazon SDK, Amazon Command Line Interface or Amazon Tools for PowerShell.

Amazon KMS records an entry in your Amazon CloudTrail log when you create the KMS key, download the public key and import token, and import the key material. Amazon KMS also records an entry when you delete imported key material or when Amazon KMS deletes expired key material.

For information about creating multi-Region keys with imported key material, see Importing key material into multi-Region keys.

Creating a KMS key with no key material (console)

You can use the Amazon Web Services Management Console to create a KMS key with no key material. Before you do this, you can configure the console to show the Origin column in the list of KMS keys. Imported keys have an Origin value of External.

You need to create a KMS key for the imported key material only once. To reimport the same key material into an existing KMS key, see Step 2: Download the public key and import token.

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys.

  4. Choose Create key.

  5. Choose Symmetric. You cannot import key material into an asymmetric KMS key.

  6. Expand Advanced options.

  7. For Key material origin, choose External.

    Then select the check box next to I understand the security, availability, and durability implications of using an imported key to indicate that you understand the implications of using imported key material. To read about these implications, see About imported key material.

  8. Use the Multi-Region replication section only to create a multi-Region primary key with no key material. For details, see Importing key material into multi-Region keys.

  9. Choose Next.

  10. Type an alias and (optionally) a description for the KMS key.

    Choose Next.

  11. (Optional) On the Add tags page, add tags that identify or categorize your KMS key.

    Choose Next.

  12. In the Key administrators section, select the IAM users and roles who can manage the KMS key. For more information, see Allows key administrators to administer the KMS key.

    Note

    IAM policies can give other IAM users and roles permission to manage the KMS key.

  13. (Optional) To prevent the selected IAM users and roles from deleting this KMS key, in the Key deletion section at the bottom of the page, clear the Allow key administrators to delete this key check box.

    Choose Next.

  14. In the This account section, select the IAM users and roles in this Amazon Web Services account who can use the KMS key in cryptographic operations. For more information, see Allows key users to use the KMS key.

    Note

    IAM policies can give other IAM users and roles permission to use the KMS key.

  15. (Optional) You can allow other Amazon Web Services accounts to use this KMS key for cryptographic operations. To do so, in the Other Amazon Web Services accounts section at the bottom of the page, choose Add another Amazon Web Services account and enter the Amazon Web Services account ID of an external account. To add multiple external accounts, repeat this step.

    Note

    To allow principals in the external accounts to use the KMS key, administrators of the external account must create IAM policies that provide these permissions. For more information, see Allowing users in other accounts to use a KMS key.

    Choose Next.

  16. Review the key settings that you chose. You can still go back and change all settings.

  17. When you're done, choose Finish to create the key.

    If the operation succeeds, you have created a KMS key with no key material. Its status is Pending import. To continue the process now, see Downloading the public key and import token (console). To continue the process later, choose Cancel.

Next: Step 2: Download the public key and import token.

Creating a KMS key with no key material (Amazon KMS API)

To use the Amazon KMS API to create a symmetric KMS key with no key material, send a CreateKey request with the Origin parameter set to EXTERNAL. The following example shows how to do this with the Amazon Command Line Interface (Amazon CLI).

$ aws kms create-key --origin EXTERNAL

When the command is successful, you see output similar to the following. The Amazon KMS key's Origin is EXTERNAL and its KeyState is PendingImport.

{
    "KeyMetadata": {
        "Origin": "EXTERNAL",
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Description": "",
        "Enabled": false,
        "MultiRegion": false,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "PendingImport",
        "CreationDate": 1568289600.0,
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "AWSAccountId": "111122223333",
        "KeyManager": "CUSTOMER",
        "KeySpec": "SYMMETRIC_DEFAULT",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}

Copy the KMS key's key ID from your command output to use in later steps, and then proceed to Step 2: Download the public key and import token.
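The following is an added check, not part of the Amazon KMS documentation or SDKs, that confirms the key you just created (in the console or with the CLI) really has the EXTERNAL origin and PendingImport state before you spend effort on step 2: it reads the KeyMetadata from the CreateKey output above, or from the output of aws kms describe-key --key-id for a console-created key, and refuses a key that was accidentally created with the default AWS_KMS origin. The sample input is the response shown above, embedded inline; the file name check_pending_import.py is an assumption.

```python
import json
import sys

# Constructed sample input: the CreateKey output shown above, as the CLI prints it
# or as an SDK call such as boto3's kms.create_key(Origin="EXTERNAL") returns it.
SAMPLE_CREATE_KEY_OUTPUT = json.loads("""
{"KeyMetadata": {"Origin": "EXTERNAL", "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
 "Enabled": false, "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "PendingImport",
 "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
 "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "MultiRegion": false}}
""")


class KeyNotReadyForImport(Exception):
    """The KMS key cannot receive imported key material; see import_problems()."""


def import_problems(key_metadata):
    """Return the reasons a KeyMetadata block is not ready for step 2, or [] if it is."""
    problems = []
    origin = key_metadata.get("Origin")
    if origin != "EXTERNAL":
        # AWS_KMS means KMS already generated the key material for this key; it will
        # never accept imported material, so stop here rather than in step 3.
        problems.append(f"Origin is {origin!r}, expected 'EXTERNAL'")
    state = key_metadata.get("KeyState")
    if state != "PendingImport":
        problems.append(f"KeyState is {state!r}, expected 'PendingImport'")
    if key_metadata.get("Enabled") is not False:
        problems.append("Enabled should be false until key material is imported")
    spec = key_metadata.get("KeySpec")
    if spec != "SYMMETRIC_DEFAULT":
        # This procedure creates a symmetric key; asymmetric keys are out of scope here.
        problems.append(f"KeySpec is {spec!r}, expected 'SYMMETRIC_DEFAULT'")
    return problems


def check_pending_import(response):
    """Return the KeyId from a CreateKey/DescribeKey response or raise KeyNotReadyForImport."""
    meta = response["KeyMetadata"]
    problems = import_problems(meta)
    if problems:
        raise KeyNotReadyForImport("; ".join(problems))
    return meta["KeyId"]


if __name__ == "__main__":
    # Read the JSON that `aws kms create-key --origin EXTERNAL` prints, from stdin.
    print(check_pending_import(json.load(sys.stdin)))
```

Run it as aws kms create-key --origin EXTERNAL | python3 check_pending_import.py; it prints the key ID to use in step 2 or exits with the list of problems.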