Importing key material step 3: Encrypt the key material - Amazon Key Management Service
Example: Encrypt key material with OpenSSL
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Importing key material step 3: Encrypt the key material

After you download the public key and import token, you use the public key to encrypt your key material. The key material must be in binary format.

Typically, you encrypt your key material when you export it from your hardware security module (HSM) or key management system. For information about how to export key material in binary format, see the documentation for your HSM or key management system. You can also refer to the following section that provides a proof of concept demonstration using OpenSSL.

When you encrypt your key material, use the same wrapping algorithm that you specified when you downloaded the public key and import token (RSAES_OAEP_SHA_256, RSAES_OAEP_SHA_1, or RSAES_PKCS1_V1_5).

Example: Encrypt key material with OpenSSL

The following example demonstrates how to use OpenSSL to generate a 256-bit symmetric encryption key and then encrypt this key material for import into a KMS key.

In China Regions, generate a 128-bit symmetric encryption key.

Important

This example is a proof of concept demonstration only. For production systems, use a more secure method (such as a commercial HSM or key management system) to generate and store your key material.

The RSAES_OAEP_SHA_1 encryption algorithm works best with this example. Before running the example, make sure that you used RSAES_OAEP_SHA_1 for the wrapping algorithm in Step 2. If necessary, repeat the step to download and import the public key and token.

To use OpenSSL to generate binary key material and encrypt it for import into Amazon KMS

  1. Use the following command to generate a 256-bit symmetric key and save it in a file named PlaintextKeyMaterial.bin.

    (China Regions only) To generate a 128-bit symmetric key, change the 32 in the following command to 16.

    $ openssl rand -out PlaintextKeyMaterial.bin 32

  2. Use the following command to encrypt the key material with the public key that you downloaded and save it in a file named EncryptedKeyMaterial.bin. Replace PublicKey.bin with the name of the file that contains the public key. If you downloaded the public key from the console, this file is named wrappingKey_KMS key_key_ID_timestamp (for example, wrappingKey_f44c4e20-f83c-48f4-adc6-a1ef38829760_0809092909).

    $ openssl pkeyutl \
    -in PlaintextKeyMaterial.bin \
    -out EncryptedKeyMaterial.bin \
    -inkey PublicKey.bin \
    -keyform DER -pubin \
    -encrypt \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha1

Proceed to Step 4: Import the key material.