Step 4: Import the key material - Amazon Key Management Service
Setting an expiration time (optional)Set key material descriptionImport new key materialReimport key materialImport key material (console)Import key material (Amazon KMS API)
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 4: Import the key material

After you encrypt your key material, you can import the key material to use with an Amazon KMS key. To import key material, you upload the encrypted key material from Step 3: Encrypt the key material and the import token that you downloaded at Step 2: Download the wrapping public key and import token. You must import key material into the same KMS key that you specified when you downloaded the public key and import token. When key material is successfully imported, the key state of the KMS key changes to Enabled, and you can use the KMS key in cryptographic operations.

When you import key material, you can set an optional expiration time for the key material. When the key material expires, Amazon KMS deletes the key material and the KMS key becomes unusable. After you import your key material, you cannot set, change, or cancel the expiration date for the current import. To change these values, you must reimport the same key material.

For all KMS keys with EXTERNAL origin, the first key material imported into it becomes current and permanently associated with it. Symmetric encryption keys with EXTERNAL origin support on-demand rotation. You can associate multiple key materials with imported keys that support on-demand rotation. The process for importing new key material differs for single-Region and multi-Region keys as described in the section Import new key material. You must set the importType parameter to NEW_KEY_MATERIAL with the ImportKeyMaterial action to associate new key material with a KMS key. The default value of the optional ImportType parameter is EXISTING_KEY_MATERIAL. When you omit the ImportType parameter or specify it as EXISTING_KEY_MATERIAL, you must import a key material that is previously associated with the KMS key.

For asymmetric, or HMAC KMS keys with EXTERNAL origin, only one key material can ever be associated with the key. Amazon KMS will reject ImportKeyMaterial API requests with the ImportType parameter.

When all key materials permanently associated with a KMS key are imported, the KMS key is available for use in cryptographic operations. If any one of these key materials is deleted or allowed to expire, the KMS key state changes to PendingImport and the key is unusable for cryptographic operations.

To import key material, you can use the Amazon KMS console or the ImportKeyMaterial API. You can use the API directly by making HTTP requests, or by using an Amazon SDKs, Amazon Command Line Interface or Amazon Tools for PowerShell.

When you import the key material, an ImportKeyMaterial entry is added to your Amazon CloudTrail log to record the ImportKeyMaterial operation. The CloudTrail entry is the same whether you use the Amazon KMS console or the Amazon KMS API.

Setting an expiration time (optional)

When you import the key material for your KMS key, you can set an optional expiration date and time for the key material of up to 365 days from the import date. When imported key material expires, Amazon KMS deletes it. This action changes the key state of the KMS key to PendingImport, which prevents it from being used in any cryptographic operation. To use the KMS key, you must reimport a copy of the original key material.

Ensuring that imported key material expires frequently can help you to satisfy regulatory requirements, but it introduces an additional a risk to data encrypted under the KMS key. Until you reimport a copy of the original key material, a KMS key with expired key material is unusable, and any data encrypted under the KMS key is inaccessible. If you fail to reimport the key material for any reason, including losing your copy of the original key material, the KMS key is permanently unusable, and data encrypted under the KMS key is unrecoverable.

To mitigate this risk, make sure that your copy of the imported key material is accessible, and design a system to delete and reimport the key material before it expires and interrupts your Amazon workload. We recommend that you set an alarm for the expiration of your imported key material that gives you plenty of time to reimport the key material before it expires. You can also use your CloudTrail logs to audit operations that import (and reimport) key material and delete imported key material, and the Amazon KMS operation to delete expired key material.

Amazon KMS cannot restore, recover, or reproduce the deleted key material. Instead of setting an expiration time, you can programmatically delete and reimport the imported key material periodically, but the requirements for retaining a copy of the original key material are the same.

You determine whether and when imported key material expires when you import the key material. However you can turn expiration on and off, or set a new expiration time by reimporting the key material. Use the ExpirationModel parameter of ImportKeyMaterial to turn expiration on (KEY_MATERIAL_EXPIRES) and off (KEY_MATERIAL_DOES_NOT_EXPIRE) and the ValidTo parameter to set the expiration time. The maximum time is 365 days from the import data; there is no minimum, but the time must be in the future.

Set key material description

Symmetric encryption keys with EXTERNAL origin can have multiple key materials associated with them. You can specify an optional key material description when importing key material into such keys. The description can be used to keep track of where the corresponding key material is durably maintained outside Amazon KMS.

For multi-Region keys, you can set or change the key material description only on the primary Region key. Amazon KMS automatically propagates the key material description to replica Region keys.

Import new key material

To perform on-demand rotation on a symmetric encryption KMS key with imported key material, you'll first need to import new key material, not previously associated with the key.

  • Single Region keys

    • Use the ImportKeyMaterial operation with the ImportType parameter set to NEW_KEY_MATERIAL to accomplish this task. This key material is not permanently associated with the key until you perform the RotateKeyOnDemand operation or rotate the key in the Amazon Web Services Management Console. Until then, this key material is in PENDING_ROTATION state. A KMS key can have at most one key material in PENDING_ROTATION state at any time. A key material in PENDING_ROTATION state can be deleted without impacting the key's usability in cryptographic operations.

  • Multi-Region keys

    • To import key material into a multi-Region key, you must first import the new key material to the primary Region key. You cannot directly import new key materials to replica Region keys. After importing new key material to the primary Region key, you can import the same key materials into the replica Region keys.

    • Use the ImportKeyMaterial operation with the ImportType parameter set to NEW_KEY_MATERIAL for the primary Region key to accomplish this task. For the replica Region key, use the EXISTING_KEY_MATERIAL parameter for ImportType for the ImportKeyMaterial operation.

    • The key material for symmetric-encryption multi-Region keys must be imported into all the replica Region keys and primary Region keys before the key material state changes to PENDING_ROTATION state. Until then, the state of the new key material is PENDING_MULTI_REGION_IMPORT_AND_ROTATION. A KMS key can have at most one key material in PENDING_ROTATION or PENDING_MULTI_REGION_IMPORT_AND_ROTATIONstate at any time (see the KeyMaterialState description in RotationsListEntry). A key material in PENDING_MULTI_REGION_IMPORT_AND_ROTATION or PENDING_ROTATION state is not permanently associated with the key and can be deleted without impacting the key's usability in cryptographic operations.

Reimport key material

If you manage a KMS key with imported key material, you might need to reimport the key material. You might reimport key material to replace expiring or deleted key material, or to change the expiration model or expiration date of the key material.

You can reimport key material at any time, on any schedule that meets your security requirements. You do not have to wait until the key material is at or close to its expiration time.

The procedure to reimport key material is the same procedure that you use to import the key material the first time, with the following exceptions.

  • Use an existing KMS key, instead of creating a new KMS key. You can skip Step 1 of the import procedure.

  • When you reimport key material, you can change the expiration model and expiration date. For symmetric encryption keys, you can also change the key material description.

    For multi-Region keys, you can set or change the key material description only on the primary Region key. Amazon KMS automatically propagates the key material description to replica Region keys.

Each time you import key material to a KMS key, you need to download and use a new wrapping key and import token for the KMS key. The wrapping procedure does not affect the content of the key material, so you can use different wrapping public keys and different wrapping algorithms to import the same key material.

Import key material (console)

You can use the Amazon Web Services Management Console to import key material.

  1. If you are on the Upload your wrapped key material page, skip to Step 10.

  2. Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms.

  3. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

  4. In the navigation pane, choose Customer managed keys.

  5. Choose the key ID or alias of the KMS key for which you downloaded the public key and import token.

  6. Choose the Cryptographic configuration tab and view its values. The tabs are on the detail page for a KMS key below the General configuration section.

    You can only import key material into KMS keys with an Origin of External (Import key material). For information about creating KMS keys with imported key material, see Importing key material for Amazon KMS keys.

  7. Choose the appropriate tab based on your key type.

    • For asymmetric and HMAC keys, choose the Key material tab.

    • For symmetric encryption keys, choose the Key material and rotations tab.

  8. Choose the import action.

    • For asymmetric and HMAC keys, choose Import key material.

    • For symmetric encryption keys, choose one of the following:

      • Import initial key material (if no key material has been imported yet)

      • Import new key material (to add new material for rotation)

      • Reimport key material (available from the Actions menu in the key materials table)

    Note

    For Multi-Region keys, you must first import the new key material into the primary Region key. Then, import the same key material into each replica Region key.

    For primary multi-Region keys, the Key materials table includes a Replica import state column that displays the import status across all replica regions (for example, "0 of 3 imported"). Choose the replica import state value to open a modal that shows the import status for each replica region. The modal provides Import key material links for replica regions where the new key material has not been imported.

  9. If you downloaded the key material, import token, and encrypted the key material, choose Next.

    Note

    For Multi-Region keys, you must first import the new key material into the primary Region key. Then you can import the same key material into the replica Region keys.

  10. In the Encrypted key material and import token section, do the following.

    1. Under Wrapped key material, choose Choose file. Then upload the file that contains your wrapped (encrypted) key material.

    2. Under Import token, choose Choose file. Upload the file that contains the import token that you downloaded.

  11. In the Expiration option section, you determine whether the key material expires. To set an expiration date and time, choose Key material expires, and use the calendar to select a date and time. You can specify a date up to 365 days from the current date and time.

  12. For symmetric encryption keys, you can optionally specify a description for the key material being imported.

  13. Choose Import key material.

Import key material (Amazon KMS API)

To import key material, use the ImportKeyMaterial operation. The following example uses the Amazon CLI, but you can use any supported programming language.

To use this example:

For multi-Region keys, you can set or change the key material description only on the primary Region key. Amazon KMS automatically propagates the key material description to replica Region keys.

  1. Replace 1234abcd-12ab-34cd-56ef-1234567890ab with a key ID of the KMS key that you specified when you downloaded the public key and import token. To identify the KMS key, use its key ID or key ARN. You cannot use an alias name or alias ARN for this operation.

  2. Replace EncryptedKeyMaterial.bin with the name of the file that contains the encrypted key material.

  3. Replace ImportToken.bin with the name of the file that contains the import token.

  4. If you want the imported key material to expire, set the value of the expiration-model parameter to its default value, KEY_MATERIAL_EXPIRES, or omit the expiration-model parameter. Then, replace the value of the valid-to parameter with the date and time that you want the key material to expire. The date and time can be up to 365 days from the time of the request. 

    $ aws kms import-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
    --import-token fileb://ImportToken.bin \
    --expiration-model KEY_MATERIAL_EXPIRES \
    --valid-to 2023-06-17T12:00:00-08:00

    If you do not want the imported key material to expire, set the value of the expiration-model parameter to KEY_MATERIAL_DOES_NOT_EXPIRE and omit the valid-to parameter from the command.

    $ aws kms import-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
    --import-token fileb://ImportToken.bin \
    --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

  5. If you want to import new key material, not previously associated with the KMS key, set the ImportType parameter to NEW_KEY_MATERIAL. This option can only be used with symmetric encryption keys. For these keys, you can also use the optional KeyMaterialDescription parameter to set a description for the imported key material in the following command line example: 

    $ aws kms import-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
    --import-token fileb://ImportToken.bin \
    --expiration-model KEY_MATERIAL_EXPIRES \
    --valid-to 2023-06-17T12:00:00-08:00 \
    --import-type NEW_KEY_MATERIAL \
    --key-material-description "Q2 2025 Rotation"
Tip

If the command does not succeed, you might see a KMSInvalidStateException or a NotFoundException. You can retry the request.