Importing key material step 4: Import the key material
After you encrypt your key
material, you can import the key material to use with an Amazon KMS key. To import key
material, you upload the encrypted key material from Step 3: Encrypt the key
material and the import token that you
downloaded at Step 2: Download the
wrapping public key and import token. You must import key material
into the same KMS key that you specified when you downloaded the public key and import
token. When key material is successfully imported, the key
state of the KMS key changes to Enabled, and you can use the KMS key
in cryptographic operations.
When you import key material, you can set an optional expiration time for the key material. When the key material expires, Amazon KMS deletes the key material and the KMS key becomes unusable. To use the KMS key in cryptographic operations, you must reimport the same key material. After you import your key material, you cannot set, change, or cancel the expiration date for the current import. To change these values, you must delete and reimport the same key material.
To import key material, you can use the Amazon KMS console or the ImportKeyMaterial API. You can use the
API directly by making HTTP requests, or by using an Amazon SDKs
When you import the key material, an ImportKeyMaterial
entry is added to your Amazon CloudTrail log to record the ImportKeyMaterial
operation. The CloudTrail entry is the same whether you use the Amazon KMS console or the Amazon KMS API.
Setting an expiration time (optional)
When you import the key material for your KMS key, you can set an optional expiration
date and time for the key material of up to 365 days from the import date. When imported key
material expires, Amazon KMS deletes it. This action changes the key state of the KMS key to PendingImport, which prevents it from
being used in any cryptographic operation. To use the KMS key, you must reimport a copy of the original key material.
Ensuring that imported key material expires frequently can help you to satisfy regulatory requirements, but it introduces an additional a risk to data encrypted under the KMS key. Until you reimport a copy of the original key material, a KMS key with expired key material is unusable, and any data encrypted under the KMS key is inaccessible. If you fail to reimport the key material for any reason, including losing your copy of the original key material, the KMS key is permanently unusable, and data encrypted under the KMS key is unrecoverable.
To mitigate this risk, make sure that your copy of the imported key material is accessible, and design a system to delete and reimport the key material before it expires and interrupts your Amazon workload. We recommend that you set an alarm for the expiration of your imported key material that gives you plenty of time to reimport the key material before it expires. You can also use your CloudTrail logs to audit operations that import (and reimport) key material and delete imported key material, and the Amazon KMS operation to delete expired key material.
You cannot import different key material into the KMS key, and Amazon KMS cannot restore, recover, or reproduce the deleted key material. Instead of setting an expiration time, you can programmatically delete and reimport the imported key material periodically, but the requirements for retaining a copy of the original key material are the same.
You determine whether and when imported key material expires when you import the key
material. But you can turn expiration on and off, or set a new expiration time by deleting and
reimporting the key material. Use the ExpirationModel parameter of ImportKeyMaterial to turn expiration
on (KEY_MATERIAL_EXPIRES) and off (KEY_MATERIAL_DOES_NOT_EXPIRE) and
the ValidTo parameter to set the expiration time. The maximum time is 365 days
from the import data; there is no minimum, but the time must be in the future.
Import key material (console)
You can use the Amazon Web Services Management Console to import key material.
-
If you are on the Upload your wrapped key material page, skip to Step 8.
-
Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms
. -
To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.
-
In the navigation pane, choose Customer managed keys.
-
Choose the key ID or alias of the KMS key for which you downloaded the public key and import token.
-
Choose the Cryptographic configuration tab and view its values. The tabs are on the detail page for a KMS key below the General configuration section.
You can only import key material into KMS keys with an Origin of External (Import key material). For information about creating KMS keys with imported key material, see Importing key material for Amazon KMS keys.
-
Choose the Key material tab and then choose Import key material. The Key material tab appears only for KMS keys with an Origin value of External (Import key material).
If you downloaded the key material, import token, and encrypted the key material, choose Next.
-
In the Encrypted key material and import token section, do the following.
-
Under Wrapped key material, choose Choose file. Then upload the file that contains your wrapped (encrypted) key material.
-
Under Import token, choose Choose file. Upload the file that contains the import token that you downloaded.
-
-
In the Expiration option section, you determine whether the key material expires. To set an expiration date and time, choose Key material expires, and use the calendar to select a date and time. You can specify a date up to 365 days from the current date and time.
-
Choose Upload key material.
Import key material (Amazon KMS API)
To import key material, use the ImportKeyMaterial operation. The following example uses the Amazon CLI
To use this example:
-
Replace
1234abcd-12ab-34cd-56ef-1234567890ab -
Replace
EncryptedKeyMaterial.bin -
Replace
ImportToken.bin -
If you want the imported key material to expire, set the value of the
expiration-modelparameter to its default value,KEY_MATERIAL_EXPIRES, or omit theexpiration-modelparameter. Then, replace the value of thevalid-toparameter with the date and time that you want the key material to expire. The date and time can be up to 365 days from the time of the request.$aws kms import-key-material --key-id1234abcd-12ab-34cd-56ef-1234567890ab\ --encrypted-key-material fileb://EncryptedKeyMaterial.bin\ --import-token fileb://ImportToken.bin\ --expiration-modelKEY_MATERIAL_EXPIRES\ --valid-to2023-06-17T12:00:00-08:00If you do not want the imported key material to expire, set the value of the
expiration-modelparameter toKEY_MATERIAL_DOES_NOT_EXPIREand omit thevalid-toparameter from the command.$aws kms import-key-material --key-id1234abcd-12ab-34cd-56ef-1234567890ab\ --encrypted-key-material fileb://EncryptedKeyMaterial.bin\ --import-token fileb://ImportToken.bin\ --expiration-modelKEY_MATERIAL_DOES_NOT_EXPIRE
Tip
If the command does not succeed, you might see a KMSInvalidStateException
or a NotFoundException. You can retry the request.