Importing key material for Amazon KMS keys - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Importing key material for Amazon KMS keys

You can create an Amazon KMS key (KMS key) with key material that you supply.

A KMS key is a logical representation of an encryption key. The metadata for a KMS key includes the ID of key material used to encrypt and decrypt data. When you create a KMS key, by default, Amazon KMS generates the key material for that KMS key. But you can create a KMS key without key material and then import your own key material into that KMS key, a feature often known as "bring your own key" (BYOK).

Note

Amazon KMS does not support decrypting any Amazon KMS ciphertext outside of Amazon KMS, even if the ciphertext was encrypted under a KMS key with imported key material. Amazon KMS does not publish the ciphertext format this task requires, and the format might change without notice.

Imported key material is supported on all types of KMS keys except for KMS keys in custom key stores. However, in China Regions you can only import symmetric encryption key material into KMS keys.

When you use imported key material, you remain responsible for the key material while allowing Amazon KMS to use a copy of it. You might choose to do this for one or more of the following reasons:

  • To prove the key material was generated using a source of entropy that meets your requirements.

  • To use key material from your own infrastructure with Amazon services, and to use Amazon KMS to manage the lifecycle of that key material within Amazon.

  • To use existing, well-established keys in Amazon KMS, such as keys for code signing, PKI certificate signing, and certificate-pinned applications.

  • To set an expiration time for the key material in Amazon and to manually delete it, but to also make it available again in the future. In contrast, scheduling key deletion requires a waiting period of 7 to 30 days, after which you cannot recover the deleted KMS key.

  • To own the original copy of the key material, and to keep it outside of Amazon for additional durability and disaster recovery during the complete lifecycle of the key material.

  • For asymmetric keys and HMAC keys, importing creates compatible and interoperable keys that operate within and outside of Amazon.

You can audit and monitor the use and management of a KMS key with imported key material. Amazon KMS records an event in your Amazon CloudTrail log when you create the KMS key, download the wrapping public key and import token, and import the key material. Amazon KMS also records an event when you manually delete imported key material or when Amazon KMS deletes expired key material.
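The CloudTrail events listed above can be turned into a lifecycle check. The following added example (not code from the KMS documentation) reads constructed CloudTrail records, keeps only keys created with `Origin=EXTERNAL` and the import-lifecycle operations, and flags imports or deletions performed by principals outside an allow list; event names are assumed to match the KMS API operation names, and all ARNs and key IDs are made-up samples.

```python
import json
from collections import defaultdict

# Import-lifecycle operations as logged by KMS (assumed from the KMS API names;
# DeleteExpiredKeyMaterial is the event for automatic expiry). Verify against your records.
IMPORT_EVENTS = {"GetParametersForImport", "ImportKeyMaterial",
                 "DeleteImportedKeyMaterial", "DeleteExpiredKeyMaterial"}
KEY = "1234abcd-12ab-34cd-56ef-1234567890ab"   # constructed sample key ID

# Constructed sample CloudTrail records, trimmed to the fields this check reads.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"eventName": "CreateKey", "eventSource": "kms.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"origin": "EXTERNAL"},
     "responseElements": {"keyMetadata": {"keyId": KEY}}},
    {"eventName": "GetParametersForImport", "eventSource": "kms.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"keyId": KEY, "wrappingAlgorithm": "RSAES_OAEP_SHA_256"}},
    {"eventName": "ImportKeyMaterial", "eventSource": "kms.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-contractor"},
     "requestParameters": {"keyId": "arn:aws:kms:cn-north-1:123456789012:key/" + KEY,
                           "expirationModel": "KEY_MATERIAL_EXPIRES"}},
    {"eventName": "Encrypt", "eventSource": "kms.amazonaws.com",   # routine use, ignored
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/app"},
     "requestParameters": {"keyId": KEY}},
]]

def key_id_of(event):
    """Bare key ID an event refers to; CreateKey reports it in the response, others may pass an ARN."""
    if event["eventName"] == "CreateKey":
        return event["responseElements"]["keyMetadata"]["keyId"]
    kid = event.get("requestParameters", {}).get("keyId", "")
    return kid.rsplit("key/", 1)[-1]

def imported_key_timeline(lines):
    """Map key ID -> ordered (eventName, principal ARN) for externally sourced keys."""
    timeline = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        external_create = (ev["eventName"] == "CreateKey" and
                           ev.get("requestParameters", {}).get("origin") == "EXTERNAL")
        if external_create or ev["eventName"] in IMPORT_EVENTS:
            timeline[key_id_of(ev)].append((ev["eventName"], ev["userIdentity"]["arn"]))
    return dict(timeline)

def imports_by_unexpected_principals(lines, allowed_arns):
    """Key IDs whose material was fetched-for, imported or deleted by a principal not on the allow list."""
    return {kid for kid, steps in imported_key_timeline(lines).items()
            if any(name != "CreateKey" and arn not in allowed_arns for name, arn in steps)}
```

Every flagged key should map to a planned key-management change; an unexpected import can silently replace the key material an application depends on.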

For information about important differences between KMS keys with imported key material and those with key material generated by Amazon KMS, see About imported key material.

Supported KMS keys

Amazon KMS supports imported key material for the following types of KMS keys. You cannot import key material into KMS keys in custom key stores. In China Regions, you can import key material only into symmetric encryption keys.

Regions

Imported key material is supported in all Amazon Web Services Regions that Amazon KMS supports.

In China Regions, you can import key material only into symmetric encryption KMS keys. Also, the key material requirements differ from other Regions. For details, see Importing key material step 3: Encrypt the key material.