Importing key material for Amazon KMS keys
You can create an Amazon KMS key (KMS key) with key material that you supply.
A KMS key is a logical representation of a cryptographic key. The metadata for a KMS key includes the ID of the key material used to perform cryptographic operations. When you create a KMS key, Amazon KMS generates the key material for that KMS key by default. You can instead create a KMS key without key material and then import your own key material into that KMS key, a feature often known as "bring your own key" (BYOK).

Note
Amazon KMS does not support decrypting any Amazon KMS ciphertext encrypted by a symmetric encryption KMS key outside of Amazon KMS, even if the ciphertext was encrypted under a KMS key with imported key material. Amazon KMS does not publish the ciphertext format that this would require, and the format might change without notice.
When you use imported key material, you remain responsible for the key material while allowing Amazon KMS to use a copy of it. You might choose to do this for one or more of the following reasons:
- To prove that the key material was generated using a source of entropy that meets your requirements.
- To use key material from your own infrastructure with Amazon services, and to use Amazon KMS to manage the lifecycle of that key material within Amazon.
- To use existing, well-established keys in Amazon KMS, such as keys for code signing, PKI certificate signing, and certificate-pinned applications.
- To set an expiration time for the key material in Amazon and to delete it manually, but also to make it available again in the future by reimporting it. In contrast, scheduling key deletion requires a waiting period of 7 to 30 days, after which you cannot recover the deleted KMS key.
- To own the original copy of the key material, and to keep it outside of Amazon for additional durability and disaster recovery during the complete lifecycle of the key material.
- For asymmetric keys and HMAC keys, to create compatible and interoperable keys that operate both within and outside of Amazon.
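Because imported key material can expire, and because Amazon KMS deletes expired material and leaves the KMS key in the PendingImport state until you reimport it, a practitioner typically wants an inventory check: which keys hold imported material, and how long until that material expires. The script below is an added example written for this page, not code from the Amazon KMS documentation. It works on the KeyMetadata structure that DescribeKey returns (the boto3 dict or the `aws kms describe-key` JSON); the field names Origin, KeyState, ExpirationModel and ValidTo are the ones KMS uses. The key IDs and records are constructed sample data, and the 30-day warning threshold is an assumption you would tune to your alarm policy.

```python
"""Inventory KMS keys with imported key material and flag material near expiry.

Operates on DescribeKey KeyMetadata records (boto3 dicts or CLI JSON), so it
runs offline; feed it the output of list_keys()/describe_key() in practice.
"""
from datetime import datetime, timedelta, timezone

# Only Origin=EXTERNAL means the key material was imported (BYOK).
IMPORTED_ORIGIN = "EXTERNAL"


def _as_datetime(value):
    """Normalise ValidTo: boto3 gives a datetime, the CLI an ISO 8601 string."""
    if isinstance(value, datetime):
        dt = value
    elif isinstance(value, (int, float)):          # epoch seconds, just in case
        dt = datetime.fromtimestamp(value, tz=timezone.utc)
    else:
        dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def imported_keys(metadata_list):
    """Keep only KMS keys whose key material was imported."""
    return [m for m in metadata_list if m.get("Origin") == IMPORTED_ORIGIN]


def classify(meta, now, warn_days=30):
    """Return a status string for one KMS key with imported key material."""
    state = meta.get("KeyState")
    if state == "PendingImport":
        # No usable material: never imported, deleted manually, or expired
        # (KMS deletes expired material and moves the key to PendingImport).
        return "no-material"
    if state == "PendingDeletion":
        return "pending-deletion"
    if meta.get("ExpirationModel") != "KEY_MATERIAL_EXPIRES":
        return "does-not-expire"
    remaining = _as_datetime(meta["ValidTo"]) - now
    if remaining <= timedelta(0):
        return "expired"                 # defensive: clock skew between caller and KMS
    if remaining <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def report(metadata_list, now=None, warn_days=30):
    """Map KeyId -> status for every KMS key with imported key material."""
    now = now or datetime.now(timezone.utc)
    return {m["KeyId"]: classify(m, now, warn_days) for m in imported_keys(metadata_list)}


# Constructed sample records (hypothetical key IDs), shaped like DescribeKey output.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"KeyId": "11111111-1111-1111-1111-111111111111", "Origin": "EXTERNAL",
     "KeyState": "Enabled", "ExpirationModel": "KEY_MATERIAL_EXPIRES",
     "ValidTo": "2024-06-15T00:00:00+00:00"},            # 14 days left
    {"KeyId": "22222222-2222-2222-2222-222222222222", "Origin": "EXTERNAL",
     "KeyState": "Enabled", "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"},
    {"KeyId": "33333333-3333-3333-3333-333333333333", "Origin": "EXTERNAL",
     "KeyState": "PendingImport"},                        # created, nothing imported
    {"KeyId": "44444444-4444-4444-4444-444444444444", "Origin": "AWS_KMS",
     "KeyState": "Enabled"},                              # KMS-generated, ignored
    {"KeyId": "55555555-5555-5555-5555-555555555555", "Origin": "EXTERNAL",
     "KeyState": "Enabled", "ExpirationModel": "KEY_MATERIAL_EXPIRES",
     "ValidTo": datetime(2025, 1, 1, tzinfo=timezone.utc)},  # boto3-style datetime
]

if __name__ == "__main__":
    for key_id, status in report(SAMPLE_KEYS, now=NOW).items():
        print(f"{key_id}: {status}")
```

In production you would page through `list_keys()` and call `describe_key()` for each ID, then feed the KeyMetadata dicts to `report()`; anything classified as "expiring" or "no-material" is a candidate for reimporting the key material you hold outside Amazon.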
Supported KMS key types
Amazon KMS supports imported key material for the following types of KMS keys. You cannot import key material into KMS keys in custom key stores.
- Symmetric encryption keys
- HMAC keys
- Asymmetric keys
- Multi-Region keys of all supported types
Regions
Imported key material is supported in all Amazon Web Services Regions that Amazon KMS supports.
In China Regions, the key material requirements for symmetric encryption KMS keys differ from those in other Regions. For details, see Step 3: Encrypt the key material.
Learn more
- To create KMS keys with imported key material, see Create a KMS key with imported key material.
- To create an alarm that notifies you when the imported key material in a KMS key is approaching its expiration time, see Create a CloudWatch alarm for expiration of imported key material.
- To reimport key material into a KMS key, see Reimport key material.
- To identify and view KMS keys with imported key material, see Identify KMS keys with imported key material.
- To learn about special considerations for deleting KMS keys with imported key material, see Deleting KMS keys with imported key material.