Managing KMS keys in a CloudHSM key store - Amazon Key Management Service

Managing KMS keys in a CloudHSM key store

You can create, view, manage, use, and schedule deletion of the Amazon KMS keys in an Amazon CloudHSM key store. The procedures that you use are very similar to those you use for other KMS keys. The only difference is that you specify an Amazon CloudHSM key store when you create the KMS key. Then, Amazon KMS creates non-extractable key material for the KMS key in the Amazon CloudHSM cluster that is associated with the Amazon CloudHSM key store. When you use a KMS key in an Amazon CloudHSM key store, the cryptographic operations are performed in the HSMs in the cluster.

Supported features

In addition to the procedures discussed in this section, you can do the following with KMS keys in an Amazon CloudHSM key store:

Unsupported features

  • Amazon CloudHSM key stores support only symmetric encryption KMS keys. You cannot create HMAC KMS keys, asymmetric KMS keys, or asymmetric data key pairs in an Amazon CloudHSM key store.

  • You cannot import key material into a KMS key in an Amazon CloudHSM key store. Amazon KMS generates the key material for the KMS key in the Amazon CloudHSM cluster.

  • You cannot enable or disable automatic rotation of the key material for a KMS key in an Amazon CloudHSM key store.
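
The following is an added example, not part of the AWS documentation: a Python pre-flight check that applies the constraints listed above to a request before it is sent to KMS, and picks out the keys a rotation-enforcement job must skip. The field names and enum values follow the KMS CreateKey request and the KeyMetadata returned by DescribeKey; the function names and every ID are constructed for illustration.

```python
# Added example. Dict keys mirror the KMS CreateKey request and KeyMetadata;
# all key store IDs and key IDs below are constructed sample values.

def check_cloudhsm_create_key(params):
    """Return the reasons a CreateKey request cannot target a CloudHSM key store."""
    problems = []
    if not params.get("CustomKeyStoreId"):
        problems.append("CustomKeyStoreId missing: no key store specified")
    origin = params.get("Origin", "AWS_KMS")  # API default when omitted
    if origin == "EXTERNAL":
        problems.append("Origin EXTERNAL: key material cannot be imported")
    elif origin != "AWS_CLOUDHSM":
        problems.append(f"Origin {origin}: must be AWS_CLOUDHSM")
    spec = params.get("KeySpec", "SYMMETRIC_DEFAULT")
    if spec != "SYMMETRIC_DEFAULT":
        problems.append(f"KeySpec {spec}: only symmetric encryption keys")
    usage = params.get("KeyUsage", "ENCRYPT_DECRYPT")
    if usage != "ENCRYPT_DECRYPT":
        problems.append(f"KeyUsage {usage}: only ENCRYPT_DECRYPT")
    return problems


def keys_without_auto_rotation(inventory):
    """KeyIds held in a CloudHSM key store, where automatic rotation
    cannot be enabled or disabled, so a rotation job must skip them."""
    return [k["KeyId"] for k in inventory if k.get("Origin") == "AWS_CLOUDHSM"]


# Constructed requests: one valid, one HMAC key, one import-style request.
GOOD = {"CustomKeyStoreId": "cks-constructed0001", "Origin": "AWS_CLOUDHSM"}
HMAC = {"CustomKeyStoreId": "cks-constructed0001", "Origin": "AWS_CLOUDHSM",
        "KeySpec": "HMAC_256", "KeyUsage": "GENERATE_VERIFY_MAC"}
IMPORT = {"Origin": "EXTERNAL"}

# Constructed inventory, shaped like DescribeKey KeyMetadata.
INVENTORY = [
    {"KeyId": "constructed-key-1", "Origin": "AWS_KMS"},
    {"KeyId": "constructed-key-2", "Origin": "AWS_CLOUDHSM",
     "CustomKeyStoreId": "cks-constructed0001"},
]

if __name__ == "__main__":
    for name, req in (("GOOD", GOOD), ("HMAC", HMAC), ("IMPORT", IMPORT)):
        print(name, check_cloudhsm_create_key(req) or "ok")
    print("skip rotation for:", keys_without_auto_rotation(INVENTORY))
```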