Asymmetric keys in Amazon KMS - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Asymmetric keys in Amazon KMS

Amazon KMS supports asymmetric KMS keys that represent a mathematically related RSA or elliptic curve (ECC) public and private key pair. These key pairs are generated in Amazon KMS hardware security modules certified under the FIPS 140-2 Cryptographic Module Validation Program, except in the China (Beijing) and China (Ningxia) Regions. The private key never leaves the HSMs unencrypted. You can download the public key for distribution and use outside of Amazon. You can create asymmetric KMS keys for encryption and decryption, or for signing and verification, but not both.

You can create and manage the asymmetric KMS keys in your Amazon Web Services account, including setting the key policies, IAM policies, and grants that control access to the keys, enabling and disabling the KMS keys, creating tags and aliases, and deleting the KMS keys. You can audit all operations that use or manage your asymmetric KMS keys within Amazon in Amazon CloudTrail logs.

Amazon KMS also provides asymmetric data key pairs that are designed to be used for client-side cryptography outside of Amazon KMS. The private key in an asymmetric data key pair is protected by a symmetric encryption KMS key in Amazon KMS; the public key is returned in plaintext.

This topic explains how asymmetric KMS keys work, how they differ from symmetric KMS keys, and how to decide which type of KMS key you need to protect your data. It also explains how asymmetric data key pairs work and how to use them outside of Amazon KMS.

Regions

Asymmetric KMS keys and asymmetric data key pairs are supported in all Amazon Web Services Regions that Amazon KMS supports.


Asymmetric KMS keys

You can create an asymmetric KMS key in Amazon KMS. An asymmetric KMS key represents a mathematically related public key and private key pair. You can give the public key to anyone, even if they're not trusted, but the private key must be kept secret.

In an asymmetric KMS key, the private key is created in Amazon KMS and never leaves Amazon KMS unencrypted. To use the private key, you must call Amazon KMS. You can use the public key within Amazon KMS by calling the Amazon KMS API operations. Or, you can download the public key and use it outside of Amazon KMS.

If your use case requires encryption outside of Amazon by users who cannot call Amazon KMS, asymmetric KMS keys are a good choice. However, if you are creating a KMS key to encrypt the data that you store or manage in an Amazon service, use a symmetric KMS key. Amazon services that are integrated with Amazon KMS use symmetric KMS keys to encrypt your data. These services do not support encryption with asymmetric KMS keys.
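The client-side half of that pattern, as an added example that is not part of the Amazon KMS documentation: a party that cannot call Amazon KMS parses the DER-encoded public key that GetPublicKey returns, checks that it is an RSA key (an ECC KMS key is signing-only), and encrypts with the exact OAEP parameters that Decrypt expects for RSAES_OAEP_SHA_256 (SHA-256 for both the hash and MGF1, empty label). Because the example has to run offline, the locally generated 2048-bit key pair and the localDecrypt function are stand-ins for a KMS key with KeySpec RSA_2048 and for the kms.Decrypt API call; in production the private key stays in the HSM and that step is the API call.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"log"
)

// ParseKMSPublicKey parses the DER-encoded SubjectPublicKeyInfo that KMS
// GetPublicKey returns in its PublicKey field. Only RSA KMS keys can encrypt;
// ECC KMS keys are sign/verify only, so any other key type is rejected.
func ParseKMSPublicKey(der []byte) (*rsa.PublicKey, error) {
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, fmt.Errorf("parse SubjectPublicKeyInfo: %w", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("public key is not RSA; ECC KMS keys support only signing")
	}
	return rsaPub, nil
}

// MaxPlaintextLen is the RSAES-OAEP limit k - 2*hLen - 2 (RFC 8017 7.1.1):
// 190 bytes for RSA_2048 with SHA-256. Larger payloads are wrapped with a
// data key rather than encrypted directly under the asymmetric KMS key.
func MaxPlaintextLen(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// EncryptForKMS produces ciphertext that KMS Decrypt accepts with
// EncryptionAlgorithm=RSAES_OAEP_SHA_256. Go's EncryptOAEP uses the supplied
// hash for MGF1 as well, which matches the KMS algorithm definition.
func EncryptForKMS(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	if n := MaxPlaintextLen(pub); len(plaintext) > n {
		return nil, fmt.Errorf("plaintext is %d bytes, OAEP limit is %d", len(plaintext), n)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// localDecrypt is a stand-in for kms.Decrypt(KeyId, CiphertextBlob,
// EncryptionAlgorithm=RSAES_OAEP_SHA_256). It exists only so the example
// runs offline; the OAEP options mirror the KMS algorithm, so a parameter
// mismatch on the encrypt side (for example MGF1 with SHA-1) fails here too.
func localDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return priv.Decrypt(nil, ciphertext, &rsa.OAEPOptions{Hash: crypto.SHA256})
}

// RoundTrip generates a local RSA-2048 key pair as a stand-in for a KMS key
// (KeySpec RSA_2048, KeyUsage ENCRYPT_DECRYPT), runs the client-side encrypt
// against the DER public key exactly as a GetPublicKey caller would, and
// reports whether the decrypt side recovers the plaintext.
func RoundTrip(plaintext []byte) (bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	// Same encoding GetPublicKey returns (base64-encoded in the JSON response).
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return false, err
	}
	pub, err := ParseKMSPublicKey(der)
	if err != nil {
		return false, err
	}
	ct, err := EncryptForKMS(pub, plaintext)
	if err != nil {
		return false, err
	}
	got, err := localDecrypt(priv, ct)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, plaintext), nil
}

func main() {
	// Constructed sample input: a 32-byte data key, the typical payload to wrap this way.
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		log.Fatal(err)
	}
	ok, err := RoundTrip(dataKey)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("decrypt recovered plaintext:", ok)
}
```

The two checks worth keeping in real client code are the key-type assertion and the OAEP length limit: a caller handed an ECC public key, or a payload over 190 bytes for RSA_2048, should fail locally rather than produce a ciphertext that Decrypt rejects.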

Amazon KMS supports two types of asymmetric KMS keys.

  • RSA KMS keys: A KMS key with an RSA key pair for encryption and decryption or signing and verification (but not both). Amazon KMS supports several key lengths for different security requirements.

  • Elliptic Curve (ECC) KMS keys: A KMS key with an elliptic curve key pair for signing and verification. Amazon KMS supports several commonly used curves.

For technical details about the encryption and signing algorithms that Amazon KMS supports for RSA KMS keys, see RSA Key Specs. For technical details about the signing algorithms that Amazon KMS supports for ECC KMS keys, see Elliptic Curve Key Specs.

For a table comparing the operations that you can perform on symmetric and asymmetric KMS keys, see Comparing Symmetric and Asymmetric KMS keys. For help determining whether a KMS key is symmetric or asymmetric, see Identifying symmetric and asymmetric KMS keys.
