Asymmetric keys in Amazon KMS
An asymmetric KMS key represents a mathematically related public key and private key pair. You can give the public key to anyone, even if they're not trusted, but the private key must be kept secret.
In an asymmetric KMS key, the private key is created in Amazon KMS and never leaves Amazon KMS unencrypted. To use the private key, you must call Amazon KMS. You can use the public key within Amazon KMS by calling the Amazon KMS API operations. Or, you can download the public key and use it outside of Amazon KMS.
If your use case requires encryption outside of Amazon by users who cannot call Amazon KMS, asymmetric KMS keys are a good choice. However, if you are creating a KMS key to encrypt the data that you store or manage in an Amazon service, use a symmetric encryption KMS key.
Amazon services that are integrated with Amazon KMS
Amazon KMS supports three types of asymmetric KMS keys.
- RSA KMS keys
  A KMS key with an RSA key pair for encryption and decryption or signing and verification (but not both). Amazon KMS supports several key lengths for different security requirements.
  For technical details about the encryption and signing algorithms that Amazon KMS supports for RSA KMS keys, see RSA key specs.
- Elliptic Curve (ECC) KMS keys
  A KMS key with an elliptic curve key pair for signing and verification or deriving shared secrets (but not both). Amazon KMS supports several commonly used curves.
  For technical details about the signing algorithms that Amazon KMS supports for ECC KMS keys, see Elliptic curve key specs.
- SM2 KMS keys (China Regions only)
  A KMS key with an SM2 key pair for encryption and decryption, signing and verification, or deriving shared secrets (you must choose one key usage type).
  For technical details about the encryption and signing algorithms that Amazon KMS supports for SM2 KMS keys (China Regions only), see SM2 key spec.
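The boundary described above (private key used only inside the service, public key downloadable as DER and usable elsewhere) is shown below for both key usages: an RSA key with ENCRYPT_DECRYPT and an ECC key with SIGN_VERIFY. This is an added example written for this page, not Amazon KMS code and not the Amazon KMS API: the `keyService` type is a local stand-in that generates its own keys, and its `GetPublicKey`, `Decrypt` and `Sign` methods only model the shape of the corresponding operations (DER-encoded SubjectPublicKeyInfo public keys, RSAES_OAEP_SHA_256 decryption, ECDSA_SHA_256 signatures in DER form). The function names `encryptOutsideKms`, `verifyOutsideKms` and `roundTrip` and the sample plaintext and message are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// keyService stands in for the KMS side of the boundary: it holds the private
// halves and only ever returns public keys, signatures and plaintexts.
// Local model for this example only; it is not the Amazon KMS API.
type keyService struct {
	rsaKey *rsa.PrivateKey   // models an RSA key with key usage ENCRYPT_DECRYPT
	eccKey *ecdsa.PrivateKey // models an ECC_NIST_P256 key with key usage SIGN_VERIFY
}

func newKeyService() (*keyService, error) {
	rk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ek, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &keyService{rsaKey: rk, eccKey: ek}, nil
}

// GetPublicKey models the GetPublicKey operation: the public half leaves the
// service as a DER-encoded X.509 SubjectPublicKeyInfo; the private half never does.
func (s *keyService) GetPublicKey(usage string) ([]byte, error) {
	switch usage {
	case "ENCRYPT_DECRYPT":
		return x509.MarshalPKIXPublicKey(&s.rsaKey.PublicKey)
	case "SIGN_VERIFY":
		return x509.MarshalPKIXPublicKey(&s.eccKey.PublicKey)
	}
	return nil, errors.New("unknown key usage")
}

// Decrypt models Decrypt with RSAES_OAEP_SHA_256 (SHA-256 for both the hash
// and MGF1): the private key is used here and is never handed to the caller.
func (s *keyService) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, s.rsaKey, ciphertext, nil)
}

// Sign models Sign with ECDSA_SHA_256 on a RAW message: the service hashes the
// message and returns a DER-encoded ECDSA signature.
func (s *keyService) Sign(message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return ecdsa.SignASN1(rand.Reader, s.eccKey, digest[:])
}

// encryptOutsideKms is what a party with no KMS access does: parse the downloaded
// public key and encrypt with RSA-OAEP/SHA-256, which only the key owner's Decrypt
// call can reverse. A key of the wrong type is rejected rather than misused.
func encryptOutsideKms(derPub, plaintext []byte) ([]byte, error) {
	pub, err := x509.ParsePKIXPublicKey(derPub)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("public key is not RSA: not an encryption key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaPub, plaintext, nil)
}

// verifyOutsideKms checks a service-produced signature using nothing but the
// downloaded public key, so no KMS call and no private key are involved.
func verifyOutsideKms(derPub, message, sig []byte) (bool, error) {
	pub, err := x509.ParsePKIXPublicKey(derPub)
	if err != nil {
		return false, err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("public key is not ECC: not a signing key")
	}
	digest := sha256.Sum256(message)
	return ecdsa.VerifyASN1(ecPub, digest[:], sig), nil
}

// roundTrip exercises both directions: encrypt outside, decrypt inside; sign
// inside, verify outside; and confirms a tampered message fails verification.
func roundTrip() (string, bool, bool, error) {
	svc, err := newKeyService()
	if err != nil {
		return "", false, false, err
	}
	encPub, _ := svc.GetPublicKey("ENCRYPT_DECRYPT")
	sigPub, _ := svc.GetPublicKey("SIGN_VERIFY")
	ct, err := encryptOutsideKms(encPub, []byte("constructed sample plaintext"))
	if err != nil {
		return "", false, false, err
	}
	pt, err := svc.Decrypt(ct)
	if err != nil {
		return "", false, false, err
	}
	msg := []byte("constructed sample message")
	sig, err := svc.Sign(msg)
	if err != nil {
		return "", false, false, err
	}
	sigOK, _ := verifyOutsideKms(sigPub, msg, sig)
	tamperedOK, _ := verifyOutsideKms(sigPub, append(msg, '!'), sig)
	return string(pt), sigOK, tamperedOK, nil
}

func main() {
	pt, sigOK, tamperedOK, err := roundTrip()
	fmt.Println("decrypted:", pt, "signature ok:", sigOK, "tampered ok:", tamperedOK, "err:", err)
}
```

The type assertions on the parsed key are the practical check: a key's usage is fixed when it is created, so a consumer that is handed a signing key's public half cannot use it to encrypt, and the example refuses rather than silently proceeding. With a real KMS key the same `x509.ParsePKIXPublicKey` call accepts the `PublicKey` bytes returned by GetPublicKey.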
For help choosing your asymmetric key configuration, see Choosing what type of KMS key to create.
Regions
Asymmetric KMS keys and asymmetric data key pairs are supported in all Amazon Web Services Regions that Amazon KMS supports.
Learn more
- To create asymmetric KMS keys, see Create an asymmetric KMS key.
- To create multi-Region asymmetric KMS keys, see Create multi-Region primary keys.
- To learn how to sign messages and verify signatures with asymmetric KMS keys, see Digital signing with the new asymmetric keys feature of Amazon KMS in the Amazon Security Blog.
- To learn about special considerations for deleting asymmetric KMS keys, see Deleting asymmetric KMS keys.
- To identify and view asymmetric KMS keys, see Identify asymmetric KMS keys.