Asymmetric keys in Amazon KMS - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Asymmetric keys in Amazon KMS

An asymmetric KMS key represents a mathematically related public key and private key pair. You can give the public key to anyone, even if they're not trusted, but the private key must be kept secret.

In an asymmetric KMS key, the private key is created in Amazon KMS and never leaves Amazon KMS unencrypted. To use the private key, you must call Amazon KMS. You can use the public key within Amazon KMS by calling the Amazon KMS API operations. Or, you can download the public key and use it outside of Amazon KMS.

If your use case requires encryption outside of Amazon by users who cannot call Amazon KMS, asymmetric KMS keys are a good choice. However, if you are creating a KMS key to encrypt the data that you store or manage in an Amazon service, use a symmetric encryption KMS key. Amazon services that are integrated with Amazon KMS use only symmetric encryption KMS keys to encrypt your data. These services do not support encryption with asymmetric KMS keys.

Amazon KMS supports three types of asymmetric KMS keys.

RSA KMS keys

A KMS key with an RSA key pair for encryption and decryption or signing and verification (but not both). Amazon KMS supports several key lengths for different security requirements.

For technical details about the encryption and signing algorithms that Amazon KMS supports for RSA KMS keys, see RSA key specs.

Elliptic Curve (ECC) KMS keys

A KMS key with an elliptic curve key pair for signing and verification or deriving shared secrets (but not both). Amazon KMS supports several commonly-used curves.

For technical details about the signing algorithms that Amazon KMS supports for ECC KMS keys, see Elliptic curve key specs.

SM2 KMS keys (China Regions only)

A KMS key with an SM2 key pair for encryption and decryption, signing and verification, or deriving shared secrets (you must choose one key usage type).

For technical details about the encryption and signing algorithms that Amazon KMS supports for SM2 KMS keys (China Regions only), see SM2 key spec.

For help choosing your asymmetric key configuration, see Choosing what type of KMS key to create.

Regions

Asymmetric KMS keys and asymmetric data key pairs are supported in all Amazon Web Services Regions that Amazon KMS supports.

Learn more