Asymmetric keys in Amazon KMS
Amazon KMS supports asymmetric KMS keys that represent a mathematically related RSA, elliptic curve (ECC), or SM2 (China Regions only) public and private key pair. These key pairs are generated in Amazon KMS hardware security modules certified under the FIPS 140-2 Cryptographic Module Validation Program.
You can create and manage the asymmetric KMS keys in your Amazon Web Services account, including setting the key policies, IAM policies, and grants that control access to the keys, enabling and disabling the KMS keys, creating tags and aliases, and deleting the KMS keys. You can audit all operations that use or manage your asymmetric KMS keys within Amazon in Amazon CloudTrail logs.
Amazon KMS also provides asymmetric data key pairs that are designed to be used for client-side cryptography outside of Amazon KMS. The private key in an asymmetric data key pair is protected by a symmetric encryption KMS key in Amazon KMS.
This topic explains how asymmetric KMS keys work, how they differ from other KMS keys, and how to decide which type of KMS key you need to protect your data. It also explains how asymmetric data key pairs work and how to use them outside of Amazon KMS.
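The data key pair lifecycle described above (generate the pair under a symmetric KMS key, use the plaintext private key client-side, discard it, keep only the wrapped copy, and call Decrypt to recover it later) can be modeled end to end with the Go standard library. The following is an added example, not code from the Amazon KMS documentation or the Amazon SDK: the `symmetricKMSKey` type is a hypothetical stand-in for the service, its AES-GCM wrapping is an assumption about how the private key is protected (the real service's internal format is not specified on this page), and the key IDs such as `alias/example-wrapping-key` are constructed placeholders. What the model does reproduce faithfully is the shape of a `GenerateDataKeyPair` response (DER SubjectPublicKeyInfo public key, DER PKCS#8 plaintext private key, and an opaque ciphertext blob) and the rule that the wrapped private key can only be recovered through the KMS key that produced it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// symmetricKMSKey is a hypothetical stand-in for a symmetric encryption KMS
// key: 256-bit AES-GCM key material that no method ever returns.
type symmetricKMSKey struct {
	keyID string
	aead  cipher.AEAD
}

// NewSymmetricKey models creating a symmetric encryption KMS key. The key ID
// is a constructed placeholder, not a real KMS identifier.
func NewSymmetricKey(keyID string) (*symmetricKMSKey, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil { return nil, err }
	block, err := aes.NewCipher(raw)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &symmetricKMSKey{keyID: keyID, aead: aead}, nil
}

// DataKeyPair mirrors the three fields a GenerateDataKeyPair response carries.
type DataKeyPair struct {
	PublicKey                []byte // DER SubjectPublicKeyInfo: safe to share
	PrivateKeyPlaintext      []byte // DER PKCS#8: use immediately, then zero
	PrivateKeyCiphertextBlob []byte // private key wrapped under the KMS key: safe to store
}

// GenerateDataKeyPair models the KMS operation for an ECC_NIST_P256 key pair.
func (k *symmetricKMSKey) GenerateDataKeyPair() (*DataKeyPair, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	pkcs8, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil { return nil, err }
	spki, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil { return nil, err }
	// Wrap as nonce || AES-GCM ciphertext; the key ID is bound as associated
	// data so the blob only opens under the key that produced it (assumed format).
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	blob := k.aead.Seal(nonce, nonce, pkcs8, []byte(k.keyID))
	return &DataKeyPair{PublicKey: spki, PrivateKeyPlaintext: pkcs8, PrivateKeyCiphertextBlob: blob}, nil
}

// Decrypt models the KMS Decrypt call that recovers the plaintext private key
// from the stored blob. Tampering, or a different wrapping key, fails here.
func (k *symmetricKMSKey) Decrypt(blob []byte) ([]byte, error) {
	ns := k.aead.NonceSize()
	if len(blob) < ns { return nil, errors.New("ciphertext blob too short") }
	return k.aead.Open(nil, blob[:ns], blob[ns:], []byte(k.keyID))
}

// SignWithPlaintextKey is the client-side step that uses the private key
// outside KMS; nothing here talks to the (modeled) service.
func SignWithPlaintextKey(pkcs8, message []byte) ([]byte, error) {
	key, err := x509.ParsePKCS8PrivateKey(pkcs8)
	if err != nil { return nil, err }
	priv, ok := key.(*ecdsa.PrivateKey)
	if !ok { return nil, errors.New("data key pair is not an ECDSA key") }
	digest := sha256.Sum256(message)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyWithPublicKey needs only the public half, so any party can run it.
func VerifyWithPublicKey(spki, message, sig []byte) (bool, error) {
	key, err := x509.ParsePKIXPublicKey(spki)
	if err != nil { return false, err }
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok { return false, errors.New("public key is not an ECDSA key") }
	digest := sha256.Sum256(message)
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}

// Zero overwrites the plaintext private key once the client is done with it.
func Zero(b []byte) {
	for i := range b { b[i] = 0 }
}

func main() {
	kek, _ := NewSymmetricKey("alias/example-wrapping-key") // constructed placeholder
	pair, _ := kek.GenerateDataKeyPair()
	msg := []byte("constructed sample message")
	sig, _ := SignWithPlaintextKey(pair.PrivateKeyPlaintext, msg)
	Zero(pair.PrivateKeyPlaintext) // only the wrapped blob is kept from here on
	ok, _ := VerifyWithPublicKey(pair.PublicKey, msg, sig)
	recovered, err := kek.Decrypt(pair.PrivateKeyCiphertextBlob)
	fmt.Printf("signature valid: %v; private key recovered: %v (%d bytes)\n", ok, err == nil, len(recovered))
}
```

The ordering in `main` is the point: the plaintext private key is used and zeroed, the public key and the ciphertext blob are what get persisted, and the only route back to the private key is a Decrypt call that the key policy on the symmetric KMS key controls and CloudTrail records.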
Regions
Asymmetric KMS keys and asymmetric data key pairs are supported in all Amazon Web Services Regions that Amazon KMS supports.
Learn more
- To create asymmetric KMS keys, see Creating asymmetric KMS keys. To create symmetric encryption KMS keys, see Creating keys.
- To create multi-Region asymmetric KMS keys, see Creating multi-Region keys.
- To find out whether a KMS key is symmetric or asymmetric, see Identifying asymmetric KMS keys.
- For a table that compares the Amazon KMS API operations that apply to each type of KMS key, see Key type reference.
- To control access to the key specs, key usage, encryption algorithms, and signing algorithms that principals in your account can use for KMS keys and data keys, see Amazon KMS condition keys.
- To learn about the request quotas that apply to different types of KMS keys, see Request quotas.
- To learn how to sign messages and verify signatures with asymmetric KMS keys, see Digital signing with the new asymmetric keys feature of Amazon KMS in the Amazon Security Blog.
Asymmetric KMS keys
You can create an asymmetric KMS key in Amazon KMS. An asymmetric KMS key represents a mathematically related public key and private key pair. You can give the public key to anyone, even if they're not trusted, but the private key must be kept secret.
In an asymmetric KMS key, the private key is created in Amazon KMS and never leaves Amazon KMS unencrypted. To use the private key, you must call Amazon KMS. You can use the public key within Amazon KMS by calling the Amazon KMS API operations. Or, you can download the public key and use it outside of Amazon KMS.
If your use case requires encryption outside of Amazon by users who cannot call Amazon KMS, asymmetric KMS keys are a good choice. However, if you are creating a KMS key to encrypt the data that you store or manage in an Amazon service, use a symmetric encryption KMS key. Amazon services that are integrated with Amazon KMS use only symmetric encryption KMS keys to encrypt your data; they do not support encryption with asymmetric KMS keys.
Amazon KMS supports three types of asymmetric KMS keys.
- RSA KMS keys: A KMS key with an RSA key pair for encryption and decryption or signing and verification (but not both). Amazon KMS supports several key lengths for different security requirements.
- Elliptic Curve (ECC) KMS keys: A KMS key with an elliptic curve key pair for signing and verification. Amazon KMS supports several commonly used curves.
- SM2 KMS keys (China Regions only): A KMS key with an SM2 key pair for encryption and decryption or signing and verification (but not both).
For help choosing your asymmetric key configuration, see Choosing a KMS key type. For technical details about the encryption and signing algorithms that Amazon KMS supports for RSA KMS keys, see RSA key specs. For technical details about the signing algorithms that Amazon KMS supports for ECC KMS keys, see Elliptic curve key specs. For technical details about the encryption and signing algorithms that Amazon KMS supports for SM2 KMS keys (China Regions only), see SM2 key spec.
For a table comparing the operations that you can perform on symmetric and asymmetric KMS keys, see Comparing Symmetric and Asymmetric KMS keys. For help determining whether a KMS key is symmetric or asymmetric, see Identifying asymmetric KMS keys.
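The three properties this section states for an asymmetric KMS key (the private key never leaves the service and is used only by calling it, the public key can be downloaded and used anywhere, and an RSA key is created for either signing or encryption but not both) can be made concrete in one model. The following is an added example written for this page, not code from the Amazon KMS documentation or the Amazon SDK: `asymmetricKMSKey` is a hypothetical stand-in for the service that keeps an RSA private key in an unexported field and exposes only the operations the page names, `GetPublicKey` returns the DER SubjectPublicKeyInfo encoding that the real operation returns, and the `KeyUsage` values `SIGN_VERIFY` and `ENCRYPT_DECRYPT` mirror the two mutually exclusive usages. The algorithm choices (RSASSA-PSS with SHA-256, RSAES-OAEP with SHA-256) are assumptions for the model, and the key IDs are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// KeyUsage mirrors the KMS rule that an RSA KMS key is created for either
// signing/verification or encryption/decryption, never both.
type KeyUsage string

const (
	SignVerify     KeyUsage = "SIGN_VERIFY"
	EncryptDecrypt KeyUsage = "ENCRYPT_DECRYPT"
)

// asymmetricKMSKey is a hypothetical stand-in for the service side: the
// private key lives in an unexported field and no method ever returns it.
type asymmetricKMSKey struct {
	keyID string
	usage KeyUsage
	priv  *rsa.PrivateKey
}

// NewAsymmetricKey models CreateKey for an RSA_2048 key with the given usage.
// The key ID is a constructed placeholder, not a real KMS identifier.
func NewAsymmetricKey(keyID string, usage KeyUsage) (*asymmetricKMSKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	return &asymmetricKMSKey{keyID: keyID, usage: usage, priv: priv}, nil
}

// GetPublicKey models the GetPublicKey operation: the public half as a
// DER-encoded SubjectPublicKeyInfo, which is what the real operation returns.
func (k *asymmetricKMSKey) GetPublicKey() ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&k.priv.PublicKey)
}

// Sign models the Sign operation (assumed algorithm: RSASSA-PSS, SHA-256).
// Only the signature leaves; a key created for encryption refuses the call.
func (k *asymmetricKMSKey) Sign(message []byte) ([]byte, error) {
	if k.usage != SignVerify {
		return nil, fmt.Errorf("%s: KeyUsage is %s, Sign is not permitted", k.keyID, k.usage)
	}
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, k.priv, crypto.SHA256, digest[:], nil)
}

// Decrypt models the Decrypt operation (assumed algorithm: RSAES-OAEP, SHA-256).
// A key created for signing refuses the call.
func (k *asymmetricKMSKey) Decrypt(ciphertext []byte) ([]byte, error) {
	if k.usage != EncryptDecrypt {
		return nil, fmt.Errorf("%s: KeyUsage is %s, Decrypt is not permitted", k.keyID, k.usage)
	}
	return rsa.DecryptOAEP(sha256.New(), nil, k.priv, ciphertext, nil)
}

// parsePublicKey is the client-side parse of the downloaded DER public key.
func parsePublicKey(spki []byte) (*rsa.PublicKey, error) {
	key, err := x509.ParsePKIXPublicKey(spki)
	if err != nil { return nil, err }
	pub, ok := key.(*rsa.PublicKey)
	if !ok { return nil, errors.New("public key is not an RSA key") }
	return pub, nil
}

// VerifyOutsideKMS uses only the downloaded public key; no service call.
func VerifyOutsideKMS(spki, message, signature []byte) (bool, error) {
	pub, err := parsePublicKey(spki)
	if err != nil { return false, err }
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], signature, nil) == nil, nil
}

// EncryptOutsideKMS is the case the page describes for users who cannot call
// Amazon KMS: encrypt with the public key; only a Decrypt call can recover it.
func EncryptOutsideKMS(spki, plaintext []byte) ([]byte, error) {
	pub, err := parsePublicKey(spki)
	if err != nil { return nil, err }
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

func main() {
	signer, _ := NewAsymmetricKey("alias/example-signing-key", SignVerify) // constructed placeholder
	msg := []byte("constructed sample message")
	sig, _ := signer.Sign(msg)
	spki, _ := signer.GetPublicKey()
	ok, _ := VerifyOutsideKMS(spki, msg, sig)
	_, err := signer.Decrypt(sig)
	fmt.Printf("verified outside KMS: %v; Decrypt on a SIGN_VERIFY key refused: %v\n", ok, err != nil)
}
```

Two details carry over directly to the real service: the DER public key from `GetPublicKey` parses with `x509.ParsePKIXPublicKey` exactly as in `parsePublicKey`, and the usage check is the model of the error you get from KMS when a principal invokes Sign on a key whose KeyUsage is ENCRYPT_DECRYPT, which is why the condition keys listed under Learn more let you constrain key usage and algorithms in policy rather than relying on callers to pick correctly.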