AWS KMS now supports Elliptic Curve Diffie-Hellman (ECDH) key agreement

Posted on: Jun 17, 2024

Elliptic Curve Diffie-Hellman (ECDH) key agreement lets two parties establish a shared secret over a public channel. With this new feature, you combine another party's elliptic-curve public key with your own asymmetric KMS key (a NIST-curve key pair with key spec ECC_NIST_P256, ECC_NIST_P384 or ECC_NIST_P521, created with key usage KEY_AGREEMENT) to derive the shared secret inside the security boundary of the FIPS 140-2 validated AWS Key Management Service (KMS) hardware security modules (HSMs); the private key never leaves the HSM. KMS returns the raw shared secret, which is not itself a usable key: run it through a key derivation function (for example HKDF) to obtain a symmetric key, then encrypt and decrypt data between the two parties with a symmetric algorithm such as AES-GCM within your application.

You can use this feature directly in your own applications by calling the DeriveSharedSecret KMS API, passing the ID of your KEY_AGREEMENT key, the ECDH key agreement algorithm, and the other party's public key in DER-encoded X.509 SubjectPublicKeyInfo format (the format GetPublicKey returns, so the other party can itself be another KMS key). Alternatively, use the latest version of the AWS Encryption SDK, which adds an ECDH keyring: it provides a simple interface for encrypting and decrypting data with the agreed secret and handles the key derivation and encryption for you. Note that the shared secret DeriveSharedSecret returns in a plain response is raw key material your application must protect; when the caller runs inside an AWS Nitro Enclave, pass the enclave's attestation document in the Recipient parameter and KMS instead returns the secret encrypted to the enclave's public key, so only that enclave can recover it. ECDH key agreement is therefore a useful building block for hybrid encryption schemes and for seeding a secret into remote devices and isolated compute environments such as Nitro Enclaves.

This new feature is available in all AWS Regions, including the AWS GovCloud (US) Regions. To learn more about this new capability, see DeriveSharedSecret KMS API in the AWS KMS API Reference.