How do I import my keys into AWS Key Management Service?

Last updated: 2019-07-09

I want to use my 256-bit symmetric keys with AWS services. How can I import my key material into AWS Key Management Service (AWS KMS)?

Resolution

AWS KMS allows you to import your key material into a customer master key (CMK) for use with AWS services integrated with AWS KMS.

Follow these steps to import your key material into AWS KMS:

1.    Create a CMK with no key material. Note your CMK's key ID.

Note: For Define Key Administrative Permissions and Define Key Usage Permissions, it's a best practice to separate the key administrator and key user roles to limit the impact if either credential is exposed.

2.    Open a terminal on your local machine or Amazon Elastic Compute Cloud (Amazon EC2) instance with OpenSSL installed.

3.    Run this command to generate a 256-bit symmetric key:

openssl rand -out PlaintextKeyMaterial.bin 32

4.    Run this AWS Command Line Interface (AWS CLI) command to get the parameters for the import (the public wrapping key and the import token):

Note: The command stores the public key and import token parameters in a single variable.

export KEY=$(aws kms --region eu-west-2 get-parameters-for-import --key-id example1-2345-67ab-9123-456789abcdef --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 --query '{Key:PublicKey,Token:ImportToken}' --output text)

5.    Run these commands to place the public key and import token into separate base64-encoded files:

echo $KEY | awk '{print $1}' > PublicKey.b64
echo $KEY | awk '{print $2}' > ImportToken.b64

6.    Run these commands to convert the base64-encoded files into binary files for import:

openssl enc -d -base64 -A -in PublicKey.b64 -out PublicKey.bin
openssl enc -d -base64 -A -in ImportToken.b64 -out ImportToken.bin

7.    Run this command to encrypt the key material with the public key that was converted to a binary file:

openssl pkeyutl -in PlaintextKeyMaterial.bin -out EncryptedKeyMaterial.bin -inkey PublicKey.bin -keyform DER -pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

8.    Run this command to import the encrypted key material into AWS KMS:

Note: This example specifies that the key material doesn't expire, but you can choose to set an expiration date for your key material. For more information, see ExpirationModel.

aws kms --region eu-west-2 import-key-material --key-id example1-2345-67ab-9123-456789abcdef --encrypted-key-material fileb://EncryptedKeyMaterial.bin --import-token fileb://ImportToken.bin --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

9.    Verify that the imported key status is set to Enabled by reviewing the key in the IAM console, or by running the DescribeKey API action.
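The local half of the procedure above (steps 3, 5, 6 and 7) is easy to get subtly wrong: a key that is not exactly 32 bytes, or a public key or import token that was never base64-decoded, only surfaces as an opaque error from import-key-material. The following shell functions, added here as an example and not taken from the AWS article, perform those steps with a size check on the plaintext key material before it is wrapped. They assume OpenSSL 1.1 or later and the same wrapping parameters the article uses (RSA_2048 wrapping key in DER form, RSAES_OAEP_SHA_256); the function names are this example's own, and the file names follow the article.

```shell
#!/bin/sh
# Added example, not from the AWS article. Helper functions for the local steps
# of the KMS key-material import: generate, split/decode the import parameters,
# check the key size and wrap the key with RSAES_OAEP_SHA_256.
# Assumes OpenSSL 1.1+ on PATH and an RSA_2048 DER wrapping public key.
set -eu

# Step 3: generate 256-bit (32-byte) symmetric key material into the given file.
generate_key_material() {
  openssl rand -out "$1" 32
}

# Steps 5 and 6: `--query '{Key:PublicKey,Token:ImportToken}' --output text`
# prints "<PublicKey-base64> <ImportToken-base64>" on one line. Split the two
# fields and decode each into the binary form the later commands expect.
split_import_params() {
  params="$1"; pubkey_out="$2"; token_out="$3"
  printf '%s\n' "$params" | awk '{printf "%s", $1}' \
    | openssl enc -d -base64 -A -out "$pubkey_out"
  printf '%s\n' "$params" | awk '{printf "%s", $2}' \
    | openssl enc -d -base64 -A -out "$token_out"
}

# Byte count of a file, the same check the troubleshooting section does with
# `wc -c`; `tr` strips the padding some wc implementations print.
file_size() {
  wc -c < "$1" | tr -d ' '
}

# Preflight: a symmetric CMK only accepts 256-bit key material. Returns 0 when
# the plaintext file is exactly 32 bytes, 1 otherwise.
check_key_material_size() {
  [ "$(file_size "$1")" -eq 32 ]
}

# Step 7: wrap the plaintext key under the DER public key with OAEP/SHA-256.
# Refuses to wrap key material of the wrong size so the problem is caught
# locally rather than at import time.
wrap_key_material() {
  plaintext="$1"; pubkey_der="$2"; out="$3"
  check_key_material_size "$plaintext" || {
    echo "key material in $plaintext must be exactly 32 bytes" >&2
    return 1
  }
  openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$pubkey_der" \
    -in "$plaintext" -out "$out" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
}
```

Typical use after step 4: `split_import_params "$KEY" PublicKey.bin ImportToken.bin`, then `generate_key_material PlaintextKeyMaterial.bin` and `wrap_key_material PlaintextKeyMaterial.bin PublicKey.bin EncryptedKeyMaterial.bin`, and finally the import-key-material command from step 8 unchanged. Keep PlaintextKeyMaterial.bin off shared storage and delete it once the import succeeds; KMS never returns imported key material.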

If you can't import your key, check for one of the following causes:

  • You waited longer than 24 hours and the import token has expired. Resolve this by downloading the wrapping key and import token again and re-encrypting the key material.
  • Your key material is not a 256-bit symmetric key. Verify that the file size of the encrypted key material is 32 bytes. Run one of the following commands to check the file size:

Linux

wc -c <filename>.bin

Windows

dir <filename>.bin
