Patrick shows you how to import key material into AWS Key Management Service


I want to use my 256-bit symmetric keys with AWS services. How can I import my key material in AWS Key Management Service (KMS)?

AWS KMS allows you to import your key material into a customer master key (CMK) for use with AWS services that are integrated with AWS KMS.

Follow these steps to import your key material in AWS KMS:

1.    Create a CMK for external key material. Be sure to note your CMK's key ID for reference in later steps.

Note: For Define Key Administrative Permissions and Define Key Usage Permissions, we recommend that you separate the key administrator and key user roles to limit the impact if either credential is exposed.

2.    Open a terminal with OpenSSL installed.

3.    Run this command to generate a 256-bit symmetric key:  

openssl rand -out PlaintextKeyMaterial.bin 32

4.    Run these AWS Command Line Interface (AWS CLI) commands to describe the key and get the parameters for the import:

Note: The command stores the public key and import token parameters in the KEY variable.

export KEY=`aws kms --region eu-west-2 get-parameters-for-import --key-id example1-2345-67ab-9123-456789abcdef --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 --query '{Key:PublicKey,Token:ImportToken}' --output text`

5.    Run these commands to place the public key and import token into separate Base64-encoded files:

echo $KEY | awk '{print $1}' > PublicKey.b64
echo $KEY | awk '{print $2}' > ImportToken.b64

6.    Run these commands to convert the Base64-encoded files into binary files for import:

openssl enc -d -base64 -A -in PublicKey.b64 -out PublicKey.bin
openssl enc -d -base64 -A -in ImportToken.b64 -out ImportToken.bin

7.    Run this command to encrypt the key material with the public key that was converted to a binary file:

openssl pkeyutl -in PlaintextKeyMaterial.bin -out EncryptedKeyMaterial.bin -inkey PublicKey.bin -keyform DER -pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

8.    Run this command to import the encrypted key material in AWS KMS:

Note: This example specifies that the key material doesn't expire, but you can choose to set an expiration date for your key material. For more information, see ExpirationModel.

aws kms --region eu-west-2 import-key-material --key-id example1-2345-67ab-9123-456789abcdef --encrypted-key-material fileb://EncryptedKeyMaterial.bin --import-token fileb://ImportToken.bin --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

After you import the key, you can check whether its status is set to Enabled by reviewing the key in the IAM console, or by running the DescribeKey API action.

If you can't import your key, check for the following potential causes:

  • You might have waited longer than 24 hours and the import token is expired. Resolve this by downloading the wrapping key and import token again to re-encrypt the key material.
  • Your key material might not be a 256-bit symmetric key. Check the file size of the encrypted key material—it should be 32 bytes. Run one of the following commands to check the file size:


wc -c <filename>.bin


dir <filename>.bin
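
The following is an added example, not part of the original article: a shell wrapper around step 7 that refuses to wrap plaintext key material that is not exactly 32 bytes (the second cause listed above), plus a local round-trip self-test of the OAEP parameters. The function names, file names and the throwaway RSA key pair that stands in for the KMS wrapping key are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Function and file names
# are hypothetical.

# OAEP settings from step 7; they must match RSAES_OAEP_SHA_256 from step 4.
OAEP_OPTS="-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256"

# wrap_key_material PLAINTEXT PUBKEY_DER OUT
# Returns 1 if PLAINTEXT is not exactly 32 bytes, 2 if the wrap itself fails.
wrap_key_material() {
    pt=$1; pub=$2; out=$3
    size=$(wc -c < "$pt" 2>/dev/null | tr -d ' ')
    if [ "${size:-0}" -ne 32 ]; then
        echo "refusing to wrap: $pt is ${size:-0} bytes, expected 32" >&2
        return 1
    fi
    # Word splitting of $OAEP_OPTS is intentional.
    openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$pub" \
        -in "$pt" -out "$out" $OAEP_OPTS || return 2
}

# selftest_wrap: wrap and unwrap with a throwaway local RSA-2048 key pair.
# The real KMS private key never leaves KMS, so this only proves that the
# local OpenSSL build and the OAEP options round-trip correctly.
selftest_wrap() {
    dir=$(mktemp -d) || return 1
    (
        umask 077                 # plaintext key files readable by owner only
        cd "$dir" || exit 1
        openssl rand -out pt.bin 32 || exit 1
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out priv.pem 2>/dev/null || exit 1
        openssl pkey -in priv.pem -pubout -outform DER -out pub.der || exit 1
        wrap_key_material pt.bin pub.der ct.bin || exit 1
        openssl pkeyutl -decrypt -inkey priv.pem -in ct.bin -out rt.bin \
            $OAEP_OPTS || exit 1
        cmp -s pt.bin rt.bin      # unwrapped bytes must equal the original
    )
    rc=$?
    rm -rf "$dir"                 # remove all key files created by the test
    return $rc
}
```

In the real procedure, call `wrap_key_material PlaintextKeyMaterial.bin PublicKey.bin EncryptedKeyMaterial.bin` in place of the bare command in step 7.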


Published: 2018-05-31