AWS Key Management Service
Developer Guide

Importing Key Material Step 3: Encrypt the Key Material

After you download the public key and import token, you use the public key to encrypt your key material. Typically, you encrypt your key material when exporting it from your hardware security module (HSM) or key management system. For information about how to do this, see the documentation for your HSM or key management system. You can also refer to the following section that provides a proof of concept demonstration using OpenSSL. When you encrypt your key material, use the RSA PKCS #1 encryption scheme with the padding option that you specified when you downloaded the public key and import token (RSAES_OAEP_SHA_256, RSAES_OAEP_SHA_1, or RSAES_PKCS1_V1_5).

Encrypt Key Material with OpenSSL

The following example demonstrates how to use OpenSSL to generate a 256-bit symmetric key and then encrypt this key material for import into a KMS customer master key (CMK).

Important

This example is a proof of concept demonstration only. For production systems, use a more secure method (such as a commercial HSM or key management system) to generate and store your key material.

To use OpenSSL to generate key material and encrypt it for import into AWS KMS

  1. Use the following command to generate a 256-bit symmetric key and save it in a file named PlaintextKeyMaterial.bin.

    $ openssl rand -out PlaintextKeyMaterial.bin 32
  2. Use the following command to encrypt the key material with the public key that you downloaded previously (see Download the Public Key and Import Token (AWS KMS API)) and save it in a file named EncryptedKeyMaterial.bin. Replace PublicKey.bin with the name of the file that contains the public key. If you downloaded the public key from the console, this file is named wrappingKey_CMK_key_ID_timestamp (for example, wrappingKey_f44c4e20-f83c-48f4-adc6-a1ef38829760_0809092909).

    $ openssl rsautl -encrypt \
        -in PlaintextKeyMaterial.bin \
        -oaep \
        -inkey PublicKey.bin \
        -keyform DER \
        -pubin \
        -out EncryptedKeyMaterial.bin

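The following POSIX shell script is an added example, not part of the AWS guide, that performs the same two steps with openssl pkeyutl so the OAEP digest can be chosen to match the wrapping algorithm selected in Step 2; rsautl -oaep as used above always applies SHA-1 OAEP and so only matches RSAES_OAEP_SHA_1. It assumes OpenSSL 1.1 or later and that PublicKey.bin is the DER-encoded public key downloaded from KMS.

```shell
#!/bin/sh
# Added example, not from the AWS guide: generate 256-bit key material and
# wrap it with the KMS public key using the padding that matches the
# wrapping algorithm chosen when the public key and import token were
# downloaded. Assumes openssl 1.1+ (pkeyutl with rsa_oaep_md/rsa_mgf1_md)
# and a DER-encoded public key file such as PublicKey.bin.
set -eu

# Map a KMS wrapping algorithm name to openssl pkeyutl padding options.
# Caveat: "rsautl -oaep" is always SHA-1 OAEP, so it only matches
# RSAES_OAEP_SHA_1; pkeyutl lets us pick the OAEP and MGF1 digests.
kms_wrap_opts() {
  case "$1" in
    RSAES_OAEP_SHA_256)
      echo "-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256" ;;
    RSAES_OAEP_SHA_1)
      echo "-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 -pkeyopt rsa_mgf1_md:sha1" ;;
    RSAES_PKCS1_V1_5)
      echo "-pkeyopt rsa_padding_mode:pkcs1" ;;
    *)
      echo "unsupported wrapping algorithm: $1" >&2
      return 1 ;;
  esac
}

# Generate the key material: exactly 32 random bytes (a 256-bit AES key),
# which is the only length KMS accepts for a symmetric CMK.
generate_key_material() {
  openssl rand -out "$1" 32
  [ "$(wc -c < "$1")" -eq 32 ]
}

# Encrypt key material with the downloaded public key.
# $1 = wrapping algorithm, $2 = public key (DER), $3 = plaintext, $4 = output
encrypt_key_material() {
  # $(...) is intentionally unquoted so the options split into words
  openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$2" \
    -in "$3" -out "$4" $(kms_wrap_opts "$1")
}

# Usage: sh wrap_key.sh RSAES_OAEP_SHA_256 [PublicKey.bin]
if [ "$#" -gt 0 ]; then
  generate_key_material PlaintextKeyMaterial.bin
  encrypt_key_material "$1" "${2:-PublicKey.bin}" \
    PlaintextKeyMaterial.bin EncryptedKeyMaterial.bin
  echo "wrote EncryptedKeyMaterial.bin ($(wc -c < EncryptedKeyMaterial.bin) bytes)"
fi
```

The ciphertext is always exactly the RSA modulus length (256 bytes for a 2048-bit wrapping key), so a different size indicates the wrong key file or key format.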
Proceed to Step 4: Import the Key Material.