Asymmetric keys in AWS KMS
AWS KMS supports asymmetric KMS keys that represent a mathematically related RSA, elliptic curve (ECC), or SM2 (China Regions only) public and private key pair. These key pairs are generated in AWS KMS hardware security modules certified under the FIPS 140-2 Cryptographic Module Validation Program.
You can create and manage the asymmetric KMS keys in your AWS account, including setting the key policies, IAM policies, and grants that control access to the keys, enabling and disabling the KMS keys, creating tags and aliases, and deleting the KMS keys. You can audit all operations that use or manage your asymmetric KMS keys within AWS in AWS CloudTrail logs.
AWS KMS also provides asymmetric data key pairs that are designed to be used for client-side cryptography outside of AWS KMS. The private key in an asymmetric data key pair is protected by a symmetric encryption KMS key in AWS KMS.
This topic explains how asymmetric KMS keys work, how they differ from other KMS keys and how to decide which type of KMS key you need to protect your data. It also explains how asymmetric data key pairs work and how to use them outside of AWS KMS.
Regions
Asymmetric KMS keys and asymmetric data key pairs are supported in all AWS Regions that AWS KMS supports.
Learn more
- To create asymmetric KMS keys, see Creating asymmetric KMS keys. To create symmetric encryption KMS keys, see Creating keys.
- To create multi-Region asymmetric KMS keys, see Creating multi-Region keys.
- To find out whether a KMS key is symmetric or asymmetric, see Identifying asymmetric KMS keys.
- For a table that compares the AWS KMS API operations that apply to each type of KMS key, see Key type reference.
- To control access to the key specs, key usage, encryption algorithms, and signing algorithms that principals in your account can use for KMS keys and data keys, see AWS KMS condition keys.
- To learn about the request quotas that apply to different types of KMS keys, see Request quotas.
- To learn how to sign messages and verify signatures with asymmetric KMS keys, see Digital signing with the new asymmetric keys feature of AWS KMS in the AWS Security Blog.
Asymmetric KMS keys
You can create an asymmetric KMS key in AWS KMS. An asymmetric KMS key represents a mathematically related public key and private key pair. You can give the public key to anyone, even if they're not trusted, but the private key must be kept secret.
In an asymmetric KMS key, the private key is created in AWS KMS and never leaves AWS KMS unencrypted. To use the private key, you must call AWS KMS. You can use the public key within AWS KMS by calling the AWS KMS API operations. Or, you can download the public key and use it outside of AWS KMS.
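The split described above (private key usable only through AWS KMS, public key downloadable and usable anywhere) is illustrated below with an added example that is not part of this documentation or of any AWS SDK. A local RSA key stands in for the KMS-held private key, so the block runs offline; in a real deployment the `Sign` and `GetPublicKey` methods correspond to the AWS KMS Sign and GetPublicKey API operations, while `VerifyOutsideAWS` needs no AWS credentials at all.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// KMSStandIn plays the role of AWS KMS for this example: it holds the private
// key, which in real KMS never leaves the HSM unencrypted. Only the operations
// KMS would expose (Sign, GetPublicKey) are reachable from outside.
type KMSStandIn struct{ priv *rsa.PrivateKey }

// NewKMSStandIn is a local stand-in for creating an RSA_2048 signing KMS key.
func NewKMSStandIn() (*KMSStandIn, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KMSStandIn{priv: priv}, nil
}

// GetPublicKey mirrors the KMS GetPublicKey response: DER-encoded
// SubjectPublicKeyInfo, which any standard library can parse.
func (k *KMSStandIn) GetPublicKey() ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&k.priv.PublicKey)
}

// Sign mirrors a KMS Sign request with SigningAlgorithm RSASSA_PKCS1_V1_5_SHA_256
// and MessageType DIGEST: the caller hashes the message, KMS signs the digest.
func (k *KMSStandIn) Sign(digest [32]byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, k.priv, crypto.SHA256, digest[:])
}

// VerifyOutsideAWS checks a signature using only the downloaded public key;
// no call to AWS KMS (and no AWS credentials) is needed. It returns nil when
// the signature is valid for the message.
func VerifyOutsideAWS(pubDER, message, sig []byte) error {
	key, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return err
	}
	rsaPub, ok := key.(*rsa.PublicKey)
	if !ok {
		return errors.New("public key is not an RSA key")
	}
	digest := sha256.Sum256(message)
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], sig)
}

func main() {
	kms, _ := NewKMSStandIn()
	msg := []byte("constructed sample message") // constructed input
	sig, _ := kms.Sign(sha256.Sum256(msg))
	pub, _ := kms.GetPublicKey()
	fmt.Println("valid:", VerifyOutsideAWS(pub, msg, sig) == nil)
	fmt.Println("tampered:", VerifyOutsideAWS(pub, []byte("other"), sig) == nil)
}
```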
If your use case requires encryption outside of AWS by users who cannot call AWS KMS, asymmetric KMS keys are a good choice. However, if you are creating a KMS key to encrypt the data that you store or manage in an AWS service, use a symmetric encryption KMS key.
AWS services that are integrated with AWS KMS
AWS KMS supports three types of asymmetric KMS keys.
- RSA KMS keys: A KMS key with an RSA key pair for encryption and decryption or signing and verification (but not both). AWS KMS supports several key lengths for different security requirements.
- Elliptic Curve (ECC) KMS keys: A KMS key with an elliptic curve key pair for signing and verification or deriving shared secrets (but not both). AWS KMS supports several commonly used curves.
- SM2 KMS keys (China Regions only): A KMS key with an SM2 key pair for encryption and decryption, signing and verification, or deriving shared secrets (you must choose one key usage type).
For help choosing your asymmetric key configuration, see Choosing a KMS key type. For technical details about the encryption and signing algorithms that AWS KMS supports for RSA KMS keys, see RSA key specs. For technical details about the signing algorithms that AWS KMS supports for ECC KMS keys, see Elliptic curve key specs. For technical details about the encryption and signing algorithms that AWS KMS supports for SM2 KMS keys (China Regions only), see SM2 key spec.
For a table comparing the operations that you can perform on symmetric and asymmetric KMS keys, see Comparing Symmetric and Asymmetric KMS keys. For help determining whether a KMS key is symmetric or asymmetric, see Identifying asymmetric KMS keys.