Key

Metadata about an AWS Payment Cryptography key.

Contents

CreateTimestamp

The date and time when the key was created.

Type: Timestamp

Required: Yes

Enabled

Specifies whether the key is enabled.

Type: Boolean

Required: Yes

Exportable

Specifies whether the key is exportable. This data is immutable after the key is created.

Type: Boolean

Required: Yes

KeyArn

The Amazon Resource Name (ARN) of the key.

Type: String

Length Constraints: Minimum length of 70. Maximum length of 150.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:key/[0-9a-zA-Z]{16,64}

Required: Yes

KeyAttributes

The role of the key, the algorithm it supports, and the cryptographic operations allowed with the key. This data is immutable after the key is created.

Type: KeyAttributes object

Required: Yes

KeyCheckValue

The key check value (KCV) is used to check if all parties holding a given key have the same key or to detect that a key has changed.

Type: String

Length Constraints: Minimum length of 4. Maximum length of 16.

Pattern: [0-9a-fA-F]+

Required: Yes

KeyCheckValueAlgorithm

The algorithm that AWS Payment Cryptography uses to calculate the key check value (KCV). It is used to validate the key integrity.

For TDES keys, the KCV is computed by encrypting 8 bytes, each with value of zero, with the key to be checked and retaining the 3 highest order bytes of the encrypted result. For AES keys, the KCV is computed using a CMAC algorithm where the input data is 16 bytes of zero and retaining the 3 highest order bytes of the encrypted result.

Type: String

Valid Values: CMAC | ANSI_X9_24 | HMAC | SHA_1

Required: Yes

KeyOrigin

The source of the key material. For keys created within AWS Payment Cryptography, the value is AWS_PAYMENT_CRYPTOGRAPHY. For keys imported into AWS Payment Cryptography, the value is EXTERNAL.

Type: String

Valid Values: EXTERNAL | AWS_PAYMENT_CRYPTOGRAPHY

Required: Yes

KeyState

The state of key that is being created or deleted.

Type: String

Valid Values: CREATE_IN_PROGRESS | CREATE_COMPLETE | DELETE_PENDING | DELETE_COMPLETE

Required: Yes

DeletePendingTimestamp

The date and time after which AWS Payment Cryptography will delete the key. This value is present only when KeyState is DELETE_PENDING and the key is scheduled for deletion.

Type: Timestamp

Required: No

DeleteTimestamp

The date and time after which AWS Payment Cryptography will delete the key. This value is present only when when the KeyState is DELETE_COMPLETE and the AWS Payment Cryptography key is deleted.

Type: Timestamp

Required: No

DeriveKeyUsage

The cryptographic usage of an ECDH derived key as defined in section A.5.2 of the TR-31 spec.

Type: String

Valid Values: TR31_B0_BASE_DERIVATION_KEY | TR31_C0_CARD_VERIFICATION_KEY | TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY | TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS | TR31_E1_EMV_MKEY_CONFIDENTIALITY | TR31_E2_EMV_MKEY_INTEGRITY | TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS | TR31_E5_EMV_MKEY_CARD_PERSONALIZATION | TR31_E6_EMV_MKEY_OTHER | TR31_K0_KEY_ENCRYPTION_KEY | TR31_K1_KEY_BLOCK_PROTECTION_KEY | TR31_M3_ISO_9797_3_MAC_KEY | TR31_M1_ISO_9797_1_MAC_KEY | TR31_M6_ISO_9797_5_CMAC_KEY | TR31_M7_HMAC_KEY | TR31_P0_PIN_ENCRYPTION_KEY | TR31_P1_PIN_GENERATION_KEY | TR31_V1_IBM3624_PIN_VERIFICATION_KEY | TR31_V2_VISA_PIN_VERIFICATION_KEY

Required: No

MultiRegionKeyType

Indicates whether this key is a Multi-Region key and its role in the Multi-Region key hierarchy.

Multi-Region replication keys allow the same key material to be used across multiple AWS Regions. This field specifies whether the key is a Primary Region key (PRK) (which can be replicated to other AWS Regions) or a Replica Region key (RRK) (which is a copy of a PRK in another Region). For more information, see Multi-Region key replication.

Type: String

Valid Values: PRIMARY | REPLICA

Required: No

PrimaryRegion

An AWS Region identifier in the standard format (e.g., us-east-1, eu-west-1).

Used to specify regions for key replication operations. The region must be a valid AWS Region where AWS Payment Cryptography is available.

Type: String

Pattern: [a-z]{2}-[a-z]{1,16}-[0-9]+

Required: No

ReplicationStatus

Information about the replication status of the key across different AWS Regions.

This field provides details about the current state of key replication, including any status messages or operational information. It helps track the progress and health of key replication operations.

Type: String to ReplicationStatusType object map

Key Pattern: [a-z]{2}-[a-z]{1,16}-[0-9]+

Required: No

UsageStartTimestamp

The date and time after which AWS Payment Cryptography will start using the key material for cryptographic operations.

Type: Timestamp

Required: No

UsageStopTimestamp

The date and time after which AWS Payment Cryptography will stop using the key material for cryptographic operations.

Type: Timestamp

Required: No

UsingDefaultReplicationRegions

Indicates whether this key is using the account's default replication regions configuration for Multi-Region key replication.

When set to true, the key automatically replicates to the regions specified in the account's default replication settings. When set to false, the key has a custom replication configuration that overrides the account defaults.

Type: Boolean

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++

• AWS SDK for Java V2

• AWS SDK for Ruby V3