Asymmetric keys in AWS KMS - AWS Key Management Service

Asymmetric keys in AWS KMS

AWS KMS supports asymmetric KMS keys that represent a mathematically related RSA, elliptic curve (ECC), or SM2 (China Regions only) public and private key pair. These key pairs are generated in AWS KMS hardware security modules certified under the FIPS 140-2 Cryptographic Module Validation Program, except in the China (Beijing) and China (Ningxia) Regions. The private key never leaves the AWS KMS HSMs unencrypted. You can download the public key for distribution and use outside of AWS. You can create asymmetric KMS keys for encryption and decryption, or signing and verification, but not both.

You can create and manage the asymmetric KMS keys in your AWS account, including setting the key policies, IAM policies, and grants that control access to the keys, enabling and disabling the KMS keys, creating tags and aliases, and deleting the KMS keys. You can audit all operations that use or manage your asymmetric KMS keys within AWS in AWS CloudTrail logs.

AWS KMS also provides asymmetric data key pairs that are designed to be used for client-side cryptography outside of AWS KMS. The private key in an asymmetric data key pair is protected by a symmetric encryption KMS key in AWS KMS: the response carries the public key, a plaintext copy of the private key (omitted if you request the key pair without plaintext), and a copy of the private key encrypted under that KMS key. You store only the encrypted copy and call AWS KMS to decrypt it when you need to use the private key.

This topic explains how asymmetric KMS keys work, how they differ from other KMS keys and how to decide which type of KMS key you need to protect your data. It also explains how asymmetric data key pairs work and how to use them outside of AWS KMS.

Regions

Asymmetric KMS keys and asymmetric data key pairs are supported in all AWS Regions that AWS KMS supports.

Asymmetric KMS keys

You can create an asymmetric KMS key in AWS KMS. An asymmetric KMS key represents a mathematically related public key and private key pair. You can give the public key to anyone, even if they're not trusted, but the private key must be kept secret.

In an asymmetric KMS key, the private key is created in AWS KMS and never leaves AWS KMS unencrypted. To use the private key (to decrypt or to sign), you must call AWS KMS. You can use the public key within AWS KMS by calling the AWS KMS API operations, such as Encrypt or Verify. Or, you can download the public key with the GetPublicKey operation and use it outside of AWS KMS with any standard cryptographic library.

If your use case requires encryption outside of AWS by users who cannot call AWS KMS, asymmetric KMS keys are a good choice: those users encrypt with the downloaded public key, and only a principal that is allowed to call Decrypt on the KMS key can recover the plaintext. However, if you are creating a KMS key to encrypt the data that you store or manage in an AWS service, use a symmetric encryption KMS key. AWS services that are integrated with AWS KMS use only symmetric encryption KMS keys to encrypt your data. These services do not support encryption with asymmetric KMS keys.
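The following Go program is an added example, not code from the AWS documentation or the AWS SDK. It models the two points made above: the private half of an asymmetric data key pair is only ever handled encrypted under a symmetric KMS key and is unwrapped at the moment of use, while the public half can be verified against by a party that cannot call AWS KMS at all. The KMS calls are replaced by local stand-ins (an AES-256-GCM AEAD plays the symmetric encryption KMS key; generateDataKeyPair and decryptPrivateKey are assumed names that play GenerateDataKeyPair and Decrypt). What is faithful to KMS is the data shapes: the public key is DER-encoded SubjectPublicKeyInfo, the private key is DER-encoded PKCS#8, and ECDSA_SHA_256 signatures are ASN.1 DER encoded, so verifyMessage would work unchanged on a public key fetched with GetPublicKey and a signature produced by Sign.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// newFakeKMS returns an AES-256-GCM AEAD that stands in for the symmetric
// encryption KMS key (an assumption of this example, not the AWS SDK).
func newFakeKMS() (cipher.AEAD, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}

// generateDataKeyPair mimics kms:GenerateDataKeyPair with key pair spec
// ECC_NIST_P256. It returns the DER (SPKI) public key and the PKCS#8 private
// key wrapped as nonce||ciphertext, which play the PublicKey and
// PrivateKeyCiphertextBlob response fields. The plaintext never leaves "KMS".
func generateDataKeyPair(kms cipher.AEAD) ([]byte, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pkcs8, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	spki, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, kms.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return spki, kms.Seal(nonce, nonce, pkcs8, nil), nil
}

// decryptPrivateKey mimics kms:Decrypt on the blob. A different KMS key or a
// tampered blob fails GCM authentication instead of yielding garbage key bytes.
func decryptPrivateKey(kms cipher.AEAD, blob []byte) ([]byte, error) {
	n := kms.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return kms.Open(nil, blob[:n], blob[n:], nil)
}

// signMessage is the client-side step: parse the unwrapped key, sign with
// ECDSA over SHA-256 (KMS algorithm ECDSA_SHA_256; like KMS, the signature is
// ASN.1 DER), then zero the plaintext key bytes on a best-effort basis.
func signMessage(pkcs8, msg []byte) ([]byte, error) {
	key, err := x509.ParsePKCS8PrivateKey(pkcs8)
	if err != nil {
		return nil, err
	}
	ec, ok := key.(*ecdsa.PrivateKey)
	if !ok {
		return nil, errors.New("not an ECDSA private key")
	}
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, ec, digest[:])
	for i := range pkcs8 { // best-effort zeroisation; Go gives no guarantee
		pkcs8[i] = 0
	}
	return sig, err
}

// verifyMessage needs nothing from AWS, only the distributed public key,
// which is all a party that cannot call KMS will have.
func verifyMessage(spki, msg, sig []byte) (bool, error) {
	pub, err := x509.ParsePKIXPublicKey(spki)
	if err != nil {
		return false, err
	}
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("not an ECDSA public key")
	}
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(ec, digest[:], sig), nil
}
```

The flow is newFakeKMS, generateDataKeyPair, decryptPrivateKey just before signing, signMessage, and then verifyMessage on any machine holding only the public key. Two failure modes worth noticing: decryptPrivateKey under a different AEAD (a different KMS key, or a blob tampered in storage) returns an authentication error rather than a wrong key, and a signature verifies only for the exact message bytes it was computed over.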

AWS KMS supports three types of asymmetric KMS keys.

  • RSA KMS keys: A KMS key with an RSA key pair for encryption and decryption or signing and verification (but not both). AWS KMS supports several key lengths for different security requirements (the RSA_2048, RSA_3072 and RSA_4096 key specs).

  • Elliptic Curve (ECC) KMS keys: A KMS key with an elliptic curve key pair for signing and verification. AWS KMS supports several commonly-used curves (the ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521 and ECC_SECG_P256K1 key specs).

  • SM2 KMS keys (China Regions only): A KMS key with an SM2 key pair for encryption and decryption or signing and verification (but not both).
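The RSA encryption case from the list above, as an added example that is not part of the AWS documentation or SDK: a party holding only the public key (as returned by GetPublicKey, DER SubjectPublicKeyInfo) encrypts with RSAES_OAEP_SHA_256, which is OAEP with SHA-256 as both the hash and the MGF1 hash, and only the KMS side can decrypt. The rsaKMSKey type, newRSAKMSKey and encryptOutsideAWS are local stand-ins assumed for the example; the RSA-2048 private key is generated in-process in place of the HSM. The point a practitioner needs is the size limit: an RSA_2048 key with this algorithm can encrypt at most 190 bytes, so anything larger must be enveloped under a symmetric data key rather than encrypted directly.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// rsaKMSKey is a local stand-in for an RSA_2048 KMS key with key usage
// ENCRYPT_DECRYPT (an assumption of this example, not the AWS SDK). Only the
// public half is ever exported; Decrypt is the "inside KMS" step.
type rsaKMSKey struct{ priv *rsa.PrivateKey }

func newRSAKMSKey() (*rsaKMSKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &rsaKMSKey{priv: priv}, nil
}

// GetPublicKey mirrors kms:GetPublicKey: the DER-encoded SubjectPublicKeyInfo.
func (k *rsaKMSKey) GetPublicKey() ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&k.priv.PublicKey)
}

// Decrypt mirrors kms:Decrypt with EncryptionAlgorithm RSAES_OAEP_SHA_256:
// OAEP with SHA-256 for both the hash and MGF1, and no label.
func (k *rsaKMSKey) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, k.priv, ct, nil)
}

// maxPlaintext is the OAEP limit, modulus bytes - 2*hash - 2, which is
// 190 bytes for RSA_2048 with SHA-256 (256 - 64 - 2).
func maxPlaintext(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// encryptOutsideAWS is what a party with only the public key can do: it needs
// no AWS credentials and no network path to KMS. The explicit length check
// turns the library's generic "message too long" into an actionable error.
func encryptOutsideAWS(spki, plaintext []byte) ([]byte, error) {
	key, err := x509.ParsePKIXPublicKey(spki)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("public key is not RSA")
	}
	if len(plaintext) > maxPlaintext(pub) {
		return nil, errors.New("plaintext exceeds RSAES_OAEP_SHA_256 limit; encrypt a data key instead")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}
```

In practice the 190-byte budget is spent on a symmetric data key, and the bulk data is encrypted under that key client-side; the ciphertext of the data key is what travels to a principal allowed to call Decrypt on the KMS key.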

For help choosing your asymmetric key configuration, see Choosing a KMS key type. For technical details about the encryption and signing algorithms that AWS KMS supports for RSA KMS keys, see RSA key specs. For technical details about the signing algorithms that AWS KMS supports for ECC KMS keys, see Elliptic curve key specs. For technical details about the encryption and signing algorithms that AWS KMS supports for SM2 KMS keys (China Regions only), see SM2 key spec.

For a table comparing the operations that you can perform on symmetric and asymmetric KMS keys, see Comparing Symmetric and Asymmetric KMS keys. For help determining whether a KMS key is symmetric or asymmetric (the KeySpec and KeyUsage fields that DescribeKey returns tell you the key type and whether the key encrypts or signs), see Identifying asymmetric KMS keys.
