AWS Key Management Service
Developer Guide

Importing Key Material Step 3: Encrypt the Key Material

After you download the public key and import token, you use the public key to encrypt your key material. The key material must be in binary format.

Typically, you encrypt your key material when you export it from your hardware security module (HSM) or key management system. For information about how to export key material in binary format, see the documentation for your HSM or key management system. You can also refer to the following section that provides a proof of concept demonstration using OpenSSL.

When you encrypt your key material, use the encryption scheme with the padding option that you specified when you downloaded the public key and import token (RSAES_OAEP_SHA_256, RSAES_OAEP_SHA_1, or RSAES_PKCS1_V1_5).

Example: Encrypt Key Material with OpenSSL

The following example demonstrates how to use OpenSSL to generate a 256-bit symmetric key and then encrypt this key material for import into a KMS customer master key (CMK).


This example is a proof of concept demonstration only. For production systems, use a more secure method (such as a commercial HSM or key management system) to generate and store your key material.

The RSAES_OAEP_SHA_1 encryption algorithm works best with this example. Before running the example, make sure that you used RSAES_OAEP_SHA_1 for the wrapping algorithm in Step 2. If necessary, repeat the step to download and import the public key and token.

To use OpenSSL to generate binary key material and encrypt it for import into AWS KMS

  1. Use the following command to generate a 256-bit symmetric key and save it in a file named PlaintextKeyMaterial.bin.

    $ openssl rand -out PlaintextKeyMaterial.bin 32
  2. Use the following command to encrypt the key material with the public key that you downloaded previously (see Downloading the Public Key and Import Token (KMS API)) and save it in a file named EncryptedKeyMaterial.bin. Replace PublicKey.bin> with the name of the file that contains the public key. If you downloaded the public key from the console, this file is named wrappingKey_CMK_key_ID_timestamp (for example, wrappingKey_f44c4e20-f83c-48f4-adc6-a1ef38829760_0809092909).

    $ openssl rsautl -encrypt \ -in PlaintextKeyMaterial.bin \ -oaep \ -inkey PublicKey.bin \ -keyform DER \ -pubin \ -out EncryptedKeyMaterial.bin

Proceed to Step 4: Import the Key Material.