AWS Key Management Service
Developer Guide

Importing Key Material Step 4: Import the Key Material

After you encrypt your key material, you can import the key material to use with an AWS KMS customer master key (CMK). To import key material, you upload the encrypted key material from Step 3: Encrypt the Key Material and the import token that you downloaded at Step 2: Download the Public Key and Import Token. You must import key material into the same CMK that you specified when you downloaded the public key and import token.

When you import key material, you can optionally specify a time at which the key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. To use the CMK again, you must reimport key material.

After you successfully import key material, the CMK's key state changes to enabled, and you can use the CMK.

To import key material, you can use the AWS Management Console or the AWS KMS API. You can use the API directly by making HTTP requests, or through one of the AWS SDKs or command line tools.

Import Key Material (Console)

You can use the AWS Management Console to import key material.

Note

AWS KMS recently introduced a new console that makes it easier for you to organize and manage your KMS resources. It is available in all AWS Regions that AWS KMS supports except for AWS GovCloud (US-East) and AWS GovCloud (US-West). We encourage you to try the new AWS KMS console at https://console.aws.amazon.com/kms.

The original console will remain available for a brief period to give you time to familiarize yourself with the new one. To use the original console, choose Encryption Keys in the IAM console or go to https://console.aws.amazon.com/iam/home?#/encryptionKeys. Please share your feedback by choosing Feedback in either console or in the lower-right corner of this page.

To import key material (new console)
  1. If you are on the Download wrapping key and import token page, skip to Step 7.

  2. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

  3. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  4. In the navigation pane, choose Customer managed keys.

  5. Choose the key ID or alias of the CMK for which you downloaded the public key and import token.

  6. In the Key Material section, choose Upload key material.

    The Key material section appears only when the CMK was created with no key material. These CMKs have an Origin value of EXTERNAL. You cannot import key material into a CMK with any other Origin value. For information about creating CMKs with imported key material, see Importing Key Material in AWS Key Management Service (AWS KMS).

  7. Under Encrypted key material, choose Upload file. Then upload the file that contains your wrapped (encrypted) key material.

  8. Under Import token, choose Upload file. Upload the file that contains the import token that you downloaded.

  9. Under Choose an expiration option, you determine whether the key material expires. To set an expiration date and time, choose Key material expires, and use the calendar to select a date and time.

  10. Choose Finish or Upload key material.

To import key material (original console)
  1. If you just completed the optional final step of downloading the public key and import token with the console, skip to Step 6.

  2. Sign in to the AWS Management Console and go to https://console.aws.amazon.com/iam/home?#/encryptionKeys.

  3. For Region, choose the appropriate AWS Region. Do not use the region selector in the navigation bar (top right corner).

  4. Choose the alias of the CMK for which you downloaded the public key and import token.

  5. In the Key Material section, choose Upload key material.

    The Key material section appears only when the CMK was created with no key material. These CMKs have an Origin value of EXTERNAL. You cannot import key material into a CMK with any other Origin value. For information about creating CMKs with imported key material, see Importing Key Material in AWS Key Management Service (AWS KMS).

  6. In the Specify key material details section, for Encrypted key material, choose the file that contains your encrypted key material. For Import token, choose the file that contains the import token that you downloaded previously.

  7. In the Choose an expiration option section, choose whether the key material expires. If you choose expiration, type a date and a time in the corresponding boxes.

  8. Choose Upload key material.

    To close the window, choose Cancel.

Import Key Material (KMS API)

To use the AWS KMS API to import key material, send an ImportKeyMaterial request. The following example shows how to do this with the AWS CLI.

This example specifies an expiration time for the key material. To import key material with no expiration, replace KEY_MATERIAL_EXPIRES with KEY_MATERIAL_DOES_NOT_EXPIRE and omit the --valid-to parameter.

To use this example:

  1. Replace 1234abcd-12ab-34cd-56ef-1234567890ab with the key ID of the CMK that you used when you downloaded the public key and import token. To identify the CMK, use its key ID or ARN. You cannot use an alias for this operation.

  2. Replace EncryptedKeyMaterial.bin with the name of the file that contains the encrypted key material.

  3. Replace ImportToken.bin with the name of the file that contains the import token.

$ aws kms import-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
    --import-token fileb://ImportToken.bin \
    --expiration-model KEY_MATERIAL_EXPIRES \
    --valid-to 2016-11-08T12:00:00-08:00
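The same ImportKeyMaterial request sent through boto3, as an added example that is not part of the guide: it enforces the rules stated above (key ID or ARN rather than an alias, ValidTo only with KEY_MATERIAL_EXPIRES, an Origin of EXTERNAL) and confirms the CMK's key state is Enabled afterwards. The CMK ID, the two file names and the `kms` client are placeholders supplied by the caller.

```python
"""Added example (not from the AWS guide): ImportKeyMaterial via boto3.
Assumptions: the CMK id, the two file names, and the `kms` client passed
to import_and_verify are placeholders supplied by the caller.
"""
from datetime import datetime, timedelta, timezone
from pathlib import Path

EXPIRES = "KEY_MATERIAL_EXPIRES"
NO_EXPIRY = "KEY_MATERIAL_DOES_NOT_EXPIRE"


def expiry_in(days):
    """Timezone-aware ValidTo value `days` from now (the API needs a UTC offset)."""
    return datetime.now(timezone.utc) + timedelta(days=days)


def build_import_request(key_id, encrypted_key_material, import_token, valid_to=None):
    """Build ImportKeyMaterial parameters, enforcing the rules the guide states:
    identify the CMK by key ID or ARN (never an alias); send ValidTo only
    with KEY_MATERIAL_EXPIRES and omit it with KEY_MATERIAL_DOES_NOT_EXPIRE."""
    if key_id.startswith("alias/") or ":alias/" in key_id:
        raise ValueError("ImportKeyMaterial does not accept an alias; use the key ID or ARN")
    params = {
        "KeyId": key_id,
        "EncryptedKeyMaterial": encrypted_key_material,  # wrapped key from Step 3
        "ImportToken": import_token,                      # token downloaded in Step 2
        "ExpirationModel": NO_EXPIRY,
    }
    if valid_to is not None:
        if valid_to.tzinfo is None:
            raise ValueError("ValidTo must be timezone-aware")
        if valid_to <= datetime.now(timezone.utc):
            raise ValueError("ValidTo already passed; the CMK would be unusable at once")
        params["ExpirationModel"] = EXPIRES
        params["ValidTo"] = valid_to
    return params


def import_and_verify(kms, key_id, material_path, token_path, valid_to=None):
    """Check Origin is EXTERNAL, import, then confirm the CMK became Enabled."""
    origin = kms.describe_key(KeyId=key_id)["KeyMetadata"]["Origin"]
    if origin != "EXTERNAL":
        raise RuntimeError(f"CMK origin is {origin}; only EXTERNAL CMKs accept imports")
    params = build_import_request(
        key_id, Path(material_path).read_bytes(), Path(token_path).read_bytes(), valid_to)
    kms.import_key_material(**params)
    state = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]
    return state == "Enabled"
```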