Importing key material for AWS KMS keys - AWS Key Management Service

Importing key material for AWS KMS keys

You can create an AWS KMS key (KMS key) with key material that you supply.

A KMS key is a logical representation of an encryption key. The metadata for a KMS key includes the ID of key material used to encrypt and decrypt data. When you create a KMS key, by default, AWS KMS generates the key material for that KMS key. But you can create a KMS key without key material and then import your own key material into that KMS key, a feature often known as "bring your own key" (BYOK).

Note

AWS KMS does not support decrypting any AWS KMS ciphertext outside of AWS KMS, even if the ciphertext was encrypted under a KMS key with imported key material. AWS KMS does not publish the ciphertext format this task requires, and the format might change without notice.

Imported key material is supported on all types of KMS keys except for KMS keys in custom key stores. However, in China Regions you can only import symmetric encryption key material into KMS keys.

When you use imported key material, you remain responsible for the key material while allowing AWS KMS to use a copy of it. You might choose to do this for one or more of the following reasons:

  • To prove the key material was generated using a source of entropy that meets your requirements.

  • To use key material from your own infrastructure with AWS services, and to use AWS KMS to manage the lifecycle of that key material within AWS.

  • To use existing, well-established keys in AWS KMS, such as keys for code signing, PKI certificate signing, and certificate-pinned applications.

  • To set an expiration time for the key material in AWS and to manually delete it, but to also make it available again in the future. In contrast, scheduling key deletion requires a waiting period of 7 to 30 days, after which you cannot recover the deleted KMS key.

  • To own the original copy of the key material, and to keep it outside of AWS for additional durability and disaster recovery during the complete lifecycle of the key material.

  • For asymmetric keys and HMAC keys, importing creates compatible and interoperable keys that operate within and outside of AWS.

You can audit and monitor the use and management of a KMS key with imported key material. AWS KMS records an event in your AWS CloudTrail log when you create the KMS key, download the wrapping public key and import token, and import the key material. AWS KMS also records an event when you manually delete imported key material or when AWS KMS deletes expired key material.

For information about important differences between KMS keys with imported key material and those with key material generated by AWS KMS, see About imported key material.
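The create, download, wrap and import steps described above, as an added shell example that is not part of the AWS documentation. It assumes a configured AWS CLI with permission on the key, a local openssl, and the constructed file names PlaintextKeyMaterial.bin, WrappingPublicKey.der, ImportToken.bin and EncryptedKeyMaterial.bin:

```shell
#!/bin/sh
# Added example, not from the AWS documentation. Assumes a configured AWS CLI,
# openssl, and the constructed file names used below.
set -eu

# Step 1: create the KMS key with no key material (origin EXTERNAL).
create_external_key() {
  aws kms create-key --origin EXTERNAL --description "BYOK example key" \
    --query KeyMetadata.KeyId --output text
}

# Step 2: download the RSA wrapping public key (DER) and the import token in
# ONE call; the token is bound to that key pair and both expire together.
get_import_parameters() {   # $1 = key id
  params=$(aws kms get-parameters-for-import --key-id "$1" \
    --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 \
    --query '[PublicKey,ImportToken]' --output text)
  printf '%s\n' "$params" | cut -f1 | base64 -d > WrappingPublicKey.der
  printf '%s\n' "$params" | cut -f2 | base64 -d > ImportToken.bin
}

# Step 3: wrap the plaintext key material with RSAES-OAEP (SHA-256, MGF1-SHA-256)
# under the downloaded public key. Only KMS holds the matching private key, so
# only KMS can unwrap it; you keep the plaintext copy as the key of record.
wrap_key_material() {   # $1 = plaintext file, $2 = DER public key, $3 = output file
  openssl pkeyutl -encrypt -in "$1" -out "$3" -inkey "$2" -keyform DER -pubin \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256
}

# Step 4: import the wrapped material with an expiration date, so KMS deletes
# it on that date (you can re-import the same material later).
import_wrapped_material() {   # $1 = key id, $2 = wrapped file, $3 = token, $4 = ISO 8601 expiry
  aws kms import-key-material --key-id "$1" \
    --encrypted-key-material "fileb://$2" --import-token "fileb://$3" \
    --expiration-model KEY_MATERIAL_EXPIRES --valid-to "$4"
}

# End-to-end run, enabled only when BYOK_RUN=1 because it calls AWS.
if [ "${BYOK_RUN:-0}" = 1 ]; then
  KEY_ID=$(create_external_key)
  get_import_parameters "$KEY_ID"
  openssl rand -out PlaintextKeyMaterial.bin 32      # 256-bit symmetric key
  wrap_key_material PlaintextKeyMaterial.bin WrappingPublicKey.der EncryptedKeyMaterial.bin
  import_wrapped_material "$KEY_ID" EncryptedKeyMaterial.bin ImportToken.bin 2030-01-01T00:00:00Z
fi
```

The wrapping step is the only one that runs without AWS credentials; its output can be checked against a locally generated RSA pair standing in for the KMS wrapping key.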

Supported KMS keys

AWS KMS supports imported key material for the following types of KMS keys. You cannot import key material into KMS keys in custom key stores. In China Regions, you can import key material only into symmetric encryption keys.

Regions

Imported key material is supported in all AWS Regions that AWS KMS supports.

In China Regions, you can import key material only into symmetric encryption KMS keys. Also, the key material requirements differ from other Regions. For details, see Importing key material step 3: Encrypt the key material.