Managing CMKs in a custom key store - AWS Key Management Service

Managing CMKs in a custom key store

You can create, view, manage, use, and schedule deletion of the customer master keys (CMKs) in a custom key store. The procedures that you use are very similar to those that you use for CMKs in AWS KMS. The only difference is that you specify a custom key store when you create the CMK. Then, AWS KMS creates non-extractable key material for the CMK in the AWS CloudHSM cluster that is associated with the custom key store. When you use a CMK in a custom key store, the cryptographic operations are performed in the HSMs in the cluster.

Note

AWS KMS custom key stores support only symmetric keys. Although AWS CloudHSM supports asymmetric keys, you cannot create asymmetric CMKs or asymmetric data key pairs in a custom key store.

You cannot import key material into a CMK in a custom key store. AWS KMS generates the key material for the CMK in the AWS CloudHSM cluster.
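The following is an added example, not AWS's own code: a read-only audit that checks whether keys expected to be in a custom key store really have their key material there, using the field names of the KMS DescribeKey `KeyMetadata` response. The key store ID, cluster ID, key IDs and sample records are constructed placeholders, and `audit_key` and `audit_inventory` are hypothetical helper names.

```python
# Added example: audit DescribeKey-style metadata for keys that are expected to
# live in a custom key store. All IDs and records below are constructed.
EXPECTED_STORE = "cks-1234567890abcdef0"  # constructed placeholder ID

def audit_key(meta, expected_store=EXPECTED_STORE):
    """Return a list of findings for one KeyMetadata dict (empty list = OK)."""
    findings = []
    origin = meta.get("Origin")
    if origin != "AWS_CLOUDHSM":
        # AWS_KMS = material in the default KMS key store; EXTERNAL = imported.
        findings.append(f"origin is {origin}, key material is not in CloudHSM")
    store = meta.get("CustomKeyStoreId")
    if store != expected_store:
        findings.append(f"custom key store is {store}, expected {expected_store}")
    if origin == "AWS_CLOUDHSM" and not meta.get("CloudHsmClusterId"):
        findings.append("no CloudHsmClusterId reported for a CloudHSM-origin key")
    spec = meta.get("CustomerMasterKeySpec", "SYMMETRIC_DEFAULT")
    if spec != "SYMMETRIC_DEFAULT":
        findings.append(f"key spec {spec} is asymmetric; custom key stores hold symmetric keys only")
    if meta.get("KeyState") == "Unavailable":
        findings.append("key state Unavailable; check that the key store is connected")
    return findings

def audit_inventory(keys, expected_store=EXPECTED_STORE):
    """Map KeyId -> findings for every key that has at least one finding."""
    report = {}
    for meta in keys:
        findings = audit_key(meta, expected_store)
        if findings:
            report[meta["KeyId"]] = findings
    return report

# Constructed sample inventory (shape of boto3 kms.describe_key()["KeyMetadata"]).
SAMPLE_KEYS = [
    {"KeyId": "key-a", "Origin": "AWS_CLOUDHSM", "KeyState": "Enabled",
     "CustomKeyStoreId": EXPECTED_STORE, "CloudHsmClusterId": "cluster-example",
     "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT"},
    {"KeyId": "key-b", "Origin": "AWS_KMS", "KeyState": "Enabled",
     "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT"},
    {"KeyId": "key-c", "Origin": "AWS_CLOUDHSM", "KeyState": "Unavailable",
     "CustomKeyStoreId": EXPECTED_STORE, "CloudHsmClusterId": "cluster-example",
     "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT"},
]

if __name__ == "__main__":
    for key_id, findings in audit_inventory(SAMPLE_KEYS).items():
        print(key_id, findings)
```

To run it against a real account, feed it the `KeyMetadata` dictionaries returned by DescribeKey for each key you expect to be HSM-backed.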

In addition to the procedures discussed in this section, you can do the following with CMKs in a custom key store:

However, you cannot import key material into a CMK in a custom key store.