Comparing symmetric and asymmetric KMS keys
You can create and manage symmetric and asymmetric KMS keys by using the AWS KMS console and the AWS KMS API. However, AWS KMS supports different features for KMS keys of different types.
For example, you can only use symmetric KMS keys to generate symmetric data keys and asymmetric data key pairs. Also, importing key material and automatic key rotation are supported only for symmetric KMS keys, and you can create only symmetric KMS keys in a custom key store.
The following table lists the AWS KMS operations that you can use to create and manage KMS keys of each type. If you use the operation on a KMS key that doesn't not support it, the operation fails.
|
AWS KMS operations with symmetric and asymmetric KMS keys
|
|||
|---|---|---|---|
| AWS KMS API operation | Symmetric KMS keys | Asymmetric KMS keys (ENCRYPT_DECRYPT) | Asymmetric KMS keys (SIGN_VERIFY) |
|
|
|
 |
|
|
|
|
|
|
|
|
|
|
|
- With no key material (Origin = EXTERNAL) - In a custom key store (Origin = AWS_CLOUDHSM) |
|
|
|
|
|
|
 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
( |
( |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| ReplicateKey | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The current KMS key and the new KMS key must be the same type (both
symmetric or both asymmetric) and they must have the same key usage
( |
|
|
|
|
|
|
|
|
| UpdatePrimaryRegion | |
|
|
|
|
|
|
[1] GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext
generate an asymmetric data key pair that is protected by a symmetric KMS key.
