Comparing symmetric and asymmetric CMKs

You can create and manage symmetric and asymmetric CMKs by using the AWS KMS console and the AWS KMS API. However, AWS KMS supports different features for CMKs of different types.

For example, you can only use symmetric CMKs to generate symmetric data keys and asymmetric data key pairs. Also, importing key material and automatic key rotation are supported only for symmetric CMKs, and you can create only symmetric CMKs in a custom key store.

The following table lists the AWS KMS operations that you can use to create and manage CMKs of each type. If you use the operation on a CMK that doesn't not support it, the operation fails.

AWS KMS operations with symmetric and asymmetric CMKs
AWS KMS API operation	Symmetric CMKs	Asymmetric CMKs (ENCRYPT_DECRYPT)	Asymmetric CMKs (SIGN_VERIFY)
CancelKeyDeletion
CreateAlias
CreateGrant
CreateKey - With no key material (Origin = EXTERNAL) - In a custom key store (Origin = AWS_CLOUSDHSM)
Decrypt
DeleteAlias
DeleteImportedKeyMaterial
DescribeKey
DisableKey
DisableKeyRotation
EnableKey
EnableKeyRotation
Encrypt
GenerateDataKey
GenerateDataKeyPair	[1]
GenerateDataKeyPairWithoutPlaintext	[1]
GenerateDataKeyWithoutPlaintext
GetKeyPolicy
GetKeyRotationStatus		(KeyRotationEnabled will always be false.)	(KeyRotationEnabled will always be false.)
GetParametersForImport
GetPublicKey
ImportKeyMaterial
ListAliases
ListGrants
ListKeyPolicies
ListResourceTags
ListRetirableGrants
PutKeyPolicy
ReEncrypt
RetireGrant
RevokeGrant
ScheduleKeyDeletion
Sign
TagResource
UntagResource
UpdateAlias The current CMK and the new CMK must be the same type (both symmetric or both asymmetric) and they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY).
UpdateKeyDescription
Verify

[1] GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext generate an asymmetric data key pair that is protected by a symmetric CMK.