Comparing symmetric and asymmetric KMS keys - AWS Key Management Service

You can create and manage symmetric and asymmetric KMS keys by using the AWS KMS console and the AWS KMS API. However, AWS KMS supports different features for KMS keys of different types.

For example, you can only use symmetric KMS keys to generate symmetric data keys and asymmetric data key pairs. Also, importing key material and automatic key rotation are supported only for symmetric KMS keys, and you can create only symmetric KMS keys in a custom key store.

The following table lists the AWS KMS operations that you can use to create and manage KMS keys of each type. If you call an operation on a KMS key that doesn't support it, the operation fails.

AWS KMS operations with symmetric and asymmetric KMS keys

AWS KMS API operation                             Symmetric  Asymmetric         Asymmetric
                                                  KMS keys   (ENCRYPT_DECRYPT)  (SIGN_VERIFY)
------------------------------------------------  ---------  -----------------  -------------
CancelKeyDeletion                                 Yes        Yes                Yes
CreateAlias                                       Yes        Yes                Yes
CreateGrant                                       Yes        Yes                Yes
CreateKey                                         Yes        Yes                Yes
  - With no key material (Origin = EXTERNAL)      Yes        No                 No
  - In a custom key store (Origin = AWS_CLOUDHSM) Yes        No                 No
Decrypt                                           Yes        Yes                No
DeleteAlias                                       Yes        Yes                Yes
DeleteImportedKeyMaterial                         Yes        No                 No
DescribeKey                                       Yes        Yes                Yes
DisableKey                                        Yes        Yes                Yes
DisableKeyRotation                                Yes        No                 No
EnableKey                                         Yes        Yes                Yes
EnableKeyRotation                                 Yes        No                 No
Encrypt                                           Yes        Yes                No
GenerateDataKey                                   Yes        No                 No
GenerateDataKeyPair [1]                           Yes        No                 No
GenerateDataKeyPairWithoutPlaintext [1]           Yes        No                 No
GenerateDataKeyWithoutPlaintext                   Yes        No                 No
GetKeyPolicy                                      Yes        Yes                Yes
GetKeyRotationStatus                              Yes        Yes [2]            Yes [2]
GetParametersForImport                            Yes        No                 No
GetPublicKey                                      No         Yes                Yes
ImportKeyMaterial                                 Yes        No                 No
ListAliases                                       Yes        Yes                Yes
ListGrants                                        Yes        Yes                Yes
ListKeyPolicies                                   Yes        Yes                Yes
ListResourceTags                                  Yes        Yes                Yes
ListRetirableGrants                               Yes        Yes                Yes
PutKeyPolicy                                      Yes        Yes                Yes
ReEncrypt                                         Yes        Yes                No
ReplicateKey                                      Yes        Yes                Yes
RetireGrant                                       Yes        Yes                Yes
RevokeGrant                                       Yes        Yes                Yes
ScheduleKeyDeletion                               Yes        Yes                Yes
Sign                                              No         No                 Yes
TagResource                                       Yes        Yes                Yes
UntagResource                                     Yes        Yes                Yes
UpdateAlias [3]                                   Yes        Yes                Yes
UpdateKeyDescription                              Yes        Yes                Yes
UpdatePrimaryRegion                               Yes        Yes                Yes
Verify                                            No         No                 Yes

[1] GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext generate an asymmetric data key pair that is protected by a symmetric KMS key.

[2] For asymmetric KMS keys, KeyRotationEnabled will always be false.

[3] The current KMS key and the new KMS key must be the same type (both symmetric or both asymmetric) and they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY).