Comparing symmetric and asymmetric CMKs - AWS Key Management Service


You can create and manage symmetric and asymmetric CMKs by using the AWS KMS console and the AWS KMS API. However, AWS KMS supports different features for CMKs of different types.

For example, you can only use symmetric CMKs to generate symmetric data keys and asymmetric data key pairs. Also, importing key material and automatic key rotation are supported only for symmetric CMKs, and you can create only symmetric CMKs in a custom key store.

The following table lists the AWS KMS operations that you can use to create and manage CMKs of each type. If you use an operation on a CMK that doesn't support it, the operation fails.

AWS KMS operations with symmetric and asymmetric CMKs

| AWS KMS API operation | Symmetric CMKs | Asymmetric CMKs (ENCRYPT_DECRYPT) | Asymmetric CMKs (SIGN_VERIFY) |
|---|---|---|---|
| CancelKeyDeletion | Yes | Yes | Yes |
| CreateAlias | Yes | Yes | Yes |
| CreateGrant | Yes | Yes | Yes |
| CreateKey | Yes | Yes | Yes |
| - With no key material (Origin = EXTERNAL) | Yes | No | No |
| - In a custom key store (Origin = AWS_CLOUDHSM) | Yes | No | No |
| Decrypt | Yes | Yes | No |
| DeleteAlias | Yes | Yes | Yes |
| DeleteImportedKeyMaterial | Yes | No | No |
| DescribeKey | Yes | Yes | Yes |
| DisableKey | Yes | Yes | Yes |
| DisableKeyRotation | Yes | No | No |
| EnableKey | Yes | Yes | Yes |
| EnableKeyRotation | Yes | No | No |
| Encrypt | Yes | Yes | No |
| GenerateDataKey | Yes | No | No |
| GenerateDataKeyPair | Yes [1] | No | No |
| GenerateDataKeyPairWithoutPlaintext | Yes [1] | No | No |
| GenerateDataKeyWithoutPlaintext | Yes | No | No |
| GetKeyPolicy | Yes | Yes | Yes |
| GetKeyRotationStatus | Yes | Yes (KeyRotationEnabled will always be false.) | Yes (KeyRotationEnabled will always be false.) |
| GetParametersForImport | Yes | No | No |
| GetPublicKey | No | Yes | Yes |
| ImportKeyMaterial | Yes | No | No |
| ListAliases | Yes | Yes | Yes |
| ListGrants | Yes | Yes | Yes |
| ListKeyPolicies | Yes | Yes | Yes |
| ListResourceTags | Yes | Yes | Yes |
| ListRetirableGrants | Yes | Yes | Yes |
| PutKeyPolicy | Yes | Yes | Yes |
| ReEncrypt | Yes | Yes | No |
| RetireGrant | Yes | Yes | Yes |
| RevokeGrant | Yes | Yes | Yes |
| ScheduleKeyDeletion | Yes | Yes | Yes |
| Sign | No | No | Yes |
| TagResource | Yes | Yes | Yes |
| UntagResource | Yes | Yes | Yes |
| UpdateAlias | Yes | Yes | Yes |
| UpdateKeyDescription | Yes | Yes | Yes |
| Verify | No | No | Yes |

UpdateAlias: the current CMK and the new CMK must be the same type (both symmetric or both asymmetric) and they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY).

[1] GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext generate an asymmetric data key pair that is protected by a symmetric CMK.
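To make the two rules concrete (an operation fails on a CMK type that does not support it, and footnote [1]: a data key pair is protected by a symmetric CMK), here is an added, self-contained Go model of that behaviour. It is not AWS code and does not call the KMS API: the `CMK` struct, `NewCMK`, `GenerateDataKeyPair` and `Decrypt` are constructed stand-ins whose key material lives in memory only so the flow runs offline. The wrapping of the private key under AES-256-GCM is an assumption for illustration; KMS does not publish its internal wrapping format. Only the field names of the response mirror the real API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"io"
)

// ErrUnsupportedKeyType models the failure the table describes: an operation called on a CMK type that does not support it.
var ErrUnsupportedKeyType = errors.New("kms: operation not supported for this CMK type")

// CMK is a constructed stand-in for a KMS customer master key; real KMS never releases CMK material.
type CMK struct {
	KeyID    string
	KeySpec  string          // "SYMMETRIC_DEFAULT" or "RSA_2048"
	KeyUsage string          // "ENCRYPT_DECRYPT" or "SIGN_VERIFY"
	aesKey   []byte          // symmetric CMKs only
	rsaKey   *rsa.PrivateKey // asymmetric CMKs only
}

// NewCMK creates toy material matching the requested spec and usage.
func NewCMK(id, spec, usage string) (*CMK, error) {
	c := &CMK{KeyID: id, KeySpec: spec, KeyUsage: usage}
	if spec == "SYMMETRIC_DEFAULT" {
		c.aesKey = make([]byte, 32)
		_, err := io.ReadFull(rand.Reader, c.aesKey)
		return c, err
	}
	var err error
	c.rsaKey, err = rsa.GenerateKey(rand.Reader, 2048)
	return c, err
}

// DataKeyPair mirrors the fields of the GenerateDataKeyPair response.
type DataKeyPair struct {
	PublicKey            []byte // PKIX DER, returned in plaintext
	PrivateKeyPlaintext  []byte // PKCS#8 DER, used in memory and discarded
	PrivateKeyCiphertext []byte // PKCS#8 DER wrapped under the symmetric CMK
}

// GenerateDataKeyPair is a symmetric-CMK-only operation (footnote [1]): the private half of the new pair is wrapped with the CMK's symmetric key.
func GenerateDataKeyPair(cmk *CMK) (*DataKeyPair, error) {
	if cmk.KeySpec != "SYMMETRIC_DEFAULT" {
		return nil, ErrUnsupportedKeyType
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	privDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(cmk.aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Nonce is prefixed to the blob; the key ID is bound as AAD so the blob only unwraps under this CMK.
	ct := gcm.Seal(nonce, nonce, privDER, []byte(cmk.KeyID))
	return &DataKeyPair{PublicKey: pubDER, PrivateKeyPlaintext: privDER, PrivateKeyCiphertext: ct}, nil
}

// Decrypt works for symmetric CMKs and asymmetric ENCRYPT_DECRYPT CMKs; a SIGN_VERIFY CMK is rejected before any key material is touched.
func Decrypt(cmk *CMK, ciphertext []byte) ([]byte, error) {
	switch {
	case cmk.KeySpec == "SYMMETRIC_DEFAULT":
		gcm, err := newGCM(cmk.aesKey)
		if err != nil || len(ciphertext) < gcm.NonceSize() {
			return nil, errors.New("kms: invalid ciphertext")
		}
		n := gcm.NonceSize()
		return gcm.Open(nil, ciphertext[:n], ciphertext[n:], []byte(cmk.KeyID))
	case cmk.KeyUsage == "ENCRYPT_DECRYPT":
		return rsa.DecryptOAEP(sha256.New(), rand.Reader, cmk.rsaKey, ciphertext, nil)
	default:
		return nil, ErrUnsupportedKeyType
	}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

The design point to take from this: the type and usage checks happen before any cryptography, which is why a call against the wrong CMK type fails cleanly rather than producing a malformed result. With a real client the same round trip is `generate_data_key_pair` on a symmetric CMK followed by `decrypt` of `PrivateKeyCiphertextBlob`, and the checks are performed by the service.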