Using symmetric and asymmetric keys - AWS Key Management Service

Using symmetric and asymmetric keys

AWS KMS protects the customer master keys (CMKs) that you use to protect your data and data keys. Your secret keys are generated and used only in hardware security modules designed so that no one, including AWS employees, can access the plaintext key material.

You can create and manage the CMKs in your AWS account, including setting the key policies, IAM policies, and grants that control access to your CMKs, enabling and disabling the CMKs, creating tags and aliases, and deleting the CMKs. You can use your CMKs to protect your resources in AWS services that are integrated with AWS KMS. And, you can audit all operations that use or manage your CMKs in AWS CloudTrail logs.

AWS KMS supports symmetric and asymmetric CMKs.

  • Symmetric CMK: Represents a single 256-bit secret encryption key that never leaves AWS KMS unencrypted. To use your symmetric CMK, you must call AWS KMS.

  • Asymmetric CMK: Represents a mathematically related public key and private key pair that you can use for encryption and decryption or signing and verification, but not both. The private key never leaves AWS KMS unencrypted. You can use the public key within AWS KMS by calling the AWS KMS API operations, or download the public key and use it outside of AWS KMS.

AWS KMS also supports symmetric data keys and asymmetric data key pairs designed for use with client-side signing and cryptography outside of AWS KMS. The symmetric data key and the private key in an asymmetric data key pair are protected by a symmetric CMK in AWS KMS.

  • Symmetric data key — A symmetric encryption key that you can use to encrypt data outside of AWS KMS. This key is protected by a symmetric CMK in AWS KMS.

  • Asymmetric data key pair — An RSA or elliptic curve (ECC) key pair that consists of a public key and a private key. The private key is protected by a symmetric CMK in AWS KMS. You can use your data key pair outside of AWS KMS to encrypt and decrypt data, or sign messages and verify signatures.

    AWS KMS recommends that you use ECC key pairs for signing, and use RSA key pairs for either encryption or signing, but not both. However, AWS KMS cannot enforce any restrictions on the use of data key pairs outside of AWS KMS.
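The data-key flow described above (a symmetric data key is handed out in plaintext and in a wrapped form, the plaintext copy is used for client-side encryption and then discarded, and only the wrapped copy is stored next to the ciphertext) is shown below as an added example; it is not code from this page or from the AWS SDK. To run offline it uses a constructed in-process stand-in, `localKMS`, whose `GenerateDataKey` and `Decrypt` methods play the role of the AWS KMS API operations of the same names; `seal`, `open`, `EncryptEnvelope` and `DecryptEnvelope` are names chosen here. The private key of an asymmetric data key pair is protected by the symmetric CMK in the same way, so unwrapping it before signing follows the same `Decrypt` path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// localKMS is a constructed in-process stand-in for AWS KMS (not the AWS SDK) so
// that the example runs offline. Its CMK is unexported: callers reach it only
// through the methods below, mirroring "a CMK never leaves AWS KMS unencrypted".
type localKMS struct{ cmk []byte }

func newLocalKMS() (*localKMS, error) {
	cmk := make([]byte, 32) // 256-bit secret, like a symmetric CMK
	_, err := rand.Read(cmk)
	return &localKMS{cmk: cmk}, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under key; the output is nonce||ciphertext||tag.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; any modified bit in the blob makes it fail.
func open(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// GenerateDataKey mirrors the KMS operation of that name: a fresh 256-bit data key
// is returned both in plaintext and wrapped under the CMK. Store only the wrapped copy.
func (k *localKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(k.cmk, plain)
	return plain, wrapped, err
}

// Decrypt mirrors the KMS Decrypt operation: it unwraps a key wrapped under the CMK.
func (k *localKMS) Decrypt(wrapped []byte) ([]byte, error) { return open(k.cmk, wrapped) }

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// EncryptEnvelope is the client side of envelope encryption: encrypt locally with the
// plaintext data key, wipe it, and keep only the wrapped key beside the ciphertext.
func EncryptEnvelope(kms *localKMS, data []byte) (wrappedKey, ciphertext []byte, err error) {
	plain, wrappedKey, err := kms.GenerateDataKey()
	if err != nil {
		return nil, nil, err
	}
	defer zero(plain)
	ciphertext, err = seal(plain, data)
	return wrappedKey, ciphertext, err
}

// DecryptEnvelope asks KMS to unwrap the data key, decrypts locally, and wipes the key.
func DecryptEnvelope(kms *localKMS, wrappedKey, ciphertext []byte) ([]byte, error) {
	plain, err := kms.Decrypt(wrappedKey)
	if err != nil {
		return nil, err
	}
	defer zero(plain)
	return open(plain, ciphertext)
}

func main() {
	kms, err := newLocalKMS()
	if err != nil {
		panic(err)
	}
	wk, ct, _ := EncryptEnvelope(kms, []byte("constructed sample record")) // constructed input
	pt, err := DecryptEnvelope(kms, wk, ct)
	fmt.Printf("recovered %q (err=%v); wrapped key is %d bytes\n", pt, err, len(wk))
}
```

Two properties worth checking in practice follow directly from the structure: a wrapped data key can only be unwrapped by the CMK that produced it, so the same ciphertext handed to a stand-in with a different CMK fails to decrypt, and because the wrap is authenticated encryption, a single flipped bit in the stored wrapped key is rejected rather than silently yielding a wrong data key. With the real service, the calls to `GenerateDataKey` and `Decrypt` are the only steps that touch AWS KMS, which is why they are the operations that appear in the CloudTrail record for this flow.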

This topic explains how symmetric and asymmetric CMKs work, how they differ, and how to decide which type of CMK you need to protect your data. It also explains how symmetric data keys and asymmetric data key pairs work and how to use them outside of AWS KMS.

Regions

Asymmetric CMKs and asymmetric data key pairs are supported in all AWS Regions that AWS KMS supports.

Learn more