Using symmetric and asymmetric keys - AWS Key Management Service

Using symmetric and asymmetric keys

AWS KMS protects the customer master keys (CMKs) that you use to protect your data and data keys. Your secret keys are generated and used only in hardware security modules designed so that no one, including AWS employees, can access the plaintext key material.

You can create and manage the CMKs in your AWS account, including setting the key policies, IAM policies, and grants that control access to your CMKs, enabling and disabling the CMKs, creating tags and aliases, and deleting the CMKs. You can use your CMKs to protect your resources in AWS services that are integrated with AWS KMS. And, you can audit all operations that use or manage your CMKs in AWS CloudTrail logs.

AWS KMS supports symmetric and asymmetric CMKs.

  • Symmetric CMK: Represents a single 256-bit secret encryption key that never leaves AWS KMS unencrypted. To use your symmetric CMK, you must call AWS KMS.

  • Asymmetric CMK: Represents a mathematically related public key and private key pair that you can use for encryption and decryption or signing and verification, but not both. The private key never leaves AWS KMS unencrypted. You can use the public key within AWS KMS by calling the AWS KMS API operations, or download the public key and use it outside of AWS KMS.

AWS KMS also provides symmetric data keys and asymmetric data key pairs designed for use with client-side cryptography outside of AWS KMS. The symmetric data key and the private key in an asymmetric data key pair are protected by a symmetric CMK in AWS KMS.

  • Symmetric data key — A symmetric encryption key that you can use to encrypt data outside of AWS KMS. This key is protected by a symmetric CMK in AWS KMS.

  • Asymmetric data key pair — An RSA or elliptic curve (ECC) key pair that consists of a public key and a private key. You can use your data key pair outside of AWS KMS to encrypt and decrypt data, or sign messages and verify signatures. The private key is protected by a symmetric CMK in AWS KMS. ECC key pairs can be used to sign and verify messages. An RSA key pair can be generated for encryption and decryption, or for signing and verification, but a single RSA key pair cannot be used to do both.

For information about how to create and use data keys and data key pairs, see Data keys and Data key pairs. To learn how to limit the types of data key pairs that principals in your account are permitted to generate, use the kms:DataKeyPairSpec condition key.

This topic explains how symmetric and asymmetric CMKs work, how they differ, and how to decide which type of CMK you need to protect your data. It also explains how symmetric data keys and asymmetric data key pairs work and how to use them outside of AWS KMS.


Asymmetric CMKs and asymmetric data key pairs are supported in all AWS Regions that AWS KMS supports except for China (Beijing) and China (Ningxia).

Learn more