Asymmetric keys in AWS KMS - AWS Key Management Service

Asymmetric keys in AWS KMS

AWS KMS supports asymmetric KMS keys that represent a mathematically related RSA or elliptice curve (ECC) public and private key pair. These key pairs are generated in AWS KMS hardware security modules certified under the FIPS 140-2 Cryptographic Module Validation Program, except in the China (Beijing) and China (Ningxia) Regions.. The private key never leaves the HSMs unencrypted. You can download the public key for distribution and use outside of AWS. You can create asymmetric KMS keys for encryption and decryption, or signing and verification, but not both.

You can create and manage the asymmetric KMS keys in your AWS account, including setting the key policies, IAM policies, and grants that control access to the keys, enabling and disabling the KMS keys, creating tags and aliases, and deleting the KMS keys. You can audit all operations that use or manage your asymmetric KMS keys within AWS in AWS CloudTrail logs.

AWS KMS also provides asymmetric data key pairs that are designed to be used for client-side cryptography outside of AWS KMS. The symmetric data key and the private key in an asymmetric data key pair are protected by a symmetric KMS key in AWS KMS.

This topic explains how asymmetric KMS keys work, how they differ from symmetric KMS keys, and how to decide which type of KMS key you need to protect your data. It also explains how asymmetric data key pairs work and how to use them outside of AWS KMS.

Regions

Asymmetric KMS keys and asymmetric data key pairs are supported in all AWS Regions that AWS KMS supports.

Learn more

Asymmetric KMS keys

You can create an asymmetric KMS key in AWS KMS. An asymmetric KMS key represents a mathematically related public key and private key pair. You can give the public key to anyone, even if they're not trusted, but the private key must be kept secret.

In an asymmetric KMS key, the private key is created in AWS KMS and never leaves AWS KMS unencrypted. To use the private key, you must call AWS KMS. You can use the public key within AWS KMS by calling the AWS KMS API operations. Or, you can download the public key and use it outside of AWS KMS.

If your use case requires encryption outside of AWS by users who cannot call AWS KMS, asymmetric KMS keys are a good choice. However, if you are creating a KMS key to encrypt the data that you store or manage in an AWS service, use a symmetric KMS key. AWS services that are integrated with AWS KMS use symmetric KMS keys to encrypt your data. These services do not support encryption with asymmetric KMS keys.

AWS KMS supports two types of asymmetric KMS keys.

  • RSA KMS keys: A KMS key with an RSA key pair for encryption and decryption or signing and verification (but not both). AWS KMS supports several key lengths for different security requirements.

  • Elliptic Curve (ECC) KMS keys: A KMS key with an elliptic curve key pair for signing and verification. AWS KMS supports several commonly-used curves.

For technical details about the encryption and signing algorithms that AWS KMS supports for RSA KMS keys, see RSA Key Specs. For technical details about the signing algorithms that AWS KMS supports for ECC KMS keys, see Elliptic Curve Key Specs.

For a table comparing the operations that you can perform on symmetric and asymmetric KMS keys, see Comparing Symmetric and Asymmetric KMS keys. For help determining whether a KMS key is symmetric or asymmetric, see Identifying symmetric and asymmetric KMS keys.

Regions

Asymmetric KMS keys and asymmetric data key pairs are supported in all AWS Regions that AWS KMS supports.