Import and export keys - AWS Payment Cryptography

Import and export keys

AWS Payment Cryptography keys can be imported from other solutions or exported to other solutions (such as other HSMs). It is a common use case to exchange keys with service providers using import and export functionality. As a cloud service, AWS Payment Cryptography takes a modern, electronic approach to key management while helping you maintain applicable compliance and controls. The long-term objective is to move away from paper-based key components towards standards-based, electronic means of key exchange.

Key Encryption Key (KEK) Exchange

AWS Payment Cryptography encourages the use of public key cryptography (RSA) for the initial key exchange using the well established ANSI X9.24 TR-34 norm. Common names for this initial key type includes Key Encryption Key (KEK), Zone Master Key (ZMK) and Zone Control Master Key (ZCMK). If your systems or partners are not yet able to support TR-34, you can also consider utilizing RSA Wrap/Unwrap.

If you have a need to continue processing paper key components until all partners support electronic key exchange, you can consider retaining an offline HSM for this purpose.


If you would like to import your own test keys, please check out the sample project on Github. For instructions on how to import/export keys from other platforms, please consult the user guide for those platforms.

Working Key (WK) Exchange

AWS Payment Cryptography uses the relevant industry norm (ANSI X9.24 TR 31-2018) for exchanging working keys. TR-31 assumes that a KEK has previously been exchanged. This is consistent with requirement of PCI PIN to cryptographically bind key material to its key type and usage at all times. Working keys have various names including acquirer working keys, issuer working keys, BDK, IPEK, etc.