About AWS KMS keys
AWS Key Management Service (AWS KMS) allows you to create cryptographic keys that can be used on data that you pass to the service. The primary resource type is the KMS key, of which there are three types:
- Advanced Encryption Standard (AES) symmetric keys – These are 256-bit keys used with AES in Galois/Counter Mode (GCM). They provide authenticated encryption and decryption of data up to 4 KB (4,096 bytes) per request, which is why they are most often used to protect other keys rather than bulk data: the data keys used in your applications, and the keys that AWS services use when they encrypt data on your behalf. This is the most common type of KMS key.
- RSA or elliptic curve asymmetric keys – These keys are available in several key specs (key sizes and curves) and support a number of algorithms. Each key is created with a single key usage: RSA keys can be used either for encryption and decryption or for sign and verify operations, and elliptic curve keys are used for sign and verify operations. The private key never leaves AWS KMS, but the public key can be downloaded and used outside the service.
- Symmetric keys for hash-based message authentication code (HMAC) operations – These keys are available in 224-, 256-, 384- and 512-bit sizes (the HMAC_224 through HMAC_512 key specs) and are used only to generate and verify MACs.
KMS keys cannot be exported from the service in plaintext. They are generated by, and can only be used within, the hardware security modules (HSMs) used by the service. This is a foundational security property of AWS KMS that prevents key compromise: every cryptographic operation with a KMS key happens inside an HSM, and the only way to use a key is an authorized API call, which is recorded in AWS CloudTrail. The same property holds for key material you import into KMS, with the difference that you keep the original copy outside the service and are responsible for protecting it. In the China (Beijing) and China (Ningxia) Regions, these HSMs are certified by OSCCA.
You submit data to AWS KMS through its cryptographic APIs to perform encrypt, decrypt, sign, verify, or MAC operations with KMS keys. You can also have a KMS key act as a key-encryption key that protects another key type, the data key. A data key can be exported from AWS KMS (the GenerateDataKey operation returns it both in plaintext and encrypted under the KMS key) for use within your local application or by an AWS service that protects data on your behalf. The use of data keys is common to all key management systems and is usually called envelope encryption. Envelope encryption lets the data key do the work on the system that is handling your sensitive data, instead of sending that data to AWS KMS for encryption directly under a KMS key: the application encrypts locally with the plaintext data key, stores the encrypted data key alongside the ciphertext, discards the plaintext key, and later calls Decrypt on the encrypted data key when it needs to read the data. This keeps the sensitive data off the wire, avoids the 4 KB request limit, and means a single KMS call can protect any amount of data.
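The envelope encryption flow described above, as an added example written for this page rather than code from AWS or the AWS SDK. It is in Go so that it runs offline: the KeyService interface stands for the two KMS calls the pattern needs (GenerateDataKey and Decrypt), and localKMS is an assumed stand-in that wraps data keys under an in-memory 256-bit key with AES-GCM, using the encryption context as additional authenticated data in the way KMS binds a ciphertext to its context. All names other than the KMS operation names are this example's own, and the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// KeyService is the slice of KMS that envelope encryption needs; with the AWS SDK these
// are kms.GenerateDataKey and kms.Decrypt. The interface lets the example run offline.
type KeyService interface {
	GenerateDataKey(ctx map[string]string) (plaintextKey, encryptedKey []byte, err error)
	Decrypt(encryptedKey []byte, ctx map[string]string) ([]byte, error)
}

// localKMS is an offline stand-in assumed by this example, not AWS KMS. Its 256-bit "KMS key" never
// leaves the struct; data keys are wrapped with AES-GCM, with the canonical JSON encryption context as AAD.
type localKMS struct{ gcm cipher.AEAD }

func newLocalKMS() *localKMS { return &localKMS{gcm: newGCM(mustRandom(32))} }

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) cipher.AEAD { // key sizes are fixed by the key spec, so a failure is a bug
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

func (l *localKMS) GenerateDataKey(ctx map[string]string) ([]byte, []byte, error) {
	dk := mustRandom(32)        // AES_256 data key, the size KMS returns for KeySpec AES_256
	aad, _ := json.Marshal(ctx) // map keys are sorted, so equal contexts give equal AAD
	nonce := mustRandom(l.gcm.NonceSize())
	return dk, l.gcm.Seal(nonce, nonce, dk, aad), nil // blob = nonce || wrapped key
}

func (l *localKMS) Decrypt(edk []byte, ctx map[string]string) ([]byte, error) {
	if len(edk) < l.gcm.NonceSize() {
		return nil, errors.New("InvalidCiphertextException")
	}
	aad, _ := json.Marshal(ctx)
	// Open fails on a tampered blob or a different context; KMS reports InvalidCiphertextException.
	return l.gcm.Open(nil, edk[:l.gcm.NonceSize()], edk[l.gcm.NonceSize():], aad)
}

// Envelope is what the application stores; the plaintext data key is never part of it.
type Envelope struct {
	EncryptedDataKey  []byte // opaque to the application; only KMS Decrypt can unwrap it
	Nonce, Ciphertext []byte
	Context           map[string]string // encryption context: not secret, but required to decrypt
}

// EnvelopeEncrypt asks KMS for a data key, uses the plaintext copy locally with AES-GCM, stores the
// encrypted copy beside the ciphertext, and drops the plaintext copy (production code should zero it).
func EnvelopeEncrypt(svc KeyService, ctx map[string]string, plaintext []byte) (*Envelope, error) {
	dk, edk, err := svc.GenerateDataKey(ctx)
	if err != nil {
		return nil, err
	}
	gcm := newGCM(dk)
	nonce := mustRandom(gcm.NonceSize())
	// The wrapped key is the AAD, so a record whose wrapped key was swapped fails the tag check.
	ct := gcm.Seal(nil, nonce, plaintext, edk)
	return &Envelope{EncryptedDataKey: edk, Nonce: nonce, Ciphertext: ct, Context: ctx}, nil
}

// EnvelopeDecrypt makes exactly one KMS call, to unwrap the data key, then decrypts locally.
func EnvelopeDecrypt(svc KeyService, env *Envelope) ([]byte, error) {
	dk, err := svc.Decrypt(env.EncryptedDataKey, env.Context)
	if err != nil {
		return nil, err
	}
	return newGCM(dk).Open(nil, env.Nonce, env.Ciphertext, env.EncryptedDataKey)
}

func main() {
	kms := newLocalKMS()
	env, err := EnvelopeEncrypt(kms, map[string]string{"app": "orders"}, []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	plain, err := EnvelopeDecrypt(kms, env)
	fmt.Printf("decrypted %q, err=%v\n", plain, err)
}
```

What to take from it: the plaintext data key exists only inside EnvelopeEncrypt and EnvelopeDecrypt; the stored Envelope carries the encrypted data key and the encryption context, neither of which is secret, but the context must match on Decrypt or the key service refuses to unwrap the key; and the encrypted data key is bound to the ciphertext as AAD, so substituting another record's wrapped key fails the GCM tag check. Against the real service, implement KeyService over the SDK's GenerateDataKey and Decrypt calls and keep the rest unchanged; for production code, prefer the AWS Encryption SDK, which implements this pattern with key commitment and zeroes plaintext data keys for you.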
For more information, see AWS KMS keys and AWS KMS cryptography essentials in the AWS KMS documentation.