CreateKeyResponse

The following example creates a symmetric KMS key for encryption and decryption. No parameters are required for this operation.

To create a KMS key

var client = new AmazonKeyManagementServiceClient();
var response = client.CreateKey(new CreateKeyRequest 
{
});

KeyMetadata keyMetadata = response.KeyMetadata; // Detailed information about the KMS key that this operation creates.

            

This example creates a KMS key that contains an asymmetric RSA key pair for encryption and decryption. The key spec and key usage can't be changed after the key is created.

To create an asymmetric RSA KMS key for encryption and decryption

var client = new AmazonKeyManagementServiceClient();
var response = client.CreateKey(new CreateKeyRequest 
{
    KeySpec = "RSA_4096", // Describes the type of key material in the KMS key.
    KeyUsage = "ENCRYPT_DECRYPT" // The cryptographic operations for which you can use the KMS key.
});

KeyMetadata keyMetadata = response.KeyMetadata; // Detailed information about the KMS key that this operation creates.

            

This example creates a KMS key that contains an asymmetric elliptic curve (ECC) key pair for signing and verification. The key usage is required even though "SIGN_VERIFY" is the only valid value for ECC KMS keys. The key spec and key usage can't be changed after the key is created.

To create an asymmetric elliptic curve KMS key for signing and verification

var client = new AmazonKeyManagementServiceClient();
var response = client.CreateKey(new CreateKeyRequest 
{
    KeySpec = "ECC_NIST_P521", // Describes the type of key material in the KMS key.
    KeyUsage = "SIGN_VERIFY" // The cryptographic operations for which you can use the KMS key.
});

KeyMetadata keyMetadata = response.KeyMetadata; // Detailed information about the KMS key that this operation creates.

            

This example creates a 384-bit symmetric HMAC KMS key. The GENERATE_VERIFY_MAC key usage value is required even though it's the only valid value for HMAC KMS keys. The key spec and key usage can't be changed after the key is created.

To create an HMAC KMS key

var client = new AmazonKeyManagementServiceClient();
var response = client.CreateKey(new CreateKeyRequest 
{
    KeySpec = "HMAC_384", // Describes the type of key material in the KMS key.
    KeyUsage = "GENERATE_VERIFY_MAC" // The cryptographic operations for which you can use the KMS key.
});

KeyMetadata keyMetadata = response.KeyMetadata; // Detailed information about the KMS key that this operation creates.

            

This example creates a multi-Region primary symmetric encryption key. Because the default values for all parameters create a symmetric encryption key, only the MultiRegion parameter is required for this KMS key.

To create a multi-Region primary KMS key

var client = new AmazonKeyManagementServiceClient();
var response = client.CreateKey(new CreateKeyRequest 
{
    MultiRegion = true // Indicates whether the KMS key is a multi-Region (True) or regional (False) key.
});

KeyMetadata keyMetadata = response.KeyMetadata; // Detailed information about the KMS key that this operation creates.

            

This example creates a symmetric KMS key with no key material. When the operation is complete, you can import your own key material into the KMS key. To create this KMS key, set the Origin parameter to EXTERNAL.

To create a KMS key for imported key material

var client = new AmazonKeyManagementServiceClient();
var response = client.CreateKey(new CreateKeyRequest 
{
    Origin = "EXTERNAL" // The source of the key material for the KMS key.
});

KeyMetadata keyMetadata = response.KeyMetadata; // Detailed information about the KMS key that this operation creates.

            

This example creates a KMS key in the specified AWS CloudHSM key store. The operation creates the KMS key and its metadata in AWS KMS and creates the key material in the AWS CloudHSM cluster associated with the custom key store. This example requires the CustomKeyStoreId and Origin parameters.

To create a KMS key in an AWS CloudHSM key store

var client = new AmazonKeyManagementServiceClient();
var response = client.CreateKey(new CreateKeyRequest 
{
    CustomKeyStoreId = "cks-1234567890abcdef0", // Identifies the custom key store that hosts the KMS key.
    Origin = "AWS_CLOUDHSM" // Indicates the source of the key material for the KMS key.
});

KeyMetadata keyMetadata = response.KeyMetadata; // Detailed information about the KMS key that this operation creates.

            

This example creates a KMS key in the specified external key store. It uses the XksKeyId parameter to associate the KMS key with an existing symmetric encryption key in your external key manager. This CustomKeyStoreId, Origin, and XksKeyId parameters are required in this operation.

To create a KMS key in an external key store

var client = new AmazonKeyManagementServiceClient();
var response = client.CreateKey(new CreateKeyRequest 
{
    CustomKeyStoreId = "cks-9876543210fedcba9", // Identifies the custom key store that hosts the KMS key.
    Origin = "EXTERNAL_KEY_STORE", // Indicates the source of the key material for the KMS key.
    XksKeyId = "bb8562717f809024" // Identifies the encryption key in your external key manager that is associated with the KMS key
});

KeyMetadata keyMetadata = response.KeyMetadata; // Detailed information about the KMS key that this operation creates.