1 Answer
You can use the GenerateDataKeyPair API to create a private/public key pair that you can use outside of AWS KMS. The private key is encrypted under a symmetric KMS key. To use the private key, you would need to call the Decrypt API on the private key to get the plaintext private key back. This solution works if your use case does not involve encrypting/decrypting within a FIPS boundary.
For larger messages the guidance is to generate a message digest and sign that, but we need to sign the entire response.
Could you elaborate on this a little more? Curious to know why you need to sign the entire response. Also, how big is your response on average?
answered a year ago
Signing the entire response was the original API customer requirement, but after some inquiries we were able to get sign-off on generating a message digest and just signing that. FYI our responses are around 600-700K.
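The digest-then-sign approach settled on in this thread, as an added example that is not code from the thread or from AWS: the response is hashed locally and only the digest goes to the KMS Sign API with `MessageType="DIGEST"`. The key alias, the choice of `RSASSA_PSS_SHA_256` and the `StubKMS` class (an offline stand-in for `boto3.client("kms")`) are assumptions made for the example.

```python
import hashlib

KMS_MESSAGE_LIMIT = 4096          # KMS Sign rejects a Message longer than this
ALGORITHM = "RSASSA_PSS_SHA_256"  # assumption; the local hash must be SHA-256
KEY_ID = "alias/example-signing-key"  # hypothetical key alias

def sha256_digest(chunks):
    """Hash the body chunk by chunk so it never has to sit in one buffer."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.digest()

def sign_response(kms, key_id, chunks):
    """Send only the 32-byte digest to KMS; the private key never leaves KMS."""
    digest = sha256_digest(chunks)
    resp = kms.sign(KeyId=key_id, Message=digest,
                    MessageType="DIGEST", SigningAlgorithm=ALGORITHM)
    return digest, resp["Signature"]

class StubKMS:
    """Constructed offline stand-in for boto3.client("kms"): size rules only."""
    def __init__(self):
        self.calls = []

    def sign(self, KeyId, Message, MessageType, SigningAlgorithm):
        if len(Message) > KMS_MESSAGE_LIMIT:
            raise ValueError("Message longer than 4096 bytes")
        if MessageType == "DIGEST" and len(Message) != 32:
            raise ValueError("digest length does not match SHA-256")
        self.calls.append((KeyId, MessageType, SigningAlgorithm, len(Message)))
        return {"Signature": b"constructed-placeholder-signature"}

def demo():
    body = [b"x" * 65536] * 10  # constructed 640 KiB response body
    kms = StubKMS()
    digest, signature = sign_response(kms, KEY_ID, body)
    try:  # the whole body as a RAW message is refused on size
        kms.sign(KeyId=KEY_ID, Message=b"".join(body),
                 MessageType="RAW", SigningAlgorithm=ALGORITHM)
        raw_accepted = True
    except ValueError:
        raw_accepted = False
    return digest, signature, raw_accepted, kms.calls

if __name__ == "__main__":
    digest, signature, raw_accepted, calls = demo()
    print(digest.hex(), raw_accepted, calls)
```

Against the real service, pass `boto3.client("kms")` in place of `StubKMS()`. The party checking the signature hashes the received body with SHA-256 in the same way and verifies the signature over that digest with the key's public half.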