How do I import my keys into AWS Key Management Service?

3 minute read
1

I want to import my key material into AWS Key Management Service (AWS KMS) so I can use 256-bit symmetric keys with AWS services.

Resolution

AWS KMS allows you to import your key material into an AWS KMS key. You can then use this key with AWS services that are supported by AWS KMS.
Follow these steps to import your key material into AWS KMS.
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

  1. Create an AWS KMS key with no key material and note your AWS KMS key's ID.
    Note: For Define Key Administrative Permissions and Define Key Usage Permissions, it's a best practice to separate the key administrator and key roles. This limits the impact if either credential is exposed.

  2. Open a terminal on your local machine or Amazon Elastic Compute Cloud (Amazon EC2) instance with OpenSSL installed.

  3. To generate a 256-bit symmetric key, run the following command:

    openssl rand -out PlaintextKeyMaterial.bin 32
  4. To describe the key and get the parameters for the import, run the following AWS CLI commands:
    Note: The commands store the public key and import token parameters into a variable.

    export KEY=`aws kms --region eu-west-2 get-parameters-for-import --key-id example1-2345-67ab-9123-456789abcdef --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 --query '{Key:PublicKey,Token:ImportToken}' --output text`
  5. To place the public key and import token into separate base64-encoded files, run the following command:

    echo $KEY | awk '{print $1}' > PublicKey.b64echo $KEY | awk '{print $2}' > ImportToken.b64
  6. To convert the base64-encoded file into binary files to import, run the following commands:

    openssl enc -d -base64 -A -in PublicKey.b64 -out PublicKey.binopenssl enc -d -base64 -A -in ImportToken.b64 -out ImportToken.bin
  7. To encrypt the key material with the public key that was converted to a binary file, run the following command:

    openssl pkeyutl -in PlaintextKeyMaterial.bin -out EncryptedKeyMaterial.bin -inkey PublicKey.bin -keyform DER -pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
  8. To import the encrypted key material into AWS KMS, run the following command:
    Note: This example specifies that the key material doesn't expire, but you can set an expiration date for your key material. For more information, see ExpirationModel.

    aws kms --region eu-west-2 import-key-material --key-id example1-2345-67ab-9123-456789abcdef --encrypted-key-material fileb://EncryptedKeyMaterial.bin --import-token fileb://ImportToken.bin --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
  9. Verify that the imported key status is set to Enabled. To do this, review the key in the AWS KMS console, or run the DescribeKey API action.

If you can't import your key, then follow these steps for your use case:

  • You waited longer than 24 hours and the import token is expired. To resolve this, download the wrapping key and import token again to re-encrypt the key material.
  • Your key material isn't a 256-bit symmetric key. To resolve this, verify that the file size of the encrypted key material is 32 bytes. To check the file size, run one of the following commands:

Linux

wc -c <filename>.bin

Windows

For more information, see Importing key material for AWS KMS keys.

dir <filename>.bin

Related information

I'm using OpenSSL to import my key into AWS KMS, but I'm getting an "InvalidCiphertext" error. How can I fix this?

AWS OFFICIAL
AWS OFFICIALUpdated 3 months ago
3 Comments

Very good procedure. It works perfectly. The procedure does require some bash knowledge. I changed a little my way, by using an intermediate file, to keep inside the wrapping key and the import token.

replied a year ago

Please mind the syntax error in step 5 and step 6: Step 5: echo $KEY | awk '{print $1}' > PublicKey.b64echo $KEY | awk '{print $2}' > ImportToken.b64 This is actually two commands and there is a space missing between PublicKey.b64 and echo. Step 6: Here is a space missing between PublicKey.bin and openssl.

replied a month ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied a month ago