Outside decrypt data encrypted with KMS. Divergency in docs.

0

Hello everybody!

I'm using a KMS asymmetric key (RSA 4096) with imported key material to encrypt some pieces of data. The docs say that asymmetric keys and HMAC keys are portable and interoperable, including decrypting with the asymmetric private key outside AWS.

But there is a note in Importing key material for AWS KMS keys that says "AWS KMS does not support decrypting any AWS KMS ciphertext outside of AWS KMS, even if the ciphertext was encrypted under a KMS key with imported key material".

One of these pieces of information is wrong; the question is which one?

If it is possible to decrypt with the asymmetric private key outside AWS, how do I use the original imported key material to do that?

Jean
Asked 2 months ago · 405 views
1 Answer
1

For encryption using an asymmetric key (specifically RSA keys), as long as you use a compatible algorithm (i.e., RSAES_OAEP_SHA_1 and RSAES_OAEP_SHA_256), you should be able to decrypt the ciphertext. Link to doc. The statement you highlighted applies to symmetric keys that you import.

AWS
Answered 2 months ago
EXPERT
Reviewed 2 months ago
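The decryption the answer describes, as an added example that is not part of the original thread or AWS's own code: the OAEP digest and MGF1 digest passed to OpenSSL must match the KMS encryption algorithm used, or decryption fails. Assumptions: a locally generated key stands in for the imported key material, a local OpenSSL encryption stands in for the KMS Encrypt call, and all function names are hypothetical.

```shell
# Constructed stand-in: a local RSA key plays the imported key material and a
# local OAEP encryption plays the KMS Encrypt call. No AWS access is needed.

# Map a KMS encryption algorithm name to the OpenSSL digest it implies.
oaep_digest() {
    case "$1" in
        RSAES_OAEP_SHA_1)   echo sha1 ;;
        RSAES_OAEP_SHA_256) echo sha256 ;;
        *) echo "unsupported algorithm: $1" >&2; return 1 ;;
    esac
}

# make_keypair DIR [BITS]: write private.pem and public.pem (the post uses 4096).
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:${2:-4096}" \
        -out "$1/private.pem" 2>/dev/null &&
    openssl pkey -in "$1/private.pem" -pubout -out "$1/public.pem"
}

# oaep_encrypt ALG PUBKEY IN OUT: stand-in for KMS Encrypt.
oaep_encrypt() {
    md=$(oaep_digest "$1") || return 1
    openssl pkeyutl -encrypt -pubin -inkey "$2" -in "$3" -out "$4" \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt "rsa_oaep_md:$md" -pkeyopt "rsa_mgf1_md:$md"
}

# oaep_decrypt ALG PRIVKEY IN OUT: decrypt raw ciphertext bytes outside AWS KMS.
# A CiphertextBlob taken from the AWS CLI is base64 text; decode it first.
oaep_decrypt() {
    md=$(oaep_digest "$1") || return 1
    openssl pkeyutl -decrypt -inkey "$2" -in "$3" -out "$4" \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt "rsa_oaep_md:$md" -pkeyopt "rsa_mgf1_md:$md" 2>/dev/null
}

# roundtrip_demo [BITS]: matching parameters decrypt; mismatched ones are rejected.
roundtrip_demo() {
    dir=$(mktemp -d) || return 1
    make_keypair "$dir" "${1:-4096}" || return 1
    printf 'constructed sample secret' > "$dir/plain.bin"
    oaep_encrypt RSAES_OAEP_SHA_256 "$dir/public.pem" "$dir/plain.bin" "$dir/ct.bin" || return 1
    oaep_decrypt RSAES_OAEP_SHA_256 "$dir/private.pem" "$dir/ct.bin" "$dir/out.bin" || return 1
    cmp -s "$dir/plain.bin" "$dir/out.bin" || return 1
    if oaep_decrypt RSAES_OAEP_SHA_1 "$dir/private.pem" "$dir/ct.bin" "$dir/bad.bin"; then
        return 2   # a SHA-1 OAEP decrypt of SHA-256 ciphertext must not succeed
    fi
    rm -rf "$dir"
}
```

With a real key, skip `make_keypair` and `oaep_encrypt` and call `oaep_decrypt` with the algorithm name that was passed to KMS, the private key file that was imported, and the base64-decoded ciphertext.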
