AWS Customer Managed KMS replica - key material import


I am trying to get replica of existing customer managed KMS key working in a different region. Since replicated it is in "Pending Import" status. I have tried to import the same key material and different Import Token (the one downloaded from the region where replica lives) but getting InvalidCyphertext Exception".

Have anybody ever had to deal with regional customer managed KMS key and import of key material ? Please share the steps you followed on this process.

  • To be clear, the primary KMS key is working perfectly well and status for that one is enabled. Replica is the issue.

asked 8 months ago232 views
1 Answer
Accepted Answer

Hi ilona-savinova,

On your question, I followed the steps exactly as mentioned at Creating replica key for replicating one of my multi-region kms key and I was able to replicate it in us-east-2 from us-east-1

Could you please comment here, how are you replicating, through console or KMS API and if you can list steps, that would be helpful too.

I'm sure, you are already aware of:

Supported KMS key types for multi region KMS key replication are:

  1. Symmetric encryption KMS keys

  2. Asymmetric KMS keys

  3. HMAC KMS keys

  4. KMS keys with imported key material

You cannot create multi-Region keys in a custom key store.

Additional Reference: Multi Region Key Import

profile pictureAWS
answered 8 months ago
profile picture
reviewed 8 months ago
  • I am doing it via console. it is symmetric key I am having an issue to import key material to replica which is in Pending Import status

    I tried to download wrapping key and import token from replica, import primary key material (the one I used in primary KMS key in Ohio) and import token that I downloaded from replica KMS key (because they are described as unique per region?) but I am getting InvalidCyphertext Exception error message when trying to import.

  • The steps I took to replicate:

    1. Went to Regional section, chose region for replica- us-east-1
    2. Switched to us-east-1 - the replica showed up in status "Pending Import"
    3. Went to Key Material, clicked on Import Key:
    4. Downloaded Wrapping Public Key and Import Token
    5. Imported primary key material generated for the base key from Ohio Region. Uploaded Import token previously downloaded from replica key in N.Virginia region
    6. Upload failed with InvalidCyphertext Exception error
  • Can you please make sure, if you are exactly following step3 from Creating a replica key with imported key material. It says that "Use the public key to encrypt the primary key's key material, and then import the primary key's key material in the replica key. You need a different public key and import token for each replica key." Let me know if you are still facing the problem.

  • Thank you for confirming my doubts. I finally resolved the issue. I was not sure why this command below wasn't doing the job - I lost my plain_text_aes.bin during initial creation of the key material.

    I recreated the KMS primary key, did it from scratch alltogether and it worked. Thank you very much for your support!

    openssl pkeyutl -in plain_text_aes_key.bin -inkey <your-wrappingKey...> -pubin -keyform DER -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -out enc.aes.key

  • I'm glad you were able to resolve the issue.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions