Recreate KMS key with same CMK from key material

0

The test that I'm running is to backup a database from one RDS SQL Server to S3 along w/ the TDE cert, and then restore it to another SQL Server. For this, I'd like to use a single-region KMS key to export the TDE cert, and then import it using another KMS key, such that the key material is the same in the second KMS key. The TDE cert along w/ the private key is exported to S3 by providing a KMS key. The import to the second SQL Server is to create the UserTDE cert so that the encrypted database backup (.bak file) can be decrypted.

To do the test, I created a single-region KMS key using imported key material. The EncryptedKeyMaterial.bin was created using the WrappingPublicKey.bin from the downloaded zip file. Now, I want to create another key with the same key material. Is this possible? The issue that I'm trying to address is that the KMS key was accidentally deleted.

Shiva
asked 7 months ago, 370 views
2 Answers
0

You can create two separate KMS keys and import the same key material for both keys. However, you won't be able to interchange one for another (e.g., if you encrypt an S3 bucket using Key A and then switch to Key B, you won't be able to decrypt the object even though the key material for both keys is the same).

Per doc:

Symmetric encryption keys are not portable or interoperable

KMS keys with the same imported key material are not interoperable. The symmetric ciphertext that AWS KMS generates is specific to each KMS key. This ciphertext format guarantees that only the KMS key that encrypted the data can decrypt it.

AWS
answered 7 months ago
  • Thanks for the response. Is there any way to recreate a customer managed key? I do realize the multi-region keys can have replicas w/ the same keyid+ciphertext and that they can encrypt/decrypt in different regions. But what I'm specifically looking for is the scenario where the KMS key was deleted, and whether it can be recreated. Please note that the question does apply even for the case where the key material is provided by the user.

0

Deleting the key material of a KMS key with imported key material is temporary and reversible. To restore the key, reimport its key material. In contrast, deleting a KMS key is irreversible. If you schedule key deletion and the required waiting period expires, AWS KMS permanently and irreversibly deletes the KMS key, its key material, and all metadata associated with the KMS key.

https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-managing.html

AWS
Yuri_K
answered 5 months ago
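The two answers above describe two different operations: re-importing key material into an existing EXTERNAL-origin key (reversible) versus trying to "recreate" a deleted key (not possible, and two keys with identical material are still not interoperable). The script below is an added example, not code from the thread or from AWS; it assumes boto3 and the cryptography package, configured AWS credentials, and uses placeholder key IDs. The wrapping step reproduces how EncryptedKeyMaterial.bin is built from WrappingPublicKey.bin with the RSAES_OAEP_SHA_256 wrapping algorithm.

```python
"""Re-import key material into a KMS key (Origin=EXTERNAL) and check whether a
second key holding identical material can decrypt the first key's ciphertext.
Added example for this thread; the live parts need AWS credentials."""
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding

# Padding that matches KMS WrappingAlgorithm='RSAES_OAEP_SHA_256'.
OAEP_SHA256 = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                           algorithm=hashes.SHA256(), label=None)


def wrap_key_material(wrapping_public_key_der: bytes, key_material: bytes) -> bytes:
    """Wrap 256-bit symmetric key material with the DER public key that
    GetParametersForImport returns (this is the EncryptedKeyMaterial.bin content)."""
    if len(key_material) != 32:
        raise ValueError("symmetric KMS key material must be exactly 32 bytes")
    public_key = serialization.load_der_public_key(wrapping_public_key_der)
    return public_key.encrypt(key_material, OAEP_SHA256)


def reimport_key_material(kms, key_id: str, key_material: bytes) -> None:
    """Restore a key whose *material* was deleted. Each import needs a fresh
    wrapping key and import token; a deleted KMS key itself cannot be restored."""
    params = kms.get_parameters_for_import(
        KeyId=key_id, WrappingAlgorithm="RSAES_OAEP_SHA_256",
        WrappingKeySpec="RSA_2048")
    kms.import_key_material(
        KeyId=key_id,
        ImportToken=params["ImportToken"],
        EncryptedKeyMaterial=wrap_key_material(params["PublicKey"], key_material),
        ExpirationModel="KEY_MATERIAL_DOES_NOT_EXPIRE")


def keys_interoperable(kms, key_a: str, key_b: str) -> bool:
    """True only if ciphertext produced under key_a decrypts under key_b.
    KMS binds ciphertext to the key ID, so this returns False even when both
    keys were loaded with identical material."""
    blob = kms.encrypt(KeyId=key_a, Plaintext=b"tde-test")["CiphertextBlob"]
    try:
        kms.decrypt(KeyId=key_b, CiphertextBlob=blob)
        return True
    except kms.exceptions.IncorrectKeyException:
        return False


if __name__ == "__main__":
    import boto3  # assumption: region and credentials come from the environment
    kms = boto3.client("kms")
    material = os.urandom(32)  # in practice: the material file you imported originally
    key_a, key_b = "KEY_A_ID_PLACEHOLDER", "KEY_B_ID_PLACEHOLDER"
    for key in (key_a, key_b):
        reimport_key_material(kms, key, material)
    print("interoperable:", keys_interoperable(kms, key_a, key_b))
```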
