1 Answer
- Newest
- Most votes
- Most comments
0
You can use GenerateDataKeyPair API to create private/public key pair you can use outside of AWS KMS. The private key is encrypted under a symmetric KMS key. To use the private key, you would need to call Decrypt API on the private key to get plaintext private key back. This solution works if your use case does not involve encrypting/decrypting within FIPS boundary.
For larger messages the guidance is to generate a message digest and sign that, but we need to sign the entire response.
Could you elaborate on this a little more? Curious to know why you need to sign the entire response. Also, how big is your response on average?
answered 2 years ago
Relevant content
- asked a year ago
- asked 4 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
Signing the entire response was the original API customer requirement, but after some inquiries we were able to get sign-off on generating a message digest and just signing that. FYI our responses are around 600-700K.