1 Answer
You can use the GenerateDataKeyPair API to create a private/public key pair that you can use outside of AWS KMS. The private key is encrypted under a symmetric KMS key. To use the private key, you would need to call the Decrypt API on the private key to get the plaintext private key back. This solution works if your use case does not involve encrypting/decrypting within a FIPS boundary.
For larger messages the guidance is to generate a message digest and sign that, but we need to sign the entire response.
Could you elaborate on this a little more? Curious to know why you need to sign the entire response. Also, how big is your response on average?
Answered 1 year ago
Signing the entire response was the original API customer requirement, but after some inquiries we were able to get sign-off on generating a message digest and just signing that. FYI our responses are around 600-700K.
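The digest-then-sign approach settled on in this thread, sketched for the KMS Sign API as an added example (not code from the posters or from AWS). It assumes a boto3-style client exposing `sign`; the key alias, the `RecordingKms` stand-in and the sample body are constructed for illustration.

```python
import hashlib

KMS_RAW_LIMIT = 4096  # largest Message, in bytes, that KMS Sign accepts
HASH_FOR_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def build_sign_request(key_id, body, algorithm="RSASSA_PSS_SHA_256"):
    """Build the keyword arguments for a KMS Sign call over `body` (bytes)."""
    # The digest must use the same hash as the signing algorithm, otherwise
    # a verifier that hashes the full response will reject the signature.
    suffix = algorithm.rsplit("_", 1)[-1]
    if suffix not in HASH_FOR_SUFFIX:
        raise ValueError(f"cannot derive a digest function for {algorithm}")
    request = {"KeyId": key_id, "SigningAlgorithm": algorithm}
    if len(body) <= KMS_RAW_LIMIT:
        # Small enough to send as-is; KMS hashes it internally.
        request.update(Message=body, MessageType="RAW")
    else:
        # Too large for RAW: hash locally and send only the digest.
        digest = HASH_FOR_SUFFIX[suffix](body).digest()
        request.update(Message=digest, MessageType="DIGEST")
    return request


def sign_response(kms_client, key_id, body, algorithm="RSASSA_PSS_SHA_256"):
    """Sign `body` through any client that exposes a boto3-style sign()."""
    return kms_client.sign(**build_sign_request(key_id, body, algorithm))["Signature"]


class RecordingKms:
    """Constructed offline stand-in for boto3.client("kms"); records each call."""

    def __init__(self):
        self.calls = []

    def sign(self, **kwargs):
        self.calls.append(kwargs)
        return {"Signature": b"constructed-signature"}


if __name__ == "__main__":
    body = b'{"constructed": "response"}' * 25_000  # about 675 KB, constructed
    kms = RecordingKms()
    sign_response(kms, "alias/example-signing-key", body)  # hypothetical alias
    sent = kms.calls[0]
    print(sent["MessageType"], len(sent["Message"]), "bytes sent for", len(body))
```

The recipient verifies against the full response body with the public key, hashing it with the same algorithm, so the signature still covers every byte of the response.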