- 最新
- 最多得票
- 最多評論
You can create two separate KMS key and import same key material for both keys. However, you won't be able to interchange one for another (e.g., if you encrypt S3 bucket using Key A then switch to Key B, you won't be able to decrypt the object even though the key material for both keys are the same.)
Per doc:
Symmetric encryption keys are not portable or interoperable
KMS keys with the same imported key material are not interoperable. The symmetric ciphertext that AWS KMS generates ciphertext that is specific to each KMS key. This ciphertext format guarantees that only the KMS key that encrypted data can decrypt it.
Deleting the key material of a KMS key with imported key material is temporary and reversible. To restore the key, reimport its key material. In contrast, deleting a KMS key is irreversible. If you schedule key deletion and the required waiting period expires, AWS KMS permanently and irreversibly deletes the KMS key, its key material, and all metadata associated with the KMS key.
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-managing.html
相關內容
- AWS 官方已更新 2 年前
- AWS 官方已更新 2 年前
- AWS 官方已更新 1 年前
thanks for the response. Is there any way to recreate a customer managed key? I do realize the multi-region keys that can have replicas w/ the same keyid+ciphertext and that they can encrypt/decrypt in different regions. but what I'm specifically looking for is the scenario where the KMS key was deleted, and whether it can be recreated. Please note, that the question does apply even for the case where the key material is provided by the user.