epomatti/aws-kms-import-key
AWS KMS Key with external key material

Key Creation & import

Create the key with EXTERNAL origin configuration:

aws kms create-key --origin EXTERNAL --description "External key"

aws kms create-alias \
    --alias-name alias/MyImportedKey \
    --target-key-id 1234abcd-12ab-34cd-56ef-1234567890ab

Create the work directory where the generated artifacts will be written:

mkdir work

Download the wrapping public key:

aws kms get-parameters-for-import \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --wrapping-algorithm RSAES_OAEP_SHA_256 \
    --wrapping-key-spec RSA_3072 \
    > ./work/import.txt

Run the script that generates the key material and wraps it with the downloaded public key:

bash wrapKey.sh
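The repository's wrapKey.sh is not shown on this page. The script below is an added example of what that step has to do, not the repo's own code: it reads the import.txt produced by the previous step (the AWS CLI's default pretty-printed JSON), base64-decodes the wrapping public key and import token, generates 32 bytes of random key material (the size KMS requires for a SYMMETRIC_DEFAULT key), and wraps it with RSAES_OAEP_SHA_256 using openssl, writing the two files the import command expects into work/. The function name wrap_key_material and the helper json_field are assumptions of this example; only openssl, sed and base64 are required.

```shell
#!/usr/bin/env bash
# Added example (not the repository's wrapKey.sh): prepare wrapped key material
# for `aws kms import-key-material` from the output of get-parameters-for-import.
set -eu

# Extract a string-valued field from the pretty-printed JSON the AWS CLI writes
# by default (one "Key": "value" pair per line). Assumed helper for this example.
json_field() {
  sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# wrap_key_material IMPORT_JSON OUT_DIR [KEY_BYTES]
#   IMPORT_JSON: file written by `aws kms get-parameters-for-import`
#   OUT_DIR:     directory that receives EncryptedKeyMaterial.bin and ImportToken.bin
#   KEY_BYTES:   length of the random key material; 32 (256-bit) for SYMMETRIC_DEFAULT keys
wrap_key_material() {
  import_json="$1"
  out_dir="$2"
  key_bytes="${3:-32}"
  mkdir -p "$out_dir"

  # The public key is a base64-encoded DER SubjectPublicKeyInfo; the token is opaque
  # to us and is passed back to KMS unchanged together with the wrapped material.
  json_field PublicKey "$import_json" | base64 --decode > "$out_dir/WrappingPublicKey.der"
  json_field ImportToken "$import_json" | base64 --decode > "$out_dir/ImportToken.bin"

  # Generate the plaintext key material locally. This file IS the key: keep it
  # offline and with restrictive permissions, because it is the only copy that can
  # ever be re-imported into this KMS key.
  umask 077
  openssl rand -out "$out_dir/PlaintextKeyMaterial.bin" "$key_bytes"

  # Wrap with RSAES_OAEP_SHA_256: OAEP padding, SHA-256 for both the OAEP hash
  # and the MGF1 hash, which is what the --wrapping-algorithm above selected.
  openssl pkeyutl -encrypt \
    -pubin -keyform DER -inkey "$out_dir/WrappingPublicKey.der" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256 \
    -in "$out_dir/PlaintextKeyMaterial.bin" \
    -out "$out_dir/EncryptedKeyMaterial.bin"
}

# Usage with the files from the steps above:
#   wrap_key_material ./work/import.txt ./work
```

The wrapped material is only usable with the import token it was downloaded with, and the parameters from get-parameters-for-import are valid for 24 hours, so run the wrap and the import together. The plaintext file stays on the machine that ran the script; move it to offline storage once the import succeeds, since it is the only material that key will ever accept.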

Import the key material into KMS:

aws kms import-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --encrypted-key-material fileb://work/EncryptedKeyMaterial.bin \
    --import-token fileb://work/ImportToken.bin \
    --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

💡 To make the key material expire, replace the expiration option with the following:

--expiration-model KEY_MATERIAL_EXPIRES \
--valid-to 2023-06-17T12:00:00-08:00

Test the key by encrypting a sample plaintext (base64 of "sensitive data") and writing the decoded ciphertext to a file:

aws kms encrypt \
    --key-id alias/MyImportedKey \
    --plaintext c2Vuc2l0aXZlIGRhdGEK \
    --output text \
    --query CiphertextBlob \
    | base64 --decode > ./work/ExampleEncryptedFile

Key Management

Rotating keys

Automatic key rotation is not available for KMS keys with imported key material.

To rotate, create a new KMS key, import new key material into it, and then repoint the alias to the new key:

aws kms update-alias \
    --alias-name alias/MyImportedKey \
    --target-key-id "<< NEW KEY ID >>"

Deleting keys

A KMS key cannot be deleted immediately.

The options are:

  • Disable the key.
  • Delete the key material (imported keys only).
  • Schedule the key for deletion with the standard waiting period of 7-30 days.

After the key material is deleted, only the same key material that was originally imported can be uploaded again (see the next section).

Re-upload key material

🚨 You cannot change the key material of an existing key. You can only re-upload the same material.

You can simulate this by moving the previous artifacts aside and repeating the import steps with newly generated key material (the work directory has to be recreated, otherwise the redirect below fails):

mv work work-backup
mkdir work

aws kms get-parameters-for-import \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --wrapping-algorithm RSAES_OAEP_SHA_256 \
    --wrapping-key-spec RSA_3072 \
    > ./work/import.txt

You'll get an error. Even after you delete the key material, KMS only accepts the same key material that was previously imported into that key.
