Understanding AWS KMS Keys - Key Material and Origins
Jan 25, 2024Introduction - What is Key Material?
In the world of cryptography, key material refers to the string of bits used in a cryptographic algorithm. It's the core element that encrypts and decrypts our data. There are two types of key material: secret and public. Secret key material must be kept confidential to ensure the security of cryptographic operations, while public key material is meant to be shared.
AWS KMS Keys and Their Key Material
Each AWS KMS key is associated with a key material, as referenced in its metadata. By default, AWS is responsible for creating the key material using FIPS-validated hardware security modules, and it never leaves AWS KMS unencrypted. Users cannot extract, export, view, or directly manage this key material. The sole exception lies in the public keys of asymmetric key pairs, which can be exported for outside use.
If we opt for AWS-generated key material, AWS KMS offers a feature to automatically rotate the key material, enhancing security over time. AWS KMS also allows the creation of multi-Region keys, which share the same key material across different regions. This can be helpful for maintaining consistency in global applications.
Key Material Origin
The "key material origin" is a specific attribute of a KMS key in AWS KMS, which indicates the source from which its key material is derived. The origin of key material is a significant attribute in a KMS key, as it determines several factors such as Security, Durability, Availability, Latency and Throughput. We choose the key material origin when we create a KMS key. Once set, it cannot be changed.
Key Material Origin Values
The key material origin values for a KMS key can be one of the following:
- AWS_KMS: The default and most recommended. AWS handles the creation and management of the key material.
- EXTERNAL (Import key material): For those who prefer to import their own key material. Remember, this requires us to manage and secure this material independently.
- AWS_CLOUDHSM: AWS KMS creates the key material in our AWS CloudHSM cluster.
- EXTERNAL_KEY_STORE: Used when the key material is in an external key manager outside AWS. This is specific to KMS keys in an external key store.
How to Find the Key Material Origin?
We can use the DescribeKey operation or check the Origin value in the AWS KMS console under the Cryptographic configuration tab.
Importing Our Own Key Material
In some scenarios, organizations might need to use cryptographic key material that they generate and manage outside of AWS. This could be due to regulatory requirements, compliance with specific security policies, or a need for key material that has been generated with specialized hardware or software.
How It's Done:
-
Generate Key Material: First, the key material must be generated outside AWS using your own methods or tools. This should be done in a secure environment.
-
Create a KMS Key Without Material: In AWS KMS, you create a KMS key without key material – a placeholder for the key material you will import.
-
Import Process: The key material is then encrypted with a public key provided by AWS KMS and sent securely to AWS. The AWS KMS then associates this encrypted key material with the KMS key you created.
-
Use Like Any KMS Key: Once the import is successful, the KMS key can be used just like any other KMS key within AWS for cryptographic operations.
Utilizing External Key Managers
Some organizations prefer to use external key managers for various reasons, such as integrating with existing key management infrastructure, adhering to specific security practices, or leveraging certain features of third-party key management solutions.
How It's Done:
-
Setup External Key Manager: The external key manager, which could be a hardware security module (HSM) or a key management service outside AWS, is set up and configured according to your organizational policies.
-
Integration with AWS KMS: For integration, AWS provides the option to create a custom key store in AWS KMS that is backed by your external key manager.
-
Create KMS Keys in Custom Key Store: You can then create KMS keys in this custom key store. These keys use the key material generated and stored in your external key manager.
-
Cryptographic Operations: The KMS keys in the custom key store can then be used for cryptographic operations within AWS, but the key material remains in the external key manager.
Importing our own vs. external key manager
The choice between importing your own key material and utilizing external key managers depends on your organization's specific needs and policies. Importing your own key material is suitable when you need to generate key material with specific tools or under certain conditions, while external key managers are ideal when you want to maintain control over the key material in an existing infrastructure outside AWS.
Conclusion
AWS KMS offers flexible options for key materials catering to different security and management needs. We can also import our own keys or use an external key manager. The choice between importing your own key material and utilizing external key managers depends on your organization's specific needs and policies.
See also
Read about custom key stores at cloudericks.com/blog/understanding-custom-key-stores-in-aws-kms.
Stay connected with news and updates!
Join our mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.
We hate SPAM. We will never sell your information, for any reason.