Home Membership Courses Blog
About Contact

Understanding AWS KMS Keys - Key Material and Origins

all aws aws kms aws security Jan 25, 2024

Introduction - What is Key Material?

In the world of cryptography, key material refers to the string of bits used in a cryptographic algorithm. It's the core element that encrypts and decrypts our data. There are two types of key material: secret and public. Secret key material must be kept confidential to ensure the security of cryptographic operations, while public key material is meant to be shared. 

AWS KMS Keys and Their Key Material

Each AWS KMS key is associated with a key material, as referenced in its metadata. By default, AWS is responsible for creating the key material using FIPS-validated hardware security modules, and it never leaves AWS KMS unencrypted. Users cannot extract, export, view, or directly manage this key material. The sole exception lies in the public keys of asymmetric key pairs, which can be exported for outside use.

If we opt for AWS-generated key material, AWS KMS offers a feature to automatically rotate the key material, enhancing security over time. AWS KMS also allows the creation of multi-Region keys, which share the same key material across different regions. This can be helpful for maintaining consistency in global applications. 

Key Material Origin

The "key material origin" is a specific attribute of a KMS key in AWS KMS, which indicates the source from which its key material is derived. The origin of key material is a significant attribute in a KMS key, as it determines several factors such as Security, Durability, Availability, Latency and Throughput. We choose the key material origin when we create a KMS key. Once set, it cannot be changed.

Key Material Origin Values

The key material origin values for a KMS key can be one of the following:

  1. AWS_KMS: The default and most recommended. AWS handles the creation and management of the key material.
  2. EXTERNAL (Import key material): For those who prefer to import their own key material. Remember, this requires us to manage and secure this material independently.
  3. AWS_CLOUDHSM: AWS KMS creates the key material in our AWS CloudHSM cluster.
  4. EXTERNAL_KEY_STORE: Used when the key material is in an external key manager outside AWS. This is specific to KMS keys in an external key store.

How to Find the Key Material Origin?

We can use the DescribeKey operation or check the Origin value in the AWS KMS console under the Cryptographic configuration tab.

Importing Our Own Key Material

In some scenarios, organizations might need to use cryptographic key material that they generate and manage outside of AWS. This could be due to regulatory requirements, compliance with specific security policies, or a need for key material that has been generated with specialized hardware or software.

How It's Done:

  1. Generate Key Material: First, the key material must be generated outside AWS using your own methods or tools. This should be done in a secure environment.

  2. Create a KMS Key Without Material: In AWS KMS, you create a KMS key without key material – a placeholder for the key material you will import.

  3. Import Process: The key material is then encrypted with a public key provided by AWS KMS and sent securely to AWS. The AWS KMS then associates this encrypted key material with the KMS key you created.

  4. Use Like Any KMS Key: Once the import is successful, the KMS key can be used just like any other KMS key within AWS for cryptographic operations.

Utilizing External Key Managers

Some organizations prefer to use external key managers for various reasons, such as integrating with existing key management infrastructure, adhering to specific security practices, or leveraging certain features of third-party key management solutions.

How It's Done:

  1. Setup External Key Manager: The external key manager, which could be a hardware security module (HSM) or a key management service outside AWS, is set up and configured according to your organizational policies.

  2. Integration with AWS KMS: For integration, AWS provides the option to create a custom key store in AWS KMS that is backed by your external key manager.

  3. Create KMS Keys in Custom Key Store: You can then create KMS keys in this custom key store. These keys use the key material generated and stored in your external key manager.

  4. Cryptographic Operations: The KMS keys in the custom key store can then be used for cryptographic operations within AWS, but the key material remains in the external key manager.

Importing our own vs. external key manager

The choice between importing your own key material and utilizing external key managers depends on your organization's specific needs and policies. Importing your own key material is suitable when you need to generate key material with specific tools or under certain conditions, while external key managers are ideal when you want to maintain control over the key material in an existing infrastructure outside AWS.

Conclusion

AWS KMS offers flexible options for key materials catering to different security and management needs. We can also import our own keys or use an external key manager. The choice between importing your own key material and utilizing external key managers depends on your organization's specific needs and policies. 

See also

Read about custom key stores at cloudericks.com/blog/understanding-custom-key-stores-in-aws-kms.

Stay connected with news and updates!

Join our mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.

We hate SPAM. We will never sell your information, for any reason.

Recent Posts

Understanding TLS Termination with Load Balancers in AWS
all aws aws networking aws security
Apr 19, 2024
Understanding Load Balancing in AWS
all aws aws networking
Apr 18, 2024
A Beginner's Roadmap to Mastering AWS Networking
all aws aws networking roadmaps
Apr 08, 2024

Categories

All Categories all aws all azure amazon ec2 amazon s3 announcements aws aws architecture aws automation aws cloudhsm aws comparison 101 aws compute aws containers aws cost management aws developer tools aws devops aws feature 101 aws governance aws iam aws kms aws management tools aws messaging aws networking aws optimizations aws policies aws principles 101 aws recipes aws security aws serverless aws service 101 aws ssm aws storage aws tools 101 aws vpc azure networking azure security cloud computing ec2 security getting started multi-cloud roadmaps s3 security security updated
Lead Author @ Cloudericks Blogs

Heartin Kanikathottu

Principal Cloud Architect & Author

The Cloudericks blog posts are created and maintained by Heartin Kanikathottu and his team at Cloudericks with a bit of AI help. Heartin is an accomplished Cloud Architect and a prolific international author recognized globally, with one of his books being named all-time 8th best in cloud computing. Read more at heartin.github.io.

Want to askĀ doubts directly to Heartin and team?

Please become a Cloudericks member to join the KEWA group andĀ ask any questions directly to Heartin and the Cloudericks team! You can alsoĀ get access to our courses, cookbooks, quizzes, and the KEWA group!

Special Note: If you purchase any of Heartin's books related to cloud,Ā ask for a complimentary membership to KEWA group.Ā 

Explore Membership