Importing Key Material Step 3: Encrypt the Key Material
After you download the public key and import token, you use the public key to encrypt your key material. Typically, you encrypt your key material when exporting it from your hardware security module (HSM) or key management system. For information about how to do this, see the documentation for your HSM or key management system. You can also refer to the following section that provides a proof of concept demonstration using OpenSSL. When you encrypt your key material, use the RSA PKCS #1 encryption scheme with the padding option that you specified when you downloaded the public key and import token (RSAES_OAEP_SHA_256, RSAES_OAEP_SHA_1, or RSAES_PKCS1_V1_5).
Encrypt Key Material with OpenSSL
The following example demonstrates how to use OpenSSL to generate a 256-bit symmetric key and then encrypt this key material for import into a KMS customer master key (CMK).
Important
This example is a proof of concept demonstration only. For production systems, use a more secure method (such as a commercial HSM or key management system) to generate and store your key material.
To use OpenSSL to generate key material and encrypt it for import into AWS KMS

1. Use the following command to generate a 256-bit symmetric key and save it in a file named PlaintextKeyMaterial.bin.

   $ openssl rand -out PlaintextKeyMaterial.bin 32

2. Use the following command to encrypt the key material with the public key that you downloaded previously (see Download the Public Key and Import Token (AWS KMS API)) and save it in a file named EncryptedKeyMaterial.bin. Replace PublicKey.bin with the name of the file that contains the public key. If you downloaded the public key from the console, this file is named wrappingKey_CMK_key_ID_timestamp (for example, wrappingKey_f44c4e20-f83c-48f4-adc6-a1ef38829760_0809092909).

   $ openssl rsautl -encrypt \
       -in PlaintextKeyMaterial.bin \
       -oaep \
       -inkey PublicKey.bin \
       -keyform DER \
       -pubin \
       -out EncryptedKeyMaterial.bin
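The following script is an added example and is not part of the AWS documentation. It carries the two steps above through in a self-checking form: it uses openssl pkeyutl instead of rsautl so that the wrapping spec chosen when the public key was downloaded (RSAES_OAEP_SHA_256, RSAES_OAEP_SHA_1 or RSAES_PKCS1_V1_5) is selected explicitly, and it generates a local RSA-2048 key pair as a stand-in for the KMS wrapping key. That key pair is an assumption made only so the wrapped material can be unwrapped and compared with the original; with a real import, KMS alone holds the private half. The file names PlaintextKeyMaterial.bin, EncryptedKeyMaterial.bin and wrappingKey_PublicKey.bin are the ones used above; roundtrip_demo, wrap_key_material and the other function names are hypothetical.

```shell
#!/bin/sh
# Added example (not AWS code): generate 256-bit key material, wrap it with an
# RSA public key in DER form using the padding spec KMS expects, and verify the
# result by unwrapping it with the matching private key.
# ASSUMPTION: the RSA key pair generated below is a constructed stand-in for
# the KMS wrapping key; in a real import you never hold the private half.
set -eu

# Run an openssl pkeyutl command with the padding options for spec $1 appended.
# The options are placed after -inkey, which older OpenSSL releases require.
pkeyutl_with_padding() {
    spec="$1"; shift
    case "$spec" in
        RSAES_OAEP_SHA_256) "$@" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 ;;
        RSAES_OAEP_SHA_1)   "$@" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 ;;
        RSAES_PKCS1_V1_5)   "$@" -pkeyopt rsa_padding_mode:pkcs1 ;;
        *) echo "unsupported wrapping spec: $spec" >&2; return 1 ;;
    esac
}

# Constructed stand-in for the KMS wrapping key. The public half is written in
# DER, the format KMS hands you, so the wrap command is the one you would run
# against the real wrappingKey_... file.
gen_stand_in_wrapping_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/wrapping_private.pem" 2>/dev/null
    openssl pkey -in "$WORK/wrapping_private.pem" -pubout -outform DER \
        -out "$WORK/wrappingKey_PublicKey.bin"
}

# Step 1 of the procedure: 32 random bytes of symmetric key material.
generate_key_material() {
    openssl rand -out "$WORK/PlaintextKeyMaterial.bin" 32
}

# Step 2 of the procedure, with the padding spec made explicit.
wrap_key_material() {
    pkeyutl_with_padding "$1" openssl pkeyutl -encrypt \
        -in "$WORK/PlaintextKeyMaterial.bin" \
        -pubin -inkey "$WORK/wrappingKey_PublicKey.bin" -keyform DER \
        -out "$WORK/EncryptedKeyMaterial.bin"
}

# What KMS does on its side: unwrap with the private key using the same spec.
unwrap_key_material() {
    pkeyutl_with_padding "$1" openssl pkeyutl -decrypt \
        -in "$WORK/EncryptedKeyMaterial.bin" \
        -inkey "$WORK/wrapping_private.pem" \
        -out "$WORK/Recovered.bin"
}

# Full round trip for spec $1. Returns 0 only if the wrapped blob is exactly
# one RSA block (256 bytes for RSA-2048) and unwraps to the original 32 bytes.
roundtrip_demo() {
    WORK="$(mktemp -d)"
    gen_stand_in_wrapping_key
    generate_key_material
    wrap_key_material "$1"
    size="$(wc -c < "$WORK/EncryptedKeyMaterial.bin" | tr -d ' ')"
    if [ "$size" -ne 256 ]; then
        echo "wrapped blob is $size bytes, expected 256" >&2
        rm -rf "$WORK"; return 1
    fi
    unwrap_key_material "$1"
    if cmp -s "$WORK/PlaintextKeyMaterial.bin" "$WORK/Recovered.bin"; then
        status=0
    else
        echo "unwrapped material does not match the original" >&2
        status=1
    fi
    rm -rf "$WORK"
    return $status
}

roundtrip_demo RSAES_OAEP_SHA_256
echo "RSAES_OAEP_SHA_256 wrap/unwrap round trip OK"
```

Run it with sh; it exits non-zero if the wrapped blob is not one RSA block long or does not unwrap to the original key material. One caveat worth knowing before you upload: rsautl -oaep, as used in step 2 above, always applies OAEP with SHA-1, so that command produces RSAES_OAEP_SHA_1 material. If you selected RSAES_OAEP_SHA_256 when downloading the public key, wrap with pkeyutl and rsa_oaep_md:sha256 as this script does; KMS cannot unwrap material encrypted under a different padding than the one you requested.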
Proceed to Step 4: Import the Key Material.

