
Create AWS KMS Key

By default, AWS KMS generates the key material when you create an AWS KMS key. To import your own key material instead, first create a KMS key without key material, then import the key material into it. You can create a KMS key with no key material from the AWS Management Console or with a create-key request to the AWS KMS API.

To create a key with no key material, specify a key spec of SYMMETRIC_DEFAULT (the default value) and an origin of EXTERNAL. The key spec and origin of a KMS key are immutable values.

note

Once you create a KMS key intended for imported key material, you cannot later convert it into a KMS key whose key material comes from AWS KMS or any other source.

The key state of a KMS key with an EXTERNAL origin and no key material is PendingImport. A KMS key can remain in PendingImport state indefinitely. However, it is not possible to use a KMS key in PendingImport state in cryptographic operations. When key material is imported, the key state of the KMS key changes to Enabled, and is ready to use in cryptographic operations.

AWS KMS records an entry in the AWS CloudTrail log when creating a KMS key, downloading the public key and import token, as well as importing the key material. AWS KMS also records an entry when you delete imported key material or when AWS KMS deletes expired key material.

For information about creating multi-Region keys with imported key material, see Importing key material into multi-Region keys.

To create a symmetric encryption KMS key with no key material through the AWS KMS API, send a create-key request with the Origin parameter set to EXTERNAL. The following example does this with the AWS Command Line Interface (AWS CLI).

$ aws kms create-key --origin EXTERNAL

If the command succeeds, it prints output similar to the following:

{
  "KeyMetadata": {
    "Origin": "EXTERNAL",
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "Description": "",
    "Enabled": false,
    "MultiRegion": false,
    "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyState": "PendingImport",
    "CreationDate": 1568289600.0,
    "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "AWSAccountId": "111122223333",
    "KeyManager": "CUSTOMER",
    "KeySpec": "SYMMETRIC_DEFAULT",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "EncryptionAlgorithms": [
      "SYMMETRIC_DEFAULT"
    ]
  }
}

In the output, the KMS key's Origin is EXTERNAL and its KeyState is PendingImport.

Copy the KeyId value from the command output; it is needed in later steps of this guide.
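Because Origin and KeySpec are immutable, it is worth checking the KeyMetadata returned by create-key (or describe-key) before downloading an import token. The following Python is an added example, not part of this guide or of AWS's own code; it validates the create-key output reproduced above (embedded as a constructed sample) and, in create_key_for_import, does the same against a live call through an assumed boto3 KMS client.

```python
from __future__ import annotations
import json

# Constructed sample: the create-key output reproduced from this page,
# as the AWS CLI prints it (no real account or key involved).
SAMPLE_CREATE_KEY_OUTPUT = """{
  "KeyMetadata": {
    "Origin": "EXTERNAL",
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyState": "PendingImport",
    "KeySpec": "SYMMETRIC_DEFAULT"
  }
}"""


def check_import_ready(meta: dict) -> list[str]:
    """Return the reasons a key is NOT ready for key-material import.

    Empty list = the key matches what this guide expects. Origin and KeySpec
    are immutable, so a mismatch cannot be fixed in place: create a new key.
    """
    problems = []
    if meta.get("Origin") != "EXTERNAL":
        problems.append(f"Origin is {meta.get('Origin')!r}, not 'EXTERNAL' "
                        "(immutable: re-create with --origin EXTERNAL)")
    if meta.get("KeySpec") != "SYMMETRIC_DEFAULT":
        problems.append(f"KeySpec is {meta.get('KeySpec')!r}, not "
                        "'SYMMETRIC_DEFAULT' (immutable)")
    state = meta.get("KeyState")
    if state == "Enabled":
        problems.append("KeyState is 'Enabled': key material already present")
    elif state != "PendingImport":
        problems.append(f"KeyState is {state!r}: cannot import into this key")
    return problems


def key_id_and_problems(cli_output: str) -> tuple[str, list[str]]:
    """Parse raw `aws kms create-key` / `describe-key` JSON and validate it."""
    meta = json.loads(cli_output)["KeyMetadata"]
    return meta["KeyId"], check_import_ready(meta)


def create_key_for_import(kms_client) -> tuple[str, list[str]]:
    """Same check on a live call; kms_client is an assumed boto3 KMS client.

    create_key(Origin="EXTERNAL") returns the KeyMetadata structure the CLI
    prints, so a misconfigured key is caught before any import token is fetched.
    """
    meta = kms_client.create_key(Origin="EXTERNAL")["KeyMetadata"]
    return meta["KeyId"], check_import_ready(meta)
```

Pipe the CLI output into key_id_and_problems, or pass boto3.client("kms") to create_key_for_import; an empty problem list means it is safe to continue with the KeyId.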
