aws kms create-key --origin=EXTERNAL
The aws kms create-key command's --origin EXTERNAL option indicates that the key material will not be generated by AWS KMS but will be imported from an external source. The key is created without key material and cannot be used until the import below completes.
aws kms get-parameters-for-import --key-id <key ID of your External CMK> --wrapping-algorithm RSAES_OAEP_SHA_1 --wrapping-key-spec RSA_2048
Type :wq and press Enter to save the file and quit.
Run ls -lrt to check. You will see the pkey.b64 file and the token.b64 file.
openssl enc -d -base64 -A -in pkey.b64 -out pkey.bin
openssl enc -d -base64 -A -in token.b64 -out token.bin
Run ls -lrt to check. The decoded files pkey.bin (the DER-encoded wrapping public key) and token.bin (the import token) are the binary inputs the later steps use.
Usually the key material comes from an enterprise HSM or another key management system that the company has put in charge of generating keys. For the workshop, we generate the key with the OpenSSL library directly on our instance.
openssl rand -out genkey.bin 32
2. Encrypt the key material with the wrapping public key and save the output in a file named WrappedKeyMaterial.bin. The -oaep option uses SHA-1 for the OAEP padding, which matches the RSAES_OAEP_SHA_1 wrapping algorithm requested from get-parameters-for-import; the public key is DER encoded, hence -keyform DER -pubin. (openssl rsautl is deprecated in OpenSSL 3; openssl pkeyutl with -pkeyopt rsa_padding_mode:oaep performs the same operation.)
openssl rsautl -encrypt -in genkey.bin -oaep -inkey pkey.bin -keyform DER -pubin -out WrappedKeyMaterial.bin
Run ls -lrt to check.
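An added example, not part of the workshop: an offline dry run of the decode and wrap steps. Because the KMS wrapping private key never leaves the HSM, a locally generated RSA-2048 key pair stands in for it (an assumption of this example) so that the wrapped blob can be unwrapped and checked before anything is sent to import-key-material. It assumes openssl 1.1.1 or 3.x is on PATH, makes no AWS calls, and uses openssl pkeyutl rather than the deprecated rsautl.

```shell
# Added example, not workshop code. A stub RSA-2048 key pair replaces the KMS
# wrapping key so we can verify the wrap locally. Assumes openssl on PATH.

# Same 256-bit key material the workshop produces with openssl rand.
gen_key_material() {
    openssl rand -out "$1" 32
}

# Stand-in for the KMS wrapping key: private PEM ($1) plus DER public key ($2).
# The private half exists only so this example can unwrap and verify.
make_stub_wrapping_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null &&
    openssl pkey -in "$1" -pubout -outform DER -out "$2"
}

# Mirror of the workshop's pkey.b64 -> pkey.bin step: single-line base64, as
# get-parameters-for-import returns PublicKey and ImportToken.
decode_b64() {
    openssl enc -d -base64 -A -in "$1" -out "$2"
}

# Confirm the decoded blob really parses as a DER public key before using it.
check_public_key() {
    openssl pkey -pubin -inform DER -in "$1" -noout 2>/dev/null
}

# RSAES-OAEP with SHA-1, matching --wrapping-algorithm RSAES_OAEP_SHA_1.
wrap_key_material() {
    openssl pkeyutl -encrypt -in "$1" -inkey "$2" -keyform DER -pubin \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 -out "$3"
}

# Plaintext must be 32 bytes (AES-256) and the wrapped blob must be the RSA
# modulus size, 256 bytes for RSA_2048.
check_sizes() {
    [ "$(wc -c < "$1")" -eq 32 ] && [ "$(wc -c < "$2")" -eq 256 ]
}

# Unwrap with the stub private key ($1) using OAEP hash $4 and compare the
# result with the plaintext ($3). KMS does this inside the HSM.
unwrap_matches() {
    openssl pkeyutl -decrypt -in "$2" -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt "rsa_oaep_md:$4" 2>/dev/null |
        cmp -s - "$3"
}

# Build every artifact in a scratch directory and print its path.
prepare_workdir() {
    local d
    d=$(mktemp -d) || return 1
    gen_key_material "$d/genkey.bin" &&
    make_stub_wrapping_key "$d/stub-priv.pem" "$d/stub-pub.der" &&
    openssl enc -base64 -A -in "$d/stub-pub.der" -out "$d/pkey.b64" &&
    decode_b64 "$d/pkey.b64" "$d/pkey.bin" &&
    cmp -s "$d/stub-pub.der" "$d/pkey.bin" &&
    check_public_key "$d/pkey.bin" &&
    wrap_key_material "$d/genkey.bin" "$d/pkey.bin" "$d/WrappedKeyMaterial.bin" || return 1
    echo "$d"
}

# Returns 0 when the wrap round-trips with the parameters KMS expects.
dry_run_wrap() {
    local d rc
    d=$(prepare_workdir) || return 1
    if check_sizes "$d/genkey.bin" "$d/WrappedKeyMaterial.bin" &&
       unwrap_matches "$d/stub-priv.pem" "$d/WrappedKeyMaterial.bin" "$d/genkey.bin" sha1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$d"
    return $rc
}

# Returns 0 when unwrapping with a mismatched hash (SHA-256) fails: the local
# analogue of KMS rejecting material wrapped with the wrong algorithm.
dry_run_mismatch_rejected() {
    local d rc
    d=$(prepare_workdir) || return 1
    if unwrap_matches "$d/stub-priv.pem" "$d/WrappedKeyMaterial.bin" "$d/genkey.bin" sha256; then
        rc=1
    else
        rc=0
    fi
    rm -rf "$d"
    return $rc
}

dry_run_wrap && echo "wrap round-trips with RSAES_OAEP_SHA_1 parameters"
dry_run_mismatch_rejected && echo "wrong OAEP hash is rejected as expected"
```

Against the real KMS key you cannot run the unwrap half, but the size check and the public-key parse check apply unchanged to the pkey.bin and WrappedKeyMaterial.bin from the workshop, and the mismatch case shows why the wrapping algorithm passed to get-parameters-for-import and the OAEP hash used by openssl must agree.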
aws kms import-key-material --key-id <key ID of your External CMK> --encrypted-key-material fileb://WrappedKeyMaterial.bin --import-token fileb://token.bin --expiration-model KEY_MATERIAL_EXPIRES --valid-to 2022-06-02T12:00:00-08:00
To import, we use the aws kms import-key-material command. It needs the import token stored in token.bin and the wrapped key material we have just stored in WrappedKeyMaterial.bin; both must come from the same get-parameters-for-import call, and the --valid-to date must lie in the future.
On the expiration date, AWS KMS deletes the imported key material. The CMK itself remains, but it can no longer be used until the same key material is imported again. If you do not want the key material to expire, set the expiration model to KEY_MATERIAL_DOES_NOT_EXPIRE instead of KEY_MATERIAL_EXPIRES.
We set an expiration date with the --expiration-model parameter so that we can monitor the key material's expiration in CloudWatch (Section 6).
aws kms create-alias --alias-name alias/ImportedCMK --target-key-id <key ID of your External CMK>
3. To list all of the CMK aliases, execute the command
aws kms list-aliases
The JSON output lists the alias and key ID of the key we have created, along with the aws/ aliases of the AWS managed CMKs that some services create by default.