Updated on 2024-09-29 GMT+08:00

Overview

A custom key contains key metadata (key ID, key alias, description, key status, and creation date) and key materials used for encrypting and decrypting data.
  • When a user uses the KMS console to create a custom key, the KMS automatically generates a key material for the custom key.
  • If you want to use your own key material, you can use the key import function on the KMS console to create a custom key whose key material is empty, and import the key material to the custom key.

Important Notes

  • Security

    You need to ensure that random sources meet your security requirements when using them to generate key materials. When using the import key function, you need to be responsible for the security of your key materials. Save the original backup of the key material so that the backup key material can be imported to the KMS in time when the key material is deleted accidentally.

  • Availability and Durability

    Before importing the key material into KMS, you need to ensure the availability and durability of the key material.

    Differences between the imported key material and the key material generated by KMS are shown in Table 1.

    Table 1 Differences between the imported key material and the key material generated by KMS

    Key Material Source

    Difference

    Imported keys

    • You can delete the key material, but cannot delete the custom key and its metadata.
    • Such keys cannot be rotated.
    • When importing the key material, you can set the expiration time of the key material. After the key material expires, the KMS automatically deletes the key material within 24 hours, but does not delete the custom key and its metadata.

      It is recommended that you save a copy of the material on your local device because it may be used for re-import in cases of invalid key materials or key material mis-deletion.

      NOTE:

      Keys using RSA_2048, RSA_3072, RSA_4096, EC_P256, and EC_P384 algorithms are permanently valid. Their key materials cannot be manually deleted, and their expiration time cannot be configured.

    Keys created in KMS

    • The key material cannot be manually deleted.
    • Symmetric keys can be rotated.
    • You cannot set the expiration time for key material.
  • Association

    When a key material is imported to a custom key, the custom key is permanently associated with the key material. Other key materials cannot be imported into the custom key.

  • Uniqueness

    If you use the custom key created using the imported key material to encrypt data, the encrypted data can be decrypted only by the custom key that has been used to encrypt the data, because the metadata and key material of the custom key must be consistent.