If you set the Origin parameter to EXTERNAL when you create a customer master key (CMK) for Dedicated Key Management Service (KMS), Dedicated KMS does not create key material. In this case, you must import external key material for the CMK. This topic describes how to import external key material.

Background information

You can call the DescribeKey operation to view the key material source of an existing CMK. If the value of the Origin parameter is EXTERNAL, the key material is imported from an external source. In this case, the CMK is considered an external CMK.

Before you import external key material, take note of the following points:
  • Make sure that the external source from which the key material is generated meets security requirements.
  • The key material is imported to your hardware security module (HSM) cluster. You cannot call the DeleteKeyMaterial operation to delete the key material. To delete the key material, you must call the ScheduleKeyDeletion operation to specify a waiting period of 7 days to 30 days for deleting the CMK. When the CMK is deleted, the key material is also deleted.
  • Key material is unique for each CMK. After the key material is imported for the CMK, the CMK is bound to the key material. You can no longer import key material for the CMK.
  • The key material must be a 128-, 192-, or 256-bit symmetric key.

Procedure

  1. Create an external CMK.
    1. Log on to the KMS console.
    2. In the top navigation bar, select the region where your dedicated KMS instance resides.
      For more information about the regions that support Dedicated KMS, see Supported regions.
    3. In the left-side navigation pane, click Dedicated KMS.
    4. Find your dedicated KMS instance and click Manage in the Actions column.
    5. In the User master key section, click Create Key.
    6. In the Create Key dialog box, configure the Key Spec parameter.
      Dedicated KMS supports the following key types: Aliyun_AES_128, Aliyun_AES_192, and Aliyun_AES_256.
    7. Configure the Alias and Description parameters.
    8. Click Advanced and set the Key Material Source parameter to External.
    9. Select I understand the implications of using the external key materials key and click OK.
  2. Obtain the parameters that are used to import key material.
    The parameters include a public key and an import token. The public key is used to encrypt the key material.
    1. In the User master key section, find the CMK for which you want to import key material and click its ID to go to the key management page.
    2. In the Key Material section, click Obtain Parameters Used to Import Key Material.
    3. In the Obtain Parameters Used to Import Key Material dialog box, set the Wrapping Key Type parameter to RSA_2048 and the Wrapping Algorithm parameter to RSAES_PKCS1_V1_5. Then, click Next.
      Note

      If you set the Wrapping Key Type parameter to RSA_2048, you can set the Wrapping Algorithm parameter to RSAES_PKCS1_V1_5 or RSAES_OAEP_SHA_256. The default value is RSAES_PKCS1_V1_5. In this example, the value RSAES_PKCS1_V1_5 is used. RSAES_OAEP_SHA_256 is the stronger padding scheme and is the better choice when your tooling supports it. Whichever value you select, you must encrypt the key material with the same algorithm in Step 3; a mismatch causes the import to fail.

    4. Click Download next to Public Key Format, and then click Download next to Import Token, to download the public key and the import token. Then, click Close.
  3. Use OpenSSL to encrypt key material.
    The public key is a 2048-bit Rivest-Shamir-Adleman (RSA) public key in DER format, delivered as Base64 text. The encryption algorithm must be the same as the Wrapping Algorithm that you specified when you obtained the parameters in the previous step. Before you can use the public key to encrypt key material, you must decode it from Base64. Then, you can use OpenSSL to generate and encrypt key material.
    1. Decode the downloaded public key from Base64 to obtain the DER-encoded key.
    2. Create key material. In this example, a 32-byte random number is generated by using OpenSSL, which matches the Aliyun_AES_256 key spec. Generate 16 or 24 bytes instead for Aliyun_AES_128 or Aliyun_AES_192.
    3. Use the specified encryption algorithm to encrypt the key material. In this example, the RSAES_PKCS1_V1_5 algorithm is specified.
    4. Encode the encrypted key material in Base64 and save it to a text file.
      # Decode the Base64 public key downloaded from the console into DER
      # (PublicKey_base64.txt stands for the downloaded file; rename as needed).
      openssl enc -d -base64 -A -in PublicKey_base64.txt -out PublicKey.bin
      # Generate 32 bytes (256 bits) of key material from the OpenSSL CSPRNG.
      openssl rand -out KeyMaterial.bin 32
      # Encrypt the key material with the public key using RSAES_PKCS1_V1_5 (-pkcs).
      openssl rsautl -encrypt -in KeyMaterial.bin -pkcs -inkey PublicKey.bin -keyform DER -pubin -out EncryptedKeyMaterial.bin
      # Base64-encode the encrypted key material on a single line (-A) for upload.
      openssl enc -e -base64 -A -in EncryptedKeyMaterial.bin -out EncryptedKeyMaterial_base64.txt
      KeyMaterial.bin is the plaintext of your CMK. Protect it, and securely erase it once the import succeeds and you no longer need it.
  4. Import the key material.

    You can import key material only into an external CMK that does not yet have key material. Each import token is bound to the public key that was issued with it and to the CMK that was specified when the token was generated, so the token can be used to import key material only for that CMK. The import token is valid for 24 hours and can be reused within that period. After the token expires, you must obtain a new import token and a new public key.

    1. In the User master key section, find the CMK for which you want to import key material and click its ID to go to the key management page.
    2. In the Key Material section, click Import Wrapped Key Material.
    3. In the Import Wrapped Key Material dialog box, configure the Wrapped Key Material and Import Token parameters.
      • Wrapped Key Material: Upload the text file that contains the key material and is generated in Step 3.
      • Import Token: Upload the text file that contains the import token and is obtained in Step 2.
    4. Click OK.
      After the key material is imported, the status of the CMK changes from Pending Import to Enabled.
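The following script is an added example, not code from the original page or from Dedicated KMS, that runs Step 3 of the procedure end to end and checks the result locally. Because the KMS-issued public key cannot be fetched offline, the script generates its own RSA-2048 key pair as a stand-in and writes the public key as single-line Base64 DER, which is the form this example assumes the console download takes; in real use, skip make_stand_in_public_key and place the downloaded file at PublicKey_base64.txt in the working directory. The file names, the function names and the pkcs1/oaep option names are the example's own. It uses openssl pkeyutl rather than the rsautl command shown above, because OpenSSL 3.0 deprecates rsautl, and it goes beyond the page's example by covering both wrapping algorithms and all three key specs. The verify step unwraps the uploaded Base64 file with the stand-in private key and confirms that the original key material comes back, which is the check you would want before spending an import token.

```shell
#!/bin/sh
# Added example (not from the original page): Step 3 as shell functions, plus
# a local round-trip check. The KMS-issued wrapping key is replaced by a
# locally generated RSA-2048 key pair (assumption, so the script runs offline).
set -eu

# OpenSSL pkeyutl options for the two wrapping algorithms the console offers.
pad_opts() {
  case "$1" in
    oaep)  echo "-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256" ;; # RSAES_OAEP_SHA_256
    pkcs1) echo "-pkeyopt rsa_padding_mode:pkcs1" ;;                           # RSAES_PKCS1_V1_5
    *)     echo "unknown wrapping algorithm: $1" >&2; return 1 ;;
  esac
}

# make_stand_in_public_key <workdir>: local substitute for the console download.
# Emits the DER public key as single-line Base64 (assumed download format).
make_stand_in_public_key() {
  mkdir -p "$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/wrapping_private.pem" 2>/dev/null
  openssl pkey -in "$1/wrapping_private.pem" -pubout -outform DER \
    | openssl enc -e -base64 -A > "$1/PublicKey_base64.txt"
}

# wrap_key_material <workdir> <bits: 128|192|256> <pkcs1|oaep>
# Produces <workdir>/EncryptedKeyMaterial_base64.txt for upload and prints
# the key material length in bytes.
wrap_key_material() {
  dir=$1; bits=$2; alg=$3
  case "$bits" in
    128|192|256) ;;
    *) echo "key spec must be 128, 192 or 256 bits (Aliyun_AES_*)" >&2; return 1 ;;
  esac
  opts=$(pad_opts "$alg") || return 1
  bytes=$((bits / 8))
  # Decode the Base64 public key to DER.
  openssl enc -d -base64 -A -in "$dir/PublicKey_base64.txt" -out "$dir/PublicKey.bin"
  # Generate the key material. It is the plaintext of the CMK: keep it on
  # disk only as long as the import needs it.
  openssl rand -out "$dir/KeyMaterial.bin" "$bytes"
  # Wrap with the public key; -pkeyopt selects the padding scheme.
  # shellcheck disable=SC2086
  openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$dir/PublicKey.bin" \
    -in "$dir/KeyMaterial.bin" -out "$dir/EncryptedKeyMaterial.bin" $opts
  # Single-line Base64 (-A) is the form uploaded in the console dialog.
  openssl enc -e -base64 -A -in "$dir/EncryptedKeyMaterial.bin" \
    -out "$dir/EncryptedKeyMaterial_base64.txt"
  echo "$bytes"
}

# verify_wrap <workdir> <pkcs1|oaep>: unwrap with the stand-in private key and
# confirm the upload file decodes to a 256-byte RSA-2048 ciphertext that
# recovers the original key material. Returns 0 on success.
verify_wrap() {
  dir=$1; alg=$2
  opts=$(pad_opts "$alg") || return 1
  openssl enc -d -base64 -A -in "$dir/EncryptedKeyMaterial_base64.txt" -out "$dir/check.bin"
  [ "$(wc -c < "$dir/check.bin" | tr -d ' ')" -eq 256 ] || return 1
  # shellcheck disable=SC2086
  openssl pkeyutl -decrypt -inkey "$dir/wrapping_private.pem" \
    -in "$dir/check.bin" -out "$dir/Recovered.bin" $opts
  cmp -s "$dir/KeyMaterial.bin" "$dir/Recovered.bin"
}

# Demo: wrap 256-bit key material with RSAES_PKCS1_V1_5 and check the round trip.
if [ "${WRAP_DEMO:-1}" = 1 ]; then
  work=$(mktemp -d)
  make_stand_in_public_key "$work"
  wrap_key_material "$work" 256 pkcs1 >/dev/null
  verify_wrap "$work" pkcs1 && echo "round trip OK: $work/EncryptedKeyMaterial_base64.txt"
fi
```

Run it with WRAP_DEMO=0 and call the functions yourself to wrap key material for a different key spec or for RSAES_OAEP_SHA_256; verify_wrap only works against the stand-in key pair, since the private half of the real wrapping key never leaves the HSM.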