

# Generate data keys
<a name="data-keys"></a>

*Data keys* are symmetric keys you can use to encrypt data, including large amounts of data and other data encryption keys. Unlike symmetric KMS keys, which can't be downloaded, data keys are returned to you for use outside of AWS KMS. 

When AWS KMS generates data keys, it returns a plaintext data key for immediate use (optional) and an encrypted copy of the data key that you can safely store with the data. When you are ready to decrypt the data, you first ask AWS KMS to decrypt the encrypted data key. 

AWS KMS generates, encrypts, and decrypts data keys. However, AWS KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys. You must use and manage data keys outside of AWS KMS. For help using the data keys securely, see the [AWS Encryption SDK](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/).

**Topics**
+ [Create a data key](#data-keys-create)
+ [How cryptographic operations with data keys work](#use-data-keys)
+ [How unusable KMS keys affect data keys](unusable-kms-keys.md)

## Create a data key
<a name="data-keys-create"></a>

To create a data key, call the [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) operation. AWS KMS generates the data key. Then it encrypts a copy of the data key under a [symmetric encryption KMS key](symm-asymm-choose-key-spec.md#symmetric-cmks) that you specify. The operation returns a plaintext copy of the data key and the copy of the data key encrypted under the KMS key. The following image shows this operation.

![Generate a data key](http://docs.aws.amazon.com/kms/latest/developerguide/images/generate-data-key.png)

AWS KMS also supports the [GenerateDataKeyWithoutPlaintext](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html) operation, which returns only an encrypted data key. When you need to use the data key, ask AWS KMS to [decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) it.

## How cryptographic operations with data keys work
<a name="use-data-keys"></a>

The following topics explain how data keys generated by a [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) or [GenerateDataKeyWithoutPlaintext](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html) operation work.

### Encrypt data with a data key
<a name="data-keys-encrypt"></a>

AWS KMS cannot use a data key to encrypt data. But you can use the data key outside of AWS KMS, such as by using OpenSSL or a cryptographic library like the [AWS Encryption SDK](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/).

After using the plaintext data key to encrypt data, remove it from memory as soon as possible. You can safely store the encrypted data key with the encrypted data so it is available to decrypt the data.

![Encrypt user data outside of AWS KMS](http://docs.aws.amazon.com/kms/latest/developerguide/images/encrypt-with-data-key.png)

### Decrypt data with a data key
<a name="data-keys-decrypt"></a>

To decrypt your data, pass the encrypted data key to the [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) operation. AWS KMS uses your KMS key to decrypt the data key and then returns the plaintext data key. Use the plaintext data key to decrypt your data and then remove the plaintext data key from memory as soon as possible.

The following diagram shows how to use the `Decrypt` operation to decrypt an encrypted data key.

![Decrypting a data key](http://docs.aws.amazon.com/kms/latest/developerguide/images/decrypt.png)

# How unusable KMS keys affect data keys
<a name="unusable-kms-keys"></a>

When a KMS key becomes unusable, the effect is almost immediate (subject to eventual consistency). The [key state](key-state.md) of the KMS key changes to reflect its new condition, and all requests to use the KMS key in [cryptographic operations](kms-cryptography.md#cryptographic-operations) fail.

However, the effect on data keys encrypted by the KMS key, and on data encrypted by the data key, is delayed until the KMS key is used again, such as to decrypt the data key.

KMS keys can become unusable for a variety of reasons, including the following actions that you might perform.
+ [Disabling the KMS key](enabling-keys.md)
+ [Scheduling the KMS key for deletion](deleting-keys.md)
+ [Deleting the key material](importing-keys-delete-key-material.md) from a KMS key with imported key material, or allowing the imported key material to expire. If a KMS key with `EXTERNAL` origin has multiple key materials associated, the deletion or expiration of any key material will cause the key to become unusable.
+ [Disconnecting the AWS CloudHSM key store](disconnect-keystore.md) that hosts the KMS key, or [deleting the key from the AWS CloudHSM cluster](fix-keystore.md#fix-cmk-failed) that serves as key material for the KMS key.
+ [Disconnecting the external key store](about-xks-disconnecting.md) that hosts the KMS key, or any other action that interferes with encryption and decryption requests to the external key store proxy, including deleting the external key from its external key manager.

This effect is particularly important for the many AWS services that use data keys to protect the resources that the service manages. The following example uses Amazon Elastic Block Store (Amazon EBS) and Amazon Elastic Compute Cloud (Amazon EC2). Different AWS services use data keys in different ways. For details, see the Data protection section of the Security chapter for the AWS service.

For example, consider this scenario:

1. You [create an encrypted EBS volume](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-volume.html) and specify a KMS key to protect it. Amazon EBS asks AWS KMS to use your KMS key to [generate an encrypted data key](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html) for the volume. Amazon EBS stores the encrypted data key with the volume's metadata.

1. When you attach the EBS volume to an EC2 instance, Amazon EC2 uses your KMS key to decrypt the EBS volume's encrypted data key. Amazon EC2 uses the data key in the Nitro hardware, which is responsible for encrypting all disk I/O to the EBS volume. The data key persists in the Nitro hardware while the EBS volume is attached to the EC2 instance.

1. You perform an action that makes the KMS key unusable. This has no immediate effect on the EC2 instance or the EBS volume. Amazon EC2 uses the data key—not the KMS key—to encrypt all disk I/O while the volume is attached to the instance.

1. However, when the encrypted EBS volume is detached from the EC2 instance, Amazon EBS removes the data key from the Nitro hardware. The next time the encrypted EBS volume is attached to an EC2 instance, the attachment fails, because Amazon EBS cannot use the KMS key to decrypt the volume's encrypted data key. To use the EBS volume again, you must make the KMS key usable again.