Identify different key types
The following topics explain how to identify different key types in the AWS KMS console and DescribeKey responses.
For help navigating to the Cryptographic configuration tab on the details page for a KMS key, see Access and list KMS key details.
Identify asymmetric KMS keys
- In the AWS KMS console
-
The Key type column of the Customer managed keys table shows whether each KMS key is symmetric or asymmetric. You can filter the table by the Key type value to display only asymmetric KMS keys. For more information, see Sort and filter your KMS keys.
The Cryptographic configuration tab on the details page for a KMS key displays the Key Type, which indicates whether the key is symmetric or asymmetric. It also displays the Key Usage, which indicates whether your asymmetric KMS key is used for encryption and decryption, signing and verification, or deriving shared secrets.
- In DescribeKey responses
-
When you call the DescribeKey operation on an asymmetric KMS key, the response includes the KeySpec and KeyUsage values, which can be used to determine if a KMS key is symmetric or asymmetric. If the KeySpec value is SYMMETRIC_DEFAULT, the key is a symmetric encryption KMS key. For details on asymmetric key specs, see Key spec reference. If the KeyUsage value is SIGN_VERIFY or KEY_AGREEMENT, the key is an asymmetric KMS key.
The DescribeKey operation also returns the following details for asymmetric KMS keys.
- For asymmetric KMS keys with a KeyUsage value of ENCRYPT_DECRYPT, the operation returns the EncryptionAlgorithms, which lists the valid encryption algorithms for the key.
- For asymmetric KMS keys with a KeyUsage value of SIGN_VERIFY, the operation returns the SigningAlgorithms, which lists the valid signing algorithms for the key.
- For asymmetric KMS keys with a KeyUsage value of KEY_AGREEMENT, the operation returns the KeyAgreementAlgorithms, which lists the valid key agreement algorithms for the key.
For more information on asymmetric KMS keys, see Asymmetric keys in AWS KMS.
Identify HMAC KMS keys
- In the AWS KMS console
-
HMAC KMS keys are included in the Customer managed keys table, but you cannot sort or filter this table by the key spec or key usage values that identify HMAC keys. To make it easier to find your HMAC keys, assign them a distinctive alias or tag. Then you can sort or filter by the alias or tag.
The Cryptographic configuration tab on the details page for a KMS key displays the Key Type, which indicates whether the key is symmetric or asymmetric. HMAC KMS keys are symmetric. The Cryptographic configuration tab also displays the Key Usage. For HMAC KMS keys the key usage value is always Generate and verify MAC.
- In DescribeKey responses
-
When you call the DescribeKey operation on an HMAC KMS key, the response includes the KeySpec and KeyUsage values. For HMAC KMS keys the key usage value is always GENERATE_VERIFY_MAC and the key spec value always starts with HMAC_.
For more information on HMAC KMS keys, see HMAC keys in AWS KMS.
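The two DescribeKey checks above (KeySpec and KeyUsage for asymmetric keys, and the HMAC_ prefix plus GENERATE_VERIFY_MAC for HMAC keys) combine into one classifier. The example below is added here and is not AWS code; it works on the KeyMetadata dictionary that boto3's describe_key returns, but the KeyMetadata records in it are constructed by hand (the key IDs are placeholders). One point the page makes implicitly and the code makes explicit: KeyUsage alone cannot tell a symmetric encryption key from an asymmetric encryption key, because both carry ENCRYPT_DECRYPT, so the decision starts from KeySpec. The MacAlgorithms field and the deprecated CustomerMasterKeySpec fallback come from the KMS API reference rather than this page.

```python
"""Classify KMS keys from the KeyMetadata element of DescribeKey responses.

Added example (not AWS code). The KeyMetadata dicts in SAMPLE_KEYS are
constructed by hand with placeholder key IDs; the field names and enum
values match the DescribeKey API.
"""

SYMMETRIC_ENCRYPTION_SPEC = "SYMMETRIC_DEFAULT"
HMAC_SPEC_PREFIX = "HMAC_"
ASYMMETRIC_USAGES = {"ENCRYPT_DECRYPT", "SIGN_VERIFY", "KEY_AGREEMENT"}

# Which algorithm list DescribeKey populates for each asymmetric KeyUsage.
ALGORITHM_FIELD_FOR_USAGE = {
    "ENCRYPT_DECRYPT": "EncryptionAlgorithms",
    "SIGN_VERIFY": "SigningAlgorithms",
    "KEY_AGREEMENT": "KeyAgreementAlgorithms",
}


def classify_key_type(key_metadata):
    """Return (kind, key_usage, algorithms) for one KeyMetadata dict.

    kind is "symmetric-encryption", "hmac" or "asymmetric". KeySpec is
    checked first because ENCRYPT_DECRYPT is shared by symmetric and
    asymmetric encryption keys, so KeyUsage alone is ambiguous.
    """
    # Responses from older SDKs carry the deprecated CustomerMasterKeySpec
    # instead of KeySpec (assumed fallback, from the API reference).
    key_spec = key_metadata.get("KeySpec") or key_metadata.get("CustomerMasterKeySpec")
    key_usage = key_metadata.get("KeyUsage")
    if key_spec is None or key_usage is None:
        raise ValueError("KeyMetadata lacks KeySpec or KeyUsage; cannot classify")

    if key_spec == SYMMETRIC_ENCRYPTION_SPEC:
        return "symmetric-encryption", key_usage, list(key_metadata.get("EncryptionAlgorithms", []))
    if key_spec.startswith(HMAC_SPEC_PREFIX):
        # HMAC keys are symmetric and always carry GENERATE_VERIFY_MAC.
        if key_usage != "GENERATE_VERIFY_MAC":
            raise ValueError(f"HMAC spec {key_spec} with unexpected KeyUsage {key_usage}")
        return "hmac", key_usage, list(key_metadata.get("MacAlgorithms", []))
    if key_usage not in ASYMMETRIC_USAGES:
        raise ValueError(f"unexpected KeyUsage {key_usage} for key spec {key_spec}")
    # Every other KeySpec (RSA_*, ECC_*, SM2) is an asymmetric key; pick the
    # algorithm list that matches its usage.
    return "asymmetric", key_usage, list(key_metadata.get(ALGORITHM_FIELD_FOR_USAGE[key_usage], []))


def asymmetric_key_ids(key_metadata_list):
    """Key IDs of all asymmetric keys in a list of KeyMetadata dicts."""
    return [m["KeyId"] for m in key_metadata_list if classify_key_type(m)[0] == "asymmetric"]


# Constructed sample responses (placeholder key IDs, real enum values).
SAMPLE_KEYS = {
    "sym": {"KeyId": "00000000-0000-0000-0000-000000000001", "KeySpec": "SYMMETRIC_DEFAULT",
            "KeyUsage": "ENCRYPT_DECRYPT", "EncryptionAlgorithms": ["SYMMETRIC_DEFAULT"]},
    "rsa-enc": {"KeyId": "00000000-0000-0000-0000-000000000002", "KeySpec": "RSA_4096",
                "KeyUsage": "ENCRYPT_DECRYPT",
                "EncryptionAlgorithms": ["RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"]},
    "rsa-sign": {"KeyId": "00000000-0000-0000-0000-000000000003", "KeySpec": "RSA_2048",
                 "KeyUsage": "SIGN_VERIFY",
                 "SigningAlgorithms": ["RSASSA_PSS_SHA_256", "RSASSA_PKCS1_V1_5_SHA_256"]},
    "ecc-agree": {"KeyId": "00000000-0000-0000-0000-000000000004", "KeySpec": "ECC_NIST_P256",
                  "KeyUsage": "KEY_AGREEMENT", "KeyAgreementAlgorithms": ["ECDH"]},
    "hmac": {"KeyId": "00000000-0000-0000-0000-000000000005", "KeySpec": "HMAC_256",
             "KeyUsage": "GENERATE_VERIFY_MAC", "MacAlgorithms": ["HMAC_SHA_256"]},
}

if __name__ == "__main__":
    for name, meta in SAMPLE_KEYS.items():
        print(name, classify_key_type(meta))
    print("asymmetric:", asymmetric_key_ids(SAMPLE_KEYS.values()))
```

To run this against a real account, replace SAMPLE_KEYS with the KeyMetadata from `kms.describe_key(KeyId=...)["KeyMetadata"]` for each key returned by ListKeys; the classifier itself does not change.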
Identify multi-Region KMS keys
- In the AWS KMS console
-
The Customer managed keys table only displays KMS keys in the selected Region. You can view multi-Region primary and replica keys in the selected Region. To change the AWS Region, use the Region selector in the upper-right corner of the console.
To make it easier to identify multi-Region keys in the Customer managed keys table, add the Regionality column to your table. For help, see Customize your KMS key tables.
The detail page for multi-Region KMS keys includes a Regionality tab. The Regionality tab for a primary key includes Change primary Region and Create new replica keys buttons. (The Regionality tab for a replica key has neither button.) The Related multi-Region keys section lists all multi-Region keys related to the current one. If the current key is a replica key, this list includes the primary key.
If you choose a related multi-Region key from the Related multi-Region keys table, the AWS KMS console changes to the Region of the selected key and opens the detail page for the key. For example, if you choose the replica key in the sa-east-1 Region from the example Related multi-Region keys section below, the AWS KMS console changes to the sa-east-1 Region to display the detail page for that replica key. You might do this to view the alias or key policy for the replica key. To change the Region again, use the Region selector at the top right corner of the page.
- In DescribeKey responses
-
By default, AWS KMS API operations are Regional and only return the resources in the current or specified Region. But when you call the DescribeKey operation on a multi-Region KMS key, the response includes all related multi-Region keys in other AWS Regions in the MultiRegionConfiguration element.
For more information on multi-Region KMS keys, see Multi-Region keys in AWS KMS.
Identify KMS keys with imported key material
- In the AWS KMS console
-
To make it easier to identify KMS keys with imported key material in the Customer managed keys table, add the Origin column to your table. The Origin column makes it easy to identify KMS keys with an External (Import Key material) origin property value. For help, see Customize your KMS key tables.
The Cryptographic configuration tab on the details page for a KMS key displays the Origin, which identifies the source of the key material for the KMS key. For KMS keys with imported key material, the origin value is always External (Import Key material). The details page also includes a Key material tab that provides detailed information about the imported key material. The Key material tab only appears on the detail page for KMS keys with imported key material.
- In DescribeKey responses
-
When you call the DescribeKey operation on a KMS key with imported key material, the response includes the Origin, ExpirationModel, and ValidTo values. For KMS keys with imported key material the origin value is always EXTERNAL. The ExpirationModel value indicates whether or not the key material is set to expire, and the ValidTo value indicates when the key material will expire. For more information, see Setting an expiration time (optional).
For more information on KMS keys with imported key material, see Importing key material for AWS KMS keys.
Identify KMS keys in AWS CloudHSM key stores
- In the AWS KMS console
-
To make it easier to identify KMS keys in AWS CloudHSM key stores in the Customer managed keys table, add the Origin column to your table. The Origin column makes it easy to identify KMS keys with an AWS CloudHSM origin property value. For help, see Customize your KMS key tables.
The Cryptographic configuration tab on the details page for a KMS key displays the Origin, which identifies the source of the key material for the KMS key. For KMS keys in AWS CloudHSM key stores, the origin value is always AWS CloudHSM.
For a KMS key in an AWS CloudHSM key store, the Cryptographic configuration tab includes an additional section, Custom key store, that provides information about the AWS CloudHSM key store and AWS CloudHSM cluster associated with the KMS key.
- In DescribeKey responses
-
When you call the DescribeKey operation on a KMS key in an AWS CloudHSM key store, the response includes the Origin, which identifies the source of the key material. For KMS keys in an AWS CloudHSM key store the origin value is always AWS_CLOUDHSM. The operation also returns the following special fields for KMS keys in AWS CloudHSM key stores:
- CloudHsmClusterId
- CustomKeyStoreId
For more information on AWS CloudHSM key stores, see AWS CloudHSM key stores.
Identify KMS keys in external key stores
- In the AWS KMS console
-
To make it easier to identify KMS keys in external key stores in the Customer managed keys table, add the Origin column to your table. The Origin column makes it easy to identify KMS keys with an External key store origin property value. For help, see Customize your KMS key tables.
The Cryptographic configuration tab on the details page for a KMS key displays the Origin, which identifies the source of the key material for the KMS key. For KMS keys in external key stores, the origin value is always External key store.
For a KMS key in an external key store, the Cryptographic configuration tab includes two additional sections, Custom key store and External key. The Custom key store table provides information about the external key store associated with the KMS key. The External key table appears in the AWS KMS console only for KMS keys in external key stores. It provides information about the external key associated with the KMS key. The external key is a cryptographic key outside of AWS that serves as the key material for the KMS key in the external key store. When you encrypt or decrypt with the KMS key, the operation is performed by your external key manager using the specified external key.
The following values appear in the External key section.
- External key ID
-
The identifier for the external key in its external key manager. This is the value that the external key store proxy uses to identify the external key. You specify the ID of the external key when you create the KMS key and you cannot change it. If the external key ID value that you used to create the KMS key changes or becomes invalid, you must schedule the KMS key for deletion and create a new KMS key with the correct external key ID value.
- In DescribeKey responses
-
When you call the DescribeKey operation on a KMS key in an external key store, the response includes the Origin, which identifies the source of the key material. For KMS keys in an external key store the origin value is always EXTERNAL_KEY_STORE. The operation also returns the CustomKeyStoreId element, which identifies the external key store associated with the KMS key.
For more information on external key stores, see External key stores.
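The four DescribeKey sections above (multi-Region keys, imported key material, AWS CloudHSM key stores and external key stores) all turn on the Origin, MultiRegionConfiguration, ExpirationModel, ValidTo, CloudHsmClusterId and CustomKeyStoreId fields. The example below is added here and is not AWS code; it builds one provenance summary per KeyMetadata dict, flags imported key material that has expired or is about to, and checks that a CloudHSM-backed key actually carries its cluster and key store identifiers. The sample KeyMetadata records are constructed with placeholder IDs, ARNs and dates. The values AWS_KMS (the origin of KMS-generated material), KEY_MATERIAL_EXPIRES, and the MultiRegionKeyType, PrimaryKey and ReplicaKeys fields inside MultiRegionConfiguration come from the KMS API reference rather than this page.

```python
"""Summarize key material provenance from DescribeKey KeyMetadata.

Added example (not AWS code). SAMPLE_KEYS is constructed by hand with
placeholder key IDs, ARNs and dates; field names match the DescribeKey API.
"""
from datetime import datetime, timezone

ORIGIN_LABELS = {
    "AWS_KMS": "kms-generated",            # default origin (from the API reference)
    "EXTERNAL": "imported",                # imported key material
    "AWS_CLOUDHSM": "cloudhsm-key-store",  # AWS CloudHSM key store
    "EXTERNAL_KEY_STORE": "external-key-store",
}


def summarize_key_material(meta, now):
    """Return a dict describing where a key's material lives and its status.

    `now` is passed in (timezone-aware) so expiry checks are deterministic.
    """
    origin = meta.get("Origin")
    if origin not in ORIGIN_LABELS:
        raise ValueError(f"unknown Origin {origin!r} for key {meta.get('KeyId')}")

    summary = {
        "key_id": meta["KeyId"],
        "origin": ORIGIN_LABELS[origin],
        "custom_key_store_id": meta.get("CustomKeyStoreId"),
        "cloudhsm_cluster_id": meta.get("CloudHsmClusterId"),
        "multi_region": None,
        "material_expires": None,
        "material_expired": None,
        "days_until_expiry": None,
    }

    if origin == "EXTERNAL":
        # Imported material may carry an expiry; ValidTo is a datetime in boto3.
        expires = meta.get("ExpirationModel") == "KEY_MATERIAL_EXPIRES"
        summary["material_expires"] = expires
        if expires:
            valid_to = meta["ValidTo"]
            summary["material_expired"] = valid_to <= now
            summary["days_until_expiry"] = (valid_to - now).days

    if origin == "AWS_CLOUDHSM" and not (summary["custom_key_store_id"] and summary["cloudhsm_cluster_id"]):
        raise ValueError(f"CloudHSM-backed key {meta['KeyId']} lacks CloudHsmClusterId/CustomKeyStoreId")
    if origin == "EXTERNAL_KEY_STORE" and not summary["custom_key_store_id"]:
        raise ValueError(f"external key store key {meta['KeyId']} lacks CustomKeyStoreId")

    # DescribeKey crosses Region boundaries only for multi-Region keys: the
    # MultiRegionConfiguration element lists the primary and every replica.
    mrc = meta.get("MultiRegionConfiguration")
    if meta.get("MultiRegion") and mrc:
        regions = [mrc["PrimaryKey"]["Region"]] + [r["Region"] for r in mrc.get("ReplicaKeys", [])]
        summary["multi_region"] = {"role": mrc["MultiRegionKeyType"], "regions": regions}
    return summary


def keys_expiring_within(metas, days, now):
    """Key IDs whose imported material is still valid but expires within `days`."""
    hits = []
    for meta in metas:
        s = summarize_key_material(meta, now)
        if s["material_expires"] and not s["material_expired"] and s["days_until_expiry"] <= days:
            hits.append(s["key_id"])
    return hits


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time

# Constructed sample responses (placeholder IDs, ARNs and dates).
SAMPLE_KEYS = {
    "mrk": {"KeyId": "mrk-00000000000000000000000000000001", "Origin": "AWS_KMS", "MultiRegion": True,
            "MultiRegionConfiguration": {
                "MultiRegionKeyType": "PRIMARY",
                "PrimaryKey": {"Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-00000000000000000000000000000001",
                               "Region": "us-east-1"},
                "ReplicaKeys": [{"Arn": "arn:aws:kms:sa-east-1:111122223333:key/mrk-00000000000000000000000000000001",
                                 "Region": "sa-east-1"}]}},
    "imp-ok": {"KeyId": "00000000-0000-0000-0000-00000000000a", "Origin": "EXTERNAL",
               "ExpirationModel": "KEY_MATERIAL_EXPIRES", "ValidTo": datetime(2024, 6, 15, tzinfo=timezone.utc)},
    "imp-expired": {"KeyId": "00000000-0000-0000-0000-00000000000b", "Origin": "EXTERNAL",
                    "ExpirationModel": "KEY_MATERIAL_EXPIRES", "ValidTo": datetime(2024, 5, 1, tzinfo=timezone.utc)},
    "imp-noexp": {"KeyId": "00000000-0000-0000-0000-00000000000c", "Origin": "EXTERNAL",
                  "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"},
    "hsm": {"KeyId": "00000000-0000-0000-0000-00000000000d", "Origin": "AWS_CLOUDHSM",
            "CloudHsmClusterId": "cluster-placeholder", "CustomKeyStoreId": "cks-placeholder-hsm"},
    "xks": {"KeyId": "00000000-0000-0000-0000-00000000000e", "Origin": "EXTERNAL_KEY_STORE",
            "CustomKeyStoreId": "cks-placeholder-xks"},
}

if __name__ == "__main__":
    for name, meta in SAMPLE_KEYS.items():
        print(name, summarize_key_material(meta, NOW))
    print("expiring within 30 days:", keys_expiring_within(SAMPLE_KEYS.values(), 30, NOW))
```

The expiry check treats already-expired material separately from material that is about to expire, because the two need different responses: a key whose imported material has lapsed cannot be used until the material is re-imported, while one approaching ValidTo still has time for a planned re-import.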