
Replication process for multi-Region keys

AWS Key Management Service

AWS KMS uses a cross-Region replication mechanism to copy the key material in a KMS key from an HSM in one AWS Region to an HSM in a different AWS Region. For this mechanism to work, the KMS key that is being replicated must be a multi-Region key. When replicating a KMS key from one Region to another, the HSMs in the Regions cannot communicate directly, because they're in isolated networks. Instead, the messages exchanged during the cross-Region replication are delivered by a proxy service.

During cross-Region replication, every message generated by an AWS KMS HSM is cryptographically signed using a replication signing key. Replication signing keys (RSKs) are ECDSA keys on the NIST P-384 curve. Every Region owns at least one RSK, and the public component of each RSK is shared with every other Region in the same AWS partition.

The cross-Region replication process to copy key material from Region A to Region B works as follows:

  1. The HSM in Region B generates an ephemeral ECDH key on the NIST P-384 curve, Replication Agreement Key B (RAKB). The public component of RAKB is sent to an HSM in Region A by the proxy service.

  2. The HSM in Region A receives the public component of RAKB and then generates another ephemeral ECDH key on the NIST P-384 curve, Replication Agreement Key A (RAKA). The HSM runs the ECDH key establishment scheme on RAKA and the public component of RAKB, and derives a symmetric key from the output, the Replication Wrapping Key (RWK). The RWK is used to encrypt the key material of the multi-Region KMS key that is being replicated.

  3. The public component of RAKA and the key material encrypted with the RWK are sent to the HSM in Region B through the proxy service.

  4. The HSM in Region B receives the public component of RAKA and the key material encrypted using the RWK. The HSM derives the RWK by running the ECDH key establishment scheme on RAKB and the public component of RAKA.

  5. The HSM in Region B uses the RWK to decrypt the key material from Region A.
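The five steps above as a runnable Go model of the two HSMs and the proxy between them, added here as an example and not AWS KMS code. The page does not state how the ECDH output becomes the RWK or which cipher wraps the key material, so the hash-based KDF and AES-256-GCM below are assumptions, and `Replicate`, `recvPub`, `rwk`, `NewRSK` and the `proxy` hook are this example's own names; each message's RSK signature is checked before anything in it is used, so a message altered in transit is rejected.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"errors"
)
const pubLen = 97 // length of an uncompressed NIST P-384 public component
func NewRSK() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader); return k } // a Region's long-lived ECDSA P-384 RSK
func digest(m []byte) []byte    { h := sha512.Sum384(m); return h[:] }
func sign(rsk *ecdsa.PrivateKey, m []byte) []byte { s, _ := ecdsa.SignASN1(rand.Reader, rsk, digest(m)); return s }
// recvPub: the receiving HSM verifies the sender's RSK signature first (every Region holds the others' RSK public components) and only then parses the RAK public component leading the message.
func recvPub(from *ecdsa.PublicKey, m, sig []byte) (*ecdh.PublicKey, error) {
	if !ecdsa.VerifyASN1(from, digest(m), sig) {
		return nil, errors.New("RSK signature check failed: message rejected")
	}
	return ecdh.P384().NewPublicKey(m[:pubLen])
}
// rwk runs ECDH on one side's ephemeral RAK and the peer's RAK public component and derives the RWK as an AES-256-GCM key (the hash-based KDF is an assumption, not the page's).
func rwk(own *ecdh.PrivateKey, peer *ecdh.PublicKey) cipher.AEAD {
	secret, _ := own.ECDH(peer) // both keys are on P-384, so this cannot fail
	k := sha512.Sum384(append([]byte("RWK"), secret...))
	block, _ := aes.NewCipher(k[:32])
	aead, _ := cipher.NewGCM(block)
	return aead
}
// Replicate copies keyMaterial from Region A (RSK rskA) to Region B (RSK rskB); proxy stands in for the proxy service relaying messages between the isolated HSMs and gets its own copy of each message.
func Replicate(rskA, rskB *ecdsa.PrivateKey, keyMaterial []byte, proxy func([]byte) []byte) ([]byte, error) {
	rakb, _ := ecdh.P384().GenerateKey(rand.Reader) // step 1: B generates RAKB and sends its signed public component
	pubB, err := recvPub(&rskB.PublicKey, proxy(rakb.PublicKey().Bytes()), sign(rskB, rakb.PublicKey().Bytes()))
	if err != nil {
		return nil, err // A rejects the step-1 message
	}
	raka, _ := ecdh.P384().GenerateKey(rand.Reader) // step 2: A generates RAKA, derives the RWK and wraps the key material
	aeadA := rwk(raka, pubB)
	rakaPub, nonce := raka.PublicKey().Bytes(), make([]byte, aeadA.NonceSize())
	rand.Read(nonce)
	msg3 := append(append(append([]byte{}, rakaPub...), nonce...), aeadA.Seal(nil, nonce, keyMaterial, rakaPub)...)
	got := proxy(append([]byte(nil), msg3...)) // step 3: RAKA's public component and the wrapped material cross the proxy
	pubA, err := recvPub(&rskA.PublicKey, got, sign(rskA, msg3)) // step 4: B checks RSK_A, then derives the same RWK from RAKB and RAKA's public component
	if err != nil {
		return nil, err // B rejects the step-3 message
	}
	aeadB := rwk(rakb, pubA) // step 5: unwrap; the AAD binds the ciphertext to RAKA's public component
	return aeadB.Open(nil, got[pubLen:pubLen+aeadB.NonceSize()], got[pubLen+aeadB.NonceSize():], got[:pubLen])
}
```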

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.