Asymmetric keys in AWS KMS

An asymmetric KMS key represents a mathematically related public key and private key pair. You can give the public key to anyone, even if they're not trusted, but the private key must be kept secret.

In an asymmetric KMS key, the private key is created in AWS KMS and never leaves AWS KMS unencrypted. To use the private key, you must call AWS KMS. You can use the public key within AWS KMS by calling the AWS KMS API operations. Or, you can download the public key and use it outside of AWS KMS.

If your use case requires encryption outside of AWS by users who cannot call AWS KMS, asymmetric KMS keys are a good choice. However, if you are creating a KMS key to encrypt the data that you store or manage in an AWS service, use a symmetric encryption KMS key. AWS services that are integrated with AWS KMS use only symmetric encryption KMS keys to encrypt your data. These services do not support encryption with asymmetric KMS keys.

AWS KMS supports three types of asymmetric KMS keys.

RSA KMS keys

A KMS key with an RSA key pair for encryption and decryption or signing and verification (but not both). AWS KMS supports several key lengths for different security requirements.

For technical details about the encryption and signing algorithms that AWS KMS supports for RSA KMS keys, see RSA key specs.

Elliptic Curve (ECC) KMS keys

A KMS key with an elliptic curve key pair for signing and verification or deriving shared secrets (but not both). AWS KMS supports several commonly-used curves.

For technical details about the signing algorithms that AWS KMS supports for ECC KMS keys, see Elliptic curve key specs.

SM2 KMS keys (China Regions only)

A KMS key with an SM2 key pair for encryption and decryption, signing and verification, or deriving shared secrets (you must choose one key usage type).

For technical details about the encryption and signing algorithms that AWS KMS supports for SM2 KMS keys (China Regions only), see SM2 key spec.

For help choosing your asymmetric key configuration, see Choosing what type of KMS key to create.

Regions

Asymmetric KMS keys and asymmetric data key pairs are supported in all AWS Regions that AWS KMS supports.

Learn more

To create asymmetric KMS keys, see Create an asymmetric KMS key.
To create multi-Region asymmetric KMS keys, see Create multi-Region primary keys.
To learn how to sign messages and verify signatures with asymmetric KMS keys, see Digital signing with the new asymmetric keys feature of AWS KMS in the AWS Security Blog.
To learn about special considerations for deleting asymmetric KMS keys, see Deleting asymmetric KMS keys.
To identify and view asymmetric KMS keys, see Identify asymmetric KMS keys.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS KMS keys

HMAC keys