AWS CMK(custom managed key)

June Chung
1 min readOct 1, 2020


How to create CMK

AWS has 3 options — AWS Key Management Service (AWS KMS)

  • AWK default generated key
  • AWS CMK (custom managed key)
  • Custom Stored Keys (HSM)

How to generate AWS CMK
You will need to create the outline for the key first
→ and then wrap it with the actual key material (actual key generated by openssl)

<How to create CMK outline — without key material>

<How to input key material → CMK>
Choose encryption method : this example is — RSAES_OAEP_SHA_1

>>Create your key in local : openssl rand -out PlaintextKeyMaterial.bin 32

>>Wrap your key with generated public key(from AWS)

openssl rsautl -encrypt \
-in PlaintextKeyMaterial.bin \
-oaep \
-inkey PublicKey.bin \
-keyform DER \
-pubin \
-out EncryptedKeyMaterial.bin

>> and submit the wrapped key & token