AWS CMK(custom managed key)

1 min readOct 1, 2020

How to create CMK

AWS has 3 options — AWS Key Management Service (AWS KMS)

AWK default generated key
AWS CMK (custom managed key)
Custom Stored Keys (HSM)

How to generate AWS CMK
You will need to create the outline for the key first
→ and then wrap it with the actual key material (actual key generated by openssl)

Importing key material step 1: Create an AWS KMS customer master key (CMK) with no key material

By default, AWS KMS creates key material for you when you create a customer master key (CMK). To instead import your…

docs.aws.amazon.com

<How to input key material → CMK>
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
Choose encryption method : this example is — RSAES_OAEP_SHA_1

>>Create your key in local : openssl rand -out PlaintextKeyMaterial.bin 32

>>Wrap your key with generated public key(from AWS)

openssl rsautl -encrypt \
-in PlaintextKeyMaterial.bin \
-oaep \
-inkey PublicKey.bin \
-keyform DER \
-pubin \
-out EncryptedKeyMaterial.bin

>> and submit the wrapped key & token

AWS CMK(custom managed key)

Importing key material step 1: Create an AWS KMS customer master key (CMK) with no key material

By default, AWS KMS creates key material for you when you create a customer master key (CMK). To instead import your…

Written by June Chung