Integrate with Amazon Web Services

Access the Key Management System in the AWS Management Console

Connect to the Key Management Service (KMS) using the AWS Management Console and select your AWS region.

The steps below can be carried out either in the AWS Management Console or through the AWS KMS API. This guide gives console instructions; see the AWS KMS documentation for the equivalent API calls.

Create a customer master key in the AWS Management Console

  1. In the navigation pane in KMS, select Customer Managed Keys.

  2. Select Create key.

  3. For Key Type, specify Symmetric or Asymmetric.

  4. For Key Usage:

    1. If using Symmetric, select Encrypt and Decrypt. The key type will be 256-bit AES.

    2. If using Asymmetric, select the appropriate option for your use.

  5. For Key spec (Asymmetric only), select the appropriate option for your use.

    Supported options in cloud_integration_tool are RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1.

  6. Expand Advanced Options.

  7. For Key Material Origin, specify External.

  8. Confirm that you understand the implications of using an imported key.

  9. Select Next.

  10. Create an Alias, Description, and Tags:

    1. Specify an alias for the key and, optionally, a description and tags.

    2. Select Next.

  11. Define Key Administrative Permissions:

    1. Specify the Identity and Access Management (IAM) users who can administer the key and decide whether key administrators are able to delete the key.

    2. Select Next.

  12. Under This Account, define Key Usage Permissions:

    1. Specify the IAM users who can use the key.

    2. Select Next.

  13. Review Key Policy:

    1. A preview of your key policy is displayed.

    2. Select Finish.

If the operation succeeds, you have created a CMK with no key material. The following message is displayed:

Your customer master key (CMK) was created with alias _<key name>_ and key ID _<key id>_.
To use this CMK, you must import key material.

Download a wrapping key and import token in the AWS Management Console

After completing the instructions in Create a customer master key in the AWS Management Console, you are on the Download wrapping key and import token screen.

Otherwise complete these steps:

  1. Connect to the AWS Management Console and select your AWS Region.

  2. In the navigation pane in KMS, select Customer Managed Keys.

  3. Select the alias or key ID of the CMK that is pending import.

  4. Expand Cryptographic configuration and view its values.

  5. Expand Key Material and select Download wrapping key and import token.

You can continue to download the wrapping key:

  1. Select the wrapping algorithm to use.

    Entrust recommends selecting the strongest hashing algorithm supported.

    Supported options in cloud_integration_tool are RSAES_OAEP_SHA_256 or RSAES_OAEP_SHA_1 for Symmetric keys and RSA_AES_KEY_WRAP_SHA_256 or RSA_AES_KEY_WRAP_SHA_1 for Asymmetric keys.

  2. Select the wrapping key type to use.

    Supported options in cloud_integration_tool are RSA_4096, RSA_3072 and RSA_2048.

  3. Select Download wrapping key and import token and save the ImportParameters.zip file.

  4. Decompress ImportParameters.zip. You should find the following files:

    • A README text file.

    • The wrapping key file.

    • The import token file.

Use cloud_integration_tool to generate, wrap, and export a key

Using the downloaded wrapping key file, call cloud_integration_tool as follows:

cloud_integration_tool aws <key name> <wrapping key> --wrap-alg <wrapping algorithm> --key-type <key type>

The option --key-type <key type> can be omitted when generating and wrapping a 256-bit AES key. The option --wrap-alg <wrapping algorithm> can be omitted when using the RSAES_OAEP_SHA_256 wrapping algorithm.

The table below shows how the Key spec options selected in AWS map onto the possible key types accepted by cloud_integration_tool.

AWS Key spec        cloud_integration_tool Key type
RSA_2048            RSA-2048
RSA_3072            RSA-3072
RSA_4096            RSA-4096
ECC_NIST_P256       EC-NISTP256
ECC_NIST_P384       EC-NISTP384
ECC_NIST_P521       EC-NISTP521
ECC_SECG_P256K1     EC-SECP256K1

Running this command creates a file called <key name>-wrapped.

Upload the wrapped key material

If you have just completed the instructions in Download a wrapping key and import token in the AWS Management Console, you are on the Upload your wrapped key material screen.

Otherwise complete these steps:

  1. Connect to the AWS Management Console and select your AWS Region.

  2. In the navigation pane in KMS, select Customer Managed Keys.

  3. Select the key ID or alias of the CMK for which you downloaded the public key and import token.

  4. Expand Cryptographic configuration and view its values.

  5. Expand Key Material and then select Upload key material.

Now you can continue to upload the wrapped key.

  1. Under Encrypted key material and import token > Wrapped key material, select Choose file.

    Upload the file that contains your wrapped (encrypted) key material. This is the file that was produced in Use cloud_integration_tool to generate, wrap, and export a key.

  2. Under Encrypted key material and import token > Import token, select Choose file.

    Select and upload the file that contains the import token that you downloaded.

  3. In the Expiration option section, you can determine whether the key material expires.

    To set an expiration date and time, choose Key material expires and use the calendar to select a date and time.

  4. Select Upload key material.

The following message is displayed:

Your key material was imported into the customer master key (CMK) with key ID <key id>.
You can now use this CMK.

The AWS key is now ready for use.
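The same import flow, driven through the AWS KMS API with the AWS CLI instead of the console, as an added example that is not part of this guide or of cloud_integration_tool itself. It assumes the AWS CLI is installed and authenticated, jq is available, cloud_integration_tool is on PATH and accepts the binary wrapping key the API returns (the same material the console packages in ImportParameters.zip), and that the function and file names used here (byok_import, <name>-wrappingkey.bin, <name>-importtoken.bin) are the example's own choices. The helper functions encode the key-type mapping table and the wrapping-algorithm rules from the sections above, so a wrong combination is rejected before any key material is generated.

```shell
#!/bin/sh
# Added example: AWS KMS BYOK via the API. Not from the Entrust guide; assumes
# aws CLI, jq and cloud_integration_tool are installed and on PATH.
set -eu

# Map an AWS Key spec to the --key-type value cloud_integration_tool accepts.
# SYMMETRIC_DEFAULT (256-bit AES) needs no --key-type, so it maps to "".
cit_key_type() {
  case "$1" in
    SYMMETRIC_DEFAULT) echo "" ;;
    RSA_2048) echo "RSA-2048" ;;
    RSA_3072) echo "RSA-3072" ;;
    RSA_4096) echo "RSA-4096" ;;
    ECC_NIST_P256) echo "EC-NISTP256" ;;
    ECC_NIST_P384) echo "EC-NISTP384" ;;
    ECC_NIST_P521) echo "EC-NISTP521" ;;
    ECC_SECG_P256K1) echo "EC-SECP256K1" ;;
    *) echo "unsupported key spec: $1" >&2; return 1 ;;
  esac
}

# Strongest wrapping algorithm the guide lists for each kind of key:
# RSAES-OAEP/SHA-256 for the AES key, RSA-AES key wrap/SHA-256 for
# asymmetric private keys, which are too large for OAEP alone.
wrap_alg_for() {
  case "$1" in
    SYMMETRIC_DEFAULT) echo "RSAES_OAEP_SHA_256" ;;
    *) echo "RSA_AES_KEY_WRAP_SHA_256" ;;
  esac
}

# Return 0 if wrapping algorithm $2 is supported for key spec $1, else 1.
wrap_alg_ok() {
  case "$1:$2" in
    SYMMETRIC_DEFAULT:RSAES_OAEP_SHA_256|SYMMETRIC_DEFAULT:RSAES_OAEP_SHA_1) return 0 ;;
    SYMMETRIC_DEFAULT:*) return 1 ;;
    *:RSA_AES_KEY_WRAP_SHA_256|*:RSA_AES_KEY_WRAP_SHA_1) return 0 ;;
    *) return 1 ;;
  esac
}

# Whole flow. $1 = key name/alias, $2 = AWS key spec, $3 = key usage
# (ENCRYPT_DECRYPT or SIGN_VERIFY). Example: byok_import my-key ECC_NIST_P256 SIGN_VERIFY
byok_import() {
  name="$1"; spec="$2"; usage="$3"
  alg=$(wrap_alg_for "$spec")
  wrap_alg_ok "$spec" "$alg" || { echo "bad wrap alg $alg for $spec" >&2; return 1; }

  # Step 1: create the key with no key material (Key Material Origin = External).
  key_id=$(aws kms create-key --origin EXTERNAL --key-spec "$spec" --key-usage "$usage" \
             --description "BYOK $name" --query KeyMetadata.KeyId --output text)
  aws kms create-alias --alias-name "alias/$name" --target-key-id "$key_id"

  # Step 2: fetch the wrapping public key and import token (valid for a limited
  # time; ParametersValidTo says when they expire).
  params=$(aws kms get-parameters-for-import --key-id "$key_id" \
             --wrapping-algorithm "$alg" --wrapping-key-spec RSA_4096)
  echo "$params" | jq -r .PublicKey   | base64 -d > "$name-wrappingkey.bin"
  echo "$params" | jq -r .ImportToken | base64 -d > "$name-importtoken.bin"
  echo "wrapping key and import token valid until: $(echo "$params" | jq -r .ParametersValidTo)"

  # Step 3: generate the key in the HSM and wrap it; produces <name>-wrapped.
  kt=$(cit_key_type "$spec")
  if [ -n "$kt" ]; then
    cloud_integration_tool aws "$name" "$name-wrappingkey.bin" --wrap-alg "$alg" --key-type "$kt"
  else
    cloud_integration_tool aws "$name" "$name-wrappingkey.bin" --wrap-alg "$alg"
  fi

  # Step 4: import the wrapped material and confirm the key is Enabled.
  aws kms import-key-material --key-id "$key_id" \
    --encrypted-key-material "fileb://$name-wrapped" \
    --import-token "fileb://$name-importtoken.bin" \
    --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
  aws kms describe-key --key-id "$key_id" --query KeyMetadata.KeyState --output text
}
```

Use KEY_MATERIAL_EXPIRES together with --valid-to if the material should expire, which matches the Key material expires option in the console; the import token itself expires regardless, so if step 3 is delayed past ParametersValidTo, fetch fresh parameters and re-wrap rather than reusing the old files.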

At this point you have extended trust to AWS for both the use of the key and its destruction.