Integrate with Amazon Web Services

Access the Key Management Service in the AWS Management Console

Connect to the Key Management Service (KMS) using the AWS Management Console, and select your AWS region.

The steps below can be carried out either in the AWS Management Console or through the AWS KMS API. The instructions here use the console; instructions for using the API can be found in the AWS KMS documentation.

Create a customer master key in the AWS Management Console

  1. In the navigation pane in KMS, select Customer Managed Keys.

  2. Select Create key.

  3. Select Symmetric.

  4. Expand Advanced Options.

  5. Specify External for Key Material Origin.

  6. Confirm that you understand the implications of using an imported key.

  7. Select Next.

  8. Create an Alias, Description, and Tags:

    1. Specify an alias for the key and, optionally, a description and tags.

    2. Select Next.

  9. Define Key Administrative Permissions:

    1. Specify the Identity and Access Management (IAM) users who can administer the key, and decide whether key administrators are able to delete the key.

    2. Select Next.

  10. In the This Account section, define Key Usage Permissions:

    1. Specify the IAM users who can use the key.

    2. Select Next.

  11. Review Key Policy:

    1. A preview of your key policy should be displayed.

    2. Select Finish.

If the operation succeeds, you have created a CMK with no key material. The following message should be displayed:

Your customer master key (CMK) was created with alias <key name> and key ID <key id>. To use this CMK, you must import key material.

Download a wrapping key and import token in the AWS Management Console

If you have just completed the instructions in Create a customer master key in the AWS Management Console, you should be on the Download wrapping key and import token screen.

Otherwise complete these steps:

  1. Connect to the AWS Management Console, and select your AWS Region.

  2. In the navigation pane in KMS, select Customer Managed Keys.

  3. Select the alias or key ID of the CMK that is pending import.

  4. Expand the Cryptographic configuration section, and view its values.

  5. Expand the Key Material section, and then select Download wrapping key and import token.

You can continue to download the wrapping key:

  1. Select the wrapping algorithm to use.

    We recommend selecting the strongest hashing algorithm supported.

  2. Select Download wrapping key and import token, then save the file (ImportParameters.zip).

  3. Unzip ImportParameters, and you should find the following files:

    • A README text file.

    • The wrapping key file.

    • The import token file.

Use cssadmin to generate, wrap, and export a key

Using the downloaded wrapping key file, call cssadmin as follows:

cssadmin aws <key name> <wrapping key> <wrapping algorithm>

Running this command creates a file called <key name>-wrapped.
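As an added illustration, not the product's own cssadmin code and not AWS code, the Go program below carries out the same operation the cssadmin command above performs: it parses the downloaded wrapping key, draws 256 bits of key material from the OS random source, wraps it with RSAES_OAEP_SHA_256 (the SHA-256 wrapping algorithm selected in the console), and writes <key name>-wrapped. It assumes the wrapping key file is the binary DER-encoded SubjectPublicKeyInfo form that the console download provides (a base64-encoded key obtained through the CLI would need decoding first) and a 2048-bit RSA wrapping key; the function names are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"os"
)

// KeyMaterialLen is the length of key material for an imported symmetric
// CMK: 256 bits.
const KeyMaterialLen = 32

// ParseWrappingKey decodes the wrapping key file downloaded from KMS.
// Assumption: the file is a DER-encoded SubjectPublicKeyInfo (PKIX) RSA key.
func ParseWrappingKey(der []byte) (*rsa.PublicKey, error) {
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, fmt.Errorf("wrapping key is not DER SubjectPublicKeyInfo: %w", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("wrapping key is not an RSA public key")
	}
	return rsaPub, nil
}

// GenerateKeyMaterial draws fresh key material from the OS CSPRNG.
func GenerateKeyMaterial() ([]byte, error) {
	km := make([]byte, KeyMaterialLen)
	if _, err := rand.Read(km); err != nil {
		return nil, err
	}
	return km, nil
}

// WrapKeyMaterial encrypts the key material under the KMS wrapping key with
// RSAES_OAEP_SHA_256: OAEP, SHA-256 for both the hash and MGF1, empty label.
// Go's EncryptOAEP uses the one hash it is given for both, which is what
// this wrapping algorithm requires. The output is the "Wrapped key material"
// file uploaded to KMS.
func WrapKeyMaterial(pub *rsa.PublicKey, keyMaterial []byte) ([]byte, error) {
	if len(keyMaterial) != KeyMaterialLen {
		return nil, fmt.Errorf("key material must be %d bytes, got %d", KeyMaterialLen, len(keyMaterial))
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyMaterial, nil)
}

// WrapToFile mirrors the cssadmin invocation on this page: read the wrapping
// key, generate and wrap new key material, and write <keyName>-wrapped.
// The plaintext key material is returned to the caller for safekeeping under
// whatever protection the deployment uses; it is never written to disk here.
func WrapToFile(keyName, wrappingKeyPath string) ([]byte, error) {
	der, err := os.ReadFile(wrappingKeyPath)
	if err != nil {
		return nil, err
	}
	pub, err := ParseWrappingKey(der)
	if err != nil {
		return nil, err
	}
	km, err := GenerateKeyMaterial()
	if err != nil {
		return nil, err
	}
	wrapped, err := WrapKeyMaterial(pub, km)
	if err != nil {
		return nil, err
	}
	// Only the wrapped form is written, readable by the owner alone.
	if err := os.WriteFile(keyName+"-wrapped", wrapped, 0o600); err != nil {
		return nil, err
	}
	return km, nil
}

func main() {
	// Hypothetical usage: wrapexample <key name> <wrapping key file>
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: wrapexample <key name> <wrapping key file>")
		os.Exit(2)
	}
	if _, err := WrapToFile(os.Args[1], os.Args[2]); err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("wrote %s-wrapped\n", os.Args[1])
}
```

The wrapped file, together with the import token from the same download, is what the upload step in the next section consumes; the import token binds the upload to the specific wrapping key that was downloaded, so a wrapped file produced with an older wrapping key will be rejected.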

Upload the wrapped key material

If you have just completed the instructions in Download a wrapping key and import token in the AWS Management Console, you should be on the Upload your wrapped key material screen.

Otherwise complete these steps:

  1. Connect to the AWS Management Console and select your AWS Region.

  2. In the navigation pane in KMS, select Customer Managed Keys.

  3. Select the key ID or alias of the CMK for which you downloaded the wrapping key (public key) and import token.

  4. Expand the Cryptographic configuration section, and view its values.

  5. Expand the Key Material section, and then select Upload key material.

Now you can continue to upload the wrapped key.

  1. In the Encrypted key material and import token section, under Wrapped key material, select Choose file.

    Upload the file that contains your wrapped (encrypted) key material. This is the file that was produced in Use cssadmin to generate, wrap, and export a key.

  2. In the Encrypted key material and import token section, under Import token, select Choose file.

    Upload the file that contains the import token that you downloaded.

  3. In the Expiration option section, you can determine whether the key material expires.

    To set an expiration date and time, choose Key material expires, and use the calendar to select a date and time.

  4. Select Upload key material.

The following message should be displayed:

Your key material was imported into the customer master key (CMK) with key ID <key id>. You can now use this CMK.

The AWS key is now ready for use.

At this point you have extended trust to AWS for both the use of the key and its destruction.