Integrate with Amazon Web Services

Access the Key Management Service in the AWS Management Console

Connect to the Key Management Service (KMS) using the AWS Management Console and select your AWS region.

You can carry out the steps below either in the AWS Management Console or through the AWS KMS API. This guide gives instructions for the console; for the API, see the AWS KMS documentation.

Create a customer master key in the AWS Management Console

  1. In the navigation pane in KMS, select Customer Managed Keys.

  2. Select Create key.

  3. Select Symmetric.

  4. Expand Advanced Options.

  5. For Key Material Origin, specify External.

  6. Confirm that you understand the implications of using an imported key.

  7. Select Next.

  8. Create an Alias, Description, and Tags:

    1. Specify an alias for the key and, optionally, a description and tags.

    2. Select Next.

  9. Define Key Administrative Permissions:

    1. Specify the Identity and Access Management (IAM) users who can administer the key and decide whether key administrators are able to delete the key.

    2. Select Next.

  10. Under This Account, define Key Usage Permissions:

    1. Specify the IAM users who can use the key.

    2. Select Next.

  11. Review Key Policy:

    1. A preview of your key policy is displayed.

    2. Select Finish.

If the operation succeeds, you have created a CMK with no key material. The following message is displayed:

Your customer master key (CMK) was created with alias <key name> and key ID <key id>.
To use this CMK, you must import key material.

Download a wrapping key and import token in the AWS Management Console

After completing the instructions in Create a customer master key in the AWS Management Console, you are on the Download wrapping key and import token screen.

Otherwise, complete these steps:

  1. Connect to the AWS Management Console and select your AWS Region.

  2. In the navigation pane in KMS, select Customer Managed Keys.

  3. Select the alias or key ID of the CMK that is pending import.

  4. Expand Cryptographic configuration and view its values.

  5. Expand Key Material and select Download wrapping key and import token.

You can continue to download the wrapping key:

  1. Select the wrapping algorithm to use.

    Entrust recommends selecting the strongest hashing algorithm supported.

  2. Select Download wrapping key and import token and save the ImportParameters.zip file.

  3. Decompress ImportParameters.zip. You should find the following files:

    • A README text file.

    • The wrapping key file.

    • The import token file.

Use cloud_integration_tool to generate, wrap, and export a key

Using the downloaded wrapping key file, call cloud_integration_tool as follows:

cloud_integration_tool aws <key name> <wrapping key> <wrapping algorithm>

Running this command creates a file called <key name>-wrapped.
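
A pre-upload sanity check, added here as an example and not part of the Entrust or AWS tooling: it reads the modulus size from the downloaded wrapping key and confirms that <key name>-wrapped is a single raw RSA ciphertext of that size. It assumes the wrapping key file is a DER-encoded RSA public key and that the selected wrapping algorithm outputs one RSA block; the function names and the 2048-bit floor are illustrative, and the sample key is constructed.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def _tlv(buf, pos, tag):
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Return the modulus size in bits of a DER SubjectPublicKeyInfo RSA key."""
    spki, end = _tlv(spki_der, 0, 0x30)
    alg, pos = _tlv(spki, 0, 0x30)
    oid, _ = _tlv(alg, 0, 0x06)
    if end != len(spki_der) or oid != RSA_OID:
        raise ValueError("not a single DER-encoded RSA public key")
    bits, _ = _tlv(spki, pos, 0x03)
    if bits[:1] != b"\x00":
        raise ValueError("malformed BIT STRING")
    rsa_key, _ = _tlv(bits, 1, 0x30)  # offset 1 skips the unused-bits octet
    modulus, _ = _tlv(rsa_key, 0, 0x02)
    return int.from_bytes(modulus, "big").bit_length()

def check_wrapped_key(spki_der, wrapped):
    """Return a list of problems; an empty list means the sizes are consistent."""
    bits = rsa_modulus_bits(spki_der)
    problems = [f"wrapping key is only {bits} bits"] if bits < 2048 else []
    if len(wrapped) != (bits + 7) // 8:
        problems.append(f"wrapped key is {len(wrapped)} bytes, expected {(bits + 7) // 8}")
    return problems

def _der(tag, value):  # minimal DER encoder, used only to build the constructed sample
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + value

def constructed_spki(bits=2048):  # structurally valid sample, not a real key
    rsa = _der(0x30, _der(0x02, b"\x00" + b"\xc3" * (bits // 8)) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa))

if __name__ == "__main__":
    print(check_wrapped_key(constructed_spki(), bytes(256)) or "sizes are consistent")
```

To check real files, pass the bytes of the wrapping key file and of <key name>-wrapped to check_wrapped_key. A length mismatch typically means the file was base64-encoded, truncated, or wrapped against a different key.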

Upload the wrapped key material

If you have just completed the instructions in Download a wrapping key and import token in the AWS Management Console, you are on the Upload your wrapped key material screen.

Otherwise, complete these steps:

  1. Connect to the AWS Management Console and select your AWS Region.

  2. In the navigation pane in KMS, select Customer Managed Keys.

  3. Select the key ID or alias of the CMK for which you downloaded the public key and import token.

  4. Expand Cryptographic configuration and view its values.

  5. Expand Key Material and then select Upload key material.

Now you can continue to upload the wrapped key.

  1. Under Encrypted key material and import token > Wrapped key material, select Choose file.

    Upload the file that contains your wrapped (encrypted) key material. This is the file that was produced in Use cloud_integration_tool to generate, wrap, and export a key.

  2. Under Encrypted key material and import token > Import token, select Choose file.

    Select and upload the file that contains the import token that you downloaded.

  3. In the Expiration option section, you can determine whether the key material expires.

    To set an expiration date and time, choose Key material expires and use the calendar to select a date and time.

  4. Select Upload key material.

The following message is displayed:

Your key material was imported into the customer master key (CMK) with key ID <key id>.
You can now use this CMK.

The AWS key is now ready for use.

At this point, users have extended trust to AWS for the use of the key and for its destruction.