
Import Key Material

After wrapping the import key material, import the key material to use within AWS KMS. To import key material, upload the wrapped import key material from the chapter Export and Wrap Key Material and the import token that was downloaded in chapter Download the Public key and Import Token. It is important to import key material into the same KMS key that was specified when downloading the public key and import token, otherwise the import will fail.

When key material is imported, the key state of the KMS key changes to Enabled. The key is now available to use in cryptographic operations.

When importing key material, it is possible to set an optional expiration date for the key material. When the key material expires, AWS KMS deletes the key material and the KMS key becomes unusable. To use the KMS key in cryptographic operations, reimport the same key material. After importing the key material, it is not possible to set, change, or cancel the expiration date for the current import. To change these values, delete and reimport the same key material.

To import key material, use either the AWS KMS console or the ImportKeyMaterial API request.

When importing the key material, an ImportKeyMaterial entry is added to the AWS CloudTrail log to record the ImportKeyMaterial operation. The CloudTrail entry is the same whether using the AWS KMS console or the AWS KMS API.

After the encrypted key material has been uploaded, AWS KMS uses the private key that corresponds to the public key downloaded for this KMS key to decrypt the key material. The private key never leaves AWS KMS.

To import key material, send an ImportKeyMaterial request. The following example uses the AWS CLI; replace the example values with your own:

$ aws kms import-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
    --import-token fileb://ImportToken.bin \
    --expiration-model KEY_MATERIAL_EXPIRES \
    --valid-to 2022-09-17T12:00:00-08:00
Parameters:

--key-id: Replace 1234abcd-12ab-34cd-56ef-1234567890ab with the key ID of the KMS key that you specified when you downloaded the public key and import token. The KMS key can be identified by its key ID or its key ARN.

--encrypted-key-material: Replace EncryptedKeyMaterial.bin with the name of the file that contains the encrypted key material. Keep the fileb:// prefix so that the CLI reads the file as binary.

--import-token: Replace ImportToken.bin with the name of the file that contains the import token. Keep the fileb:// prefix here as well.

--expiration-model: To have the imported key material expire, set this parameter to its default value, KEY_MATERIAL_EXPIRES, or omit it. To import key material that does not expire, set it to KEY_MATERIAL_DOES_NOT_EXPIRE.

--valid-to: If --expiration-model is set to KEY_MATERIAL_EXPIRES, add the --valid-to parameter and replace the example date with the desired expiration date and time, in ISO 8601 format. The value can be at most 365 days from the time of the request. Omit --valid-to if the --expiration-model parameter was not added to the command.

If the key import was successful the key state of the KMS key changes to Enabled, and the KMS key is now available to use in cryptographic operations. An ImportKeyMaterial entry has been added to the AWS CloudTrail log to record the ImportKeyMaterial operation.
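As an added example that is not part of this page or of the AWS tooling, the following Python builds the same ImportKeyMaterial request as the CLI call above, shaped for a boto3 KMS client (an assumption; boto3 itself is not imported), and checks the expiration rules locally before anything is sent: ValidTo must be present whenever the expiration model is KEY_MATERIAL_EXPIRES (the API default), must carry a UTC offset, and may be at most 365 days out, while KEY_MATERIAL_DOES_NOT_EXPIRE must not carry a ValidTo. The .bin files it writes are constructed placeholders, not real key material.

```python
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

MAX_VALIDITY = timedelta(days=365)  # KMS rejects a ValidTo further out than this


def write_sample_inputs():
    """Write constructed placeholder blobs (NOT real key material); return their paths."""
    directory = Path(tempfile.mkdtemp())
    material, token = directory / "EncryptedKeyMaterial.bin", directory / "ImportToken.bin"
    material.write_bytes(b"\x00\x01constructed-wrapped-key-material")
    token.write_bytes(b"\x00\x02constructed-import-token")
    return material, token


def build_import_request(key_id, material_path, token_path,
                         expiration_model="KEY_MATERIAL_EXPIRES", valid_to=None, now=None):
    """Return kwargs for boto3's kms.import_key_material() (assumed client API).
    key_id must be the KMS key whose public key and import token were downloaded;
    valid_to/now are ISO 8601 strings with a UTC offset, e.g. "2022-09-17T12:00:00-08:00"."""
    now = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    request = {
        "KeyId": key_id,
        # Blobs are sent as raw bytes, the SDK equivalent of the CLI's fileb:// prefix.
        "EncryptedKeyMaterial": Path(material_path).read_bytes(),
        "ImportToken": Path(token_path).read_bytes(),
        "ExpirationModel": expiration_model,
    }
    if expiration_model == "KEY_MATERIAL_EXPIRES":
        if valid_to is None:
            raise ValueError("ValidTo is required when key material expires")
        expires = datetime.fromisoformat(valid_to)
        if expires.tzinfo is None:
            raise ValueError("ValidTo needs a UTC offset")
        if not now < expires <= now + MAX_VALIDITY:
            raise ValueError("ValidTo must be in the future and at most 365 days from now")
        request["ValidTo"] = expires
    elif expiration_model == "KEY_MATERIAL_DOES_NOT_EXPIRE":
        if valid_to is not None:
            raise ValueError("ValidTo must be omitted when key material does not expire")
    else:
        raise ValueError(f"unknown ExpirationModel {expiration_model!r}")
    return request


def check_request(*args, **kwargs):
    """Return None when the request validates, otherwise the rejection reason."""
    try:
        build_import_request(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
```

Pass the returned dict as `kms.import_key_material(**request)`; on success the KMS key's state becomes Enabled and the ImportKeyMaterial event appears in CloudTrail as described above.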