📄️ Create Key on HSM
By default, AWS KMS creates key material when you create an AWS KMS key. To import your own key material instead, first create a KMS key without key material, then import the key material into it. A KMS key with no key material can be created with the AWS Management Console or with the create-key request of the AWS KMS API.
📄️ Downloading Public Key & Import Token
After creating a symmetric encryption AWS KMS key without key material, it is necessary to download its public key and import token. Both items can be downloaded in one step using the AWS KMS console or the GetParametersForImport AWS API request. The public key that AWS KMS provides is a 2048-bit RSA public key that is unique to your AWS account.
📄️ Create Key on HSM
It is necessary to generate a key on the HSM that will be imported into AWS KMS. In the example below we create the key using Primus Tools, but a different tool can be used. If you use different tools, make sure to create the key with the proper parameters.
📄️ Export & Wrap Key Material
The Securosys HSM records a log entry for every action performed with keys, as well as for every successful or failed authentication.
📄️ Import Key Material
After wrapping the key material, import it for use within AWS KMS. To do so, upload the wrapped key material from the chapter Export and Wrap Key Material together with the import token downloaded in the chapter Download the Public Key and Import Token. The key material must be imported into the same KMS key that was specified when downloading the public key and import token; otherwise the import will fail.