Formatting keys for import

Key Management Service allows you to import user-provided cryptographic keys. This topic describes how to properly format your keys, so that they can be imported by KMS.

The correct format for your key material varies based on whether the key material is being imported into a symmetric key, or into an asymmetric key. For more information about the difference between symmetric and asymmetric keys, see Key purposes and algorithms.

Formatting symmetric keys

For keys with the purpose ENCRYPT_DECRYPT, the key material to be wrapped must consist of 32 bytes of binary data. Keys must not be hex- or base64-encoded.

The file command can help you verify that your unwrapped key consists of binary data:

file /path/to/unwrapped-symmetric-key

The output of the file command should be data. If it is something else (for example, ASCII text), inspect the contents of the file to ensure that it is not hex- or base64-encoded. You may use a hex or base64 decoder to convert your key into binary format.

The wc command can help you verify that your unwrapped key is the correct length:

wc -c /path/to/unwrapped-symmetric-key

The output of the wc command should be 32.

Formatting asymmetric keys

For keys with the purpose ASYMMETRIC_DECRYPT or ASYMMETRIC_SIGN, the key material must be PKCS #8-formatted and DER-encoded. The following commands can help you determine whether your key material is formatted properly.

To begin, use the file command to test the contents of your unwrapped key:

file /path/to/unwrapped-asymmetric-key

Then, follow the instructions based on the output of the file command:

  • If the output suggests that the key is PEM-encoded (for example, if the output of the file command is PEM RSA private key), see Converting from PEM.

  • If the output of the file command is ASCII text, it is likely PEM-encoded. You can manually inspect the contents of the file to be sure. If the file begins with a line like -----BEGIN XXX PRIVATE KEY----- and is followed by base64 data, see Converting from PEM.

  • If the output of the file command is data, it is likely DER-encoded. There are multiple formats of DER encoding specific to RSA and EC private keys, as well as encrypted variants for PKCS #8-formatted keys. Converting from DER will ensure that your key is formatted properly, and is safe to run even in the event that your key is already formatted properly.

Converting from PEM

You can use OpenSSL to convert from a number of PEM private key formats to the DER-encoded PKCS #8 required by KMS using the following command:

openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER \
    -in /path/to/asymmetric-key-pem -out /path/to/formatted-key

This command will properly convert PEM keys with the headers EC PRIVATE KEY, RSA PRIVATE KEY, and PRIVATE KEY.

Converting from DER

You can use OpenSSL to convert from a number of DER private key formats to the DER-encoded PKCS #8 required by KMS using the following command:

openssl pkcs8 -topk8 -nocrypt -inform DER -outform DER \
    -in /path/to/asymmetric-key-der -out /path/to/formatted-key

This command will properly convert DER-encoded keys in the RSA PKCS #1 format, the Elliptic Curve Private Key format, as well as encrypted PKCS #8 keys. If your key is already in the proper format, it will simply output a copy of your current key.
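The formats named in this section (PKCS #8 PrivateKeyInfo, encrypted PKCS #8, PKCS #1 RSAPrivateKey, SEC1 ECPrivateKey, and PEM) each have a distinct outer ASN.1 shape, so a file can be classified before running openssl. The following added example (not part of the Cloud KMS documentation or tooling) does that with a minimal DER walker; it only inspects the top-level tags and does not validate or parse the key itself. The samples at the bottom are constructed dummy structures, not real keys.

```python
def _tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long-form length, used by keys over 127 bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated DER")
    return tag, data[pos:pos + length], pos + length

def _children(seq: bytes) -> list:
    """Split the body of a SEQUENCE into its top-level (tag, value) elements."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def classify_private_key(blob: bytes) -> str:
    """Name the private-key format of blob from its outer ASN.1 shape alone (no key parsing)."""
    if blob.lstrip().startswith(b"-----BEGIN "):
        return "PEM"                         # see 'Converting from PEM'
    try:
        tag, body, end = _tlv(blob, 0)
        if tag != 0x30 or end != len(blob):  # must be exactly one outer SEQUENCE
            return "unknown"
        tags = [t for t, _ in _children(body)]
    except (IndexError, ValueError):
        return "unknown"
    if tags[:3] == [0x02, 0x30, 0x04]:
        return "PKCS8"                       # PrivateKeyInfo: version, AlgorithmIdentifier, privateKey
    if tags[:2] == [0x30, 0x04]:
        return "PKCS8-encrypted"             # EncryptedPrivateKeyInfo: see 'Converting from DER'
    if tags[:2] == [0x02, 0x04]:
        return "SEC1-EC"                     # ECPrivateKey: version 1, then the scalar as OCTET STRING
    if len(tags) >= 9 and all(t == 0x02 for t in tags):
        return "PKCS1-RSA"                   # RSAPrivateKey: version, n, e, d, p, q, dp, dq, qinv
    return "unknown"

def der(tag: int, value: bytes) -> bytes:
    """Short-form DER encoder, only for building the constructed samples (values under 128 bytes)."""
    return bytes([tag, len(value)]) + value

# Constructed sample (not a real key): PKCS #8 PrivateKeyInfo for id-ecPublicKey / prime256v1
# with eight zero bytes standing in for the private scalar.
EC_OID = der(0x06, bytes.fromhex("2a8648ce3d0201")) + der(0x06, bytes.fromhex("2a8648ce3d030107"))
SAMPLE_PKCS8 = der(0x30, der(0x02, b"\x00") + der(0x30, EC_OID) + der(0x04, bytes(8)))
SAMPLE_ENCRYPTED = der(0x30, der(0x30, EC_OID) + der(0x04, bytes(16)))  # EncryptedPrivateKeyInfo shape only
```

Run classify_private_key over the bytes of /path/to/unwrapped-asymmetric-key; anything other than "PKCS8" means one of the openssl conversions above is still needed.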
