AWS Customer Managed KMS replica - key material import


I am trying to get a replica of an existing customer managed KMS key working in a different region. Since being replicated, it has been in "Pending Import" status. I have tried to import the same key material with a different import token (the one downloaded from the region where the replica lives) but am getting an "InvalidCyphertext Exception".

Has anybody ever had to deal with a regional customer managed KMS key and the import of key material? Please share the steps you followed in this process.

  • To be clear, the primary KMS key is working perfectly well and its status is Enabled. The replica is the issue.

Asked a year ago, 342 views
1 answer

Accepted answer

Hi ilona-savinova,

On your question, I followed the steps exactly as mentioned at Creating replica key for replicating one of my multi-Region KMS keys, and I was able to replicate it in us-east-2 from us-east-1.

Could you please comment here on how you are replicating, through the console or the KMS API, and if you can list the steps, that would be helpful too.

I'm sure you are already aware of this:

Supported KMS key types for multi-Region KMS key replication are:

  1. Symmetric encryption KMS keys

  2. Asymmetric KMS keys

  3. HMAC KMS keys

  4. KMS keys with imported key material

You cannot create multi-Region keys in a custom key store.

Additional Reference: Multi Region Key Import

AWS Expert
Answered a year ago
Expert
Reviewed a year ago
  • I am doing it via the console. It is a symmetric key. I am having an issue importing key material to the replica, which is in Pending Import status.

    I tried to download the wrapping key and import token from the replica, import the primary key material (the one I used in the primary KMS key in Ohio) and the import token that I downloaded from the replica KMS key (because they are described as unique per region?), but I am getting an InvalidCyphertext Exception error message when trying to import.

  • The steps I took to replicate:

    1. Went to the Regional section, chose the region for the replica: us-east-1
    2. Switched to us-east-1; the replica showed up in status "Pending Import"
    3. Went to Key Material, clicked on Import Key
    4. Downloaded the wrapping public key and import token
    5. Imported the primary key material generated for the base key from the Ohio region. Uploaded the import token previously downloaded from the replica key in the N. Virginia region
    6. Upload failed with an InvalidCyphertext Exception error
  • Can you please make sure that you are exactly following step 3 from Creating a replica key with imported key material. It says: "Use the public key to encrypt the primary key's key material, and then import the primary key's key material in the replica key. You need a different public key and import token for each replica key." Let me know if you are still facing the problem.

  • Thank you for confirming my doubts. I finally resolved the issue. I was not sure why the command below wasn't doing the job; I lost my plain_text_aes.bin during the initial creation of the key material.

    I recreated the KMS primary key, did it from scratch altogether, and it worked. Thank you very much for your support!

    openssl pkeyutl -in plain_text_aes_key.bin -inkey <your-wrappingKey...> -pubin -keyform DER -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -out enc.aes.key

  • I'm glad you were able to resolve the issue.
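The procedure the accepted answer points to, written out as a script. This is an added example, not code from the original post or from AWS: it fetches the wrapping public key and import token from the replica key in the replica's region in a single GetParametersForImport call (the two are only valid as a matched pair from the same response, and a pair fetched from the primary's region cannot be used for the replica), wraps the same plaintext key bytes that were imported into the primary with RSAES_OAEP_SHA_256 (the same openssl invocation as in the comment above, with the MGF1 hash pinned explicitly), and imports the result. The region, key ID, file names and the offline self-check's throw-away RSA key pair are assumptions of the example; the live path needs the aws CLI, openssl, and credentials allowed kms:GetParametersForImport and kms:ImportKeyMaterial on the replica key.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Wraps the SAME plaintext key
# material with a wrapping key fetched from the REPLICA key in the REPLICA
# region, then imports it with the import token from that same call.
# Assumed: aws CLI and openssl on PATH; region/key ID/file names are hypothetical.
set -eu

# Wrap a 32-byte symmetric key with a KMS RSA wrapping public key (DER/SPKI)
# using RSAES_OAEP_SHA_256. $1 = plaintext key, $2 = wrapping key (DER), $3 = output.
wrap_key_material() {
  plaintext="$1"; wrapping_key="$2"; out="$3"
  size=$(wc -c < "$plaintext" | tr -d ' ')
  if [ "$size" -ne 32 ]; then
    echo "key material must be exactly 32 bytes for a SYMMETRIC_DEFAULT key, got $size" >&2
    return 1
  fi
  # OAEP with SHA-256 for both the OAEP hash and MGF1, as KMS expects for RSAES_OAEP_SHA_256.
  openssl pkeyutl -encrypt -in "$plaintext" -out "$out" \
    -inkey "$wrapping_key" -pubin -keyform DER \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
}

# Offline self-check (no AWS calls): a throw-away RSA-2048 key pair stands in for
# the KMS wrapping key; constructed key material is wrapped, unwrapped with the
# private half, and compared. Prints "ok" on success.
selfcheck_roundtrip() {
  dir=$(mktemp -d)
  head -c 32 /dev/urandom > "$dir/plain.bin"   # constructed 256-bit key material
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/priv.pem" 2>/dev/null
  openssl pkey -in "$dir/priv.pem" -pubout -outform DER -out "$dir/wrap.der"
  wrap_key_material "$dir/plain.bin" "$dir/wrap.der" "$dir/enc.bin"
  openssl pkeyutl -decrypt -in "$dir/enc.bin" -out "$dir/dec.bin" -inkey "$dir/priv.pem" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
  if ! cmp -s "$dir/plain.bin" "$dir/dec.bin"; then rm -rf "$dir"; return 1; fi
  rm -rf "$dir"
  echo ok
}

# Live path. $1 = replica region, $2 = replica key ID or ARN, $3 = plaintext key file
# (the very same bytes that were imported into the primary; the replica must
# receive identical key material).
import_into_replica() {
  region="$1"; key_id="$2"; plaintext="$3"
  dir=$(mktemp -d)
  # One call returns a matched public key + import token pair; the token expires
  # after 24 hours, and a pair fetched for another key or region will not work.
  pair=$(aws kms get-parameters-for-import --region "$region" --key-id "$key_id" \
    --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 \
    --query '[PublicKey,ImportToken]' --output text)
  printf '%s' "$pair" | cut -f1 | base64 --decode > "$dir/wrap.der"
  printf '%s' "$pair" | cut -f2 | base64 --decode > "$dir/token.bin"
  wrap_key_material "$plaintext" "$dir/wrap.der" "$dir/enc.bin"
  aws kms import-key-material --region "$region" --key-id "$key_id" \
    --encrypted-key-material "fileb://$dir/enc.bin" \
    --import-token "fileb://$dir/token.bin" \
    --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
  rm -rf "$dir"
}

# Usage with hypothetical values:
#   ./replica_import.sh import us-east-1 mrk-<replica-key-id> ./plain_text_aes_key.bin
if [ "${1:-}" = "import" ]; then
  import_into_replica "$2" "$3" "$4"
fi
```

Run `selfcheck_roundtrip` first to confirm the openssl side of the pipeline on the machine in use; if the live import still fails after that, the encrypted blob and token were produced from different GetParametersForImport responses, the token has expired, or the plaintext file no longer holds the bytes that went into the primary, which is the situation the original poster ended up in.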
