When creating a key-signing key (KSK) in Route 53, you need to create a customer managed customer master key (CMK) (Working with customer managed CMKs for DNSSEC):

> The customer managed CMK must be an asymmetric CMK with the ECC_NIST_P256 key spec.

When I try to create the CMK, I get "KeySpec ECC_NIST_P256 is not supported":

```shell
aws kms create-key --region us-east-1 --origin EXTERNAL --customer-master-key-spec ECC_NIST_P256 \
    --key-usage SIGN_VERIFY
```

```
An error occurred (ValidationException) when calling the CreateKey operation: KeySpec ECC_NIST_P256 is not supported for Origin EXTERNAL
```

How do I create a CMK so that I can create a KSK?
Answer 0: (score: 0)
KMS does not support importing asymmetric CMKs:

> Imported key material is supported only for symmetric CMKs in AWS KMS key stores. It is not supported for asymmetric CMKs or for CMKs in custom key stores.

You must use AWS-provided key material via --origin AWS_KMS. You might also be able to use AWS_CLOUDHSM, but that may be expensive.
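As an added illustration (not code from the question or from either answer), the Python script below encodes the rule quoted in this answer as a preflight check: it parses an `aws kms create-key` command line, reports the combination KMS rejects (imported key material with an asymmetric key spec), and rewrites the command from the question into the form that can back a Route 53 KSK, with AWS_KMS-generated material. The parser and the helper names are assumptions; the key-spec names are the ones AWS documents. The script never calls AWS, so it runs offline.

```python
"""Preflight check for `aws kms create-key` parameter combinations.

Added example, not from the page. It mirrors the documented rule quoted in
the answer above: key material can only be imported (--origin EXTERNAL) for
symmetric CMKs, so an asymmetric spec such as ECC_NIST_P256 must use
--origin AWS_KMS.
"""
import shlex

# Key specs AWS documents for asymmetric CMKs (AWS's own names).
ASYMMETRIC_SPECS = {"RSA_2048", "RSA_3072", "RSA_4096",
                    "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521",
                    "ECC_SECG_P256K1"}
SYMMETRIC_SPECS = {"SYMMETRIC_DEFAULT"}

# The command from the question, reproduced as the sample input.
QUESTION_CMD = ("aws kms create-key --region us-east-1 --origin EXTERNAL "
                "--customer-master-key-spec ECC_NIST_P256 --key-usage SIGN_VERIFY")


def parse_create_key(cmdline):
    """Turn an `aws kms create-key ...` command line into a dict of its
    --option values (assumed helper; handles the flags used on this page)."""
    argv = shlex.split(cmdline)
    if argv[:3] != ["aws", "kms", "create-key"]:
        raise ValueError("not an `aws kms create-key` command")
    opts = {}
    rest = argv[3:]
    i = 0
    while i < len(rest):
        tok = rest[i]
        if not tok.startswith("--"):
            raise ValueError(f"unexpected argument {tok!r}")
        if "=" in tok:                       # --name=value form
            name, value = tok[2:].split("=", 1)
        else:                                # --name value form
            name = tok[2:]
            if i + 1 >= len(rest) or rest[i + 1].startswith("--"):
                raise ValueError(f"--{name} needs a value")
            value = rest[i + 1]
            i += 1
        opts[name] = value
        i += 1
    return opts


def validate_create_key(opts):
    """Return the validation error the request would hit, or None.

    Only the rule quoted in the answer is modelled: imported key material
    (origin EXTERNAL) is supported for symmetric CMKs only. Defaults follow
    the CLI: SYMMETRIC_DEFAULT spec and AWS_KMS origin when omitted."""
    spec = opts.get("customer-master-key-spec", "SYMMETRIC_DEFAULT")
    origin = opts.get("origin", "AWS_KMS")
    if spec not in SYMMETRIC_SPECS | ASYMMETRIC_SPECS:
        return f"Unknown KeySpec {spec}"
    if origin == "EXTERNAL" and spec in ASYMMETRIC_SPECS:
        return f"KeySpec {spec} is not supported for Origin {origin}"
    return None


def fixed_ksk_command(cmdline):
    """Rewrite a create-key command so the resulting CMK can back a Route 53
    KSK: ECC_NIST_P256, SIGN_VERIFY, and AWS_KMS-generated key material.
    Other options (such as --region) are kept as given."""
    opts = parse_create_key(cmdline)
    opts["customer-master-key-spec"] = "ECC_NIST_P256"
    opts["key-usage"] = "SIGN_VERIFY"
    opts["origin"] = "AWS_KMS"
    return "aws kms create-key " + " ".join(
        f"--{k} {v}" for k, v in sorted(opts.items()))


if __name__ == "__main__":
    print("original :", validate_create_key(parse_create_key(QUESTION_CMD)))
    fixed = fixed_ksk_command(QUESTION_CMD)
    print("fixed    :", fixed)
    print("validated:", validate_create_key(parse_create_key(fixed)))
```

Run it with the question's command and it reports the same "KeySpec ECC_NIST_P256 is not supported for Origin EXTERNAL" message, then prints the rewritten command, which passes the check. Executing the rewritten command still requires real AWS credentials and permissions; the script only validates parameters.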
Answer 1: (score: 0)
The namespaces need to be added from the NuGet package:

```csharp
using System;
using System.IO;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;
```

**1) Encryption :-**

```csharp
// Values supplied by the caller (left as placeholders in the original answer):
// serviceEndPoint, awsKeyForKMS, awsSecretKeyForKMS, keyARNForKMS.
AmazonKeyManagementServiceConfig kmsConfig = new AmazonKeyManagementServiceConfig();
kmsConfig.UseHttp = true; // plain HTTP to the endpoint; only appropriate for a local test endpoint
kmsConfig.ServiceURL = serviceEndPoint;
// create the client, specifying the Region endpoint or the KMS config
AmazonKeyManagementServiceClient kmsClient = new AmazonKeyManagementServiceClient(awsKeyForKMS, awsSecretKeyForKMS, kmsConfig);

GenerateDataKeyRequest dataKeyReq = new GenerateDataKeyRequest();
dataKeyReq.KeyId = keyARNForKMS;
dataKeyReq.KeySpec = DataKeySpec.AES_256; // length of the data encryption key: AES_256 generates a 256-bit symmetric key
GenerateDataKeyResponse dataKeyResponse = kmsClient.GenerateDataKey(dataKeyReq);

// read the encrypted data key from memory
MemoryStream streamCipherText = dataKeyResponse.CiphertextBlob;
// save this key together with the encrypted data, because with it
// you can later recover the plain data key and decrypt the data
string encryptedDataKey = Convert.ToBase64String(streamCipherText.ToArray());

// read the plain data key from memory
MemoryStream streamPlainText = dataKeyResponse.Plaintext;
// use this key to encrypt your data, then forget it
string plainDataKey = Convert.ToBase64String(streamPlainText.ToArray());

// your encryption logic (Encryption is the answerer's own helper class, not part of the SDK)
Encryption encrypt = new Encryption();
encrypt.EncryptTextForKms(plainDataKey, "data to be encrypted");
```