How to create a customer managed customer master key (CMK) on AWS

Time: 2021-03-26 10:34:03

Tags: amazon-web-services amazon-route53 amazon-kms

When creating a key-signing key (KSK) in Route 53, you need to create a customer managed customer master key (CMK) (Working with customer managed CMKs for DNSSEC):

> The customer managed CMK must be an asymmetric CMK with the ECC_NIST_P256 key spec.

When I try to create the CMK, I get "KeySpec ECC_NIST_P256 is not supported":

aws kms create-key --region us-east-1 --origin EXTERNAL --customer-master-key-spec ECC_NIST_P256 \
    --key-usage SIGN_VERIFY


An error occurred (ValidationException) when calling the CreateKey operation: KeySpec ECC_NIST_P256 is not supported for Origin EXTERNAL

How do I create the CMK needed to create the KSK?

2 answers:

Answer 0 (score: 0)

KMS does not support importing asymmetric CMKs:

> Imported key material is supported only for symmetric CMKs in the AWS KMS key store. It is not supported for asymmetric CMKs or for CMKs in custom key stores.

You have to use AWS-provided key material via --origin AWS_KMS. You might also be able to use AWS_CLOUDHSM, but that is probably expensive.
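To make the constraint from this answer checkable before calling the API, here is an added example (my code, not part of the question or answers): a local preflight check for the KeySpec/Origin combination that KMS rejected in the question, plus the create-key parameters for a Route 53 DNSSEC KSK in the keyword shape boto3's `kms.create_key()` takes. Parameter names follow the CLI flags on this page (`CustomerMasterKeySpec` / `--customer-master-key-spec`); newer SDK and CLI releases also accept `KeySpec` / `--key-spec`. The rule that custom key stores (AWS_CLOUDHSM) only hold symmetric keys is added from the KMS documentation, not from this page.

```python
# Added example, not code from the question or answers: preflight check for
# the KeySpec/Origin combination KMS rejected above, and the create-key
# parameters for a Route 53 DNSSEC KSK.
SYMMETRIC_SPECS = {"SYMMETRIC_DEFAULT"}
ECC_SIGNING_SPECS = {"ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"}
RSA_SPECS = {"RSA_2048", "RSA_3072", "RSA_4096"}
ORIGINS = {"AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"}


def validate_create_key(key_spec, key_usage, origin="AWS_KMS"):
    """Return True if KMS would accept the combination, else raise ValueError.

    Rules: imported key material (Origin EXTERNAL) is only supported for
    symmetric CMKs, as the quoted documentation says; custom key stores
    (Origin AWS_CLOUDHSM) likewise only hold symmetric keys (KMS docs, not
    stated on this page); ECC specs are signing-only. HMAC specs are not
    covered by this check.
    """
    if origin not in ORIGINS:
        raise ValueError(f"Unknown Origin {origin}")
    if key_spec not in SYMMETRIC_SPECS | ECC_SIGNING_SPECS | RSA_SPECS:
        raise ValueError(f"KeySpec {key_spec} is not covered by this check")
    symmetric = key_spec in SYMMETRIC_SPECS
    if origin != "AWS_KMS" and not symmetric:
        raise ValueError(f"KeySpec {key_spec} is not supported for Origin {origin}")
    if symmetric and key_usage != "ENCRYPT_DECRYPT":
        raise ValueError(f"KeySpec {key_spec} requires KeyUsage ENCRYPT_DECRYPT")
    if key_spec in ECC_SIGNING_SPECS and key_usage != "SIGN_VERIFY":
        raise ValueError(f"KeySpec {key_spec} requires KeyUsage SIGN_VERIFY")
    if key_spec in RSA_SPECS and key_usage not in ("SIGN_VERIFY", "ENCRYPT_DECRYPT"):
        raise ValueError(f"KeyUsage {key_usage} is not valid for {key_spec}")
    return True


def ksk_create_key_params(description="Route 53 DNSSEC KSK"):
    """Parameters for the CMK a KSK needs: asymmetric ECC_NIST_P256,
    SIGN_VERIFY, KMS-generated key material (Origin AWS_KMS, the default)."""
    params = {"CustomerMasterKeySpec": "ECC_NIST_P256", "KeyUsage": "SIGN_VERIFY",
              "Origin": "AWS_KMS", "Description": description}
    validate_create_key(params["CustomerMasterKeySpec"], params["KeyUsage"], params["Origin"])
    return params


def as_cli_command(params, region="us-east-1"):
    """The same request as an AWS CLI call (the question's command without --origin EXTERNAL)."""
    return (f"aws kms create-key --region {region}"
            f" --customer-master-key-spec {params['CustomerMasterKeySpec']}"
            f" --key-usage {params['KeyUsage']} --origin {params['Origin']}"
            f" --description '{params['Description']}'")
```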

Answer 1 (score: 0)

The namespaces need to be added from the NuGet package:

using System;
using System.IO;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;

**1) Encryption :-**
// Generates a data key under the given CMK. Returns the encrypted data key
// (store it next to the ciphertext) and the plaintext data key (use it to
// encrypt, then discard it).
static void GenerateDataKey(string awsKeyForKMS, string awsSecretKeyForKMS,
                            string serviceEndPoint, string keyARNForKMS,
                            out string encryptedDataKey, out string plainDataKey)
{
    AmazonKeyManagementServiceConfig kmsConfig = new AmazonKeyManagementServiceConfig();
    kmsConfig.UseHttp = true; // plain HTTP to the endpoint: only acceptable for a local/test endpoint
    kmsConfig.ServiceURL = serviceEndPoint;
    // create client, specify Region end point or kms config
    AmazonKeyManagementServiceClient kmsClient = new AmazonKeyManagementServiceClient(awsKeyForKMS, awsSecretKeyForKMS, kmsConfig);
    GenerateDataKeyRequest dataKeyReq = new GenerateDataKeyRequest();
    dataKeyReq.KeyId = keyARNForKMS;
    dataKeyReq.KeySpec = DataKeySpec.AES_256; // length of the data encryption key: AES_256 generates a 256-bit symmetric key
    GenerateDataKeyResponse dataKeyResponse = kmsClient.GenerateDataKey(dataKeyReq);

    // read encrypted data key from memory
    MemoryStream streamCipherText = dataKeyResponse.CiphertextBlob;
    // save this key together with the encrypted data: with it you can get
    // the plain data key back from KMS and decrypt the data
    encryptedDataKey = Convert.ToBase64String(streamCipherText.ToArray());

    // read plain data key from memory
    MemoryStream streamPlainText = dataKeyResponse.Plaintext;
    // use this key to encrypt your data and then forget this key
    plainDataKey = Convert.ToBase64String(streamPlainText.ToArray());

    // your encryption logic (Encryption / EncryptTextForKms are the answerer's own helper, not part of the SDK)
    Encryption encrypt = new Encryption();
    encrypt.EncryptTextForKms(plainDataKey, "data to be encrypted");
}