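When creating a key-signing key (KSK) in Route 53, you need to create a customer managed customer master key (Working with customer managed CMKs for DNSSEC).
The customer managed CMK must be an asymmetric CMK with the ECC_NIST_P256 key spec.
When trying to create the CMK, I get "KeySpec ECC_NIST_P256 is not supported":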
```
aws kms create-key --region us-east-1 --origin EXTERNAL --customer-master-key-spec ECC_NIST_P256 \
  --key-usage SIGN_VERIFY
An error occurred (ValidationException) when calling the CreateKey operation: KeySpec ECC_NIST_P256 is not supported for Origin EXTERNAL
```
How can I create a CMK in order to create the KSK?
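Posted on 2021-03-26 11:09:02
KMS does not support importing asymmetric CMKs:
It is supported only for symmetric CMKs in AWS key stores. It is not supported on asymmetric CMKs or CMKs in custom key stores.
You must use AWS-provided key material via --origin AWS_KMS. Maybe you can also use AWS_CLOUDHSM, but that can be expensive.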
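The call from the question with the origin changed as this answer suggests, plus a check that the resulting key has the spec and usage the question says a KSK needs. This is an added example, not code from the original posts; the function names, the `DRY_RUN` switch and the `describe-key` query are assumptions.

```shell
# Added example, not from the original posts. Function names and DRY_RUN are
# hypothetical; the create-key flags and values are the ones used on this page.

# Creates the asymmetric signing key with AWS-generated key material
# (--origin AWS_KMS) instead of imported material (--origin EXTERNAL).
# DRY_RUN=1 (the default) prints the command instead of calling AWS.
create_ksk_key() {
  set -- aws kms create-key --region us-east-1 --origin AWS_KMS \
    --customer-master-key-spec ECC_NIST_P256 --key-usage SIGN_VERIFY
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Checks a "KeySpec KeyUsage" pair (whitespace or tab separated), e.g. from:
#   aws kms describe-key --key-id <key-id> --region us-east-1 \
#     --query 'KeyMetadata.[KeySpec,KeyUsage]' --output text
# Returns 0 only for the combination the question names for a KSK.
ksk_key_ok() {
  local spec usage
  read -r spec usage <<EOF
$1
EOF
  if [ "$spec" != "ECC_NIST_P256" ] || [ "$usage" != "SIGN_VERIFY" ]; then
    echo "not usable for a KSK: KeySpec=$spec KeyUsage=$usage" >&2
    return 1
  fi
  return 0
}
```

Run `DRY_RUN=0 create_ksk_key` to make the real call, then pass the `describe-key` output for the new key to `ksk_key_ok`.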
Posted on 2021-03-26 19:28:03
Namespaces need to be added from the NuGet package:
```csharp
using System;
using System.IO;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;
```
**1) Encryption :-**
```csharp
AmazonKeyManagementServiceConfig kmsConfig = new AmazonKeyManagementServiceConfig();
kmsConfig.UseHttp = true;
kmsConfig.ServiceURL = serviceEndPoint;
// create client, specify Region end point or kms config
AmazonKeyManagementServiceClient kmsClient = new AmazonKeyManagementServiceClient(awsKeyForKMS, awsSecretKeyForKMS, kmsConfig);
GenerateDataKeyRequest dataKeyReq = new GenerateDataKeyRequest();
dataKeyReq.KeyId = keyARNForKMS;
// The length of the data encryption key. AES_256 to generate a 256-bit symmetric key.
dataKeyReq.KeySpec = DataKeySpec.AES_256;
GenerateDataKeyResponse dataKeyResponse = kmsClient.GenerateDataKey(dataKeyReq);
// read encrypted data key from memory
MemoryStream streamCipherText = dataKeyResponse.CiphertextBlob;
// need to save this key with the encrypted data, because with the help of it
// you can decrypt the data (you get the plain data key)
encryptedDataKey = Convert.ToBase64String(streamCipherText.ToArray());
// read plain data key from memory
MemoryStream streamPlainText = dataKeyResponse.Plaintext;
// use this key to encrypt your data and then forget this key
plainDataKey = Convert.ToBase64String(streamPlainText.ToArray());
// your encryption logic (Encryption is the poster's own helper class, not shown here)
Encryption encrypt = new Encryption();
encrypt.EncryptTextForKms(plainDataKey, "data to be encrypted");
```
https://stackoverflow.com/questions/66815221