aws kms create-key --origin EXTERNAL
The result will be something like:
{
"KeyMetadata": {
"Origin": "EXTERNAL",
"KeyId": "external-key-id",
"Description": "",
"KeyManager": "CUSTOMER",
"Enabled": false,
"KeyUsage": "ENCRYPT_DECRYPT",
"KeyState": "PendingImport",
"CreationDate": 1538511755.698,
"Arn": "arn:aws:kms:eu-west-1::key/ca",
"AWSAccountId": "your-account-id"
}
}
aws kms get-parameters-for-import --key-id external-key-id --wrapping-algorithm RSAES_OAEP_SHA_1 --wrapping-key-spec RSA_2048
As a response, you will obtain a JSON file with the public key base64 encoded, key id and import token base64 encoded. Copy the public key, this is the value of "PublicKey" field in the JSON response, into a new file and name it, for example public-key.b64. You can use vim or nano or any other Linux text editor of your choice to create the file and paste the public key value copied. Do the same for the import token, this is the value from the "ImportToken" field in the JSON response, naming the file for example import-token.b64. You will finally have two files in your directory:
$ ls -l
total 0
-rw-r--r-- 1 juliovillane staff 0 Aug 19 20:54 import-token.b64
-rw-r--r-- 1 juliovillane staff 0 Aug 19 20:54 public-key.b64
We are ready to decode the b64 format. We will use the OpenSSL, issuing the following command that will produce a binary file with the same filename but extension .bin:
$ openssl enc -d -base64 -A -in public-key.b64 -out public-key.bin
We need to do the same for the import token:
$ openssl enc -d -base64 -A -in import-token.b64 -out import-token.bin
Generate the key with the OpenSSL library producing the b64, binary and hexadecimal formats:
$ openssl rand 32 -base64 -out generated-key.b64
$ openssl enc -d -base64 -A -in generated-key.b64 -out generated-key.bin
$ xxd -l 16 -p generated-key.bin > generated-key.hex
We now will wrap this key material with the public key obatined from AWS KMS before (pkey.bin):
$ openssl rsautl -encrypt -in generated-key.bin -oaep -inkey public-key.bin -keyform DER -pubin -out WrappedKeyMaterial.bin
$ aws kms import-key-material --key-id [your-key-id] --encrypted-key-material fileb://WrappedKeyMaterial.bin --import-token fileb://token.bin --expiration-model KEY_MATERIAL_EXPIRES --valid-to 2021-02-01T12:00:00-08:00
$ aws kms import-key-material --key-id [your-key-id] --encrypted-key-material fileb://WrappedKeyMaterial.bin --import-token fileb://token.bin --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
It's feasible to use the aws-cli to decrypt an encrypted value using:
$ aws kms decrypt --ciphertext-blob [the-encrypted-text] --key-id [your-key-id] --output text --query Plaintext | base64 --decode