Cloud key management
AWS BYOK
Create a customer-managed key in AWS KMS
1min
perform the following steps to create a customer managed key in aws kms the kms key you create has no key material because the {{k}} is ultimately the source of the key material log in to the aws management console go to the key management service select customer managed keys in the left side menu, then select the orange create key button in the upper right corner of the page configure the key by selecting the following choices option required configuration key type symmetric key material origin external the kms option also works, but it generates a key so that the {{k}} does not have the key material for this initial key the external option creates a placeholder key without key material, enabling the {{k}} to provide key material in later steps regionality single region key select \[ next ] to continue add the following labels option required configuration alias choose a nickname description optional tags optional select \[ next ] to continue define the following key administrative permissions option required configuration key administrators select your user account key deletion select the allow key administrators to delete this key checkbox select \[ next ] to continue define the following key usage permissions option required configuration this account select your user account other aws accounts optional select \[ next ] to continue review your configuration ensure the top three fields ( key configuration , alias and description , and tags ) are correct copy and paste the contents of key policy into a file and save it with the json extension you must copy this file or move it to the storage medium configured on your {{k3}} device select \[ finish ] when prompted to download a wrapping key and import token, select \[ cancel ] to skip that step on the main key management service (kms) page, make a copy of the generated key id (formatted as xxxxxxxx xxxx xxxx xxxx xxxxxxxxxxxx ) the aws properties tab requires this id (and the policy) when creating an hsm protected key group on the {{k}} in the next section