
I realised that AWS now offers Asymmetric Keys in KMS in a few regions. The question I have is that, as per this page (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html), there is a limit on the size of data that can be encrypted using a public key (it is hardly 470 bytes). Is my understanding right?

My plan was to create a public key / private key pair in KMS, then share the public key with my source, which happens to be a different company. When I receive the encrypted file from them, my plan was to use the private key to decrypt the file!

It seems that if the length KMS supports is 470 bytes, I cannot use the asymmetric key feature provided by AWS!

Thanks, Ryandam


1 Answers


there is a limit on the size of data that can be encrypted using a public key (it is hardly 470 bytes). Is my understanding right?

Indeed. Asymmetric keys (RSA) are not intended for encrypting the content itself (it is very performance-intensive and slow). You should use PKI along with hybrid encryption.

It is not a limit of AWS KMS; it is a limit of secure RSA usage.

The idea is: you may encrypt content as long as you want with a random symmetric key (data encryption key) and encrypt the symmetric key using your generated public key. This encrypted key needs to be sent along with the ciphertext. Symmetric keys commonly have a length of 128 or 256 bits.

Please note the KMS doc on importing keys (importing-keys): you may create a key pair in KMS, but not import it. This way the private key never leaves KMS.
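The hybrid (envelope) scheme the answer describes, as an added worked example that is not part of the original answer and does not call AWS: the sender encrypts the file of any length under a fresh AES-256-GCM data encryption key, wraps only that 32-byte key with the recipient's RSA public key using OAEP (SHA-256), and ships both. The 470-byte figure from the question is also reproduced from the RSAES-OAEP formula (modulus bytes minus twice the hash length minus 2: a 4096-bit key with SHA-1 gives 512 - 40 - 2 = 470). The assumptions are mine: the key pair is generated locally as a stand-in for the KMS asymmetric key, and `Open` performs the private-key operation in process where a real recipient would instead call `kms:Decrypt` with `EncryptionAlgorithm` set to `RSAES_OAEP_SHA_256`; the `Envelope` type, the function names and the sample file contents are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the sender transmits: the RSA-OAEP-wrapped data key,
// the AES-GCM nonce and the AES-GCM ciphertext (16-byte tag appended).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// OAEPLimit is the largest plaintext RSAES-OAEP can encrypt for a modulus of
// modulusBytes and a hash of hashLen bytes (PKCS#1 v2.2: k - 2*hLen - 2).
// 4096-bit RSA with SHA-1: 512 - 40 - 2 = 470 bytes, the figure in the question.
func OAEPLimit(modulusBytes, hashLen int) int {
	return modulusBytes - 2*hashLen - 2
}

// Seal is the sender's side (the partner company). It needs only the public key.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32) // fresh 256-bit data encryption key for this file only
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil) // file body of any length under AES-256-GCM
	// Only the 32-byte DEK goes under RSA, so the OAEP limit is never reached.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the recipient's side. Assumption: a local private key stands in for
// the KMS key; in production this first step is kms:Decrypt (RSAES_OAEP_SHA_256)
// and the private key never leaves KMS.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// GCM checks the tag, so a tampered ciphertext errors instead of yielding garbage.
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// DirectRSAFails reports whether RSA-OAEP refuses data as too long for the key,
// which is what happens when a whole file is handed to the public key directly.
func DirectRSAFails(pub *rsa.PublicKey, data []byte) bool {
	_, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data, nil)
	return errors.Is(err, rsa.ErrMessageTooLong)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the KMS key pair
	if err != nil {
		panic(err)
	}
	file := bytes.Repeat([]byte("constructed sample file contents\n"), 4096) // ~128 KiB
	fmt.Println("direct RSA-OAEP of the file rejected:", DirectRSAFails(&priv.PublicKey, file))
	env, err := Seal(&priv.PublicKey, file)
	if err != nil {
		panic(err)
	}
	got, err := Open(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", bytes.Equal(got, file), "wrapped DEK bytes:", len(env.WrappedKey))
}
```

The wrapped key is always exactly one modulus in size (256 bytes for a 2048-bit key) regardless of how large the file is, which is why the RSA limit stops mattering; KMS only ever sees that one short blob on the `Decrypt` call, never the file.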