Is it possible to provide asymmetric keys as your own keys (BYOK) to a cloud KMS (key management service) for any cloud providers?

Question

I want to encrypt storage/volumes using customer supplied keys. I have seen examples where symmetric customer keys can be imported and used to encrypt volumes for example in case of EBS volumes in AWS. But no examples where customers can supply asymmetric keys such that public key resides in cloud kms and private keys are held only by the customers. Is it possible to import your own keys into a cloud KMS by providing asymmetric keys?

Answer 1

You can "bring your own key" to Google Cloud KMS by importing symmetric or private asymmetric keys: the documentation is here - https://cloud.google.com/kms/docs/key-import. AWS has a similar feature for symmetric keys only, the documentation is here - https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html.

However, in both these situations the KMS holds a private key, whether symmetric or asymmetric, so that you can do secure operations inside the KMS. When you want to keep the private key and only send a public key to the KMS, I'm uncertain of what architecture you want.

If you want to retain private control over key material, GCP supports it through the "External Key Manager", which allows you to "hold your own key". Docs are here: https://cloud.google.com/kms/docs/ekm. As far as I know, Amazon has no equivalent.

Disclosure: I work at Google Cloud on key management solutions, including KMS and EKM.