
I am using AWS KMS (Key Management Service) programmatically using Python3 and Boto3. I have created an asymmetric key pair (public and private) in KMS itself. Now, is there a way to save the public and private key files that were created in KMS locally onto the disk?

Here is my code:

import boto3
import base64


def get_keys_from_kms(key_id):
    client = boto3.client('kms')
    response = client.get_public_key(KeyId=key_id)
    # response['PublicKey'] is raw DER bytes; base64-encode them to get text
    pub_key_dec = base64.b64encode(response['PublicKey']).decode()
    return pub_key_dec

Now my question is how I can save the content of pub_key_dec to a file and convert it to PEM format. Similarly, is there a way I can download the private key as well? I hope my question is clear.

Aniket Maithani

2 Answers


The only way to get access to the key material for a private key in AWS KMS is if you generated the key and uploaded it to AWS to a customer managed CMK. However, you can only do so for symmetric encryption keys, not asymmetric keys. What you ask is unavailable. However, what you likely want to do is restrict access to kms:Decrypt operations to users/principals through KMS key policies and/or IAM policies.

https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html

Foghorn
  • Not true - you can get the public key but NOT the private key. I think OP was asking how to convert the DER-encoded X.509 public key you get from https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms/client/get_public_key.html into bytes / PEM recognized by Python's cryptography package. (That is how I ended up here at least) – tofarr Mar 03 '23 at 20:18
  • @tofarr I am genuinely confused as to your comment. You start out by saying 'Not true', and then immediately agree with what I stated. I said "The only way to get access to the key material for a private key in AWS KMS is if you generated the key and uploaded it to AWS to a customer managed CMK." You said "you can get the public key but NOT the private key". We are saying the same thing, but somehow you think what I said is "Not true"??? – Foghorn Mar 04 '23 at 21:13

Just to clarify: AWS KMS allows you to export the PUBLIC key - but NOT the private key. This makes the most sense in sign / verify situations, as it allows you to expose the public key so anybody can verify the signature. The key returned is a DER-encoded X.509 public key.

Docs: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms/client/get_public_key.html

In order to sign, you will still need to use the sign function: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms/client/sign.html

Exporting:

import boto3
from cryptography.hazmat.primitives import serialization as crypto_serialization

# Load key: KMS returns the public key as DER-encoded SubjectPublicKeyInfo bytes
kms = boto3.client('kms')
response = kms.get_public_key(KeyId='myKeyIdOrAlias')
public_key = crypto_serialization.load_der_public_key(response['PublicKey'])

# ...Use key for verifying signatures - my usage was with pyjwt
tofarr
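Added example (not code from the question or either answer): it turns the DER public key that get_public_key() returns into a PEM file on disk, which is what the question asked for, and then verifies a kms.sign() signature with nothing but that exported key. FakeKms, the alias alias/my-signing-key and the sample message are constructed stand-ins so the block runs without AWS credentials; pass a real boto3 KMS client to demo() to run it against KMS.

```python
import tempfile
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

SPKI = serialization.PublicFormat.SubjectPublicKeyInfo

def der_public_key_to_pem(der_bytes: bytes) -> bytes:
    """Convert the DER SubjectPublicKeyInfo that get_public_key() returns to PEM."""
    key = serialization.load_der_public_key(der_bytes)
    return key.public_bytes(serialization.Encoding.PEM, SPKI)

def save_kms_public_key(key_id: str, path: str, kms=None) -> bytes:
    """Fetch the public half of a KMS asymmetric key and write it to disk as PEM.
    The private half never leaves KMS; signing remains a kms.sign() call."""
    if kms is None:
        import boto3  # lazy import so the offline demo below needs no AWS access
        kms = boto3.client("kms")
    pem = der_public_key_to_pem(kms.get_public_key(KeyId=key_id)["PublicKey"])
    with open(path, "wb") as fh:
        fh.write(pem)
    return pem

def verify_with_pem(pem: bytes, message: bytes, signature: bytes) -> bool:
    """Verify a kms.sign() ECDSA_SHA_256 signature using only the exported key."""
    key = serialization.load_pem_public_key(pem)
    try:
        key.verify(signature, message, ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False

class FakeKms:
    """Constructed offline stand-in for boto3's KMS client (a local P-256 key)."""
    def __init__(self):
        self._private = ec.generate_private_key(ec.SECP256R1())

    def get_public_key(self, KeyId):
        der = self._private.public_key().public_bytes(serialization.Encoding.DER, SPKI)
        return {"KeyId": KeyId, "PublicKey": der}

    def sign(self, KeyId, Message, SigningAlgorithm="ECDSA_SHA_256"):
        return {"Signature": self._private.sign(Message, ec.ECDSA(hashes.SHA256()))}

def demo(kms=None) -> tuple:
    kms = kms or FakeKms()
    path = tempfile.mkdtemp() + "/kms_public.pem"  # constructed output location
    pem = save_kms_public_key("alias/my-signing-key", path, kms)
    msg = b"payload to sign"
    sig = kms.sign(KeyId="alias/my-signing-key", Message=msg)["Signature"]
    return verify_with_pem(pem, msg, sig), verify_with_pem(pem, msg + b"!", sig)
```

The PEM file holds only public material, so it is safe to distribute to verifiers; the signing key itself can only ever be used through the KMS sign API.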