Overview

Important Notes

• Security

  You need to ensure that random sources meet your security requirements when using them to generate key material. When using the import key function, you need to be responsible for the security of your key material. Save the original backup of the key material so that the backup key material can be imported to the KMS in time when the key material is deleted accidentally.

• Availability and Durability

  Before importing the key material into KMS, you need to ensure the availability and durability of the key material.

  Differences between the imported key material and the key material generated by KMS are shown in Table 1.

  Table 1 Differences between the imported key material and the key material generated by KMS

  Key Material Source	Difference
  CMKs using the imported key material	You can delete the key material, but cannot delete the CMK and its metadata. When importing the key material, you can set the expiration time of the key material. After the key material expires, the KMS automatically deletes the key material within 24 hours, but does not delete the CMK and its metadata. It is recommended that you save a copy of the material on your local device because it may be used for re-import in cases of invalid key material or unintended deletion of key material.
  CMKs using KMS generated key material	The key material cannot be manually deleted. You cannot set the expiration time for key material.

• Association

  When a key material is imported to a CMK, the CMK is permanently associated with the key material. Other key material cannot be imported into the CMK.

• Uniqueness

  If you use the CMK created using the imported key material to encrypt data, the encrypted data can be decrypted only by the CMK that has been used to encrypt the data, because the metadata and key material of the CMK must be consistent.