When creating a key-signing key (KSK) in Route 53, you need to create a customer managed customer master key (CMK) (see "Using customer managed CMKs for DNSSEC"):

The customer managed CMK must be an asymmetric CMK with the ECC_NIST_P256 key spec.

When trying to create the CMK, I get "KeySpec ECC_NIST_P256 is not supported":

aws kms create-key --region us-east-1 --origin EXTERNAL --customer-master-key-spec ECC_NIST_P256 \
    --key-usage SIGN_VERIFY


An error occurred (ValidationException) when calling the CreateKey operation: KeySpec ECC_NIST_P256 is not supported for Origin EXTERNAL

How do you create the CMK key in order to create the KSK?

2 Answers

The namespaces need to be added from the NuGet package:

using System;
using System.IO;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;

**1) Encryption :-**
// serviceEndPoint, awsKeyForKMS, awsSecretKeyForKMS and keyARNForKMS are your own configuration values
AmazonKeyManagementServiceConfig kmsConfig = new AmazonKeyManagementServiceConfig();
// UseHttp = true sends requests over plain HTTP instead of HTTPS; only appropriate for a local/test endpoint
kmsConfig.UseHttp = true;
kmsConfig.ServiceURL = serviceEndPoint;
// create client, specify Region end point or kms config
AmazonKeyManagementServiceClient kmsClient = new AmazonKeyManagementServiceClient(awsKeyForKMS, awsSecretKeyForKMS, kmsConfig);
GenerateDataKeyRequest dataKeyReq = new GenerateDataKeyRequest();
dataKeyReq.KeyId = keyARNForKMS;
dataKeyReq.KeySpec = DataKeySpec.AES_256; // The length of the data encryption key. AES_256 generates a 256-bit symmetric key.
GenerateDataKeyResponse dataKeyResponse = kmsClient.GenerateDataKey(dataKeyReq);
// read the encrypted data key from memory
MemoryStream streamCipherText = dataKeyResponse.CiphertextBlob;
// you need to save this key together with the encrypted data, because with it
// you can decrypt the data (KMS gives you back the plain data key)
string encryptedDataKey = Convert.ToBase64String(streamCipherText.ToArray());

// read the plain data key from memory
MemoryStream streamPlainText = dataKeyResponse.Plaintext;
// use this key to encrypt your data and then forget this key
string plainDataKey = Convert.ToBase64String(streamPlainText.ToArray());
// your encryption logic (Encryption is your own class)
Encryption encrypt = new Encryption();
encrypt.EncryptTextForKms(plainDataKey, "data to be encrypted");
answered 2021-03-26T19:28:03.423

KMS does not support importing asymmetric CMKs:

Imported key material is supported only for symmetric CMKs in AWS KMS key stores. It is not supported for asymmetric CMKs or for CMKs in custom key stores.

You must use AWS-provided key material via --origin AWS_KMS. Perhaps you could also use AWS_CLOUDHSM, but that may be expensive.

answered 2021-03-26T11:09:02.977
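As an added example that is not part of either answer, the script below does what the second answer describes end to end: it creates the ECC_NIST_P256 signing key with KMS-generated material (origin AWS_KMS, the default) in us-east-1, which is the region Route 53 DNSSEC requires the key to be in, attaches the key policy Route 53's DNSSEC service principal needs, and then registers the key as a KSK on a hosted zone. The account id 111122223333, the hosted zone id and the KSK name are placeholders; `check_create_key_args` is a local re-statement of the KMS rule behind the error in the question, not an API call; the `aws:SourceAccount` / `aws:SourceArn` conditions on the service-principal statement are taken from the Route 53 DNSSEC key-policy documentation and should be checked against the current docs before use.

```shell
#!/bin/sh
# Added example (not from the original post): create the KMS key for a Route 53
# KSK the way KMS allows it, i.e. with KMS-generated key material (origin
# AWS_KMS), then hand it to Route 53. Account id, hosted zone id and KSK name
# are placeholders that you must replace.
set -eu

# Mirrors the KMS rule the error message in the question enforces: imported
# (EXTERNAL) key material is only accepted for symmetric keys, so an asymmetric
# spec such as ECC_NIST_P256 must use the default origin AWS_KMS. Returns 1 on
# an invalid combination so the script fails before it ever calls the API.
check_create_key_args() {
  origin="$1"; spec="$2"
  if [ "$origin" = "EXTERNAL" ] && [ "$spec" != "SYMMETRIC_DEFAULT" ]; then
    echo "KeySpec $spec is not supported for Origin $origin; use --origin AWS_KMS" >&2
    return 1
  fi
  return 0
}

# Key policy Route 53 needs on the KSK key: the account root keeps key
# administration, the DNSSEC service principal may read the public key and
# sign, and may create grants only for AWS resources. The Source* conditions
# (assumed from the Route 53 docs) limit the service principal to hosted zones
# in this account.
dnssec_key_policy() {
  account_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow Route 53 DNSSEC Service",
      "Effect": "Allow",
      "Principal": { "Service": "dnssec-route53.amazonaws.com" },
      "Action": [ "kms:DescribeKey", "kms:GetPublicKey", "kms:Sign" ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "${account_id}" },
        "ArnLike": { "aws:SourceArn": "arn:aws:route53:::hostedzone/*" }
      }
    },
    {
      "Sid": "Allow Route 53 DNSSEC Service to CreateGrant",
      "Effect": "Allow",
      "Principal": { "Service": "dnssec-route53.amazonaws.com" },
      "Action": "kms:CreateGrant",
      "Resource": "*",
      "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } }
    }
  ]
}
EOF
}

# Creates the key and the KSK. Route 53 DNSSEC requires the key to live in
# us-east-1 regardless of where the hosted zone is used.
create_dnssec_ksk() {
  account_id="$1"; hosted_zone_id="$2"; ksk_name="$3"
  check_create_key_args AWS_KMS ECC_NIST_P256
  key_arn=$(aws kms create-key --region us-east-1 \
      --origin AWS_KMS \
      --customer-master-key-spec ECC_NIST_P256 \
      --key-usage SIGN_VERIFY \
      --description "Route 53 DNSSEC KSK for $hosted_zone_id" \
      --policy "$(dnssec_key_policy "$account_id")" \
      --query KeyMetadata.Arn --output text)
  aws route53 create-key-signing-key \
      --hosted-zone-id "$hosted_zone_id" \
      --key-management-service-arn "$key_arn" \
      --name "$ksk_name" --status ACTIVE \
      --caller-reference "ksk-$(date +%s)"
  aws route53 enable-hosted-zone-dnssec --hosted-zone-id "$hosted_zone_id"
  echo "$key_arn"
}

# Only touch AWS when explicitly asked; the functions above are usable alone.
if [ "${1:-}" = "--apply" ]; then
  create_dnssec_ksk "$2" "$3" "$4"
fi
```

Run it as `sh create-ksk.sh --apply 111122223333 Z0123456789EXAMPLE ksk1` with credentials that can call `kms:CreateKey` and `route53:CreateKeySigningKey`. After `enable-hosted-zone-dnssec` you still have to publish the DS record at the parent zone; that step is not automated here because it depends on the registrar.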