Certified Security - Specialty


CMK Data Key Pair with SSH on EC2?

It seems that KMS has support for generating data key pairs using the GenerateDataKeyPair API.

I assume SSH access is not what this key pair is intended to be used for. Would there be any valid reason not to though?

1 Answer

After reviewing the whitepages at:

ws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair.html

It does not appear that there would be any particular reason not to use this tool to generate private and public keys. In fact, this seems like a very good tool to use in a script for generating key pairs for new employees who need to connect to an EC2 instance that requires key pairs.

The following, provided in the whitepages that I’ve included in this answer, is what primarily influenced my conclusion:

Generates a unique asymmetric data key pair. The GenerateDataKeyPair operation returns a plaintext public key, a plaintext private key, and a copy of the private key that is encrypted under the symmetric CMK you specify. You can use the data key pair to perform asymmetric cryptography outside of AWS KMS.

GenerateDataKeyPair returns a unique data key pair for each request. The bytes in the keys are not related to the caller or the CMK that is used to encrypt the private key.

Hopefully this helps!
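As an added example (not part of the answer above and not AWS code), the Python below takes a GenerateDataKeyPair response in the dict shape boto3 returns and routes its three parts: the plaintext public key becomes an authorized_keys line for the instance, the plaintext private key becomes a PEM file handed to the new hire once, and only the CMK-encrypted private key is kept for escrow. It assumes an RSA_* KeyPairSpec, that PublicKey is a DER SubjectPublicKeyInfo and PrivateKeyPlaintext a DER PKCS#8 PrivateKeyInfo, and it stands in constructed sample bytes (not real key material) for the live KMS call.

```python
import base64
import textwrap

# OID 1.2.840.113549.1.1.1 (rsaEncryption) as encoded inside a SubjectPublicKeyInfo.
RSA_OID = bytes.fromhex("2a864886f70d010101")

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b  # SSH wire string: 4-byte length, then bytes

def spki_der_to_openssh(der, comment):
    """Turn the DER SubjectPublicKeyInfo from 'PublicKey' into an authorized_keys line."""
    tag, spki, _ = _read_tlv(der, 0)
    _, alg_id, pos = _read_tlv(spki, 0)
    _, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or oid != RSA_OID:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, bit_string, _ = _read_tlv(spki, pos)        # BIT STRING; first byte = unused-bit count
    _, rsa_key, _ = _read_tlv(bit_string[1:], 0)   # RSAPublicKey ::= SEQUENCE { n, e }
    _, n, pos = _read_tlv(rsa_key, 0)
    _, e, _ = _read_tlv(rsa_key, pos)
    # DER INTEGER and SSH mpint share the same minimal two's-complement encoding, so the
    # value bytes carry over unchanged: string "ssh-rsa", mpint e, mpint n.
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def split_data_key_pair(resp, comment):
    """Route a GenerateDataKeyPair response: public key to the instance, PEM private key
    to the user exactly once, and only the CMK-encrypted copy into storage (kms.decrypt recovers it)."""
    b64 = base64.b64encode(resp["PrivateKeyPlaintext"]).decode()
    pem = "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % "\n".join(textwrap.wrap(b64, 64))
    return {"authorized_key": spki_der_to_openssh(resp["PublicKey"], comment),
            "private_key_pem": pem,                                  # deliver, then discard
            "escrow_ciphertext": resp["PrivateKeyCiphertextBlob"]}  # safe to keep on disk or in S3

# Constructed sample, not a real key: the exact byte layout of an RSA_2048 SPKI (it starts
# 30 82 01 22 like a real one) with n = 2**2047 and e = 65537, exercising long-form lengths.
SAMPLE_SPKI_2048 = (bytes.fromhex("30820122300d06092a864886f70d01010105000382010f003082010a0282010100")
                    + b"\x80" + bytes(255) + bytes.fromhex("0203010001"))
# Constructed sample with a 7-byte modulus, small enough to check the output by hand.
SAMPLE_SPKI_SMALL = bytes.fromhex("3023300d06092a864886f70d0101010500031200300f020800c0ffee123456780203010001")
# Stand-in for boto3.client("kms").generate_data_key_pair(KeyId=..., KeyPairSpec="RSA_2048");
# the two private-key fields are placeholder bytes, not real key material.
SAMPLE_RESPONSE = {"PublicKey": SAMPLE_SPKI_2048, "PrivateKeyPlaintext": bytes(80),
                   "PrivateKeyCiphertextBlob": b"<ciphertext blob from KMS>"}
```

Because GenerateDataKeyPair returns the private key in plaintext, the script that runs it is the one place that material exists unencrypted, so it should write the PEM only to the recipient's channel and never log or persist it.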
