Is the Customer Master Key just a shell that contains the key material or is it a key itself?
It’s the former. A CMK is the logical container of the key material, among other things. CMKs also contain other info like IDs (ARNs), creation date, state, etc. The key material is what’s used to encrypt and decrypt data.
Hi, thanks for the question!
I guess when you create a CMK without key material and then import your own key material, the CMK that you created was a shell…
Without any key material the CMK cannot encrypt.
But by default, when you create a CMK, AWS will create key material for you at the same time, and when AWS rotates your keys it will just change the key material (also known as the backing key), with the CMK ID remaining the same.
Hope that helps!
A CMK is a key that is used to encrypt other keys.
For example, if you are using S3 SSE-KMS, the CMK is not actually used to encrypt S3 objects. Rather, for each object being encrypted, S3 will ask KMS for a new data encryption key (DEK), along with a copy of the DEK that is encrypted by the CMK. S3 will encrypt the object with the DEK, then delete the DEK from memory and store a copy of the encrypted DEK with the object’s metadata.
The decryption process reverses this: S3 sends the encrypted DEK that is associated with an object to KMS, which then decrypts it using the CMK and sends it back to S3. S3 decrypts the object using this unencrypted DEK, then deletes it from memory.
This means that the CMK never leaves KMS, and KMS does not need to store DEKs. It also means a compromise of a DEK does not compromise the CMK. It is known as envelope encryption:
Summary of how SSE-KMS works:
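The two answers above describe the same two properties from different angles: the CMK is a stable container whose backing key material can be rotated without changing its ID, and data is protected by envelope encryption in which per-object DEKs are wrapped by the CMK and the CMK itself never leaves KMS. The following Python model, added here as an illustration and not code from AWS or from any of the posters, puts both points in one runnable file. `MockKMS`, `MockS3`, the ARN string and the metadata key names are assumptions; the real service uses AES-256-GCM inside HSMs, and the stdlib HMAC-based toy cipher here is only a stand-in so the example runs offline with no dependencies.

```python
# Toy model of KMS envelope encryption and CMK rotation (added example, not AWS code).
# The cipher below is a constructed stand-in for AES-GCM: HMAC-SHA256 keystream plus an
# HMAC tag (encrypt-then-MAC). Do not reuse it as a real cipher; it exists so the file
# runs with the standard library only.
import hashlib
import hmac
import os
import struct


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one DEK/backing key.
    return hashlib.sha256(key + purpose).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


class MockKMS:
    """The CMK as a container: a fixed key ID plus versioned backing key material."""

    def __init__(self, key_id: str):
        self.key_id = key_id              # ARN-like ID; stays the same across rotations
        self._backing = [os.urandom(32)]  # backing keys never leave this object

    def rotate(self) -> None:
        # New backing key for future wraps; old versions kept so old ciphertexts still decrypt.
        self._backing.append(os.urandom(32))

    def current_version(self) -> int:
        return len(self._backing) - 1

    def generate_data_key(self):
        """Return (plaintext DEK, DEK wrapped under the current backing key), like GenerateDataKey."""
        dek = os.urandom(32)
        version = self.current_version()
        wrapped = struct.pack(">I", version) + toy_encrypt(self._backing[version], dek)
        return dek, wrapped

    def decrypt(self, wrapped: bytes) -> bytes:
        """Unwrap a DEK using whichever backing key version wrapped it, like Decrypt."""
        version = struct.unpack(">I", wrapped[:4])[0]
        return toy_decrypt(self._backing[version], wrapped[4:])


class MockS3:
    """Stores ciphertext plus the wrapped DEK in metadata; never keeps a plaintext DEK."""

    def __init__(self, kms: MockKMS):
        self.kms = kms
        self.objects = {}  # object key -> (ciphertext, metadata dict)

    def put_object(self, key: str, data: bytes) -> None:
        dek, wrapped = self.kms.generate_data_key()
        ciphertext = toy_encrypt(dek, data)
        del dek  # plaintext DEK discarded; only the wrapped copy is stored
        self.objects[key] = (ciphertext, {"x-amz-wrapped-dek": wrapped, "kms-key-id": self.kms.key_id})

    def get_object(self, key: str) -> bytes:
        ciphertext, meta = self.objects[key]
        dek = self.kms.decrypt(meta["x-amz-wrapped-dek"])
        return toy_decrypt(dek, ciphertext)


def demo() -> dict:
    kms = MockKMS("arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID")  # placeholder ARN
    s3 = MockS3(kms)
    s3.put_object("before", b"object written before rotation")
    kms.rotate()
    s3.put_object("after", b"object written after rotation")
    meta_before, meta_after = s3.objects["before"][1], s3.objects["after"][1]
    # A leaked DEK only opens its own object: try the "before" DEK on the "after" ciphertext.
    leaked_dek = kms.decrypt(meta_before["x-amz-wrapped-dek"])
    try:
        toy_decrypt(leaked_dek, s3.objects["after"][0])
        dek_is_per_object = False
    except ValueError:
        dek_is_per_object = True
    return {
        "before": s3.get_object("before"),
        "after": s3.get_object("after"),
        "key_id_unchanged": meta_before["kms-key-id"] == meta_after["kms-key-id"],
        "version_before": struct.unpack(">I", meta_before["x-amz-wrapped-dek"][:4])[0],
        "version_after": struct.unpack(">I", meta_after["x-amz-wrapped-dek"][:4])[0],
        "dek_is_per_object": dek_is_per_object,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the object written before rotation still decrypts (its wrapped DEK records backing-key version 0), the object written afterwards is wrapped under version 1, and both carry the same key ID. The `MockKMS` class never returns a backing key, only wrapped or unwrapped DEKs, which is the property the answer describes as "the CMK never leaves KMS".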