Certified Security - Specialty

Sign Up Free or Log In to participate!

How you you reimport the same key material when ImportToken has expired?

Let’s say that your KMS/CMK with your key material expires (or you delete from console)- you’re supposed to be able to fix by reimporting the same key material


"Deleting key material affects the CMK right away, but you can reverse the deletion of key material by reimporting the same key material into the CMK."

But how do you do that since the ImportToken used to generate that key material only lasted 24 hours.  If you upload the same key material and import token, error

If you download a new ImportParameters.zip, then the key ID changes

I thought this was the process for a manual rotation when using your own key material

3 Answers

Hi Maureen,

1).  If you delete the key, you are out of luck as you permanently lost all access to your data.  You do not even have an option to reimport your key material as the key is gone (deleted). 

2).  If you delete your key MATERIAL, you can re-import the key material later.   I believe initially you must import the key material within 24 hour on initial key creation.   I am testing this within my lab and validate this answer in excess of 24 hours from now. 

AWS Documentation:  https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-delete-key-material.html

From AWS documentation:

"When you import key material, you have the option of specifying a time at which the key material expires. When the key material expires, AWS KMS deletes the key material and the customer master key (CMK) becomes unusable. You can also delete key material on demand. Whether you wait for the key material to expire or you delete it manually, the effect is the same. AWS KMS deletes the key material, the CMK’s key state changes to pending import, and the CMK is unusable. To use the CMK again, you must reimport the same key material.

Deleting key material affects the CMK right away, but you can reverse the deletion of key material by reimporting the same key material into the CMK. In contrast, scheduling key deletion for a CMK is irreversible. It deletes the key material and all metadata associated with the CMK, and requires a waiting period of between 7 and 30 days."

3).  I will also validate expired keys in excess of 24 hours from now ..   I set another key to expire about 12 hours from now.  I will validate this 24 hours from now and update this answer.

Maureen Chew

Thank you so much Trianr for the detailed answer and pointers! But we know that the import token is only valid for 24 hours so its a pretty sure bet that you can’t use it in 12 hours.. That’s what I had tried – I deleted the key material in my CMK to simulate an expired CMK(say 2 weeks after creation)… I still had the same key material file but the import failed because the 24hour token had expired. So, that’s the question – how do you update the key material in the case of expiration or want of manual rotation?


You should generate a new ImportToken and PublicKey to import the previous KeyMaterial. This will not alter the key-id or alias for the CMK. You may discard the previous ImportParameters.zip you used to initially upload the KeyMaterial into the CMK and download a new one using the console or the CLI.

This is how I did it using the AWS CLI:

# Download new ImportParameters  
aws kms get-parameters-for-import --key-id "1234b0c4-0000-0123-aaaa-123456789012" --wrapping-algorithm "RSAES_OAEP_SHA_1" --wrapping-key-spec RSA_2048  
# Copy and paste the PublicKey base64 string into a text file: PublicKey.b64  
# Copy and paste the ImportToken base64 string into a text file: ImportToken.b64  
# Convert the Base64 PublicKey and ImportToken to binary   
# (Windows)  
certutil -decode Publickey.b64 Publickey.bin  
certutil -decode ImportToken.b64 ImportToken.bin  
# (Linux)  
base64 -d Publickey.b64 > Publickey.bin  
base64 -d ImportToken.b64 > ImportToken.bin  
# Using openssl to encrypt the KeyMaterial  
openssl rsautl -encrypt -in PlaintextKeyMaterial.bin -oaep -inkey PublicKey.bin -keyform DER -pubin -out EncryptedKeyMaterial.bin  
# Importing the Encrypted Key Material back into the CMK  
aws kms import-key-material --key-id "1234b0c4-0000-0123-aaaa-123456789012" --encrypted-key-material fileb://EncryptedKeyMaterial.bin --import-token fileb://ImportToken.bin --expiration-model KEY_MATERIAL_EXPIRES --valid-to 2019-02-28T15:44:00-05:00

As long as you upload the same KeyMaterial you had previously into the same CMK, you should be able to decrypt your existing files/volumes.

Maureen Chew

Thank you Felipe! Got it to work! I thought I was using the original PlainTextKeyMaterial.bin but must have overwritten it in the many attempts to get it to work. I started over with a new CMK, imported fresh KM, deleted the KM, downloaded new ImportParameters, encrypted KM and imported

This command not working for me on my Windows  $ openssl rand -out PlaintextKeyMaterial.bin 32

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?