Reputation: 5115
In the following documentation, AWS refers to a concept called key material.
AWS KMS Documentation: Using a custom key store
AWS KMS supports custom key stores backed by AWS CloudHSM clusters. When you create an AWS KMS customer master key (CMK) in a custom key store, AWS KMS generates and stores non-extractable key material for the CMK in an AWS CloudHSM cluster that you own and manage.
Taking an asymmetric encryption key pair in KMS as an example: what is key material? What is a CMK? What's the difference between a CMK and key material?
Upvotes: 1
Views: 5908
Reputation:
AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term.
Upvotes: 1
Reputation: 5115
CMK is the logical container, which contains:
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
Upvotes: 0
Reputation: 238051
For an asymmetric key, the "key material" would be your private key. You could generate it yourself using the AWS CloudHSM Dynamic Engine if you were using your own CloudHSM cluster at AWS, not the AWS-owned cluster used for KMS.
Since you are using KMS, you have no direct access to the private key as it is "non-extractable".
A customer master key (CMK) is an AWS resource allowing you to manage and indirectly use the key material (i.e. the private key for an asymmetric key). So because you can't directly see or operate on your private key, you use the CMK resource to use it. Since a CMK is a resource, it provides a lot of additional functionality built around the key material, such as:
Upvotes: 4
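The distinction drawn in the answer above, shown with boto3 as an added example that is not part of the original posts: `describe_key` returns the KMS key resource, `get_public_key` returns the only downloadable part of the key material, and `sign` uses the private key without exposing it. The function names are hypothetical, and the script assumes boto3, configured AWS credentials and the ID of an existing RSA signing key passed as the first argument.

```python
# Added example (not from the posts above). Function names are hypothetical;
# the boto3 KMS calls used are describe_key, get_public_key and sign.

# Where the key material behind a KMS key lives, by KeyMetadata["Origin"].
ORIGINS = {
    "AWS_KMS": "generated by KMS in its own key store",
    "EXTERNAL": "imported by the customer",
    "AWS_CLOUDHSM": "generated in the CloudHSM cluster of a custom key store",
    "EXTERNAL_KEY_STORE": "held in an external key manager outside AWS",
}

def key_resource(kms, key_id):
    """Resource side: metadata of the KMS key (CMK). No key material in it."""
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    fields = ("KeyId", "Arn", "KeySpec", "KeyUsage", "KeyState", "Origin")
    info = {f: meta.get(f) for f in fields}
    info["MaterialLocation"] = ORIGINS.get(meta.get("Origin"), "unknown")
    return info

def public_half(kms, key_id):
    """Only the public key (DER bytes) of an asymmetric key can be downloaded."""
    return kms.get_public_key(KeyId=key_id)["PublicKey"]

def sign(kms, key_id, message, algorithm="RSASSA_PKCS1_V1_5_SHA_256"):
    """Private-key use is indirect: KMS signs and returns only the signature."""
    resp = kms.sign(KeyId=key_id, Message=message,
                    MessageType="RAW", SigningAlgorithm=algorithm)
    return resp["Signature"]

def summarize(kms, key_id, message=b"constructed sample message"):
    """Collect everything a caller can obtain for one asymmetric signing key."""
    return {
        "resource": key_resource(kms, key_id),
        "public_key_len": len(public_half(kms, key_id)),
        "signature_len": len(sign(kms, key_id, message)),
        "private_key": None,  # KMS has no API that exports a KMS key's private key
    }

if __name__ == "__main__":
    import sys
    import boto3  # assumption: boto3 installed and AWS credentials configured
    # Assumption: argv[1] is the ID or ARN of an existing RSA SIGN_VERIFY key.
    print(summarize(boto3.client("kms"), sys.argv[1]))
```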