AWS BYOK Process

This section describes the workflow that occurs in the KeyControl Vault for Cloud Keys when you use BYOK for AWS.

  1. A Cloud Key is created with key material in the KeyControl Vault for Cloud Keys. If an HSM is configured, the key is generated on the HSM and wrapped with a root key held there.

  2. A customer master key (CMK) is created in the AWS Key Management Service (KMS) that has no key material associated.

  3. The RSA-2048 wrapping public key and the import token are downloaded from the AWS KMS.

  4. The RSA-2048 wrapping public key and the import token are imported into the KeyControl Vault for Cloud Keys.

  5. The imported wrapping key is used to rewrap the symmetric key. If an HSM is configured, the wrapping is performed inside the HSM.

  6. The symmetric key is imported into the AWS KMS using the import token from Step 3.
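The AWS-side half of steps 2 through 6, as an added example that is not KeyControl's own code: it assumes boto3 and the `cryptography` package are installed, and takes the KMS client as a parameter so the exchange can be exercised against a stub. The wrap in `wrap_key_material` is the operation KeyControl (or its HSM) performs in step 5.

```python
"""AWS BYOK import flow: create an external-origin CMK, fetch the wrapping
key and import token, wrap the key material, import it."""
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding

# RSA-OAEP with SHA-256 is one of the wrapping algorithms KMS accepts for an
# RSA-2048 wrapping key; a symmetric CMK expects 256 bits of key material.
WRAPPING_ALGORITHM = "RSAES_OAEP_SHA_256"
WRAPPING_KEY_SPEC = "RSA_2048"
KEY_MATERIAL_BYTES = 32


def wrap_key_material(wrapping_public_key_der: bytes, key_material: bytes) -> bytes:
    """Step 5: wrap the symmetric key under the KMS-supplied RSA public key.

    KMS returns the wrapping key as DER (SubjectPublicKeyInfo). The OAEP
    parameters must match the WrappingAlgorithm requested in step 3, or the
    import in step 6 is rejected.
    """
    if len(key_material) != KEY_MATERIAL_BYTES:
        raise ValueError("key material must be 32 bytes for a symmetric CMK")
    public_key = serialization.load_der_public_key(wrapping_public_key_der)
    oaep = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
    return public_key.encrypt(key_material, oaep)


def byok_import(kms, key_material: bytes, description: str = "KeyControl BYOK key") -> str:
    """Steps 2-6 against the KMS API; returns the KeyId of the populated CMK."""
    # Step 2: create a CMK with no key material (Origin=EXTERNAL).
    key_id = kms.create_key(Origin="EXTERNAL", Description=description)["KeyMetadata"]["KeyId"]
    # Step 3: fetch the wrapping public key and the import token. The token
    # expires after 24 hours, so step 6 must complete within that window.
    params = kms.get_parameters_for_import(
        KeyId=key_id, WrappingAlgorithm=WRAPPING_ALGORITHM, WrappingKeySpec=WRAPPING_KEY_SPEC
    )
    # Steps 4-5: wrap the key material with the downloaded public key.
    wrapped = wrap_key_material(params["PublicKey"], key_material)
    # Step 6: import, binding the wrapped material to the token from step 3.
    kms.import_key_material(
        KeyId=key_id,
        ImportToken=params["ImportToken"],
        EncryptedKeyMaterial=wrapped,
        ExpirationModel="KEY_MATERIAL_DOES_NOT_EXPIRE",
    )
    return key_id


if __name__ == "__main__":
    import boto3  # assumption: credentials and region come from the environment
    # A locally generated value stands in for the KeyControl/HSM-generated key.
    print(byok_import(boto3.client("kms"), os.urandom(KEY_MATERIAL_BYTES)))
```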