Symmetric CMKs vs Asymmetric CMKs

Symmetric Customer Master Key

  • When you create a CMK in KMS, by default you get a symmetric CMK. (AWS has since renamed CMKs to "KMS keys" in the console and documentation; the behaviour described here is unchanged.)

  • A symmetric CMK represents a 256-bit AES-GCM encryption key that never leaves KMS unencrypted.

  • To use a symmetric CMK, you must call KMS (Encrypt, Decrypt, GenerateDataKey and so on). There is no API that returns the key material, so every operation under that key is authorized by the key policy and logged in CloudTrail.

  • Symmetric keys are used in symmetric encryption, where the same key is used for encryption and decryption.

  • Unless your task explicitly requires asymmetric encryption or digital signatures, a symmetric CMK is the right choice: the AWS services that integrate with KMS use symmetric CMKs, and only a symmetric CMK can generate data keys for envelope encryption.

Asymmetric Customer Master Key

  • An asymmetric CMK represents a mathematically related public key and private key pair, either RSA or elliptic-curve. Each asymmetric CMK is created for one purpose, encrypt/decrypt or sign/verify, and cannot be used for the other.

  • You can give the public key to anyone, even if they're not trusted, but the private key must be kept secret.

  • In an asymmetric CMK, the private key is created in AWS KMS and never leaves KMS unencrypted.

  • To use the private key (Decrypt or Sign), you must call KMS.

  • You can use the public key within KMS by calling the KMS API operations (Encrypt or Verify), or you can download it with GetPublicKey and use it outside of KMS. Operations performed outside KMS are not authorized by the key policy or recorded in CloudTrail, and you must use the same algorithm the CMK was created for, otherwise KMS will not be able to decrypt or verify the result.
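The two usage patterns above, as an added example that is not part of the original page or of any AWS SDK. Because the point is where the key material lives and which operations need a round trip to KMS, the example uses an in-memory stand-in (assumed here, named fakeKMS) with the same response shapes as the real API: a 256-bit AES-GCM key for the symmetric CMK, an ECC_NIST_P256 key pair for the asymmetric CMK, DER SubjectPublicKeyInfo from GetPublicKey and a DER ECDSA signature from Sign. With a symmetric CMK both encrypt and decrypt are KMS calls; with an asymmetric CMK the public key is downloaded once and verification then runs with no KMS call at all, while signing still has to go through the service. Sample plaintexts are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// fakeKMS is an in-memory stand-in for the KMS service (an assumption of this
// example, not AWS code). It models the key boundary: the AES key and the ECDSA
// private key exist only inside it and no method ever returns them. Sign takes
// a caller-supplied digest (MessageType=DIGEST, ECDSA_SHA_256) and returns a
// DER signature; Calls counts API round trips so each pattern's cost is visible.
type fakeKMS struct {
	aead  cipher.AEAD       // symmetric CMK: 256-bit AES-GCM key
	priv  *ecdsa.PrivateKey // asymmetric CMK: ECC_NIST_P256 key pair
	Calls int
}

func newFakeKMS() (*fakeKMS, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &fakeKMS{aead: aead, priv: priv}, nil
}

// Encrypt with the symmetric CMK: the key never leaves the service.
func (k *fakeKMS) Encrypt(plaintext []byte) ([]byte, error) {
	k.Calls++
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, k.aead.Seal(nil, nonce, plaintext, nil)...), nil // nonce||ct||tag
}

func (k *fakeKMS) Decrypt(blob []byte) ([]byte, error) {
	k.Calls++
	n := k.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return k.aead.Open(nil, blob[:n], blob[n:], nil) // fails on any tampering
}

// GetPublicKey is the one asymmetric operation whose output may leave KMS.
func (k *fakeKMS) GetPublicKey() ([]byte, error) {
	k.Calls++
	return x509.MarshalPKIXPublicKey(&k.priv.PublicKey)
}

// Sign uses the private half, which is only ever usable through the service.
func (k *fakeKMS) Sign(digest []byte) ([]byte, error) {
	k.Calls++
	return ecdsa.SignASN1(rand.Reader, k.priv, digest)
}

// SymmetricRoundTrip: both directions are KMS calls, since the caller holds no key.
func SymmetricRoundTrip(kms *fakeKMS, plaintext []byte) ([]byte, error) {
	blob, err := kms.Encrypt(plaintext)
	if err != nil {
		return nil, err
	}
	return kms.Decrypt(blob)
}

// SignInKMS hashes locally and sends only the digest to be signed.
func SignInKMS(kms *fakeKMS, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return kms.Sign(digest[:])
}

// VerifyOutsideKMS checks a signature with the downloaded public key and makes
// no KMS call; any party given the DER public key can run it offline.
func VerifyOutsideKMS(pubDER, message, sig []byte) (bool, error) {
	pub, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return false, err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("public key is not ECDSA")
	}
	digest := sha256.Sum256(message)
	return ecdsa.VerifyASN1(ecPub, digest[:], sig), nil
}
```

Against real KMS the same shape holds with the SDK's Encrypt/Decrypt, GetPublicKey and Sign calls; the only thing that changes is the client type. Note that VerifyOutsideKMS is exactly the step the page's last caveat is about: it is fast and needs no AWS credentials, but it is also invisible to the key policy and CloudTrail, so an application that needs an audit trail of verifications should call Verify in KMS instead.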
