AWS FSx: BYOK (Using Customer-managed keys)

Subash Banjade
2 min read · Jul 20, 2022

AWS FSx: Encryption

When creating the FSx file system, the default AWS KMS key is provided. To use a customer-managed key instead, first create the customer-managed key in AWS KMS and then provide the ARN of that key in the AWS FSx >> Create File System >> Encryption section.

Creating Customer Managed Key

  • Go to the AWS KMS console.
  • Select Customer Managed Keys >> Create Key.
  • In the Configure Key section, select Symmetric for the key type.
  • Under Advanced Options, select External for the key material origin.
  • Click Next, then add labels as required.
  • Define Key Administrative Permissions and Key Usage Permissions in the next sections.
  • Review and create the key.

Download Wrapping key and Import Token

  • Select the key created previously.
  • Select the Key material tab for the key, then download the wrapping key and the import token.

Generating a test key

Encrypt Key Material

  • Use the following command to generate a 256-bit symmetric key and save it in a file named PlaintextKeyMaterial.bin.
openssl rand -out PlaintextKeyMaterial.bin 32
  • Use the following command to encrypt the key material with the wrapping (public) key that you downloaded previously. The file name follows the pattern KMS assigns to the downloaded wrapping key:
openssl rsautl -encrypt \
-in PlaintextKeyMaterial.bin \
-oaep \
-inkey wrappingKey_KMS_key_ID_timestamp \
-keyform DER \
-pubin \
-out EncryptedKeyMaterial.bin

Import Key Material

  • In the Key material section, select Upload key material and then upload the EncryptedKeyMaterial.bin file (together with the import token downloaded earlier).
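The generate-and-wrap steps above, as an added example that is not part of the original post, rehearsed locally so the wrapped blob can be checked before anything is uploaded to KMS. It uses openssl pkeyutl (the replacement for the deprecated rsautl) and a throwaway RSA key pair as a stand-in for the KMS wrapping key; the stand-in key, the temporary directory and the file names are assumptions, since a real run uses only the DER public key downloaded from the console.

```shell
#!/bin/sh
# Added example: rehearse the BYOK wrap step offline. A throwaway RSA key pair
# stands in for the KMS wrapping key (assumption); with the real wrapping key
# there is no private half, so the unwrap check below is only possible locally.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the KMS wrapping key: KMS hands out only the public key as DER.
make_stand_in_wrapping_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/stand_in_private.pem" 2>/dev/null
  openssl pkey -in "$WORK/stand_in_private.pem" -pubout -outform DER \
    -out "$WORK/wrappingKey_STANDIN.der"
}

# Step 1 of the post: 32 random bytes, i.e. a 256-bit symmetric key.
generate_key_material() {
  openssl rand -out "$WORK/PlaintextKeyMaterial.bin" 32
}

# Step 2: RSAES-OAEP; pkeyutl's OAEP digest defaults to SHA-1, which is what
# the rsautl -oaep flag in the post also produces (RSAES_OAEP_SHA_1 wrapping).
wrap_key_material() {
  openssl pkeyutl -encrypt -pubin -keyform DER \
    -inkey "$WORK/wrappingKey_STANDIN.der" \
    -pkeyopt rsa_padding_mode:oaep \
    -in "$WORK/PlaintextKeyMaterial.bin" \
    -out "$WORK/EncryptedKeyMaterial.bin"
}

# Checks worth running before the upload: sizes and a local unwrap round trip.
key_material_size() { wc -c < "$WORK/PlaintextKeyMaterial.bin" | tr -d ' '; }
wrapped_size() { wc -c < "$WORK/EncryptedKeyMaterial.bin" | tr -d ' '; }
unwrap_round_trips() {
  openssl pkeyutl -decrypt -inkey "$WORK/stand_in_private.pem" \
    -pkeyopt rsa_padding_mode:oaep \
    -in "$WORK/EncryptedKeyMaterial.bin" -out "$WORK/roundtrip.bin"
  cmp -s "$WORK/PlaintextKeyMaterial.bin" "$WORK/roundtrip.bin"
}

make_stand_in_wrapping_key
generate_key_material
wrap_key_material
echo "key material: $(key_material_size) bytes, wrapped: $(wrapped_size) bytes"
```

A 2048-bit RSA wrapping key yields a 256-byte wrapped blob; a different size, or a failed round trip, means the padding mode or key format does not match what the console expects.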

Now, just copy the ARN of your key and paste it into the Encryption section while creating FSx.
