keySpec
Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit AES-GCM key that is used for encryption and decryption, except in China Regions, where it creates a 128-bit symmetric key that uses SM4 encryption. For a detailed description of all supported key specs, see Key spec reference in the Key Management Service Developer Guide.
The KeySpec determines whether the KMS key contains a symmetric key or an asymmetric key pair. It also determines the algorithms that the KMS key supports. You can't change the KeySpec after the KMS key is created. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm, kms:MacAlgorithm, kms:KeyAgreementAlgorithm, or kms:SigningAlgorithm in the Key Management Service Developer Guide.
Amazon Web Services services that are integrated with KMS use symmetric encryption KMS keys to protect your data. These services do not support asymmetric KMS keys or HMAC KMS keys.
KMS supports the following key specs for KMS keys:
Symmetric encryption key (default)
  SYMMETRIC_DEFAULT

HMAC keys (symmetric)
  HMAC_224
  HMAC_256
  HMAC_384
  HMAC_512

Asymmetric RSA key pairs (encryption and decryption -or- signing and verification)
  RSA_2048
  RSA_3072
  RSA_4096

Asymmetric NIST-standard elliptic curve key pairs (signing and verification -or- deriving shared secrets)
  ECC_NIST_P256 (secp256r1)
  ECC_NIST_P384 (secp384r1)
  ECC_NIST_P521 (secp521r1)
  ECC_NIST_EDWARDS25519 (ed25519) - signing and verification only
  Note: For ECC_NIST_EDWARDS25519 KMS keys, the ED25519_SHA_512 signing algorithm requires MessageType:RAW, while ED25519_PH_SHA_512 requires MessageType:DIGEST (see the MessageType parameter of the Sign operation). These message types cannot be used interchangeably.

Other asymmetric elliptic curve key pairs (signing and verification)
  ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.

Asymmetric ML-DSA key pairs (signing and verification)
  ML_DSA_44
  ML_DSA_65
  ML_DSA_87

SM2 key pairs (encryption and decryption -or- signing and verification -or- deriving shared secrets)
  SM2 (China Regions only)