Importing Blockchain Private Keys into AWS CMK

Overview

In the world of digital assets, private keys are paramount. The saying, “Not your keys, not your coins,” underscores the critical importance of securely storing private keys. Unlike traditional assets, digital assets are controlled by a private key—a string of letters and numbers that acts like a password, granting access to manage and use the assets.

The power vested in private keys makes their confidentiality essential. Owners should never share them: anyone who holds the private key can irreversibly transfer funds out of the wallet. With the global adoption of blockchain technology, individuals and businesses alike are encrypting and storing their keys. However, every signing operation that touches the raw key is an opportunity for exposure, and frequent signing multiplies that risk.

AWS customers seek robust solutions to protect private keys while minimizing operational costs. On June 5, 2023, AWS KMS introduced support for importing asymmetric and HMAC key material, which lets blockchain applications bring existing signing keys under KMS protection instead of handling them in application code.

👉 Learn more about AWS KMS key import capabilities

Solution Overview

This solution builds on the February 10, 2022 AWS blog post that signs Ethereum transactions with a KMS-generated key, and extends it to keys whose material you import yourself. The deployment architecture includes:

  • AWS Management Console
  • AWS KMS/CMK
  • AWS Lambda
  • Amazon Managed Blockchain (AMB)

Key Principles

  1. CloudFormation-Managed CMK:
     • Creates a KMS-backed CMK whose private key never leaves KMS in plaintext.
     • Lifecycle management is handled by AWS KMS.
     • Key policies and IAM policies enforce strict access controls.
  2. Lambda Functions:
     • EIP-1559 Signer: Signs transactions in Ethereum's EIP-1559 (type 2) format.
     • Legacy Signer: Signs pre-EIP-1559 (type 0) transactions.

Configuration Parameters:

  • ETH_NETWORK: Specifies the Ethereum network the signer targets.
  • KMS_KEY_ID: References the asymmetric CMK used for signing.
  • LOG_LEVEL: Sets logging verbosity.

Two Methods to Create a CMK

1. KMS-Generated Key Material (Default)

With this method AWS KMS generates the key pair inside its HSMs. The private key is never exposed and cannot be exported; KMS only ever releases the public key. (This is still a customer managed key; do not confuse it with an "AWS managed key", which is the aws/service-name key type that KMS creates on a service's behalf.)

Steps:

  1. Navigate to the AWS KMS console (or use the AWS CLI).
  2. Key type: Asymmetric.
  3. Key usage: Sign and verify.
  4. Key spec: ECC_SECG_P256K1 (the secp256k1 curve used by Ethereum and Bitcoin).
  5. Assign an alias (e.g., Blockchain-Signer-Key).
  6. Define key administrators.
  7. Specify key users. Keep them separate from administrators so that whoever can change the key policy cannot also sign with the key.
  8. Review and create.

👉 Explore AWS KMS best practices

2. Importing User-Provided Private Keys

This method lets you bring an existing secp256k1 private key into KMS. Once imported, the key material cannot be exported from KMS. Note, however, that the plaintext copy you imported from still exists outside KMS until you destroy it, so it needs the same protection as before the import.

Steps:

  1. Follow the same steps as the default method above, but on the Configure key page open Advanced options and choose External (Import key material) as the key material origin.
  2. Note the Key ID (e.g., 9bd5ca27-9b87-4c95-a60d-6f9f0885d464). The key stays in the PendingImport state and cannot sign until key material has been imported.

Key Material Generation & Upload

Use an EC2 instance or AWS CloudShell. The plaintext private key is written to the local disk in these steps, so run them on a locked-down, ephemeral host and delete the key files when the import is complete.

```bash
# Generate the secp256k1 private key that will be imported
openssl ecparam -name secp256k1 -genkey -noout -out ec-secp256k1-priv-key.pem

# Download the KMS wrapping public key and import token.
# With --output text the two base64 values are printed on one line, Key first, Token second.
export KEY=$(aws kms get-parameters-for-import \
  --key-id 9bd5ca27-9b87-4c95-a60d-6f9f0885d464 \
  --wrapping-algorithm RSAES_OAEP_SHA_256 \
  --wrapping-key-spec RSA_2048 \
  --query '{Key:PublicKey,Token:ImportToken}' \
  --output text)

echo "$KEY" | awk '{print $1}' > PublicKey.b64
echo "$KEY" | awk '{print $2}' > ImportToken.b64
openssl enc -d -base64 -A -in PublicKey.b64 -out PublicKey.bin
openssl enc -d -base64 -A -in ImportToken.b64 -out ImportToken.bin

# Convert the private key to unencrypted PKCS#8 DER, the format KMS expects for ECC key material
openssl pkcs8 -topk8 -in ec-secp256k1-priv-key.pem -outform der -nocrypt -out ec-secp256k1-priv-key.der

# Wrap the key material with the KMS public key using RSAES-OAEP with SHA-256
openssl pkeyutl -encrypt \
  -in ec-secp256k1-priv-key.der \
  -out EncryptedKeyMaterial.bin \
  -inkey PublicKey.bin \
  -keyform DER \
  -pubin \
  -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

# Upload the wrapped key material. The import token is only valid for 24 hours,
# so fetch a fresh token if the wrapping step is delayed.
aws kms import-key-material \
  --key-id 9bd5ca27-9b87-4c95-a60d-6f9f0885d464 \
  --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
  --import-token fileb://ImportToken.bin \
  --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
```

After the import, confirm that KMS holds the key you intended by comparing the public key it returns with the one derived locally: `aws kms get-public-key --key-id 9bd5ca27-9b87-4c95-a60d-6f9f0885d464 --query PublicKey --output text | base64 -d` must be byte-for-byte equal to `openssl pkey -in ec-secp256k1-priv-key.pem -pubout -outform der`.

Testing

1. Validate Private Key with MetaMask

  1. Extract the public and private keys:
     ```bash
     openssl ec -in ec-secp256k1-priv-key.pem -text -noout > key
     # Public key: drop the 04 uncompressed-point prefix and keep the 64-byte X||Y
     grep pub -A 5 key | tail -n +2 | tr -d '\n[:space:]:' | sed 's/^04//' > pub
     # Private key: keep the low 32 bytes (64 hex chars). This works whether OpenSSL
     # printed a 33-byte value with a leading 00 sign byte or a zero-padded 32-byte value;
     # an unconditional sed 's/^00//' would corrupt a key whose first byte is really 00.
     grep priv -A 3 key | tail -n +2 | tr -d '\n[:space:]:' | tail -c 64 > priv
     ```
  2. Import the private key (priv) into MetaMask.
  3. Verify that the address MetaMask derives matches the address reported by the Lambda function, which is computed from the public key KMS returns. A mismatch means KMS holds different key material than you think.

2. Cleanup

Delete resources to avoid unnecessary costs:

  • CloudFormation stack
  • Lambda functions
  • KMS CMKs (KMS only schedules deletion, with a mandatory waiting period of 7 to 30 days during which the key is unusable but the deletion can still be cancelled; once it completes, anything signed with the key can no longer be re-signed unless you re-import the original material)

Conclusion

This guide demonstrated two methods to manage blockchain private keys with AWS KMS:

  1. CMKs with KMS-generated key material: the private key is created inside KMS and never exists anywhere else.
  2. CMKs with imported key material: you keep control of a pre-existing key and bring it under KMS protection.

For advanced use cases, AWS CloudHSM offers additional flexibility, including exportable keys.


FAQs

1. Can I export a private key from AWS KMS after importing it?

No. KMS never returns private key material, imported or generated, so the key cannot be exported through KMS. Remember that the plaintext copy you wrapped and uploaded still exists wherever you generated it, so the exportability guarantee only holds if you destroy that copy.

2. What happens if I lose my imported private key?

AWS cannot recover it. If the imported key material expires or is deleted, KMS can only restore the key if you re-import the same key material, so keep a securely stored backup of the original before importing.

3. Which blockchain networks support AWS KMS-signed transactions?

In this solution, Ethereum (EIP-1559 and legacy transactions). Other EVM-compatible chains use the same secp256k1 signatures and transaction formats, so the same signer logic applies with a different chain ID.

4. How does AWS KMS ensure key security?

Key material is stored and used inside FIPS 140-2 validated hardware security modules and never leaves them in plaintext, and every use of a key is logged to AWS CloudTrail for auditing.

5. Can I use AWS KMS for multi-signature wallets?

Yes. Each signer in a multi-signature scheme can hold its own CMK, with Lambda collecting the individual signatures; the threshold policy itself lives in the multi-signature contract on chain, not in KMS.

6. Is CloudHSM better than KMS for blockchain keys?

CloudHSM gives you a single-tenant HSM cluster that you administer yourself and allows keys to be exported, which some compliance regimes require, but you also take on its operational burden. KMS is more cost-effective and simpler for most use cases.

👉 Discover advanced key management strategies