Can a KMS key pair be registered as an EC2 key pair?

Can a KMS key pair be registered on an EC2 instance as the key pair for SSH login?

I want to manage it with Terraform.

As of June 20, 2020, AWS KMS cannot be used directly to manage SSH keys.

You can use KMS to generate RSA and ECC data keys for client-side encryption operations, but you have to manage those keys yourself.

AWS KMS currently supports:

  1. Encryption with symmetric keys (as of June 20, 2020, AES only)
  2. Digital signatures with asymmetric keys (as of June 20, 2020, RSA and ECC)

KMS customer master keys (CMKs) for service-side encryption (too expensive, and probably too high-latency, for practical use by an SSH client):

AWS KMS supports symmetric and asymmetric CMKs.

  • Symmetric CMK: Represents a single 256-bit secret encryption key that never leaves AWS KMS unencrypted. To use your symmetric CMK, you must call AWS KMS.
  • Asymmetric CMK: Represents a mathematically related public key and private key pair that you can use for encryption and decryption or signing and verification, but not both. The private key never leaves AWS KMS unencrypted. You can use the public key within AWS KMS by calling the AWS KMS API operations, or download the public key and use it outside of AWS KMS.

Using an asymmetric CMK with SSH would require a modified client or a plugin I am not aware of, and it would be very expensive and slow.

Data keys for use in client-side operations:

AWS KMS also provides symmetric data keys and asymmetric data key pairs that are designed to be used for client-side cryptography outside of AWS KMS. The symmetric data key and the private key in an asymmetric data key pair are protected by a symmetric CMK in AWS KMS.

  • Symmetric data key — A symmetric encryption key that you can use to encrypt data outside of AWS KMS. This key is protected by a symmetric CMK in AWS KMS.
  • Asymmetric data key pair — An RSA or elliptic curve (ECC) key pair that consists of a public key and a private key. You can use your data key pair outside of AWS KMS to encrypt and decrypt data, or sign messages and verify signatures. The private key is protected by a symmetric CMK in AWS KMS.

Using an asymmetric data key from KMS would be more practical, but it requires either a modified client that unwraps the key with the CMK, or that you manage the encryption of the key itself on the client side using the features of the SSH client.

You also need to add the public key to the host you are logging into. One example would be to use Terraform to generate a CMK and create an asymmetric data key from it with a null_resource provisioner.

You could then take the public key of the asymmetric data key pair and add it to EC2 as a key pair for provisioning instances.

This is too complicated and not worth it. You are better off using ssh-keygen locally.
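Added example (not code from the answer above): the glue step the answer describes, converting the DER-encoded PublicKey that `aws kms generate-data-key-pair --key-pair-spec RSA_2048` returns into the OpenSSH public-key line that EC2 ImportKeyPair (or Terraform `aws_key_pair.public_key`) accepts, using only the Python standard library. The sample key is constructed locally by `rsa_spki_der` as a stand-in for KMS output; RSA key specs only, ECC keys are rejected.

```python
import base64, struct
RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")  # AlgorithmIdentifier body: OID rsaEncryption + NULL

def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short- and long-form lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)  # keep INTEGER positive

def rsa_spki_der(n: int, e: int) -> bytes:
    """Build a SubjectPublicKeyInfo blob in the format of KMS GenerateDataKeyPair's PublicKey field (constructed sample input only)."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, _der(0x30, RSA_ALG_ID) + _der(0x03, b"\x00" + rsa_key))

def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next (length & 0x7f) bytes hold the length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _ssh_string((b"\x00" if b[0] & 0x80 else b"") + b)  # RFC 4251 mpint: positive, big-endian

def spki_to_openssh(der: bytes, comment: str = "kms-data-key") -> str:
    """Convert an RSA SubjectPublicKeyInfo (DER) into the 'ssh-rsa AAAA... comment' line EC2 ImportKeyPair and authorized_keys accept."""
    _, spki, _ = _read_tlv(der, 0)                # outer SEQUENCE
    _, alg, pos = _read_tlv(spki, 0)              # AlgorithmIdentifier
    if alg != RSA_ALG_ID:
        raise ValueError("only rsaEncryption keys are handled (KMS RSA_* key specs)")
    _, bitstr, _ = _read_tlv(spki, pos)           # BIT STRING wrapping RSAPublicKey
    _, rsa_key, _ = _read_tlv(bitstr[1:], 0)      # skip the unused-bits byte
    _, n_b, pos = _read_tlv(rsa_key, 0)
    _, e_b, _ = _read_tlv(rsa_key, pos)
    n, e = int.from_bytes(n_b, "big"), int.from_bytes(e_b, "big")
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)  # RFC 4253 ssh-rsa key blob
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
```

The private half returned by KMS (PrivateKeyPlaintext, PKCS#8 DER) still has to be stored and protected by you, which is the management burden the answer warns about.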