Download Public Key and Import Token: CLI | Utimaco Integration Guides

With the CMK KeyId set, the wrapping key and the import token will be downloaded. The wrapping key is always a 2048-RSA key and is unique to each import operation. The import token contains metadata to ensure that the key material is imported to the correct CMK ID.

Both the import token and the import wrapping key are valid only for 24 hours. After this, the import wrapping key and the import token are expired and a new set must be downloaded from the KMS.

Although other wrapping mechanisms are supported by AWS KMS as well, the RSAES_OAEP_SHA_256 mechanism is mandatory in this case.

›_ Console
`> aws kms get-parameters-for-import --key-id <KeyId> --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 --region <region>`

If the command is successful, you see an output similar to what is shown below.

›_ Console
`{ "KeyId": "arn:aws:kms:<region>:<AWSAccountID>,:key/<KeyID>", "ImportToken": "AQECAHjS7Vj0eN0qmSLqs8…" "PublicKey": "MIIBIjANBgkqhkiG9w0BAQEFAj…", "ParametersValidTo": <date> }`