Export key material and public keys
KMS provides two distinct export capabilities: public key export, for signature verification and client-side encryption workflows, and sensitive key material export, reserved for break-glass scenarios.
Public key export
Export the public half of an asymmetric key. No special create-time flag is required.
GET /v1/kms/{region}/keys/{id}/public-key
Format by key type
| Key type family | Export format |
|---|---|
| RSA, ECDSA | PEM-encoded public key |
| Ed25519 | Base64-encoded raw public key |
You can request public keys for specific versions. Public key export returns only public material—it never exposes private key bytes.
Use cases
- Offline signature verification without calling the verify API
- Distributing verification keys to clients or CI systems
- Client-side RSA encryption workflows where only the public key leaves KMS
Public key export requires read permission. It does not require exportAllowed on the key.
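The following Go program is an added example, not code from the KMS documentation or its client libraries. It shows the client side of the public key export flow described above: fetching GET /v1/kms/{region}/keys/{id}/public-key, decoding the body according to the format table (PEM for RSA and ECDSA, base64 raw bytes for Ed25519), and verifying a signature offline without calling the verify API. KMS itself is stood in for by a local test server holding a constructed Ed25519 key. The ?version= query parameter, the PEM block type PUBLIC KEY, and PKCS#1 v1.5 over SHA-256 for RSA signatures are assumptions made for the example; check them against your service before relying on them.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// parsePublicKey decodes a GET .../public-key body by key type family, as in the
// format table: RSA and ECDSA arrive PEM-encoded (assumed to be a "PUBLIC KEY"
// SubjectPublicKeyInfo block), Ed25519 as base64 of the raw 32-byte key.
// Anything else is rejected rather than guessed at.
func parsePublicKey(keyType string, body []byte) (crypto.PublicKey, error) {
	switch keyType {
	case "RSA", "ECDSA":
		block, _ := pem.Decode(body)
		if block == nil || block.Type != "PUBLIC KEY" {
			return nil, errors.New("expected a PEM PUBLIC KEY block")
		}
		return x509.ParsePKIXPublicKey(block.Bytes)
	case "Ed25519":
		raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(string(body)))
		if err != nil {
			return nil, fmt.Errorf("Ed25519 body is not base64: %w", err)
		}
		if len(raw) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("Ed25519 key must be %d bytes, got %d", ed25519.PublicKeySize, len(raw))
		}
		return ed25519.PublicKey(raw), nil
	}
	return nil, fmt.Errorf("unsupported key type %q", keyType)
}

// fetchPublicKey calls GET /v1/kms/{region}/keys/{id}/public-key. Selecting a
// version with ?version= is an assumption; the page says versions can be
// requested but not how the parameter is spelled.
func fetchPublicKey(base, region, id, version, keyType string) (crypto.PublicKey, error) {
	url := fmt.Sprintf("%s/v1/kms/%s/keys/%s/public-key", base, region, id)
	if version != "" {
		url += "?version=" + version
	}
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("public-key request failed: %s", resp.Status)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	return parsePublicKey(keyType, body)
}

// verifyOffline checks sig over msg with only the exported public key, so no
// verify API call is needed. RSA is assumed to use PKCS#1 v1.5 over SHA-256.
func verifyOffline(pub crypto.PublicKey, msg, sig []byte) bool {
	switch k := pub.(type) {
	case ed25519.PublicKey:
		return ed25519.Verify(k, msg, sig)
	case *rsa.PublicKey:
		digest := sha256.Sum256(msg)
		return rsa.VerifyPKCS1v15(k, crypto.SHA256, digest[:], sig) == nil
	}
	return false
}

// demo stands in for KMS with a local server that holds a constructed Ed25519
// private key and serves only the public half. It returns true when a genuine
// signature verifies client-side and a signature over a tampered message does not.
func demo() (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/kms/eu-1/keys/release-signing/public-key", func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, base64.StdEncoding.EncodeToString(pub)) // private key never leaves the server
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()

	fetched, err := fetchPublicKey(srv.URL, "eu-1", "release-signing", "3", "Ed25519")
	if err != nil {
		return false, err
	}
	msg := []byte("release-1.4.2.tar.gz") // constructed sample message
	sig := ed25519.Sign(priv, msg)        // signing happens on the KMS side
	tampered := []byte("release-1.4.3.tar.gz")
	return verifyOffline(fetched, msg, sig) && !verifyOffline(fetched, tampered, sig), nil
}

func main() {
	ok, err := demo()
	fmt.Println("offline verification consistent:", ok, "error:", err)
}
```

Because the client only ever receives public material, this program needs nothing more than read permission on the key and works the same for a CI runner that pins the fetched key and verifies artifacts without further KMS calls.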
Export key material
Export raw key material for a specific key version. This is a highly sensitive operation.
POST /v1/kms/{region}/keys/{id}/export
The response returns the base64-encoded key material for the requested version.
Requirements
| Requirement | Description |
|---|---|
| exportAllowed: true | Must be set at key creation; cannot be enabled later |
| update permission | Caller must have update permission on the key |
Warning
Exported key material grants full cryptographic capability for that key version. Treat exports as break-glass operations. Restrict access to the smallest set of administrators, monitor kms.export audit events, and store exported material in a hardware security module or equivalent secure storage—never in plaintext files or ticket systems.
When to enable export
Enable exportAllowed only when:
- Regulatory requirements mandate key escrow or data sovereignty controls
- You are migrating key material to another system and cannot re-encrypt data in place
- Your disaster recovery plan requires offline key backup
For most workloads, keep exportAllowed disabled (default).
Comparison
| Capability | Public key export | Key material export |
|---|---|---|
| Endpoint | GET …/public-key | POST …/export |
| Material exposed | Public only | Full private key material |
| Requires exportAllowed | No | Yes |
| Permission | read | update |
| Risk level | Low | Critical |
Supported key types
| Operation | Supported types |
|---|---|
| Public key export | RSA, ECDSA, Ed25519 |
| Key material export | Types that support exportAllowed at create (symmetric, RSA, ECDSA, Ed25519) |
HMAC keys do not support key material export.
Audit
Key material export generates a kms.export audit event. Public key reads are covered by standard read/list auditing. See Audit log.
Best practices
- Default to exportAllowed: false for all new keys
- Use public key export for verification workflows instead of exporting private material
- Rotate and disable keys if material may have been exposed
See Best practices and Access control.