Export symmetric keys using a pre-established key exchange key (TR-31)
When exchanging multiple keys or supporting key rotation, you typically first exchange an initial key encryption key (KEK) using paper key components or, with AWS Payment Cryptography, using TR-34. After establishing a KEK, you can use it to transport subsequent keys, including other KEKs. We support this key exchange using ANSI TR-31, which is widely supported by HSM vendors.
1. Set up your Key Encryption Key (KEK)
Make sure you have already exchanged your KEK and have the keyARN (or keyAlias) available.
2. Create your key on AWS Payment Cryptography
Create your key if it doesn't already exist. Alternatively, you can create the key on your other system and use the import command.
3. Export your key from AWS Payment Cryptography
When exporting in TR-31 format, specify the key you want to export and the wrapping key to use.
Example – Exporting a key using a TR-31 key block
4. Import the key to your system
Use your system's import key implementation to import the key.
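Before step 4, it can help to confirm that the exported key block describes the key you meant to move. The following is an added example, not AWS's code: it parses the 16-character clear-text TR-31 header and compares it with what the receiving system expects. The function names, the allowed-version policy and the sample key block are assumptions constructed for illustration.

```python
from dataclasses import dataclass

HEADER_LEN = 16  # TR-31 header: 16 ASCII characters, sent in the clear

@dataclass(frozen=True)
class Tr31Header:
    version: str        # 'B'/'C' = TDES wrapping, 'D' = AES wrapping, 'A' = legacy
    length: int         # total key block length in characters
    key_usage: str      # e.g. 'K0' KEK, 'P0' PIN encryption, 'B0' BDK
    algorithm: str      # algorithm of the wrapped key: 'A' AES, 'T' TDES, ...
    mode_of_use: str    # e.g. 'B' encrypt+decrypt, 'E' encrypt only, 'N' none
    key_version: str
    exportability: str  # 'E' exportable, 'N' non-exportable, 'S' sensitive
    optional_blocks: int

def parse_tr31_header(block: str) -> Tr31Header:
    if len(block) < HEADER_LEN or not block.isascii():
        raise ValueError("not a TR-31 key block: too short or non-ASCII")
    if block[0] not in "ABCD":
        raise ValueError(f"unknown key block version {block[0]!r}")
    if not (block[1:5].isdigit() and block[12:14].isdigit()):
        raise ValueError("length and optional-block count must be decimal")
    if int(block[1:5]) != len(block):
        raise ValueError("declared length does not match received block")
    return Tr31Header(block[0], int(block[1:5]), block[5:7], block[7],
                      block[8], block[9:11], block[11], int(block[12:14]))

def check_before_import(block, usage, algorithm, allowed_versions=("B", "D")):
    """Return policy findings; an empty list means the header is as expected.
    allowed_versions is an assumed local policy, not an AWS requirement."""
    h = parse_tr31_header(block)
    findings = []
    if h.version not in allowed_versions:
        findings.append(f"version {h.version} not allowed")
    if h.key_usage != usage:
        findings.append(f"key usage {h.key_usage}, expected {usage}")
    if h.algorithm != algorithm:
        findings.append(f"algorithm {h.algorithm}, expected {algorithm}")
    return findings

# Constructed sample: a valid header followed by placeholder characters,
# not real ciphertext or MAC.
SAMPLE = "D0112P0TE00N0000" + "0" * 96

if __name__ == "__main__":
    print(parse_tr31_header(SAMPLE))
    print(check_before_import(SAMPLE, usage="P0", algorithm="T"))
```

The header is covered by the key block's MAC, which only a system holding the KEK can verify, so this check catches a mismatched or truncated block early but does not authenticate it.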


