Migration from AWS KMS
Migrate keys from AWS KMS to QNSP.
Migration from AWS KMS
Migrate keys from AWS KMS to QNSP.
Overview
QNSP supports importing keys from AWS KMS using BYOK.
Key types supported
| AWS KMS | QNSP equivalent |
|---|---|
| SYMMETRIC_DEFAULT | aes-256-gcm |
| RSA_2048 | Not supported (use PQC) |
| ECC_NIST_P256 | ecdsa-p256 |
Migration steps
1. Export key material (if extractable)
AWS KMS keys are typically not extractable. Options:
- Re-encrypt data with new QNSP keys
- Use HYOK to keep keys in AWS KMS
2. Create equivalent keys in QNSP
qnsp kms keys create \
--name "migrated-key" \
--algorithm aes-256-gcm
3. Re-encrypt data
# Decrypt with AWS KMS
aws kms decrypt \
--ciphertext-blob fileb://encrypted.bin \
--output text --query Plaintext | base64 -d > plaintext.bin
# Encrypt with QNSP
qnsp kms encrypt \
--key-id $QNSP_KEY_ID \
--input plaintext.bin \
--output encrypted-qnsp.bin
# Securely delete plaintext
shred -u plaintext.bin
HYOK option
Keep keys in AWS KMS, use QNSP for orchestration:
{
"type": "hyok",
"provider": "aws-kms",
"keyArn": "arn:aws:kms:us-east-1:123456789:key/..."
}
Considerations
- Plan for re-encryption downtime
- Maintain AWS KMS for decrypt during transition
- Update all applications to use QNSP