Posts tagged Encryption

AWS KMS doesn't allow key material export by design. When an external PKI partner generates keys but doesn't retain them, you're stuck. Here are the four AWS alternatives — CloudHSM, XKS, Private CA, and fixing the process — with a decision framework to pick the right one.

XKS protects key material from extraction, but does it protect against legal compulsion to use those keys? Updated with AWS European Sovereign Cloud (GA January 2026).