Key
Specifies the type of KMS key to create. The default value, `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, `SYMMETRIC_DEFAULT` creates a 128-bit symmetric key that uses SM4 encryption. You can't change the `KeySpec` value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The `KeySpec` property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the `KeySpec` property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys:
Symmetric encryption key (default)
`SYMMETRIC_DEFAULT`(AES-256-GCM)HMAC keys (symmetric)
`HMAC_224``HMAC_256``HMAC_384``HMAC_512`Asymmetric RSA key pairs (encryption and decryption or signing and verification)
`RSA_2048``RSA_3072``RSA_4096`Asymmetric NIST-recommended elliptic curve key pairs (signing and verification or deriving shared secrets)
`ECC_NIST_P256`(secp256r1)`ECC_NIST_P384`(secp384r1)`ECC_NIST_P521`(secp521r1)Other asymmetric elliptic curve key pairs (signing and verification)
`ECC_SECG_P256K1`(secp256k1), commonly used for cryptocurrencies.SM2 key pairs (encryption and decryption or signing and verification or deriving shared secrets)
`SM2`(China Regions only)