AWS KMS asymmetric key support

[james-callahan]

I'd like to be able to allow anyone to encrypt secrets to me; but only allow decryption through sops/KMS.
AWS support this with key_usage of ENCRYPT_DECRYPT. https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks

When I attempted to just use an RSA_4096 KMS key with sops I got:

Failed to call KMS encryption service: InvalidKeyUsageException: Algorithm SYMMETRIC_DEFAULT is incompatible with key spec RSA_4096.

[reegnz]

This feature ist still desired.

I'd also add one more aspect to it, which is offline encryption (without API access to the KMS key):
https://aws.amazon.com/blogs/security/how-to-use-aws-kms-rsa-keys-for-offline-encryption/

[beachygreg]

+1 on this feature. It would be very advantageous to not have to have AWS credentials and roles in order to encrypt.

[seanorama]

Commenting to keep this from going stale.

This would be a big win.

The need to have the key eliminates KMS as a choice in many scenarios, especially between departments where one team, without privileged access, needs to pass credentials to an operations team.

It also prevents the ability, to work "offline" to encrypt secrets.

[nathanwebsterdotme]

This would be very useful

[peter-leonov-ch]

Something similar to ejson would we awesome.