AWS Key Management Service
Developer Guide

Encrypting and Decrypting Data

This topic discusses how to encrypt, decrypt, and re-encrypt content.

Encrypting Data

To encrypt data, use the Encrypt operation. For details about the Java implementation, see the encrypt method in the AWS SDK for Java API Reference.

// Encrypt data
//
// Assumes kms is an initialized AWSKMS client.
// Replace the fictitious key ARN with a valid key ID
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
ByteBuffer plaintext = ByteBuffer.wrap(new byte[]{1,2,3,4,5,6,7,8,9,0});

EncryptRequest req = new EncryptRequest().withKeyId(keyId).withPlaintext(plaintext);
ByteBuffer ciphertext = kms.encrypt(req).getCiphertextBlob();

Decrypting Data

To decrypt ciphertext, use the Decrypt operation. For details about the Java implementation, see the decrypt method in the AWS SDK for Java API Reference.

// Decrypt data
//
// Assumes kms is an initialized AWSKMS client.
ByteBuffer ciphertextBlob = Place your ciphertext here;

DecryptRequest req = new DecryptRequest().withCiphertextBlob(ciphertextBlob);
ByteBuffer plainText = kms.decrypt(req).getPlaintext();

Re-Encrypting Data Under a Different Customer Master Key

To decrypt encrypted data and then immediately re-encrypt data under a new customer master key (CMK), use the ReEncrypt operation. The operations are performed entirely on the server side within AWS KMS, so they never expose your plaintext outside of AWS KMS.

For details about the Java implementation, see the reEncrypt method in the AWS SDK for Java API Reference.

// Re-encrypt data
//
// Assumes kms is an initialized AWSKMS client.
ByteBuffer sourceCiphertextBlob = Place your ciphertext here;

// Replace the fictitious key ARN with a valid key ID
String destinationKeyId = "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321";

ReEncryptRequest req = new ReEncryptRequest();
req.setCiphertextBlob(sourceCiphertextBlob);
req.setDestinationKeyId(destinationKeyId);
ByteBuffer destinationCipherTextBlob = kms.reEncrypt(req).getCiphertextBlob();
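
The three operations above combined into one round trip that checks the result of ReEncrypt before relying on it. This is an added example, not code from the AWS guide. It assumes the AWS SDK for Java 1.x, default credentials, and two full key ARNs that you control passed as arguments; the class name, the toBytes helper and the sample plaintext are constructed for illustration.

```java
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.EncryptRequest;
import com.amazonaws.services.kms.model.ReEncryptRequest;
import com.amazonaws.services.kms.model.ReEncryptResult;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class ReEncryptRoundTrip {
    // Copy the readable bytes out without moving the buffer's position.
    static byte[] toBytes(ByteBuffer buf) {
        byte[] out = new byte[buf.remaining()];
        buf.duplicate().get(out);
        return out;
    }

    public static void main(String[] args) {
        // Assumption: args hold the full ARNs of the source and destination CMKs.
        String sourceKeyId = args[0];
        String destinationKeyId = args[1];
        AWSKMS kms = AWSKMSClientBuilder.defaultClient();

        // Constructed sample plaintext, encrypted under the source CMK.
        byte[] secret = "constructed sample secret".getBytes(StandardCharsets.UTF_8);
        ByteBuffer sourceBlob = kms.encrypt(new EncryptRequest()
                .withKeyId(sourceKeyId)
                .withPlaintext(ByteBuffer.wrap(secret))).getCiphertextBlob();

        // Move the ciphertext to the destination CMK; plaintext stays inside AWS KMS.
        ReEncryptResult moved = kms.reEncrypt(new ReEncryptRequest()
                .withCiphertextBlob(sourceBlob)
                .withDestinationKeyId(destinationKeyId));

        // Confirm which key KMS reports it used before storing the new blob.
        if (!destinationKeyId.equals(moved.getKeyId())) {
            throw new IllegalStateException("Unexpected key: " + moved.getKeyId());
        }
        System.out.println("Re-encrypted from " + moved.getSourceKeyId());

        // Decrypt the new blob and compare it with the original plaintext.
        byte[] recovered = toBytes(kms.decrypt(new DecryptRequest()
                .withCiphertextBlob(moved.getCiphertextBlob())).getPlaintext());
        boolean same = Arrays.equals(secret, recovered);
        // Overwrite local plaintext copies once they are no longer needed.
        Arrays.fill(secret, (byte) 0);
        Arrays.fill(recovered, (byte) 0);
        System.out.println(same ? "round trip OK" : "round trip MISMATCH");
    }
}
```

The key comparison only holds when the destination is given as a full key ARN, because the response reports the key by ARN rather than by alias or bare key ID.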