AWS Key Management Service
Developer Guide

Working With Keys

This topic discusses how to create, describe, list, enable, and disable keys in Java. For detailed information, see the AWS SDK for Java API Reference.

Creating a Customer Master Key

To create a customer master key, use the CreateKey operation. For details about the Java implementation, see the createKey method in the AWS SDK for Java API Reference.

```java
// Create a CMK
//
// kms is an AWSKMS client from the AWS SDK for Java.
String desc = "Key for protecting critical data";

CreateKeyRequest req = new CreateKeyRequest().withDescription(desc);
CreateKeyResult result = kms.createKey(req);
```

Creating a Data Key

To generate a data key, use the GenerateDataKey operation. This operation returns plaintext and encrypted copies of the data key that it creates. For details about the Java implementation, see the generateDataKey method in the AWS SDK for Java API Reference.

```java
// Generate a data key
//
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

GenerateDataKeyRequest dataKeyRequest = new GenerateDataKeyRequest();
dataKeyRequest.setKeyId(keyId);
dataKeyRequest.setKeySpec("AES_128");

GenerateDataKeyResult dataKeyResult = kms.generateDataKey(dataKeyRequest);

ByteBuffer plaintextKey = dataKeyResult.getPlaintext();
ByteBuffer encryptedKey = dataKeyResult.getCiphertextBlob();
```
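The following added example (not from the AWS documentation) shows one way to use the two values that GenerateDataKey returns: encrypt locally with the plaintext key, store the encrypted key beside the ciphertext, and wipe the local plaintext copy. The class name `EnvelopeExample`, its helper methods, the envelope layout, and the stand-in key material in `main` are assumptions; in real use the buffers come from `getPlaintext()` and `getCiphertextBlob()`, and the key passed to `open` comes from the KMS Decrypt operation.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class EnvelopeExample {   // hypothetical class, not part of the SDK
    static byte[] bytes(ByteBuffer b) {              // copy without moving b's position
        byte[] a = new byte[b.remaining()];
        b.duplicate().get(a);
        return a;
    }
    static Cipher gcm(int mode, byte[] key, byte[] iv, byte[] aad) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        c.updateAAD(aad);                            // bind ciphertext to its encrypted data key
        return c;
    }
    // Output layout (assumed): [2-byte length][encrypted data key][12-byte IV][ciphertext+tag]
    static byte[] seal(ByteBuffer plaintextKey, ByteBuffer encryptedKey, byte[] data) throws Exception {
        byte[] key = bytes(plaintextKey), wrapped = bytes(encryptedKey), iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        try {
            byte[] ct = gcm(Cipher.ENCRYPT_MODE, key, iv, wrapped).doFinal(data);
            return ByteBuffer.allocate(2 + wrapped.length + iv.length + ct.length)
                    .putShort((short) wrapped.length).put(wrapped).put(iv).put(ct).array();
        } finally { Arrays.fill(key, (byte) 0); }    // wipe our copy of the plaintext key
    }
    // The encrypted data key to send to the KMS Decrypt operation before calling open().
    static ByteBuffer encryptedKeyOf(byte[] envelope) {
        return ByteBuffer.wrap(envelope, 2, ByteBuffer.wrap(envelope).getShort() & 0xffff).slice();
    }
    // plaintextKey here is the result of KMS Decrypt on encryptedKeyOf(envelope).
    static byte[] open(ByteBuffer plaintextKey, byte[] envelope) throws Exception {
        byte[] key = bytes(plaintextKey), wrapped = bytes(encryptedKeyOf(envelope)), iv = new byte[12];
        int off = 2 + wrapped.length;
        System.arraycopy(envelope, off, iv, 0, iv.length);
        try {                                        // doFinal throws if the tag or AAD does not match
            return gcm(Cipher.DECRYPT_MODE, key, iv, wrapped)
                    .doFinal(envelope, off + iv.length, envelope.length - off - iv.length);
        } finally { Arrays.fill(key, (byte) 0); }
    }
    public static void main(String[] args) throws Exception {
        byte[] k = new byte[16];                     // constructed stand-in for getPlaintext() (AES_128)
        new SecureRandom().nextBytes(k);
        ByteBuffer blob = ByteBuffer.wrap("constructed-ciphertext-blob".getBytes("UTF-8"));
        byte[] env = seal(ByteBuffer.wrap(k), blob, "critical data".getBytes("UTF-8"));
        System.out.println(new String(open(ByteBuffer.wrap(k), env), "UTF-8"));
    }
}
```

Only the envelope needs to be stored; the plaintext data key is never written out.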

Getting Information About a Customer Master Key

To get detailed information about a CMK, including the key ARN and key state, use the DescribeKey operation. For details about the Java implementation of DescribeKey, see the describeKey method in the AWS SDK for Java API Reference.

DescribeKey does not get aliases. To get aliases, use the ListAliases operation.

```java
// Describe a CMK
//
// Replace the fictitious key ARN with a valid one.
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

DescribeKeyRequest req = new DescribeKeyRequest().withKeyId(keyId);
DescribeKeyResult result = kms.describeKey(req);
```

Getting Key IDs and Key ARNs of Customer Master Keys

To get the key IDs and key ARNs of the customer master keys, use the ListKeys operation. For details about the Java implementation, see the listKeys method in the AWS SDK for Java API Reference.

```java
// List CMKs in this account
//
Integer limit = 10;
String marker = null;

ListKeysRequest req = new ListKeysRequest().withMarker(marker).withLimit(limit);
ListKeysResult result = kms.listKeys(req);
```

Enabling Customer Master Keys

To enable a disabled CMK, use the EnableKey operation. For details about the Java implementation, see the enableKey method in the AWS SDK for Java API Reference.

```java
// Enable a CMK
//
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

EnableKeyRequest req = new EnableKeyRequest().withKeyId(keyId);
kms.enableKey(req);
```

Disabling Customer Master Keys

To disable a CMK, use the DisableKey operation. Disabling a CMK prevents it from being used. For details about the Java implementation, see the disableKey method in the AWS SDK for Java API Reference.

```java
// Disable a CMK
//
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

DisableKeyRequest req = new DisableKeyRequest().withKeyId(keyId);
kms.disableKey(req);
```