AWS SDK for Go
Developer Guide

Re-encrypting a Data Blob in AWS Key Management Service

The following example uses the AWS SDK for GoReEncrypt method, which implements the ReEncrypt operation, to decrypt encrypted data and then immediately re-encrypt data under a new customer master key (CMK). The operations are performed entirely on the server side within AWS KMS, so they never expose your plaintext outside of AWS KMS. The example displays a readable version of the resulting re-encrypted blob.

import ( "" "" "fmt" "os" ) func main() { // Initialize a session in us-west-2 that the SDK will use to load // credentials from the shared credentials file ~/.aws/credentials. sess, err := session.NewSession(&aws.Config{ Region: aws.String("us-west-2")}, ) // Create KMS service client svc := kms.New(sess) // Encrypt data key // // Replace the fictitious key ARN with a valid key ID keyId := "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" // Encrypted data blob := []byte{...} // Re-encrypt the data key result, err := svc.ReEncrypt(&kms.ReEncryptInput{CiphertextBlob: blob, DestinationKeyId: &keyId}) if err != nil { fmt.Println("Got error re-encrypting data: ", err) os.Exit(1) } fmt.Println("Blob (base-64 byte array):") fmt.Println(result.CiphertextBlob) }

Choose Copy to save the code locally. See the complete example on GitHub.