AWS SDK Version 2 for .NET
API Reference


Container for the parameters to the GenerateDataKey operation. Generates a data key that you can use in your application to locally encrypt data. This call returns a plaintext version of the key in the Plaintext field of the response object and an encrypted copy of the key in the CiphertextBlob field. The key is encrypted by using the master key specified by the KeyId field. To decrypt the encrypted key, pass it to the Decrypt API.

We recommend that you use the following pattern to locally encrypt data: call the GenerateDataKey API, use the key returned in the Plaintext response field to locally encrypt data, and then erase the plaintext data key from memory. Store the encrypted data key (contained in the CiphertextBlob field) alongside of the locally encrypted data.

You should not call the Encrypt API to re-encrypt your data keys within a region. GenerateDataKey already returns the data key encrypted under, and tied to, the customer master key that will be used to decrypt it, so there is no need to encrypt it a second time.

If you decide to use the optional EncryptionContext parameter, you must also store the context in full or at least store enough information along with the encrypted data to be able to reconstruct the context when submitting the ciphertext to the Decrypt API. It is a good practice to choose a context that you can reconstruct on the fly to better secure the ciphertext. For more information about how this parameter is used, see Encryption Context.

To decrypt data, pass the encrypted data key to the Decrypt API. Decrypt uses the associated master key to decrypt the encrypted data key and returns it as plaintext. Use the plaintext data key to locally decrypt your data and then erase the key from memory. You must specify the encryption context, if any, that you specified when you generated the key; a missing or mismatched context causes Decrypt to fail (InvalidCiphertextException) rather than return a key. The encryption context is logged by CloudTrail, and you can use this log to help track the use of particular data.
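The following is an added example that puts the pattern above into working C# against the SDK v2 API; it is not code from the AWS documentation. It goes slightly beyond the text: instead of a single AES key via KeySpec, it requests 64 bytes via NumberOfBytes and splits them into an AES-256 key and an HMAC-SHA256 key, because AES-CBC without a MAC gives no integrity and .NET Framework 4.5 has no AES-GCM. The alias "alias/MyAliasName", the region, and the envelope layout (IV || ciphertext || tag, with the CiphertextBlob stored beside it) are illustrative choices, not KMS requirements.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using Amazon;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;

// Added example, not from the AWS SDK documentation. Key alias, region and
// envelope layout are placeholders chosen for illustration.
public sealed class EnvelopeRecord
{
    public byte[] WrappedDataKey;   // CiphertextBlob from GenerateDataKey, stored alongside the data
    public byte[] Payload;          // IV || AES-256-CBC ciphertext || HMAC-SHA256 tag
}

public static class Envelope
{
    const int AesKeyLen = 32, MacKeyLen = 32, IvLen = 16, TagLen = 32;

    public static EnvelopeRecord Seal(AmazonKeyManagementServiceClient kms, string keyId,
                                      Dictionary<string, string> context, byte[] plaintext)
    {
        // NumberOfBytes is a byte count: 32 bytes is an AES-256 key. We ask for 64 so the
        // second half can serve as an independent HMAC key (encrypt-then-MAC).
        GenerateDataKeyResponse dk = kms.GenerateDataKey(new GenerateDataKeyRequest
        {
            KeyId = keyId,                        // e.g. "alias/MyAliasName" (assumed to exist)
            NumberOfBytes = AesKeyLen + MacKeyLen,
            EncryptionContext = context           // must be reproducible at decrypt time
        });
        byte[] material = dk.Plaintext.ToArray();
        try
        {
            return new EnvelopeRecord
            {
                WrappedDataKey = dk.CiphertextBlob.ToArray(),
                Payload = SealWithKeys(material, plaintext)
            };
        }
        finally
        {
            // Best effort: managed memory may still hold copies (e.g. the SDK's
            // MemoryStream buffer), so keep the plaintext key's lifetime short.
            Array.Clear(material, 0, material.Length);
        }
    }

    public static byte[] Open(AmazonKeyManagementServiceClient kms,
                              Dictionary<string, string> context, EnvelopeRecord rec)
    {
        // KMS authenticates the context against what GenerateDataKey recorded; a mismatch
        // raises InvalidCiphertextException instead of returning a wrong key.
        DecryptResponse dr = kms.Decrypt(new DecryptRequest
        {
            CiphertextBlob = new MemoryStream(rec.WrappedDataKey),
            EncryptionContext = context
        });
        byte[] material = dr.Plaintext.ToArray();
        try { return OpenWithKeys(material, rec.Payload); }
        finally { Array.Clear(material, 0, material.Length); }
    }

    static byte[] SealWithKeys(byte[] material, byte[] plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.Key = Slice(material, 0, AesKeyLen);
            aes.GenerateIV();                                   // fresh random IV per message
            byte[] body;
            using (var enc = aes.CreateEncryptor())
                body = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] ivAndBody = Concat(aes.IV, body);
            using (var hmac = new HMACSHA256(Slice(material, AesKeyLen, MacKeyLen)))
                return Concat(ivAndBody, hmac.ComputeHash(ivAndBody));   // tag covers IV too
        }
    }

    static byte[] OpenWithKeys(byte[] material, byte[] payload)
    {
        if (payload.Length < IvLen + TagLen) throw new CryptographicException("payload too short");
        byte[] ivAndBody = Slice(payload, 0, payload.Length - TagLen);
        byte[] tag = Slice(payload, payload.Length - TagLen, TagLen);
        using (var hmac = new HMACSHA256(Slice(material, AesKeyLen, MacKeyLen)))
            if (!FixedTimeEquals(hmac.ComputeHash(ivAndBody), tag))
                throw new CryptographicException("MAC mismatch");   // verify before decrypting
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.Key = Slice(material, 0, AesKeyLen);
            aes.IV = Slice(ivAndBody, 0, IvLen);
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(ivAndBody, IvLen, ivAndBody.Length - IvLen);
        }
    }

    static byte[] Slice(byte[] s, int off, int n) { var r = new byte[n]; Buffer.BlockCopy(s, off, r, 0, n); return r; }
    static byte[] Concat(byte[] a, byte[] b)
    { var r = new byte[a.Length + b.Length]; Buffer.BlockCopy(a, 0, r, 0, a.Length); Buffer.BlockCopy(b, 0, r, a.Length, b.Length); return r; }
    static bool FixedTimeEquals(byte[] a, byte[] b)
    { if (a.Length != b.Length) return false; int d = 0; for (int i = 0; i < a.Length; i++) d |= a[i] ^ b[i]; return d == 0; }
}
```

Usage: `var kms = new AmazonKeyManagementServiceClient(RegionEndpoint.USEast1); var ctx = new Dictionary<string, string> { { "purpose", "backup" }, { "tenant", "acme" } }; var rec = Envelope.Seal(kms, "alias/MyAliasName", ctx, data); ... var back = Envelope.Open(kms, ctx, rec);`. The context values here are derived from facts the decrypting side already knows (who owns the data, what it is for), which is what "reconstruct on the fly" means in practice. Two checks a practitioner would add: compare `dr.KeyId` on the Decrypt response with the key ARN you expect, so a CiphertextBlob wrapped under some other key you happen to have Decrypt rights on is rejected; and treat `InvalidCiphertextException` as a tamper or misconfiguration signal, not a transient error to retry.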

Inheritance Hierarchy

System.Object
  Amazon.Runtime.AmazonWebServiceRequest
    Amazon.KeyManagementService.AmazonKeyManagementServiceRequest
      Amazon.KeyManagementService.Model.GenerateDataKeyRequest

Namespace: Amazon.KeyManagementService.Model
Assembly: AWSSDK.dll
Version: (assembly version)

Syntax

C#
public class GenerateDataKeyRequest : AmazonKeyManagementServiceRequest, IRequestEvents

The GenerateDataKeyRequest type exposes the following members

Constructors

Name | Description
Public Method GenerateDataKeyRequest()

Properties

Name | Type | Description
Public Property EncryptionContext System.Collections.Generic.Dictionary<System.String, System.String> Gets and sets the property EncryptionContext.

Name/value pair that contains additional data to be authenticated during the encryption and decryption processes that use the key. This value is logged by AWS CloudTrail to provide context around the data encrypted by the key.

Public Property GrantTokens System.Collections.Generic.List<System.String> Gets and sets the property GrantTokens.

A list of grant tokens.

For more information, go to Grant Tokens in the AWS Key Management Service Developer Guide.

Public Property KeyId System.String Gets and sets the property KeyId.

A unique identifier for the customer master key. This value can be a globally unique identifier, a fully specified ARN to either an alias or a key, or an alias name prefixed by "alias/".

  • Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
  • Alias ARN Example - arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
  • Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
  • Alias Name Example - alias/MyAliasName

Public Property KeySpec Amazon.KeyManagementService.DataKeySpec Gets and sets the property KeySpec.

Value that identifies the encryption algorithm and key size to generate a data key for. Currently this can be AES_128 or AES_256.

Public Property NumberOfBytes System.Int32 Gets and sets the property NumberOfBytes.

Integer that contains the number of bytes to generate. Common values are 128, 256, 512, and 1024; 1024 is the current limit. Note that this is a byte count, not a bit length: an AES-256 key is 32 bytes, so passing 256 here yields a 256-byte (2048-bit) value. Specify either KeySpec or NumberOfBytes, not both. We recommend that you use the KeySpec parameter instead.

Version Information

.NET Framework:
Supported in: 4.5, 4.0, 3.5

.NET for Windows Store apps:
Supported in: Windows 8.1, Windows 8

.NET for Windows Phone:
Supported in: Windows Phone 8.1, Windows Phone 8