AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.
This is the response object from the Decrypt operation.
Namespace: Amazon.KeyManagementService.Model
Assembly: AWSSDK.KeyManagementService.dll
Version: 3.x.y.z
public class DecryptResponse : AmazonWebServiceResponse
The DecryptResponse type exposes the following members
Name | Description | |
---|---|---|
DecryptResponse() |
Name | Type | Description | |
---|---|---|---|
CiphertextForRecipient | System.IO.MemoryStream |
Gets and sets the property CiphertextForRecipient. The plaintext data encrypted with the public key in the attestation document.
This field is included in the response only when the |
|
ContentLength | System.Int64 | Inherited from Amazon.Runtime.AmazonWebServiceResponse. | |
EncryptionAlgorithm | Amazon.KeyManagementService.EncryptionAlgorithmSpec |
Gets and sets the property EncryptionAlgorithm. The encryption algorithm that was used to decrypt the ciphertext. |
|
HttpStatusCode | System.Net.HttpStatusCode | Inherited from Amazon.Runtime.AmazonWebServiceResponse. | |
KeyId | System.String |
Gets and sets the property KeyId. The Amazon Resource Name (key ARN) of the KMS key that was used to decrypt the ciphertext. |
|
Plaintext | System.IO.MemoryStream |
Gets and sets the property Plaintext. Decrypted plaintext data. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
If the response includes the |
|
ResponseMetadata | Amazon.Runtime.ResponseMetadata | Inherited from Amazon.Runtime.AmazonWebServiceResponse. |
The following example decrypts data that was encrypted with a symmetric encryption KMS key. The KeyId is not required when decrypting with a symmetric encryption key, but it is a best practice.
var client = new AmazonKeyManagementServiceClient(); var response = client.Decrypt(new DecryptRequest { CiphertextBlob = new MemoryStream(<binary data>), // The encrypted data (ciphertext). KeyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" // A key identifier for the KMS key to use to decrypt the data. }); string encryptionAlgorithm = response.EncryptionAlgorithm; // The encryption algorithm that was used to decrypt the ciphertext. SYMMETRIC_DEFAULT is the only valid value for symmetric encryption in AWS KMS. string keyId = response.KeyId; // The Amazon Resource Name (ARN) of the KMS key that was used to decrypt the data. MemoryStream plaintext = response.Plaintext; // The decrypted (plaintext) data.
The following example decrypts data that was encrypted with an asymmetric encryption KMS key. When the KMS encryption key is asymmetric, you must specify the KMS key ID and the encryption algorithm that was used to encrypt the data.
var client = new AmazonKeyManagementServiceClient(); var response = client.Decrypt(new DecryptRequest { CiphertextBlob = new MemoryStream(<binary data>), // The encrypted data (ciphertext). EncryptionAlgorithm = "RSAES_OAEP_SHA_256", // The encryption algorithm that was used to encrypt the data. This parameter is required to decrypt with an asymmetric KMS key. KeyId = "0987dcba-09fe-87dc-65ba-ab0987654321" // A key identifier for the KMS key to use to decrypt the data. This parameter is required to decrypt with an asymmetric KMS key. }); string encryptionAlgorithm = response.EncryptionAlgorithm; // The encryption algorithm that was used to decrypt the ciphertext. string keyId = response.KeyId; // The Amazon Resource Name (ARN) of the KMS key that was used to decrypt the data. MemoryStream plaintext = response.Plaintext; // The decrypted (plaintext) data.
The following Decrypt example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave. Instead of returning the decrypted data in plaintext (Plaintext), the operation returns the decrypted data encrypted by the public key from the attestation document (CiphertextForRecipient).
var client = new AmazonKeyManagementServiceClient(); var response = client.Decrypt(new DecryptRequest { CiphertextBlob = new MemoryStream(<binary data>), // The encrypted data. This ciphertext was encrypted with the KMS key KeyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", // The KMS key to use to decrypt the ciphertext Recipient = new RecipientInfo { AttestationDocument = new MemoryStream(<attestation document>), KeyEncryptionAlgorithm = "RSAES_OAEP_SHA_256" } // Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document }); MemoryStream ciphertextForRecipient = response.CiphertextForRecipient; // The decrypted CiphertextBlob encrypted with the public key from the attestation document string keyId = response.KeyId; // The KMS key that was used to decrypt the encrypted data (CiphertextBlob) MemoryStream plaintext = response.Plaintext; // This field is null or empty
.NET Core App:
Supported in: 3.1
.NET Standard:
Supported in: 2.0
.NET Framework:
Supported in: 4.5, 4.0, 3.5