AWS SDK Version 3 for .NET
API Reference

This is the response object from the Decrypt operation.

Inheritance Hierarchy

System.Object
  Amazon.Runtime.AmazonWebServiceResponse
    Amazon.KeyManagementService.Model.DecryptResponse

Namespace: Amazon.KeyManagementService.Model
Assembly: AWSSDK.KeyManagementService.dll
Version: 3.x.y.z

Syntax

C#
public class DecryptResponse : AmazonWebServiceResponse

The DecryptResponse type exposes the following members

Constructors

Name | Description
Public Method DecryptResponse()

Properties

Name | Type | Description
Public Property CiphertextForRecipient System.IO.MemoryStream

Gets and sets the property CiphertextForRecipient.

The plaintext data encrypted with the public key in the attestation document.

This field is included in the response only when the Recipient parameter in the request includes a valid attestation document from an Amazon Web Services Nitro enclave. For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.

Public Property ContentLength System.Int64 Inherited from Amazon.Runtime.AmazonWebServiceResponse.
Public Property EncryptionAlgorithm Amazon.KeyManagementService.EncryptionAlgorithmSpec

Gets and sets the property EncryptionAlgorithm.

The encryption algorithm that was used to decrypt the ciphertext.

Public Property HttpStatusCode System.Net.HttpStatusCode Inherited from Amazon.Runtime.AmazonWebServiceResponse.
Public Property KeyId System.String

Gets and sets the property KeyId.

The Amazon Resource Name (key ARN) of the KMS key that was used to decrypt the ciphertext.

Public Property Plaintext System.IO.MemoryStream

Gets and sets the property Plaintext.

Decrypted plaintext data. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

If the response includes the CiphertextForRecipient field, the Plaintext field is null or empty.

Public Property ResponseMetadata Amazon.Runtime.ResponseMetadata Inherited from Amazon.Runtime.AmazonWebServiceResponse.

Examples

The following example decrypts data that was encrypted with a symmetric encryption KMS key. The KeyId is not required when decrypting with a symmetric encryption key, but it is a best practice.

To decrypt data with a symmetric encryption KMS key


var client = new AmazonKeyManagementServiceClient();
var response = client.Decrypt(new DecryptRequest 
{
    CiphertextBlob = new MemoryStream(<binary data>), // The encrypted data (ciphertext).
    KeyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" // A key identifier for the KMS key to use to decrypt the data.
});

string encryptionAlgorithm = response.EncryptionAlgorithm; // The encryption algorithm that was used to decrypt the ciphertext. SYMMETRIC_DEFAULT is the only valid value for symmetric encryption in AWS KMS.
string keyId = response.KeyId; // The Amazon Resource Name (ARN) of the KMS key that was used to decrypt the data.
MemoryStream plaintext = response.Plaintext; // The decrypted (plaintext) data.

            

The following example decrypts data that was encrypted with an asymmetric encryption KMS key. When the KMS encryption key is asymmetric, you must specify the KMS key ID and the encryption algorithm that was used to encrypt the data.

To decrypt data with an asymmetric encryption KMS key


var client = new AmazonKeyManagementServiceClient();
var response = client.Decrypt(new DecryptRequest 
{
    CiphertextBlob = new MemoryStream(<binary data>), // The encrypted data (ciphertext).
    EncryptionAlgorithm = "RSAES_OAEP_SHA_256", // The encryption algorithm that was used to encrypt the data. This parameter is required to decrypt with an asymmetric KMS key.
    KeyId = "0987dcba-09fe-87dc-65ba-ab0987654321" // A key identifier for the KMS key to use to decrypt the data. This parameter is required to decrypt with an asymmetric KMS key.
});

string encryptionAlgorithm = response.EncryptionAlgorithm; // The encryption algorithm that was used to decrypt the ciphertext.
string keyId = response.KeyId; // The Amazon Resource Name (ARN) of the KMS key that was used to decrypt the data.
MemoryStream plaintext = response.Plaintext; // The decrypted (plaintext) data.

            

The following Decrypt example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave. Instead of returning the decrypted data in plaintext (Plaintext), the operation returns the decrypted data encrypted by the public key from the attestation document (CiphertextForRecipient).

To decrypt data for a Nitro enclave


var client = new AmazonKeyManagementServiceClient();
var response = client.Decrypt(new DecryptRequest 
{
    CiphertextBlob = new MemoryStream(<binary data>), // The encrypted data. This ciphertext was encrypted with the KMS key
    KeyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", // The KMS key to use to decrypt the ciphertext
    Recipient = new RecipientInfo {
        AttestationDocument = new MemoryStream(<attestation document>),
        KeyEncryptionAlgorithm = "RSAES_OAEP_SHA_256"
    } // Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document
});

MemoryStream ciphertextForRecipient = response.CiphertextForRecipient; // The decrypted CiphertextBlob encrypted with the public key from the attestation document
string keyId = response.KeyId; // The KMS key that was used to decrypt the encrypted data (CiphertextBlob)
MemoryStream plaintext = response.Plaintext; // This field is null or empty
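The following is an added example, not part of the SDK or of the original reference page. It shows one way to check a DecryptResponse before trusting its contents: confirm that KeyId and EncryptionAlgorithm are the ones the caller expected, and handle the case where the response carries CiphertextForRecipient and Plaintext is null or empty. DecryptResponseGuard and ExtractPlaintext are hypothetical names; expectedKeyArn must be the full key ARN, because the response reports the key ARN even when the request used a key ID.

```csharp
using System;
using System.IO;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;

// Added example: DecryptResponseGuard is a hypothetical helper,
// not a type in AWSSDK.KeyManagementService.
public static class DecryptResponseGuard
{
    // Returns a copy of the plaintext bytes only when the response names the
    // KMS key and algorithm the caller expected. The caller owns the returned
    // array and should clear it (Array.Clear) once the secret is no longer needed.
    public static byte[] ExtractPlaintext(
        DecryptResponse response,
        string expectedKeyArn,
        EncryptionAlgorithmSpec expectedAlgorithm)
    {
        if (response == null) throw new ArgumentNullException(nameof(response));
        if (expectedAlgorithm == null) throw new ArgumentNullException(nameof(expectedAlgorithm));

        // KeyId in the response is the key ARN of the key that performed the decryption.
        if (!string.Equals(response.KeyId, expectedKeyArn, StringComparison.Ordinal))
            throw new InvalidOperationException(
                "Ciphertext was decrypted with an unexpected KMS key: " + response.KeyId);

        // Compare the algorithm by its string value, e.g. SYMMETRIC_DEFAULT.
        string algorithm = response.EncryptionAlgorithm?.Value;
        if (!string.Equals(algorithm, expectedAlgorithm.Value, StringComparison.Ordinal))
            throw new InvalidOperationException("Unexpected encryption algorithm: " + algorithm);

        // Nitro enclave path: the data is encrypted to the public key in the
        // attestation document, and Plaintext is null or empty.
        MemoryStream wrapped = response.CiphertextForRecipient;
        if (wrapped != null && wrapped.Length > 0)
            throw new InvalidOperationException(
                "Response carries CiphertextForRecipient; it must be unwrapped inside the enclave.");

        MemoryStream plaintext = response.Plaintext;
        if (plaintext == null || plaintext.Length == 0)
            throw new InvalidOperationException("Decrypt response contains no plaintext.");

        // Through the SDK the value is raw bytes, not Base64, so copy it as-is.
        return plaintext.ToArray();
    }
}
```

A call such as DecryptResponseGuard.ExtractPlaintext(response, keyArn, EncryptionAlgorithmSpec.SYMMETRIC_DEFAULT) fits the symmetric example above; wrap the use of the returned array in try/finally and clear it in the finally block.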

            

Version Information

.NET Core App:
Supported in: 3.1

.NET Standard:
Supported in: 2.0

.NET Framework:
Supported in: 4.5, 4.0, 3.5