AWS SDK Version 3 for .NET
API Reference

AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

This is the response object from the GenerateDataKey operation.

Inheritance Hierarchy

System.Object
  Amazon.Runtime.AmazonWebServiceResponse
    Amazon.KeyManagementService.Model.GenerateDataKeyResponse

Namespace: Amazon.KeyManagementService.Model
Assembly: AWSSDK.KeyManagementService.dll
Version: 3.x.y.z

Syntax

C# 
public class GenerateDataKeyResponse : AmazonWebServiceResponse

The GenerateDataKeyResponse type exposes the following members

Constructors

NameDescription
Public Method GenerateDataKeyResponse()

Properties

NameTypeDescription
Public Property CiphertextBlob System.IO.MemoryStream

Gets and sets the property CiphertextBlob.

The encrypted copy of the data key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

Public Property CiphertextForRecipient System.IO.MemoryStream

Gets and sets the property CiphertextForRecipient.

The plaintext data key encrypted with the public key from the Nitro enclave. This ciphertext can be decrypted only by using a private key in the Nitro enclave.

This field is included in the response only when the Recipient parameter in the request includes a valid attestation document from an Amazon Web Services Nitro enclave. For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.

Public Property ContentLength System.Int64 Inherited from Amazon.Runtime.AmazonWebServiceResponse.
Public Property HttpStatusCode System.Net.HttpStatusCode Inherited from Amazon.Runtime.AmazonWebServiceResponse.
Public Property KeyId System.String

Gets and sets the property KeyId.

The Amazon Resource Name (key ARN) of the KMS key that encrypted the data key.

Public Property Plaintext System.IO.MemoryStream

Gets and sets the property Plaintext.

The plaintext data key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. Use this data key to encrypt your data outside of KMS. Then, remove it from memory as soon as possible.

If the response includes the CiphertextForRecipient field, the Plaintext field is null or empty.

Public Property ResponseMetadata Amazon.Runtime.ResponseMetadata Inherited from Amazon.Runtime.AmazonWebServiceResponse.

Examples

The following example generates a 256-bit symmetric data encryption key (data key) in two formats. One is the unencrypted (plainext) data key, and the other is the data key encrypted with the specified KMS key.

To generate a data key


var client = new AmazonKeyManagementServiceClient();
var response = client.GenerateDataKey(new GenerateDataKeyRequest 
{
    KeyId = "alias/ExampleAlias", // The identifier of the KMS key to use to encrypt the data key. You can use the key ID or Amazon Resource Name (ARN) of the KMS key, or the name or ARN of an alias that refers to the KMS key.
    KeySpec = "AES_256" // Specifies the type of data key to return.
});

MemoryStream ciphertextBlob = response.CiphertextBlob; // The encrypted data key.
string keyId = response.KeyId; // The ARN of the KMS key that was used to encrypt the data key.
MemoryStream plaintext = response.Plaintext; // The unencrypted (plaintext) data key.

The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave. Instead of returning a copy of the data key encrypted by the KMS key and a plaintext copy of the data key, GenerateDataKey returns one copy of the data key encrypted by the KMS key (CiphertextBlob) and one copy of the data key encrypted by the public key from the attestation document (CiphertextForRecipient). The operation doesn't return a plaintext data key.

To generate a data key pair for a Nitro enclave


var client = new AmazonKeyManagementServiceClient();
var response = client.GenerateDataKey(new GenerateDataKeyRequest 
{
    KeyId = "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", // Identifies the KMS key used to encrypt the encrypted data key (CiphertextBlob)
    KeySpec = "AES_256", // Specifies the type of data key to return
    Recipient = new RecipientInfo {
        AttestationDocument = new MemoryStream(<attestation document>),
        KeyEncryptionAlgorithm = "RSAES_OAEP_SHA_256"
    } // Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document
});

MemoryStream ciphertextBlob = response.CiphertextBlob; // The data key encrypted by the specified KMS key
MemoryStream ciphertextForRecipient = response.CiphertextForRecipient; // The plaintext data key encrypted by the public key from the attestation document
string keyId = response.KeyId; // The KMS key used to encrypt the CiphertextBlob (encrypted data key)
MemoryStream plaintext = response.Plaintext; // This field is null or empty

Version Information

.NET Core App:
Supported in: 3.1

.NET Standard:
Supported in: 2.0

.NET Framework:
Supported in: 4.5, 4.0, 3.5