Table Of Contents


User Guide

First time using the AWS CLI? See the User Guide for help getting started.

[ aws . kms ]



Encrypts data on the server side with a new customer master key (CMK) without exposing the plaintext of the data on the client side. The data is first decrypted and then reencrypted. You can also use this operation to change the encryption context of a ciphertext.

You can reencrypt data using CMKs in different AWS accounts.

Unlike other operations, re-encrypt is authorized twice, once as ReEncryptFrom on the source CMK and once as ReEncryptTo on the destination CMK. We recommend that you include the "kms:ReEncrypt*" permission in your key policies to permit reencryption from or to the CMK. This permission is automatically included in the key policy when you create a CMK through the console, but you must include it manually when you create a CMK programmatically or when you set a key policy with the put-key-policy operation.

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.


--ciphertext-blob <value>
[--source-encryption-context <value>]
--destination-key-id <value>
[--destination-encryption-context <value>]
[--grant-tokens <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]


--ciphertext-blob (blob)

Ciphertext of the data to reencrypt.

--source-encryption-context (map)

Encryption context used to encrypt and decrypt the data specified in the CiphertextBlob parameter.

Shorthand Syntax:


JSON Syntax:

{"string": "string"

--destination-key-id (string)

A unique identifier for the CMK that is used to reencrypt the data.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

  • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
  • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
  • Alias name: alias/ExampleAlias
  • Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use list-keys or describe-key . To get the alias name and alias ARN, use list-aliases .

--destination-encryption-context (map)

Encryption context to use when the data is reencrypted.

Shorthand Syntax:


JSON Syntax:

{"string": "string"

--grant-tokens (list)

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide .


"string" "string" ...

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See 'aws help' for descriptions of global parameters.


CiphertextBlob -> (blob)

The reencrypted data. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not encoded.

SourceKeyId -> (string)

Unique identifier of the CMK used to originally encrypt the data.

KeyId -> (string)

Unique identifier of the CMK used to reencrypt the data.