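Client-side decryption followed by re-encryption is inefficient and can lead to sensitive data leaks, because the
plaintext is returned to the client and held in its memory between the two calls. The ReEncrypt APIs perform the
decryption and the re-encryption on the server side, so the plaintext is never exposed outside AWS KMS. This is
more efficient and more secure.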
/**
 * Noncompliant example: moves a ciphertext to another KMS key by decrypting it and
 * encrypting the result again from the client.
 *
 * <p>The plaintext returned by {@code decrypt} is held in a local variable of this process
 * until the follow-up {@code encrypt} call is made, and two KMS requests are issued instead
 * of one. The response of the final {@code encrypt} call is discarded, as in the original
 * sample.
 *
 * @param client           KMS client used for both requests
 * @param encryptedContent ciphertext blob to decrypt and then encrypt again
 */
public void withoutReEncryptNoncompliant(KmsClient client, SdkBytes encryptedContent) {
    // First request: KMS decrypts the blob and hands the plaintext back to the caller.
    SdkBytes recovered = client
            .decrypt(DecryptRequest.builder().ciphertextBlob(encryptedContent).build())
            .plaintext();

    // Noncompliant: client-side decrypt immediately followed by encrypt.
    // "my-key-id" is the sample's hard-coded key identifier.
    EncryptRequest wrapAgain = EncryptRequest.builder()
            .plaintext(recovered)
            .keyId("my-key-id")
            .build();
    client.encrypt(wrapAgain);
}
/**
 * Compliant example: moves a ciphertext to another KMS key with a single {@code reEncrypt}
 * request, so no plaintext is returned to this process.
 *
 * <p>The request names only the destination key. It sets no source key id and no
 * encryption context; a ciphertext that was encrypted with an encryption context needs the
 * matching {@code sourceEncryptionContext}, and setting {@code sourceKeyId} makes KMS
 * refuse to decrypt under any key other than the expected one. The calling principal needs
 * {@code kms:ReEncryptFrom} on the source key and {@code kms:ReEncryptTo} on the
 * destination key. The returned ciphertext blob is read and then discarded, as in the
 * original sample.
 *
 * @param client           KMS client used for the request
 * @param encryptedContent ciphertext blob to re-encrypt under the destination key
 */
public void withReEncryptCompliant(KmsClient client, SdkBytes encryptedContent) {
    // Compliant: uses a ReEncryptRequest which runs server-side.
    // "my-key-id" is the sample's hard-coded destination key identifier.
    client.reEncrypt(
                    ReEncryptRequest.builder()
                            .destinationKeyId("my-key-id")
                            .ciphertextBlob(encryptedContent)
                            .build())
            .ciphertextBlob();
}