Keyring compatibility - AWS Encryption SDK

Keyring compatibility

Although the different language implementations of the AWS Encryption SDK have some architectural differences, they are fully compatible, subject to language constraints. You can encrypt your data using one language implementation and decrypt it with any other language implementation. However, you must use the same or corresponding wrapping keys to encrypt and decrypt your data keys. For information about language constraints, see the topic about each language implementation, such as Compatibility of the AWS Encryption SDK for JavaScript in the AWS Encryption SDK for JavaScript topic.

Varying requirements for encryption keyrings

In AWS Encryption SDK language implementations other than the AWS Encryption SDK for C, all wrapping keys in an encryption keyring (or multi-keyring) or master key provider must be able to encrypt the data key. If any wrapping key fails to encrypt, the encrypt method fails. As a result, the caller must have the required permissions for all keys in the keyring. If you use a discovery keyring to encrypt data, alone or in a multi-keyring, the encrypt operation fails.

The exception is the AWS Encryption SDK for C, where the encrypt operation ignores a standard discovery keyring, but fails if you specify a multi-Region discovery keyring, alone or in a multi-keyring.

Compatible Keyrings and Master Key Providers

The following table shows which master keys and master key providers are compatible with the keyrings that the AWS Encryption SDK supplies. Any minor incompatibility due to language constraints is explained in the topic about the language implementation.

Keyring: Master Key Provider:
AWS KMS keyring

KMSMasterKey (Java)

KMSMasterKeyProvider (Java)

KMSMasterKey (Python)

KMSMasterKeyProvider (Python)


The AWS Encryption SDK for Python and AWS Encryption SDK for Java don't include a master key or master key provider that is equivalent to the AWS KMS regional discovery keyring.

AWS KMS Hierarchical keyring Only available with version 4.x of the AWS Encryption SDK for .NET and version 3.x of the AWS Encryption SDK for Java.
Raw AES keyring

When they are used with symmetric encryption keys:

JceMasterKey (Java)

RawMasterKey (Python)

Raw RSA keyring

When they are used with asymmetric encryption keys:

JceMasterKey (Java)

RawMasterKey (Python)


The Raw RSA keyring does not support asymmetric KMS keys. If you want to use asymmetric RSA KMS keys, version 4.x of the AWS Encryption SDK for .NET supports AWS KMS keyrings that use symmetric encryption (SYMMETRIC_DEFAULT) or asymmetric RSA AWS KMS keys.