Key
Metadata about an AWS Payment Cryptography key.
Contents
- CreateTimestamp
-
The date and time when the key was created.
Type: Timestamp
Required: Yes
- Enabled
-
Specifies whether the key is enabled.
Type: Boolean
Required: Yes
- Exportable
-
Specifies whether the key is exportable. This data is immutable after the key is created.
Type: Boolean
Required: Yes
- KeyArn
-
The Amazon Resource Name (ARN) of the key.
Type: String
Length Constraints: Minimum length of 70. Maximum length of 150.
Pattern:
arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:key/[0-9a-zA-Z]{16,64}
Required: Yes
- KeyAttributes
-
The role of the key, the algorithm it supports, and the cryptographic operations allowed with the key. This data is immutable after the key is created.
Type: KeyAttributes object
Required: Yes
- KeyCheckValue
-
The key check value (KCV) is used to check if all parties holding a given key have the same key or to detect that a key has changed.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 16.
Pattern:
[0-9a-fA-F]+
Required: Yes
- KeyCheckValueAlgorithm
-
The algorithm that AWS Payment Cryptography uses to calculate the key check value (KCV). It is used to validate the key integrity.
For TDES keys, the KCV is computed by encrypting 8 bytes, each with value of zero, with the key to be checked and retaining the 3 highest order bytes of the encrypted result. For AES keys, the KCV is computed using a CMAC algorithm where the input data is 16 bytes of zero and retaining the 3 highest order bytes of the encrypted result.
Type: String
Valid Values:
CMAC | ANSI_X9_24 | HMAC | SHA_1
Required: Yes
- KeyOrigin
-
The source of the key material. For keys created within AWS Payment Cryptography, the value is
AWS_PAYMENT_CRYPTOGRAPHY
. For keys imported into AWS Payment Cryptography, the value isEXTERNAL
.Type: String
Valid Values:
EXTERNAL | AWS_PAYMENT_CRYPTOGRAPHY
Required: Yes
- KeyState
-
The state of key that is being created or deleted.
Type: String
Valid Values:
CREATE_IN_PROGRESS | CREATE_COMPLETE | DELETE_PENDING | DELETE_COMPLETE
Required: Yes
- DeletePendingTimestamp
-
The date and time after which AWS Payment Cryptography will delete the key. This value is present only when
KeyState
isDELETE_PENDING
and the key is scheduled for deletion.Type: Timestamp
Required: No
- DeleteTimestamp
-
The date and time after which AWS Payment Cryptography will delete the key. This value is present only when when the
KeyState
isDELETE_COMPLETE
and the AWS Payment Cryptography key is deleted.Type: Timestamp
Required: No
- DeriveKeyUsage
-
The cryptographic usage of an ECDH derived key as deļ¬ned in section A.5.2 of the TR-31 spec.
Type: String
Valid Values:
TR31_B0_BASE_DERIVATION_KEY | TR31_C0_CARD_VERIFICATION_KEY | TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY | TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS | TR31_E1_EMV_MKEY_CONFIDENTIALITY | TR31_E2_EMV_MKEY_INTEGRITY | TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS | TR31_E5_EMV_MKEY_CARD_PERSONALIZATION | TR31_E6_EMV_MKEY_OTHER | TR31_K0_KEY_ENCRYPTION_KEY | TR31_K1_KEY_BLOCK_PROTECTION_KEY | TR31_M3_ISO_9797_3_MAC_KEY | TR31_M1_ISO_9797_1_MAC_KEY | TR31_M6_ISO_9797_5_CMAC_KEY | TR31_M7_HMAC_KEY | TR31_P0_PIN_ENCRYPTION_KEY | TR31_P1_PIN_GENERATION_KEY | TR31_V1_IBM3624_PIN_VERIFICATION_KEY | TR31_V2_VISA_PIN_VERIFICATION_KEY
Required: No
- MultiRegionKeyType
-
Indicates whether this key is a Multi-Region key and its role in the Multi-Region key hierarchy.
Multi-Region replication keys allow the same key material to be used across multiple AWS Regions. This field specifies whether the key is a Primary Region key (PRK) (which can be replicated to other AWS Regions) or a Replica Region key (RRK) (which is a copy of a PRK in another Region). For more information, see Multi-Region key replication.
Type: String
Valid Values:
PRIMARY | REPLICA
Required: No
- PrimaryRegion
-
An AWS Region identifier in the standard format (e.g.,
us-east-1
,eu-west-1
).Used to specify regions for key replication operations. The region must be a valid AWS Region where AWS Payment Cryptography is available.
Type: String
Pattern:
[a-z]{2}-[a-z]{1,16}-[0-9]+
Required: No
- ReplicationStatus
-
Information about the replication status of the key across different AWS Regions.
This field provides details about the current state of key replication, including any status messages or operational information. It helps track the progress and health of key replication operations.
Type: String to ReplicationStatusType object map
Key Pattern:
[a-z]{2}-[a-z]{1,16}-[0-9]+
Required: No
- UsageStartTimestamp
-
The date and time after which AWS Payment Cryptography will start using the key material for cryptographic operations.
Type: Timestamp
Required: No
- UsageStopTimestamp
-
The date and time after which AWS Payment Cryptography will stop using the key material for cryptographic operations.
Type: Timestamp
Required: No
- UsingDefaultReplicationRegions
-
Indicates whether this key is using the account's default replication regions configuration for Multi-Region key replication.
When set to
true
, the key automatically replicates to the regions specified in the account's default replication settings. When set tofalse
, the key has a custom replication configuration that overrides the account defaults.Type: Boolean
Required: No
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: