Plaintext field of the response object and an encrypted copy of the key in the CiphertextBlob field. The key is encrypted by using the master key specified by the KeyId field. To decrypt the encrypted key, pass it to the Decrypt API.
We recommend the following pattern for encrypting data locally: call the GenerateDataKey API, use the key returned in the Plaintext response field to encrypt the data locally, and then erase the plaintext data key from memory. Store the encrypted data key (the CiphertextBlob field) alongside the locally encrypted data. Only the encrypted copy is ever persisted; without permission to use the master key it cannot be turned back into the data key.
Encrypt function to re-encrypt your data keys within a region. GenerateDataKey always returns the data key encrypted and tied to the customer master key that will be used to decrypt it. There is no need to decrypt it twice.
If you use the optional EncryptionContext parameter, you must also store the context in full, or at least store enough information alongside the encrypted data to reconstruct it exactly when you submit the ciphertext to the Decrypt API; Decrypt rejects the request if the context does not match the one used when the key was generated. It is good practice to choose a context that you can reconstruct on the fly (for example, from the identifier of the object being protected), which binds the ciphertext to that object and better secures it. For more information about how this parameter is used, see Encryption Context.
To decrypt data, pass the encrypted data key to the Decrypt API. Decrypt uses the associated master key to decrypt the encrypted data key and returns it as plaintext. Use the plaintext data key to decrypt your data locally and then erase the key from memory. You must specify the encryption context, if any, that you specified when you generated the key. The encryption context is logged by CloudTrail (the plaintext key never is), and you can use this log to help track the use of particular data.
Namespace: Amazon.KeyManagementService
Assembly: AWSSDK.dll
Version: (assembly version)
```csharp
public virtual GenerateDataKeyResponse GenerateDataKey( GenerateDataKeyRequest request )
```
Parameters:
request: Container for the necessary parameters to execute the GenerateDataKey service method.
Exception | Condition |
---|---|
DependencyTimeoutException | The system timed out while trying to fulfill the request. The request can be retried. |
DisabledException | The request was rejected because the specified key was marked as disabled. |
InvalidGrantTokenException | The request was rejected because a grant token provided as part of the request is invalid. |
InvalidKeyUsageException | The request was rejected because the specified KeySpec parameter is not valid. The currently supported value is ENCRYPT/DECRYPT. |
KeyUnavailableException | The request was rejected because the key was not available. The request can be retried. |
KMSInternalException | The request was rejected because an internal exception occurred. The request can be retried. |
KMSInvalidStateException | The request was rejected because the state of the specified resource is not valid for this request. For more information about how key state affects the use of a customer master key (CMK), go to How Key State Affects the Use of a Customer Master Key in the AWS Key Management Service Developer Guide. |
NotFoundException | The request was rejected because the specified entity or resource could not be found. |
.NET Framework:
Supported in: 4.5, 4.0, 3.5