AWS SDK Version 3 for .NET
API Reference


This is the response object from the GenerateDataKeyPair operation.

Inheritance Hierarchy

System.Object
  Amazon.Runtime.AmazonWebServiceResponse
    Amazon.KeyManagementService.Model.GenerateDataKeyPairResponse

Namespace: Amazon.KeyManagementService.Model
Assembly: AWSSDK.KeyManagementService.dll
Version: 3.x.y.z

Syntax

C#
public class GenerateDataKeyPairResponse : AmazonWebServiceResponse

The GenerateDataKeyPairResponse type exposes the following members

Constructors

Properties

Name    Type    Description
Public Property CiphertextForRecipient System.IO.MemoryStream

Gets and sets the property CiphertextForRecipient.

The plaintext private data key encrypted with the public key from the Nitro enclave. This ciphertext can be decrypted only by using a private key in the Nitro enclave.

This field is included in the response only when the Recipient parameter in the request includes a valid attestation document from an Amazon Web Services Nitro enclave. For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.

Public Property ContentLength System.Int64 Inherited from Amazon.Runtime.AmazonWebServiceResponse.
Public Property HttpStatusCode System.Net.HttpStatusCode Inherited from Amazon.Runtime.AmazonWebServiceResponse.
Public Property KeyId System.String

Gets and sets the property KeyId.

The Amazon Resource Name (key ARN) of the KMS key that encrypted the private key.

Public Property KeyPairSpec Amazon.KeyManagementService.DataKeyPairSpec

Gets and sets the property KeyPairSpec.

The type of data key pair that was generated.

Public Property PrivateKeyCiphertextBlob System.IO.MemoryStream

Gets and sets the property PrivateKeyCiphertextBlob.

The encrypted copy of the private key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

Public Property PrivateKeyPlaintext System.IO.MemoryStream

Gets and sets the property PrivateKeyPlaintext.

The plaintext copy of the private key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

If the response includes the CiphertextForRecipient field, the PrivateKeyPlaintext field is null or empty.

Public Property PublicKey System.IO.MemoryStream

Gets and sets the property PublicKey.

The public key (in plaintext). When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

Public Property ResponseMetadata Amazon.Runtime.ResponseMetadata Inherited from Amazon.Runtime.AmazonWebServiceResponse.

Examples

This example generates an RSA data key pair for encryption and decryption. The operation returns a plaintext public key and private key, and a copy of the private key that is encrypted under a symmetric encryption KMS key that you specify.

To generate an RSA key pair for encryption and decryption


using System.IO;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;

var client = new AmazonKeyManagementServiceClient();
var response = client.GenerateDataKeyPair(new GenerateDataKeyPairRequest 
{
    KeyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", // The key ID of the symmetric encryption KMS key that encrypts the private RSA key in the data key pair.
    KeyPairSpec = "RSA_3072" // The requested key spec of the RSA data key pair.
});

string keyId = response.KeyId; // The key ARN of the symmetric encryption KMS key that was used to encrypt the private key.
string keyPairSpec = response.KeyPairSpec; // The actual key spec of the RSA data key pair.
MemoryStream privateKeyCiphertextBlob = response.PrivateKeyCiphertextBlob; // The encrypted private key of the RSA data key pair.
MemoryStream privateKeyPlaintext = response.PrivateKeyPlaintext; // The plaintext private key of the RSA data key pair.
MemoryStream publicKey = response.PublicKey; // The public key (plaintext) of the RSA data key pair.


The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave. Instead of returning a plaintext copy of the private data key, GenerateDataKeyPair returns a copy of the private data key encrypted by the public key from the attestation document (CiphertextForRecipient). It returns the public data key (PublicKey) and a copy of the private data key encrypted under the specified KMS key (PrivateKeyCiphertextBlob), as usual, but the plaintext private data key field (PrivateKeyPlaintext) is null or empty.

To generate a data key pair for a Nitro enclave


using System.IO;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;

var client = new AmazonKeyManagementServiceClient();
var response = client.GenerateDataKeyPair(new GenerateDataKeyPairRequest 
{
    KeyId = "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", // The key ID of the symmetric encryption KMS key that encrypts the private RSA key in the data key pair.
    KeyPairSpec = "RSA_3072", // The requested key spec of the RSA data key pair.
    Recipient = new RecipientInfo {
        AttestationDocument = new MemoryStream(<attestation document>), // The signed attestation document produced inside the Nitro enclave.
        KeyEncryptionAlgorithm = "RSAES_OAEP_SHA_256"
    } // Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document.
});

MemoryStream ciphertextForRecipient = response.CiphertextForRecipient; // The private key of the RSA data key pair encrypted by the public key from the attestation document.
string keyId = response.KeyId; // The key ARN of the symmetric encryption KMS key that was used to encrypt the PrivateKeyCiphertextBlob.
string keyPairSpec = response.KeyPairSpec; // The actual key spec of the RSA data key pair.
MemoryStream privateKeyCiphertextBlob = response.PrivateKeyCiphertextBlob; // The private key of the RSA data key pair encrypted by the KMS key.
MemoryStream privateKeyPlaintext = response.PrivateKeyPlaintext; // This field is null or empty when CiphertextForRecipient is returned.
MemoryStream publicKey = response.PublicKey; // The public key (plaintext) of the RSA data key pair.
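As an added example (not part of the SDK reference or its samples), the helper below handles both response shapes described above in one place: it branches on whether CiphertextForRecipient is populated, treats a non-empty PrivateKeyPlaintext in the enclave case as unexpected, and in the ordinary case imports the pair with System.Security.Cryptography to confirm the keys match before wiping the plaintext and keeping only the KMS-encrypted copy. It assumes .NET Core 3.0 or later, and it assumes the key encodings noted in the comments, which this page does not state.

```csharp
using System.IO;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;

public static class DataKeyPairHandling
{
    // KMS leaves absent response fields null or empty; treat both the same way.
    static bool HasBytes(MemoryStream s) => s != null && s.Length > 0;

    // Returns the bytes the caller must keep: the enclave-bound ciphertext when a
    // Recipient was supplied, otherwise the KMS-encrypted private key for storage.
    // Assumed encodings: PublicKey is DER SubjectPublicKeyInfo, PrivateKeyPlaintext is DER PKCS#8.
    public static async Task<byte[]> GenerateAndUseAsync(
        IAmazonKeyManagementService kms, string kmsKeyArn, RecipientInfo recipient)
    {
        var response = await kms.GenerateDataKeyPairAsync(new GenerateDataKeyPairRequest
        {
            KeyId = kmsKeyArn,                       // symmetric encryption KMS key (caller-supplied)
            KeyPairSpec = DataKeyPairSpec.RSA_3072,
            Recipient = recipient                    // null for the ordinary, non-enclave call
        });
        // The public key is plaintext in both cases and safe to use anywhere.
        using var publicRsa = RSA.Create();
        publicRsa.ImportSubjectPublicKeyInfo(response.PublicKey.ToArray(), out _);
        if (HasBytes(response.CiphertextForRecipient))
        {
            // Enclave path: the private key is recoverable only inside the attested enclave,
            // so PrivateKeyPlaintext must be null or empty; anything else is unexpected.
            if (HasBytes(response.PrivateKeyPlaintext))
                throw new CryptographicException("Plaintext private key returned with CiphertextForRecipient.");
            return response.CiphertextForRecipient.ToArray();
        }
        // Ordinary path: use the plaintext private key briefly, then wipe it.
        byte[] privateKeyDer = response.PrivateKeyPlaintext.ToArray();
        try
        {
            using var privateRsa = RSA.Create();
            privateRsa.ImportPkcs8PrivateKey(privateKeyDer, out _);
            byte[] probe = { 1, 2, 3 };                // constructed sample proving the pair matches
            byte[] back = privateRsa.Decrypt(
                publicRsa.Encrypt(probe, RSAEncryptionPadding.OaepSHA256), RSAEncryptionPadding.OaepSHA256);
            if (!CryptographicOperations.FixedTimeEquals(probe, back))
                throw new CryptographicException("Public and private key do not match.");
        }
        finally { CryptographicOperations.ZeroMemory(privateKeyDer); } // the MemoryStream still holds its own copy
        // Persist only the KMS-encrypted copy; recover it later with KMS Decrypt.
        return response.PrivateKeyCiphertextBlob.ToArray();
    }
}
```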


Version Information

.NET Core App:
Supported in: 3.1

.NET Standard:
Supported in: 2.0

.NET Framework:
Supported in: 4.5, 4.0, 3.5