com.amazonaws.services.kms.model

Class EncryptRequest

java.lang.Object

com.amazonaws.AmazonWebServiceRequest

com.amazonaws.services.kms.model.EncryptRequest

All Implemented Interfaces:

java.io.Serializable, java.lang.Cloneable

public class EncryptRequest
extends AmazonWebServiceRequest
implements java.io.Serializable

Encrypts plaintext into ciphertext by using a customer master key (CMK). The Encrypt operation has two primary use cases:

• You can encrypt small amounts of arbitrary data, such as a personal identifier or database password, or other sensitive information.

• You can use the Encrypt operation to move encrypted data from one AWS Region to another. For example, in Region A, generate a data key and use the plaintext key to encrypt your data. Then, in Region A, use the Encrypt operation to encrypt the plaintext data key under a CMK in Region B. Now, you can move the encrypted data and the encrypted data key to Region B. When necessary, you can decrypt the encrypted data key and the encrypted data entirely within in Region B.

You don't need to use the Encrypt operation to encrypt a data key. The GenerateDataKey and GenerateDataKeyPair operations return a plaintext data key and an encrypted copy of that data key.

When you encrypt data, you must specify a symmetric or asymmetric CMK to use in the encryption operation. The CMK must have a KeyUsage value of ENCRYPT_DECRYPT. To find the KeyUsage of a CMK, use the DescribeKey operation.

If you use a symmetric CMK, you can use an encryption context to add additional security to your encryption operation. If you specify an EncryptionContext when encrypting data, you must specify the same encryption context (a case-sensitive exact match) when decrypting the data. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

If you specify an asymmetric CMK, you must also specify the encryption algorithm. The algorithm must be compatible with the CMK type.

When you use an asymmetric CMK to encrypt or reencrypt data, be sure to record the CMK and encryption algorithm that you choose. You will be required to provide the same CMK and encryption algorithm when you decrypt the data. If the CMK and algorithm do not match the values used to encrypt the data, the decrypt operation fails.

You are not required to supply the CMK ID and encryption algorithm when you decrypt with symmetric CMKs because AWS KMS stores this information in the ciphertext blob. AWS KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.

The maximum size of the data that you can encrypt varies with the type of CMK and the encryption algorithm that you choose.

• Symmetric CMKs

  • SYMMETRIC_DEFAULT: 4096 bytes

• RSA_2048

  • RSAES_OAEP_SHA_1: 214 bytes

  • RSAES_OAEP_SHA_256: 190 bytes

• RSA_3072

  • RSAES_OAEP_SHA_1: 342 bytes

  • RSAES_OAEP_SHA_256: 318 bytes

• RSA_4096

  • RSAES_OAEP_SHA_1: 470 bytes

  • RSAES_OAEP_SHA_256: 446 bytes

The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:Encrypt (key policy)

Related operations:

• Decrypt

• GenerateDataKey

• GenerateDataKeyPair

See Also:

Serialized Form

Constructor Summary

Constructors

Constructor and Description
EncryptRequest()

Method Summary

Modifier and Type	Method and Description
EncryptRequest	addEncryptionContextEntry(java.lang.String key, java.lang.String value) Specifies the encryption context that will be used to encrypt the data.
EncryptRequest	clearEncryptionContextEntries() Removes all the entries added into EncryptionContext.
boolean	equals(java.lang.Object obj)
java.lang.String	getEncryptionAlgorithm() Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext message.
java.util.Map<java.lang.String,java.lang.String>	getEncryptionContext() Specifies the encryption context that will be used to encrypt the data.
java.util.List<java.lang.String>	getGrantTokens() A list of grant tokens.
java.lang.String	getKeyId() A unique identifier for the customer master key (CMK).
java.nio.ByteBuffer	getPlaintext() Data to be encrypted.
int	hashCode()
void	setEncryptionAlgorithm(EncryptionAlgorithmSpec encryptionAlgorithm) Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext message.
void	setEncryptionAlgorithm(java.lang.String encryptionAlgorithm) Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext message.
void	setEncryptionContext(java.util.Map<java.lang.String,java.lang.String> encryptionContext) Specifies the encryption context that will be used to encrypt the data.
void	setGrantTokens(java.util.Collection<java.lang.String> grantTokens) A list of grant tokens.
void	setKeyId(java.lang.String keyId) A unique identifier for the customer master key (CMK).
void	setPlaintext(java.nio.ByteBuffer plaintext) Data to be encrypted.
java.lang.String	toString() Returns a string representation of this object; useful for testing and debugging.
EncryptRequest	withEncryptionAlgorithm(EncryptionAlgorithmSpec encryptionAlgorithm) Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext message.
EncryptRequest	withEncryptionAlgorithm(java.lang.String encryptionAlgorithm) Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext message.
EncryptRequest	withEncryptionContext(java.util.Map<java.lang.String,java.lang.String> encryptionContext) Specifies the encryption context that will be used to encrypt the data.
EncryptRequest	withGrantTokens(java.util.Collection<java.lang.String> grantTokens) A list of grant tokens.
EncryptRequest	withGrantTokens(java.lang.String... grantTokens) A list of grant tokens.
EncryptRequest	withKeyId(java.lang.String keyId) A unique identifier for the customer master key (CMK).
EncryptRequest	withPlaintext(java.nio.ByteBuffer plaintext) Data to be encrypted.

Methods inherited from class com.amazonaws.AmazonWebServiceRequest

clone, getCloneRoot, getCloneSource, getGeneralProgressListener, getRequestClientOptions, getRequestCredentials, getRequestMetricCollector, setGeneralProgressListener, setRequestCredentials, setRequestMetricCollector, withGeneralProgressListener, withRequestMetricCollector

Methods inherited from class java.lang.Object

getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

EncryptRequest

public EncryptRequest()

Method Detail

getKeyId

public java.lang.String getKeyId()

A unique identifier for the customer master key (CMK).

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

Constraints:
Length: 1 - 2048

Returns:

A unique identifier for the customer master key (CMK).

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

setKeyId

public void setKeyId(java.lang.String keyId)

A unique identifier for the customer master key (CMK).

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

Constraints:
Length: 1 - 2048

Parameters:

keyId -

A unique identifier for the customer master key (CMK).

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

withKeyId

public EncryptRequest withKeyId(java.lang.String keyId)

A unique identifier for the customer master key (CMK).

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Length: 1 - 2048

Parameters:

keyId -

A unique identifier for the customer master key (CMK).

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

Returns:

A reference to this updated object so that method calls can be chained together.

getPlaintext

public java.nio.ByteBuffer getPlaintext()

Data to be encrypted.

Constraints:
Length: 1 - 4096

Returns:

Data to be encrypted.

setPlaintext

public void setPlaintext(java.nio.ByteBuffer plaintext)

Data to be encrypted.

Constraints:
Length: 1 - 4096

Parameters:

plaintext -

Data to be encrypted.

withPlaintext

public EncryptRequest withPlaintext(java.nio.ByteBuffer plaintext)

Data to be encrypted.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Length: 1 - 4096

Parameters:

plaintext -

Data to be encrypted.

Returns:

A reference to this updated object so that method calls can be chained together.

getEncryptionContext

public java.util.Map<java.lang.String,java.lang.String> getEncryptionContext()

Specifies the encryption context that will be used to encrypt the data. An encryption context is valid only for cryptographic operations with a symmetric CMK. The standard asymmetric encryption algorithms that AWS KMS uses do not support an encryption context.

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

Returns:

Specifies the encryption context that will be used to encrypt the data. An encryption context is valid only for cryptographic operations with a symmetric CMK. The standard asymmetric encryption algorithms that AWS KMS uses do not support an encryption context.

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

setEncryptionContext

public void setEncryptionContext(java.util.Map<java.lang.String,java.lang.String> encryptionContext)

Specifies the encryption context that will be used to encrypt the data. An encryption context is valid only for cryptographic operations with a symmetric CMK. The standard asymmetric encryption algorithms that AWS KMS uses do not support an encryption context.

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

Parameters:

encryptionContext -

Specifies the encryption context that will be used to encrypt the data. An encryption context is valid only for cryptographic operations with a symmetric CMK. The standard asymmetric encryption algorithms that AWS KMS uses do not support an encryption context.

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

withEncryptionContext

public EncryptRequest withEncryptionContext(java.util.Map<java.lang.String,java.lang.String> encryptionContext)

Specifies the encryption context that will be used to encrypt the data. An encryption context is valid only for cryptographic operations with a symmetric CMK. The standard asymmetric encryption algorithms that AWS KMS uses do not support an encryption context.

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

Returns a reference to this object so that method calls can be chained together.

Parameters:

encryptionContext -

Specifies the encryption context that will be used to encrypt the data. An encryption context is valid only for cryptographic operations with a symmetric CMK. The standard asymmetric encryption algorithms that AWS KMS uses do not support an encryption context.

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

Returns:

A reference to this updated object so that method calls can be chained together.

addEncryptionContextEntry

public EncryptRequest addEncryptionContextEntry(java.lang.String key,
                                                java.lang.String value)

Specifies the encryption context that will be used to encrypt the data. An encryption context is valid only for cryptographic operations with a symmetric CMK. The standard asymmetric encryption algorithms that AWS KMS uses do not support an encryption context.

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

The method adds a new key-value pair into EncryptionContext parameter, and returns a reference to this object so that method calls can be chained together.

Parameters:

key - The key of the entry to be added into EncryptionContext.

value - The corresponding value of the entry to be added into EncryptionContext.

Returns:

A reference to this updated object so that method calls can be chained together.

clearEncryptionContextEntries

public EncryptRequest clearEncryptionContextEntries()

Removes all the entries added into EncryptionContext.

Returns a reference to this object so that method calls can be chained together.

getGrantTokens

public java.util.List<java.lang.String> getGrantTokens()

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Returns:

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

setGrantTokens

public void setGrantTokens(java.util.Collection<java.lang.String> grantTokens)

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Parameters:

grantTokens -

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

withGrantTokens

public EncryptRequest withGrantTokens(java.lang.String... grantTokens)

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Returns a reference to this object so that method calls can be chained together.

Parameters:

grantTokens -

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Returns:

A reference to this updated object so that method calls can be chained together.

withGrantTokens

public EncryptRequest withGrantTokens(java.util.Collection<java.lang.String> grantTokens)

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Returns a reference to this object so that method calls can be chained together.

Parameters:

grantTokens -

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Returns:

A reference to this updated object so that method calls can be chained together.

getEncryptionAlgorithm

public java.lang.String getEncryptionAlgorithm()

Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext message. The algorithm must be compatible with the CMK that you specify.

This parameter is required only for asymmetric CMKs. The default value, SYMMETRIC_DEFAULT, is the algorithm used for symmetric CMKs. If you are using an asymmetric CMK, we recommend RSAES_OAEP_SHA_256.

Constraints:
Allowed Values: SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256

Returns:

Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext message. The algorithm must be compatible with the CMK that you specify.

This parameter is required only for asymmetric CMKs. The default value, SYMMETRIC_DEFAULT, is the algorithm used for symmetric CMKs. If you are using an asymmetric CMK, we recommend RSAES_OAEP_SHA_256.

See Also:

EncryptionAlgorithmSpec

setEncryptionAlgorithm

public void setEncryptionAlgorithm(java.lang.String encryptionAlgorithm)

Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext message. The algorithm must be compatible with the CMK that you specify.

This parameter is required only for asymmetric CMKs. The default value, SYMMETRIC_DEFAULT, is the algorithm used for symmetric CMKs. If you are using an asymmetric CMK, we recommend RSAES_OAEP_SHA_256.

Constraints:
Allowed Values: SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256

Parameters:

encryptionAlgorithm -

Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext message. The algorithm must be compatible with the CMK that you specify.

This parameter is required only for asymmetric CMKs. The default value, SYMMETRIC_DEFAULT, is the algorithm used for symmetric CMKs. If you are using an asymmetric CMK, we recommend RSAES_OAEP_SHA_256.

See Also:

EncryptionAlgorithmSpec

withEncryptionAlgorithm

public EncryptRequest withEncryptionAlgorithm(java.lang.String encryptionAlgorithm)

Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext message. The algorithm must be compatible with the CMK that you specify.

This parameter is required only for asymmetric CMKs. The default value, SYMMETRIC_DEFAULT, is the algorithm used for symmetric CMKs. If you are using an asymmetric CMK, we recommend RSAES_OAEP_SHA_256.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Allowed Values: SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256

Parameters:

encryptionAlgorithm -

Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext message. The algorithm must be compatible with the CMK that you specify.

This parameter is required only for asymmetric CMKs. The default value, SYMMETRIC_DEFAULT, is the algorithm used for symmetric CMKs. If you are using an asymmetric CMK, we recommend RSAES_OAEP_SHA_256.

Returns:

A reference to this updated object so that method calls can be chained together.

See Also:

EncryptionAlgorithmSpec

setEncryptionAlgorithm

public void setEncryptionAlgorithm(EncryptionAlgorithmSpec encryptionAlgorithm)

Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext message. The algorithm must be compatible with the CMK that you specify.

This parameter is required only for asymmetric CMKs. The default value, SYMMETRIC_DEFAULT, is the algorithm used for symmetric CMKs. If you are using an asymmetric CMK, we recommend RSAES_OAEP_SHA_256.

Constraints:
Allowed Values: SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256

Parameters:

encryptionAlgorithm -

Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext message. The algorithm must be compatible with the CMK that you specify.

This parameter is required only for asymmetric CMKs. The default value, SYMMETRIC_DEFAULT, is the algorithm used for symmetric CMKs. If you are using an asymmetric CMK, we recommend RSAES_OAEP_SHA_256.

See Also:

EncryptionAlgorithmSpec

withEncryptionAlgorithm

public EncryptRequest withEncryptionAlgorithm(EncryptionAlgorithmSpec encryptionAlgorithm)

Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext message. The algorithm must be compatible with the CMK that you specify.

This parameter is required only for asymmetric CMKs. The default value, SYMMETRIC_DEFAULT, is the algorithm used for symmetric CMKs. If you are using an asymmetric CMK, we recommend RSAES_OAEP_SHA_256.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Allowed Values: SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256

Parameters:

encryptionAlgorithm -

Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext message. The algorithm must be compatible with the CMK that you specify.

This parameter is required only for asymmetric CMKs. The default value, SYMMETRIC_DEFAULT, is the algorithm used for symmetric CMKs. If you are using an asymmetric CMK, we recommend RSAES_OAEP_SHA_256.

Returns:

A reference to this updated object so that method calls can be chained together.

See Also:

EncryptionAlgorithmSpec

toString

public java.lang.String toString()

Returns a string representation of this object; useful for testing and debugging.

Overrides:

toString in class java.lang.Object

Returns:

A string representation of this object.

See Also:

Object.toString()

hashCode

public int hashCode()

Overrides:

hashCode in class java.lang.Object

equals

public boolean equals(java.lang.Object obj)

Overrides:

equals in class java.lang.Object