com.amazonaws.services.kms.model

Class GenerateDataKeyRequest

java.lang.Object

com.amazonaws.AmazonWebServiceRequest

com.amazonaws.services.kms.model.GenerateDataKeyRequest

All Implemented Interfaces:

java.io.Serializable, java.lang.Cloneable

public class GenerateDataKeyRequest
extends AmazonWebServiceRequest
implements java.io.Serializable

Generates a unique symmetric data key for client-side encryption. This operation returns a plaintext copy of the data key and a copy that is encrypted under a customer master key (CMK) that you specify. You can use the plaintext key to encrypt your data outside of AWS KMS and store the encrypted data key with the encrypted data.

GenerateDataKey returns a unique data key for each request. The bytes in the plaintext key are not related to the caller or the CMK.

To generate a data key, specify the symmetric CMK that will be used to encrypt the data key. You cannot use an asymmetric CMK to generate data keys. To get the type of your CMK, use the DescribeKey operation. You must also specify the length of the data key. Use either the KeySpec or NumberOfBytes parameters (but not both). For 128-bit and 256-bit data keys, use the KeySpec parameter.

To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operation. To get a cryptographically secure random byte string, use GenerateRandom.

You can use the optional encryption context to add additional security to the encryption operation. If you specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.

How to use your data key

We recommend that you use the following pattern to encrypt data locally in your application. You can write your own code or use a client-side encryption library, such as the AWS Encryption SDK, the Amazon DynamoDB Encryption Client, or Amazon S3 client-side encryption to do these tasks for you.

To encrypt data outside of AWS KMS:

1. Use the GenerateDataKey operation to get a data key.

2. Use the plaintext data key (in the Plaintext field of the response) to encrypt your data outside of AWS KMS. Then erase the plaintext data key from memory.

3. Store the encrypted data key (in the CiphertextBlob field of the response) with the encrypted data.

To decrypt data outside of AWS KMS:

1. Use the Decrypt operation to decrypt the encrypted data key. The operation returns a plaintext copy of the data key.

2. Use the plaintext data key to decrypt data outside of AWS KMS, then erase the plaintext data key from memory.

Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:GenerateDataKey (key policy)

Related operations:

• Decrypt

• Encrypt

• GenerateDataKeyPair

• GenerateDataKeyPairWithoutPlaintext

• GenerateDataKeyWithoutPlaintext

See Also:

Serialized Form

Constructor Summary

Constructors

Constructor and Description
GenerateDataKeyRequest()

Method Summary

Modifier and Type	Method and Description
GenerateDataKeyRequest	addEncryptionContextEntry(java.lang.String key, java.lang.String value) Specifies the encryption context that will be used when encrypting the data key.
GenerateDataKeyRequest	clearEncryptionContextEntries() Removes all the entries added into EncryptionContext.
boolean	equals(java.lang.Object obj)
java.util.Map<java.lang.String,java.lang.String>	getEncryptionContext() Specifies the encryption context that will be used when encrypting the data key.
java.util.List<java.lang.String>	getGrantTokens() A list of grant tokens.
java.lang.String	getKeyId() Identifies the symmetric CMK that encrypts the data key.
java.lang.String	getKeySpec() Specifies the length of the data key.
java.lang.Integer	getNumberOfBytes() Specifies the length of the data key in bytes.
int	hashCode()
void	setEncryptionContext(java.util.Map<java.lang.String,java.lang.String> encryptionContext) Specifies the encryption context that will be used when encrypting the data key.
void	setGrantTokens(java.util.Collection<java.lang.String> grantTokens) A list of grant tokens.
void	setKeyId(java.lang.String keyId) Identifies the symmetric CMK that encrypts the data key.
void	setKeySpec(DataKeySpec keySpec) Specifies the length of the data key.
void	setKeySpec(java.lang.String keySpec) Specifies the length of the data key.
void	setNumberOfBytes(java.lang.Integer numberOfBytes) Specifies the length of the data key in bytes.
java.lang.String	toString() Returns a string representation of this object; useful for testing and debugging.
GenerateDataKeyRequest	withEncryptionContext(java.util.Map<java.lang.String,java.lang.String> encryptionContext) Specifies the encryption context that will be used when encrypting the data key.
GenerateDataKeyRequest	withGrantTokens(java.util.Collection<java.lang.String> grantTokens) A list of grant tokens.
GenerateDataKeyRequest	withGrantTokens(java.lang.String... grantTokens) A list of grant tokens.
GenerateDataKeyRequest	withKeyId(java.lang.String keyId) Identifies the symmetric CMK that encrypts the data key.
GenerateDataKeyRequest	withKeySpec(DataKeySpec keySpec) Specifies the length of the data key.
GenerateDataKeyRequest	withKeySpec(java.lang.String keySpec) Specifies the length of the data key.
GenerateDataKeyRequest	withNumberOfBytes(java.lang.Integer numberOfBytes) Specifies the length of the data key in bytes.

Methods inherited from class com.amazonaws.AmazonWebServiceRequest

clone, getCloneRoot, getCloneSource, getGeneralProgressListener, getRequestClientOptions, getRequestCredentials, getRequestMetricCollector, setGeneralProgressListener, setRequestCredentials, setRequestMetricCollector, withGeneralProgressListener, withRequestMetricCollector

Methods inherited from class java.lang.Object

getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

GenerateDataKeyRequest

public GenerateDataKeyRequest()

Method Detail

getKeyId

public java.lang.String getKeyId()

Identifies the symmetric CMK that encrypts the data key.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

Constraints:
Length: 1 - 2048

Returns:

Identifies the symmetric CMK that encrypts the data key.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

setKeyId

public void setKeyId(java.lang.String keyId)

Identifies the symmetric CMK that encrypts the data key.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

Constraints:
Length: 1 - 2048

Parameters:

keyId -

Identifies the symmetric CMK that encrypts the data key.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

withKeyId

public GenerateDataKeyRequest withKeyId(java.lang.String keyId)

Identifies the symmetric CMK that encrypts the data key.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Length: 1 - 2048

Parameters:

keyId -

Identifies the symmetric CMK that encrypts the data key.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

Returns:

A reference to this updated object so that method calls can be chained together.

getEncryptionContext

public java.util.Map<java.lang.String,java.lang.String> getEncryptionContext()

Specifies the encryption context that will be used when encrypting the data key.

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

Returns:

Specifies the encryption context that will be used when encrypting the data key.

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

setEncryptionContext

public void setEncryptionContext(java.util.Map<java.lang.String,java.lang.String> encryptionContext)

Specifies the encryption context that will be used when encrypting the data key.

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

Parameters:

encryptionContext -

Specifies the encryption context that will be used when encrypting the data key.

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

withEncryptionContext

public GenerateDataKeyRequest withEncryptionContext(java.util.Map<java.lang.String,java.lang.String> encryptionContext)

Specifies the encryption context that will be used when encrypting the data key.

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

Returns a reference to this object so that method calls can be chained together.

Parameters:

encryptionContext -

Specifies the encryption context that will be used when encrypting the data key.

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

Returns:

A reference to this updated object so that method calls can be chained together.

addEncryptionContextEntry

public GenerateDataKeyRequest addEncryptionContextEntry(java.lang.String key,
                                                        java.lang.String value)

Specifies the encryption context that will be used when encrypting the data key.

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

The method adds a new key-value pair into EncryptionContext parameter, and returns a reference to this object so that method calls can be chained together.

Parameters:

key - The key of the entry to be added into EncryptionContext.

value - The corresponding value of the entry to be added into EncryptionContext.

Returns:

A reference to this updated object so that method calls can be chained together.

clearEncryptionContextEntries

public GenerateDataKeyRequest clearEncryptionContextEntries()

Removes all the entries added into EncryptionContext.

Returns a reference to this object so that method calls can be chained together.

getNumberOfBytes

public java.lang.Integer getNumberOfBytes()

Specifies the length of the data key in bytes. For example, use the value 64 to generate a 512-bit data key (64 bytes is 512 bits). For 128-bit (16-byte) and 256-bit (32-byte) data keys, use the KeySpec parameter.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.

Constraints:
Range: 1 - 1024

Returns:

Specifies the length of the data key in bytes. For example, use the value 64 to generate a 512-bit data key (64 bytes is 512 bits). For 128-bit (16-byte) and 256-bit (32-byte) data keys, use the KeySpec parameter.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.

setNumberOfBytes

public void setNumberOfBytes(java.lang.Integer numberOfBytes)

Specifies the length of the data key in bytes. For example, use the value 64 to generate a 512-bit data key (64 bytes is 512 bits). For 128-bit (16-byte) and 256-bit (32-byte) data keys, use the KeySpec parameter.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.

Constraints:
Range: 1 - 1024

Parameters:

numberOfBytes -

Specifies the length of the data key in bytes. For example, use the value 64 to generate a 512-bit data key (64 bytes is 512 bits). For 128-bit (16-byte) and 256-bit (32-byte) data keys, use the KeySpec parameter.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.

withNumberOfBytes

public GenerateDataKeyRequest withNumberOfBytes(java.lang.Integer numberOfBytes)

Specifies the length of the data key in bytes. For example, use the value 64 to generate a 512-bit data key (64 bytes is 512 bits). For 128-bit (16-byte) and 256-bit (32-byte) data keys, use the KeySpec parameter.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Range: 1 - 1024

Parameters:

numberOfBytes -

Specifies the length of the data key in bytes. For example, use the value 64 to generate a 512-bit data key (64 bytes is 512 bits). For 128-bit (16-byte) and 256-bit (32-byte) data keys, use the KeySpec parameter.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.

Returns:

A reference to this updated object so that method calls can be chained together.

getKeySpec

public java.lang.String getKeySpec()

Specifies the length of the data key. Use AES_128 to generate a 128-bit symmetric key, or AES_256 to generate a 256-bit symmetric key.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.

Constraints:
Allowed Values: AES_256, AES_128

Returns:

Specifies the length of the data key. Use AES_128 to generate a 128-bit symmetric key, or AES_256 to generate a 256-bit symmetric key.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.

See Also:

DataKeySpec

setKeySpec

public void setKeySpec(java.lang.String keySpec)

Specifies the length of the data key. Use AES_128 to generate a 128-bit symmetric key, or AES_256 to generate a 256-bit symmetric key.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.

Constraints:
Allowed Values: AES_256, AES_128

Parameters:

keySpec -

Specifies the length of the data key. Use AES_128 to generate a 128-bit symmetric key, or AES_256 to generate a 256-bit symmetric key.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.

See Also:

DataKeySpec

withKeySpec

public GenerateDataKeyRequest withKeySpec(java.lang.String keySpec)

Specifies the length of the data key. Use AES_128 to generate a 128-bit symmetric key, or AES_256 to generate a 256-bit symmetric key.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Allowed Values: AES_256, AES_128

Parameters:

keySpec -

Specifies the length of the data key. Use AES_128 to generate a 128-bit symmetric key, or AES_256 to generate a 256-bit symmetric key.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.

Returns:

A reference to this updated object so that method calls can be chained together.

See Also:

DataKeySpec

setKeySpec

public void setKeySpec(DataKeySpec keySpec)

Specifies the length of the data key. Use AES_128 to generate a 128-bit symmetric key, or AES_256 to generate a 256-bit symmetric key.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.

Constraints:
Allowed Values: AES_256, AES_128

Parameters:

keySpec -

Specifies the length of the data key. Use AES_128 to generate a 128-bit symmetric key, or AES_256 to generate a 256-bit symmetric key.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.

See Also:

DataKeySpec

withKeySpec

public GenerateDataKeyRequest withKeySpec(DataKeySpec keySpec)

Specifies the length of the data key. Use AES_128 to generate a 128-bit symmetric key, or AES_256 to generate a 256-bit symmetric key.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Allowed Values: AES_256, AES_128

Parameters:

keySpec -

Specifies the length of the data key. Use AES_128 to generate a 128-bit symmetric key, or AES_256 to generate a 256-bit symmetric key.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.

Returns:

A reference to this updated object so that method calls can be chained together.

See Also:

DataKeySpec

getGrantTokens

public java.util.List<java.lang.String> getGrantTokens()

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Returns:

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

setGrantTokens

public void setGrantTokens(java.util.Collection<java.lang.String> grantTokens)

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Parameters:

grantTokens -

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

withGrantTokens

public GenerateDataKeyRequest withGrantTokens(java.lang.String... grantTokens)

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Returns a reference to this object so that method calls can be chained together.

Parameters:

grantTokens -

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Returns:

A reference to this updated object so that method calls can be chained together.

withGrantTokens

public GenerateDataKeyRequest withGrantTokens(java.util.Collection<java.lang.String> grantTokens)

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Returns a reference to this object so that method calls can be chained together.

Parameters:

grantTokens -

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Returns:

A reference to this updated object so that method calls can be chained together.

toString

public java.lang.String toString()

Returns a string representation of this object; useful for testing and debugging.

Overrides:

toString in class java.lang.Object

Returns:

A string representation of this object.

See Also:

Object.toString()

hashCode

public int hashCode()

Overrides:

hashCode in class java.lang.Object

equals

public boolean equals(java.lang.Object obj)

Overrides:

equals in class java.lang.Object