AWSKMSReEncryptRequest

Objective-C

@interface AWSKMSReEncryptRequest

Swift

class AWSKMSReEncryptRequest
  • Ciphertext of the data to reencrypt.

    Declaration

    Objective-C

    @property (nonatomic, strong) NSData *_Nullable ciphertextBlob;

    Swift

    var ciphertextBlob: Data? { get set }
  • Specifies the encryption algorithm that AWS KMS will use to reencrypt the data after it has decrypted it. The default value, SYMMETRIC_DEFAULT, represents the encryption algorithm used for symmetric CMKs.

    This parameter is required only when the destination CMK is an asymmetric CMK.

    Declaration

    Objective-C

    @property (nonatomic) AWSKMSEncryptionAlgorithmSpec destinationEncryptionAlgorithm;

    Swift

    var destinationEncryptionAlgorithm: AWSKMSEncryptionAlgorithmSpec { get set }
  • Specifies the encryption context to use when reencrypting the data.

    A destination encryption context is valid only when the destination CMK is a symmetric CMK. The standard ciphertext format for asymmetric CMKs does not include fields for metadata.

    An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

    For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

    Declaration

    Objective-C

    @property (nonatomic, strong) NSDictionary<NSString *, NSString *> *_Nullable destinationEncryptionContext;

    Swift

    var destinationEncryptionContext: [String : String]? { get set }
  • A unique identifier for the CMK that is used to reencrypt the data. Specify a symmetric or asymmetric CMK with a KeyUsage value of ENCRYPT_DECRYPT. To find the KeyUsage value of a CMK, use the DescribeKey operation.

    To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

    For example:

    • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

    • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

    • Alias name: alias/ExampleAlias

    • Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

    To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

    Declaration

    Objective-C

    @property (nonatomic, strong) NSString *_Nullable destinationKeyId;

    Swift

    var destinationKeyId: String? { get set }
  • A list of grant tokens.

    Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token in the AWS Key Management Service Developer Guide.

    Declaration

    Objective-C

    @property (nonatomic, strong) NSArray<NSString *> *_Nullable grantTokens;

    Swift

    var grantTokens: [String]? { get set }
  • Specifies the encryption algorithm that AWS KMS will use to decrypt the ciphertext before it is reencrypted. The default value, SYMMETRIC_DEFAULT, represents the algorithm used for symmetric CMKs.

    Specify the same algorithm that was used to encrypt the ciphertext. If you specify a different algorithm, the decrypt attempt fails.

    This parameter is required only when the ciphertext was encrypted under an asymmetric CMK.

    Declaration

    Objective-C

    @property (nonatomic) AWSKMSEncryptionAlgorithmSpec sourceEncryptionAlgorithm;

    Swift

    var sourceEncryptionAlgorithm: AWSKMSEncryptionAlgorithmSpec { get set }
  • Specifies the encryption context to use to decrypt the ciphertext. Enter the same encryption context that was used to encrypt the ciphertext.

    An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

    For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

    Declaration

    Objective-C

    @property (nonatomic, strong) NSDictionary<NSString *, NSString *> *_Nullable sourceEncryptionContext;

    Swift

    var sourceEncryptionContext: [String : String]? { get set }
  • Specifies the customer master key (CMK) that AWS KMS will use to decrypt the ciphertext before it is re-encrypted. Enter a key ID of the CMK that was used to encrypt the ciphertext.

    This parameter is required only when the ciphertext was encrypted under an asymmetric CMK. If you used a symmetric CMK, AWS KMS can get the CMK from metadata that it adds to the symmetric ciphertext blob. However, specifying the source CMK is always recommended as a best practice, because it ensures that AWS KMS decrypts with the CMK that you intend.

    To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

    For example:

    • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

    • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

    • Alias name: alias/ExampleAlias

    • Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

    To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

    Declaration

    Objective-C

    @property (nonatomic, strong) NSString *_Nullable sourceKeyId;

    Swift

    var sourceKeyId: String? { get set }
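
The properties above, combined into one request that moves a symmetric ciphertext to a new symmetric CMK while pinning the source CMK and carrying the encryption context on both sides. This is an added example, not code from the SDK or its documentation: the helper name `BuildReEncryptRequest`, the error domain, and the sample context are hypothetical, and the enum case name is the SDK's Objective-C spelling of SYMMETRIC_DEFAULT.

```objective-c
#import <Foundation/Foundation.h>
#import <AWSKMS/AWSKMS.h>

// Hypothetical helper (not part of the SDK). Returns nil and sets *error
// when an input required by this policy is missing.
static AWSKMSReEncryptRequest *BuildReEncryptRequest(
        NSData *ciphertext,
        NSString *sourceKeyArn,
        NSString *destinationKeyArn,
        NSDictionary<NSString *, NSString *> *context,
        NSError **error) {
    // KMS can read the source CMK from symmetric ciphertext metadata, but
    // this helper insists on an explicit source key so a blob encrypted
    // under an unexpected CMK is rejected instead of silently decrypted.
    if (ciphertext.length == 0 || sourceKeyArn.length == 0 ||
        destinationKeyArn.length == 0) {
        if (error) {
            *error = [NSError errorWithDomain:@"ExampleReEncrypt" // assumed domain
                                         code:1
                                     userInfo:@{NSLocalizedDescriptionKey:
                @"ciphertext, source key and destination key are all required"}];
        }
        return nil;
    }

    AWSKMSReEncryptRequest *request = [AWSKMSReEncryptRequest new];
    request.ciphertextBlob = ciphertext;

    // Decrypt side: must match how the blob was encrypted. The context is
    // an exact, case-sensitive match or the decrypt step fails.
    request.sourceKeyId = sourceKeyArn;
    request.sourceEncryptionAlgorithm = AWSKMSEncryptionAlgorithmSpecSymmetricDefault;
    request.sourceEncryptionContext = context;

    // Encrypt side: a destination context is valid only for a symmetric
    // destination CMK, which is what this helper assumes. Reusing the same
    // context keeps the new ciphertext bound to the same metadata.
    request.destinationKeyId = destinationKeyArn;
    request.destinationEncryptionAlgorithm = AWSKMSEncryptionAlgorithmSpecSymmetricDefault;
    request.destinationEncryptionContext = context;
    return request;
}

// Constructed usage with the documentation's example identifiers:
//   BuildReEncryptRequest(blob,
//       @"arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
//       @"arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias",
//       @{@"purpose": @"example"}, &error);
```

Key ARNs are used rather than bare key IDs or alias names so the same call also works when either CMK lives in a different AWS account.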