com.amazonaws.services.kms.model

Class GenerateDataKeyRequest

java.lang.Object

com.amazonaws.AmazonWebServiceRequest

com.amazonaws.services.kms.model.GenerateDataKeyRequest

All Implemented Interfaces:

ReadLimitInfo, Serializable, Cloneable

public class GenerateDataKeyRequest
extends AmazonWebServiceRequest
implements Serializable, Cloneable

Container for the parameters to the GenerateDataKey operation.

Generates a data key that you can use in your application to locally encrypt data. This call returns a plaintext version of the key in the Plaintext field of the response object and an encrypted copy of the key in the CiphertextBlob field. The key is encrypted by using the master key specified by the KeyId field. To decrypt the encrypted key, pass it to the Decrypt API.

We recommend that you use the following pattern to locally encrypt data: call the GenerateDataKey API, use the key returned in the Plaintext response field to locally encrypt data, and then erase the plaintext data key from memory. Store the encrypted data key (contained in the CiphertextBlob field) alongside of the locally encrypted data.

NOTE:You should not call the Encrypt function to re-encrypt your data keys within a region. GenerateDataKey always returns the data key encrypted and tied to the customer master key that will be used to decrypt it. There is no need to decrypt it twice.

If you decide to use the optional EncryptionContext parameter, you must also store the context in full or at least store enough information along with the encrypted data to be able to reconstruct the context when submitting the ciphertext to the Decrypt API. It is a good practice to choose a context that you can reconstruct on the fly to better secure the ciphertext. For more information about how this parameter is used, see Encryption Context .

To decrypt data, pass the encrypted data key to the Decrypt API. Decrypt uses the associated master key to decrypt the encrypted data key and returns it as plaintext. Use the plaintext data key to locally decrypt your data and then erase the key from memory. You must specify the encryption context, if any, that you specified when you generated the key. The encryption context is logged by CloudTrail, and you can use this log to help track the use of particular data.

See Also:

AWSKMS.generateDataKey(GenerateDataKeyRequest), Serialized Form

Field Summary

Fields inherited from class com.amazonaws.AmazonWebServiceRequest

NOOP

Constructor Summary

Constructors

Constructor and Description
GenerateDataKeyRequest()

Method Summary

Methods

Modifier and Type	Method and Description
GenerateDataKeyRequest	addEncryptionContextEntry(String key, String value) Name/value pair that contains additional data to be authenticated during the encryption and decryption processes that use the key.
GenerateDataKeyRequest	clearEncryptionContextEntries() Removes all the entries added into EncryptionContext.
GenerateDataKeyRequest	clone() Creates a shallow clone of this request.
boolean	equals(Object obj)
Map<String,String>	getEncryptionContext() Name/value pair that contains additional data to be authenticated during the encryption and decryption processes that use the key.
List<String>	getGrantTokens() For more information, see Grant Tokens.
String	getKeyId() A unique identifier for the customer master key.
String	getKeySpec() Value that identifies the encryption algorithm and key size to generate a data key for.
Integer	getNumberOfBytes() Integer that contains the number of bytes to generate.
int	hashCode()
void	setEncryptionContext(Map<String,String> encryptionContext) Name/value pair that contains additional data to be authenticated during the encryption and decryption processes that use the key.
void	setGrantTokens(Collection<String> grantTokens) For more information, see Grant Tokens.
void	setKeyId(String keyId) A unique identifier for the customer master key.
void	setKeySpec(DataKeySpec keySpec) Value that identifies the encryption algorithm and key size to generate a data key for.
void	setKeySpec(String keySpec) Value that identifies the encryption algorithm and key size to generate a data key for.
void	setNumberOfBytes(Integer numberOfBytes) Integer that contains the number of bytes to generate.
String	toString() Returns a string representation of this object; useful for testing and debugging.
GenerateDataKeyRequest	withEncryptionContext(Map<String,String> encryptionContext) Name/value pair that contains additional data to be authenticated during the encryption and decryption processes that use the key.
GenerateDataKeyRequest	withGrantTokens(Collection<String> grantTokens) For more information, see Grant Tokens.
GenerateDataKeyRequest	withGrantTokens(String... grantTokens) For more information, see Grant Tokens.
GenerateDataKeyRequest	withKeyId(String keyId) A unique identifier for the customer master key.
GenerateDataKeyRequest	withKeySpec(DataKeySpec keySpec) Value that identifies the encryption algorithm and key size to generate a data key for.
GenerateDataKeyRequest	withKeySpec(String keySpec) Value that identifies the encryption algorithm and key size to generate a data key for.
GenerateDataKeyRequest	withNumberOfBytes(Integer numberOfBytes) Integer that contains the number of bytes to generate.

Methods inherited from class com.amazonaws.AmazonWebServiceRequest

copyBaseTo, getCustomRequestHeaders, getGeneralProgressListener, getReadLimit, getRequestClientOptions, getRequestCredentials, getRequestMetricCollector, putCustomRequestHeader, setGeneralProgressListener, setRequestCredentials, setRequestMetricCollector, withGeneralProgressListener, withRequestMetricCollector

Methods inherited from class java.lang.Object

finalize, getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

GenerateDataKeyRequest

public GenerateDataKeyRequest()

Method Detail

getKeyId

public String getKeyId()

A unique identifier for the customer master key. This value can be a globally unique identifier, a fully specified ARN to either an alias or a key, or an alias name prefixed by "alias/".

• Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
• Alias ARN Example - arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
• Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
• Alias Name Example - alias/MyAliasName

Constraints:
Length: 1 - 256

Returns:

A unique identifier for the customer master key. This value can be a globally unique identifier, a fully specified ARN to either an alias or a key, or an alias name prefixed by "alias/".

• Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
• Alias ARN Example - arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
• Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
• Alias Name Example - alias/MyAliasName

setKeyId

public void setKeyId(String keyId)

A unique identifier for the customer master key. This value can be a globally unique identifier, a fully specified ARN to either an alias or a key, or an alias name prefixed by "alias/".

• Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
• Alias ARN Example - arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
• Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
• Alias Name Example - alias/MyAliasName

Constraints:
Length: 1 - 256

Parameters:

keyId - A unique identifier for the customer master key. This value can be a globally unique identifier, a fully specified ARN to either an alias or a key, or an alias name prefixed by "alias/".

• Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
• Alias ARN Example - arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
• Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
• Alias Name Example - alias/MyAliasName

withKeyId

public GenerateDataKeyRequest withKeyId(String keyId)

A unique identifier for the customer master key. This value can be a globally unique identifier, a fully specified ARN to either an alias or a key, or an alias name prefixed by "alias/".

• Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
• Alias ARN Example - arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
• Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
• Alias Name Example - alias/MyAliasName

Returns a reference to this object so that method calls can be chained together.

Constraints:
Length: 1 - 256

Parameters:

keyId - A unique identifier for the customer master key. This value can be a globally unique identifier, a fully specified ARN to either an alias or a key, or an alias name prefixed by "alias/".

• Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
• Alias ARN Example - arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
• Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
• Alias Name Example - alias/MyAliasName

Returns:

A reference to this updated object so that method calls can be chained together.

getEncryptionContext

public Map<String,String> getEncryptionContext()

Name/value pair that contains additional data to be authenticated during the encryption and decryption processes that use the key. This value is logged by AWS CloudTrail to provide context around the data encrypted by the key.

Returns:

Name/value pair that contains additional data to be authenticated during the encryption and decryption processes that use the key. This value is logged by AWS CloudTrail to provide context around the data encrypted by the key.

setEncryptionContext

public void setEncryptionContext(Map<String,String> encryptionContext)

Name/value pair that contains additional data to be authenticated during the encryption and decryption processes that use the key. This value is logged by AWS CloudTrail to provide context around the data encrypted by the key.

Parameters:

encryptionContext - Name/value pair that contains additional data to be authenticated during the encryption and decryption processes that use the key. This value is logged by AWS CloudTrail to provide context around the data encrypted by the key.

withEncryptionContext

public GenerateDataKeyRequest withEncryptionContext(Map<String,String> encryptionContext)

Name/value pair that contains additional data to be authenticated during the encryption and decryption processes that use the key. This value is logged by AWS CloudTrail to provide context around the data encrypted by the key.

Returns a reference to this object so that method calls can be chained together.

Parameters:

encryptionContext - Name/value pair that contains additional data to be authenticated during the encryption and decryption processes that use the key. This value is logged by AWS CloudTrail to provide context around the data encrypted by the key.

Returns:

A reference to this updated object so that method calls can be chained together.

addEncryptionContextEntry

public GenerateDataKeyRequest addEncryptionContextEntry(String key,
                                               String value)

Name/value pair that contains additional data to be authenticated during the encryption and decryption processes that use the key. This value is logged by AWS CloudTrail to provide context around the data encrypted by the key.

The method adds a new key-value pair into EncryptionContext parameter, and returns a reference to this object so that method calls can be chained together.

Parameters:

key - The key of the entry to be added into EncryptionContext.

value - The corresponding value of the entry to be added into EncryptionContext.

clearEncryptionContextEntries

public GenerateDataKeyRequest clearEncryptionContextEntries()

Removes all the entries added into EncryptionContext.

Returns a reference to this object so that method calls can be chained together.

getNumberOfBytes

public Integer getNumberOfBytes()

Integer that contains the number of bytes to generate. Common values are 128, 256, 512, and 1024. 1024 is the current limit. We recommend that you use the KeySpec parameter instead.

Constraints:
Range: 1 - 1024

Returns:

Integer that contains the number of bytes to generate. Common values are 128, 256, 512, and 1024. 1024 is the current limit. We recommend that you use the KeySpec parameter instead.

setNumberOfBytes

public void setNumberOfBytes(Integer numberOfBytes)

Integer that contains the number of bytes to generate. Common values are 128, 256, 512, and 1024. 1024 is the current limit. We recommend that you use the KeySpec parameter instead.

Constraints:
Range: 1 - 1024

Parameters:

numberOfBytes - Integer that contains the number of bytes to generate. Common values are 128, 256, 512, and 1024. 1024 is the current limit. We recommend that you use the KeySpec parameter instead.

withNumberOfBytes

public GenerateDataKeyRequest withNumberOfBytes(Integer numberOfBytes)

Integer that contains the number of bytes to generate. Common values are 128, 256, 512, and 1024. 1024 is the current limit. We recommend that you use the KeySpec parameter instead.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Range: 1 - 1024

Parameters:

numberOfBytes - Integer that contains the number of bytes to generate. Common values are 128, 256, 512, and 1024. 1024 is the current limit. We recommend that you use the KeySpec parameter instead.

Returns:

A reference to this updated object so that method calls can be chained together.

getKeySpec

public String getKeySpec()

Value that identifies the encryption algorithm and key size to generate a data key for. Currently this can be AES_128 or AES_256.

Constraints:
Allowed Values: AES_256, AES_128

Returns:

Value that identifies the encryption algorithm and key size to generate a data key for. Currently this can be AES_128 or AES_256.

See Also:

DataKeySpec

setKeySpec

public void setKeySpec(String keySpec)

Value that identifies the encryption algorithm and key size to generate a data key for. Currently this can be AES_128 or AES_256.

Constraints:
Allowed Values: AES_256, AES_128

Parameters:

keySpec - Value that identifies the encryption algorithm and key size to generate a data key for. Currently this can be AES_128 or AES_256.

See Also:

DataKeySpec

withKeySpec

public GenerateDataKeyRequest withKeySpec(String keySpec)

Value that identifies the encryption algorithm and key size to generate a data key for. Currently this can be AES_128 or AES_256.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Allowed Values: AES_256, AES_128

Parameters:

keySpec - Value that identifies the encryption algorithm and key size to generate a data key for. Currently this can be AES_128 or AES_256.

Returns:

A reference to this updated object so that method calls can be chained together.

See Also:

DataKeySpec

setKeySpec

public void setKeySpec(DataKeySpec keySpec)

Value that identifies the encryption algorithm and key size to generate a data key for. Currently this can be AES_128 or AES_256.

Constraints:
Allowed Values: AES_256, AES_128

Parameters:

keySpec - Value that identifies the encryption algorithm and key size to generate a data key for. Currently this can be AES_128 or AES_256.

See Also:

DataKeySpec

withKeySpec

public GenerateDataKeyRequest withKeySpec(DataKeySpec keySpec)

Value that identifies the encryption algorithm and key size to generate a data key for. Currently this can be AES_128 or AES_256.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Allowed Values: AES_256, AES_128

Parameters:

keySpec - Value that identifies the encryption algorithm and key size to generate a data key for. Currently this can be AES_128 or AES_256.

Returns:

A reference to this updated object so that method calls can be chained together.

See Also:

DataKeySpec

getGrantTokens

public List<String> getGrantTokens()

For more information, see Grant Tokens.

Constraints:
Length: 0 - 10

Returns:

For more information, see Grant Tokens.

setGrantTokens

public void setGrantTokens(Collection<String> grantTokens)

For more information, see Grant Tokens.

Constraints:
Length: 0 - 10

Parameters:

grantTokens - For more information, see Grant Tokens.

withGrantTokens

public GenerateDataKeyRequest withGrantTokens(String... grantTokens)

For more information, see Grant Tokens.

NOTE: This method appends the values to the existing list (if any). Use setGrantTokens(java.util.Collection) or withGrantTokens(java.util.Collection) if you want to override the existing values.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Length: 0 - 10

Parameters:

grantTokens - For more information, see Grant Tokens.

Returns:

A reference to this updated object so that method calls can be chained together.

withGrantTokens

public GenerateDataKeyRequest withGrantTokens(Collection<String> grantTokens)

For more information, see Grant Tokens.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Length: 0 - 10

Parameters:

grantTokens - For more information, see Grant Tokens.

Returns:

A reference to this updated object so that method calls can be chained together.

toString

public String toString()

Returns a string representation of this object; useful for testing and debugging.

Overrides:

toString in class Object

Returns:

A string representation of this object.

See Also:

Object.toString()

hashCode

public int hashCode()

Overrides:

hashCode in class Object

equals

public boolean equals(Object obj)

Overrides:

equals in class Object

clone

public GenerateDataKeyRequest clone()

Description copied from class: AmazonWebServiceRequest

Creates a shallow clone of this request. Explicitly does not clone the deep structure of the request object.

Overrides:

clone in class AmazonWebServiceRequest

See Also:

Object.clone()