* Decrypts ciphertext that was encrypted by a KMS key using any of the * following operations: *
** Encrypt *
** GenerateDataKey *
** You can use this operation to decrypt ciphertext that was encrypted under a * symmetric encryption KMS key or an asymmetric encryption KMS key. When the * KMS key is asymmetric, you must specify the KMS key and the encryption * algorithm that was used to encrypt the ciphertext. For information about * asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer * Guide. *
*
* The Decrypt operation also decrypts ciphertext that was
* encrypted outside of KMS by the public key in an KMS asymmetric KMS key.
* However, it cannot decrypt symmetric ciphertext produced by other libraries,
* such as the Amazon Web Services Encryption SDK or Amazon S3 client-side encryption. These libraries return a ciphertext
* format that is incompatible with KMS.
*
* If the ciphertext was encrypted under a symmetric encryption KMS key, the
* KeyId parameter is optional. KMS can get this information from
* metadata that it adds to the symmetric ciphertext blob. This feature adds
* durability to your implementation by ensuring that authorized users can
* decrypt ciphertext decades after it was encrypted, even if they've lost track
* of the key ID. However, specifying the KMS key is always recommended as a
* best practice. When you use the KeyId parameter to specify a KMS
* key, KMS only uses the KMS key you specify. If the ciphertext was encrypted
* under a different KMS key, the Decrypt operation fails. This
* practice ensures that you use the KMS key that you intend.
*
* Whenever possible, use key policies to give users permission to call the
* Decrypt operation on a particular KMS key, instead of using
* &IAM; policies. Otherwise, you might create an &IAM; policy that
* gives the user Decrypt permission on all KMS keys. This user
* could decrypt ciphertext that was encrypted by KMS keys in other accounts if
* the key policy for the cross-account KMS key permits it. If you must use an
* IAM policy for Decrypt permissions, limit the user to particular
* KMS keys or particular trusted accounts. For details, see Best practices for IAM policies in the Key Management Service
* Developer Guide.
*
* Decrypt also supports Amazon Web Services Nitro Enclaves, which provide an isolated compute
* environment in Amazon EC2. To call Decrypt for a Nitro enclave,
* use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
* Use the Recipient parameter to provide the attestation document
* for the enclave. Instead of the plaintext data, the response includes the
* plaintext data encrypted with the public key from the attestation document (
* CiphertextForRecipient).For information about the interaction
* between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management
* Service Developer Guide..
*
* The KMS key that you use for this operation must be in a compatible key * state. For details, see Key states of KMS keys in the Key Management Service Developer * Guide. *
*
* Cross-account use: Yes. If you use the KeyId parameter to
* identify a KMS key in a different Amazon Web Services account, specify the
* key ARN or the alias ARN of the KMS key.
*
* Required permissions: kms:Decrypt (key policy) *
** Related operations: *
** Encrypt *
** GenerateDataKey *
** ReEncrypt *
** Ciphertext to be decrypted. The blob includes metadata. *
*
* Constraints:
* Length: 1 - 6144
*/
private java.nio.ByteBuffer ciphertextBlob;
/**
*
* Specifies the encryption context to use when decrypting the data. An * encryption context is valid only for cryptographic operations with a symmetric encryption KMS key. The * standard asymmetric encryption algorithms and HMAC algorithms that KMS * uses do not support an encryption context. *
** An encryption context is a collection of non-secret key-value * pairs that represent additional authenticated data. When you use an * encryption context to encrypt data, you must specify the same (an exact * case-sensitive match) encryption context to decrypt the data. An * encryption context is supported only on operations with symmetric * encryption KMS keys. On operations with symmetric encryption KMS keys, an * encryption context is optional, but it is strongly recommended. *
** For more information, see Encryption context in the Key Management Service Developer * Guide. *
*/ private java.util.Map* A list of grant tokens. *
** Use a grant token when your permission to call this operation comes from * a new grant that has not yet achieved eventual consistency. For * more information, see Grant token and Using a grant token in the Key Management Service Developer * Guide. *
*/ private java.util.List* Specifies the KMS key that KMS uses to decrypt the ciphertext. *
*
* Enter a key ID of the KMS key that was used to encrypt the ciphertext. If
* you identify a different KMS key, the Decrypt operation
* throws an IncorrectKeyException.
*
* This parameter is required only when the ciphertext was encrypted under * an asymmetric KMS key. If you used a symmetric encryption KMS key, KMS * can get the KMS key from metadata that it adds to the symmetric * ciphertext blob. However, it is always recommended as a best practice. * This practice ensures that you use the KMS key that you intend. *
*
* To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
* When using an alias name, prefix it with "alias/". To
* specify a KMS key in a different Amazon Web Services account, you must
* use the key ARN or alias ARN.
*
* For example: *
*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
*
* Key ARN:
* arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
*
* Alias name: alias/ExampleAlias
*
* Alias ARN:
* arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
*
* To get the key ID and key ARN for a KMS key, use ListKeys or * DescribeKey. To get the alias name and alias ARN, use * ListAliases. *
*
* Constraints:
* Length: 1 - 2048
*/
private String keyId;
/**
*
* Specifies the encryption algorithm that will be used to decrypt the
* ciphertext. Specify the same algorithm that was used to encrypt the data.
* If you specify a different algorithm, the Decrypt operation
* fails.
*
* This parameter is required only when the ciphertext was encrypted under
* an asymmetric KMS key. The default value, SYMMETRIC_DEFAULT,
* represents the only supported algorithm that is valid for symmetric
* encryption KMS keys.
*
* Constraints:
* Allowed Values: SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1,
* RSAES_OAEP_SHA_256, SM2PKE
*/
private String encryptionAlgorithm;
/**
*
* A signed attestation document from an Amazon Web Services Nitro enclave and
* the encryption algorithm to use with the enclave's public key. The only
* valid encryption algorithm is RSAES_OAEP_SHA_256.
*
* This parameter only supports attestation documents for Amazon Web * Services Nitro Enclaves. To include this parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services * SDK. *
*
* When you use this parameter, instead of returning the plaintext data, KMS
* encrypts the plaintext data with the public key in the attestation
* document, and returns the resulting ciphertext in the
* CiphertextForRecipient field in the response. This
* ciphertext can be decrypted only with the private key in the enclave. The
* Plaintext field in the response is null or empty.
*
* For information about the interaction between KMS and Amazon Web Services * Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key * Management Service Developer Guide. *
*/ private RecipientInfo recipient; /** *
* Checks if your request will succeed. DryRun is an optional
* parameter.
*
* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service * Developer Guide. *
*/ private Boolean dryRun; /** ** Ciphertext to be decrypted. The blob includes metadata. *
*
* Constraints:
* Length: 1 - 6144
*
* @return
* Ciphertext to be decrypted. The blob includes metadata. *
*/ public java.nio.ByteBuffer getCiphertextBlob() { return ciphertextBlob; } /** ** Ciphertext to be decrypted. The blob includes metadata. *
*
* Constraints:
* Length: 1 - 6144
*
* @param ciphertextBlob
* Ciphertext to be decrypted. The blob includes metadata. *
*/ public void setCiphertextBlob(java.nio.ByteBuffer ciphertextBlob) { this.ciphertextBlob = ciphertextBlob; } /** ** Ciphertext to be decrypted. The blob includes metadata. *
** Returns a reference to this object so that method calls can be chained * together. *
* Constraints:
* Length: 1 - 6144
*
* @param ciphertextBlob
* Ciphertext to be decrypted. The blob includes metadata. *
* @return A reference to this updated object so that method calls can be * chained together. */ public DecryptRequest withCiphertextBlob(java.nio.ByteBuffer ciphertextBlob) { this.ciphertextBlob = ciphertextBlob; return this; } /** ** Specifies the encryption context to use when decrypting the data. An * encryption context is valid only for cryptographic operations with a symmetric encryption KMS key. The * standard asymmetric encryption algorithms and HMAC algorithms that KMS * uses do not support an encryption context. *
** An encryption context is a collection of non-secret key-value * pairs that represent additional authenticated data. When you use an * encryption context to encrypt data, you must specify the same (an exact * case-sensitive match) encryption context to decrypt the data. An * encryption context is supported only on operations with symmetric * encryption KMS keys. On operations with symmetric encryption KMS keys, an * encryption context is optional, but it is strongly recommended. *
** For more information, see Encryption context in the Key Management Service Developer * Guide. *
* * @return* Specifies the encryption context to use when decrypting the data. * An encryption context is valid only for cryptographic operations with a symmetric encryption KMS * key. The standard asymmetric encryption algorithms and HMAC * algorithms that KMS uses do not support an encryption context. *
** An encryption context is a collection of non-secret * key-value pairs that represent additional authenticated data. * When you use an encryption context to encrypt data, you must * specify the same (an exact case-sensitive match) encryption * context to decrypt the data. An encryption context is supported * only on operations with symmetric encryption KMS keys. On * operations with symmetric encryption KMS keys, an encryption * context is optional, but it is strongly recommended. *
** For more information, see Encryption context in the Key Management Service * Developer Guide. *
*/ public java.util.Map* Specifies the encryption context to use when decrypting the data. An * encryption context is valid only for cryptographic operations with a symmetric encryption KMS key. The * standard asymmetric encryption algorithms and HMAC algorithms that KMS * uses do not support an encryption context. *
** An encryption context is a collection of non-secret key-value * pairs that represent additional authenticated data. When you use an * encryption context to encrypt data, you must specify the same (an exact * case-sensitive match) encryption context to decrypt the data. An * encryption context is supported only on operations with symmetric * encryption KMS keys. On operations with symmetric encryption KMS keys, an * encryption context is optional, but it is strongly recommended. *
** For more information, see Encryption context in the Key Management Service Developer * Guide. *
* * @param encryptionContext* Specifies the encryption context to use when decrypting the * data. An encryption context is valid only for cryptographic operations with a symmetric encryption KMS * key. The standard asymmetric encryption algorithms and HMAC * algorithms that KMS uses do not support an encryption context. *
** An encryption context is a collection of non-secret * key-value pairs that represent additional authenticated data. * When you use an encryption context to encrypt data, you must * specify the same (an exact case-sensitive match) encryption * context to decrypt the data. An encryption context is * supported only on operations with symmetric encryption KMS * keys. On operations with symmetric encryption KMS keys, an * encryption context is optional, but it is strongly * recommended. *
** For more information, see Encryption context in the Key Management Service * Developer Guide. *
*/ public void setEncryptionContext(java.util.Map* Specifies the encryption context to use when decrypting the data. An * encryption context is valid only for cryptographic operations with a symmetric encryption KMS key. The * standard asymmetric encryption algorithms and HMAC algorithms that KMS * uses do not support an encryption context. *
** An encryption context is a collection of non-secret key-value * pairs that represent additional authenticated data. When you use an * encryption context to encrypt data, you must specify the same (an exact * case-sensitive match) encryption context to decrypt the data. An * encryption context is supported only on operations with symmetric * encryption KMS keys. On operations with symmetric encryption KMS keys, an * encryption context is optional, but it is strongly recommended. *
** For more information, see Encryption context in the Key Management Service Developer * Guide. *
** Returns a reference to this object so that method calls can be chained * together. * * @param encryptionContext
* Specifies the encryption context to use when decrypting the * data. An encryption context is valid only for cryptographic operations with a symmetric encryption KMS * key. The standard asymmetric encryption algorithms and HMAC * algorithms that KMS uses do not support an encryption context. *
** An encryption context is a collection of non-secret * key-value pairs that represent additional authenticated data. * When you use an encryption context to encrypt data, you must * specify the same (an exact case-sensitive match) encryption * context to decrypt the data. An encryption context is * supported only on operations with symmetric encryption KMS * keys. On operations with symmetric encryption KMS keys, an * encryption context is optional, but it is strongly * recommended. *
** For more information, see Encryption context in the Key Management Service * Developer Guide. *
* @return A reference to this updated object so that method calls can be * chained together. */ public DecryptRequest withEncryptionContext(java.util.Map* Specifies the encryption context to use when decrypting the data. An * encryption context is valid only for cryptographic operations with a symmetric encryption KMS key. The * standard asymmetric encryption algorithms and HMAC algorithms that KMS * uses do not support an encryption context. *
** An encryption context is a collection of non-secret key-value * pairs that represent additional authenticated data. When you use an * encryption context to encrypt data, you must specify the same (an exact * case-sensitive match) encryption context to decrypt the data. An * encryption context is supported only on operations with symmetric * encryption KMS keys. On operations with symmetric encryption KMS keys, an * encryption context is optional, but it is strongly recommended. *
** For more information, see Encryption context in the Key Management Service Developer * Guide. *
*
* The method adds a new key-value pair into EncryptionContext parameter,
* and returns a reference to this object so that method calls can be
* chained together.
*
* @param key The key of the entry to be added into EncryptionContext.
* @param value The corresponding value of the entry to be added into
* EncryptionContext.
* @return A reference to this updated object so that method calls can be
* chained together.
*/
public DecryptRequest addEncryptionContextEntry(String key, String value) {
if (null == this.encryptionContext) {
this.encryptionContext = new java.util.HashMap
* Returns a reference to this object so that method calls can be chained
* together.
*/
public DecryptRequest clearEncryptionContextEntries() {
this.encryptionContext = null;
return this;
}
/**
*
* A list of grant tokens.
*
* Use a grant token when your permission to call this operation comes from
* a new grant that has not yet achieved eventual consistency. For
* more information, see Grant token and Using a grant token in the Key Management Service Developer
* Guide.
*
* A list of grant tokens.
*
* Use a grant token when your permission to call this operation
* comes from a new grant that has not yet achieved eventual
* consistency. For more information, see Grant token and Using a grant token in the Key Management Service
* Developer Guide.
*
* A list of grant tokens.
*
* Use a grant token when your permission to call this operation comes from
* a new grant that has not yet achieved eventual consistency. For
* more information, see Grant token and Using a grant token in the Key Management Service Developer
* Guide.
*
* A list of grant tokens.
*
* Use a grant token when your permission to call this operation
* comes from a new grant that has not yet achieved eventual
* consistency. For more information, see Grant token and Using a grant token in the Key Management Service
* Developer Guide.
*
* A list of grant tokens.
*
* Use a grant token when your permission to call this operation comes from
* a new grant that has not yet achieved eventual consistency. For
* more information, see Grant token and Using a grant token in the Key Management Service Developer
* Guide.
*
* Returns a reference to this object so that method calls can be chained
* together.
*
* @param grantTokens
* A list of grant tokens.
*
* Use a grant token when your permission to call this operation
* comes from a new grant that has not yet achieved eventual
* consistency. For more information, see Grant token and Using a grant token in the Key Management Service
* Developer Guide.
*
* A list of grant tokens.
*
* Use a grant token when your permission to call this operation comes from
* a new grant that has not yet achieved eventual consistency. For
* more information, see Grant token and Using a grant token in the Key Management Service Developer
* Guide.
*
* Returns a reference to this object so that method calls can be chained
* together.
*
* @param grantTokens
* A list of grant tokens.
*
* Use a grant token when your permission to call this operation
* comes from a new grant that has not yet achieved eventual
* consistency. For more information, see Grant token and Using a grant token in the Key Management Service
* Developer Guide.
*
* Specifies the KMS key that KMS uses to decrypt the ciphertext.
*
* Enter a key ID of the KMS key that was used to encrypt the ciphertext. If
* you identify a different KMS key, the
* This parameter is required only when the ciphertext was encrypted under
* an asymmetric KMS key. If you used a symmetric encryption KMS key, KMS
* can get the KMS key from metadata that it adds to the symmetric
* ciphertext blob. However, it is always recommended as a best practice.
* This practice ensures that you use the KMS key that you intend.
*
* To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
* When using an alias name, prefix it with
* For example:
*
* Key ID:
* Key ARN:
*
* Alias name:
* Alias ARN:
*
* To get the key ID and key ARN for a KMS key, use ListKeys or
* DescribeKey. To get the alias name and alias ARN, use
* ListAliases.
*
* Constraints:
* Specifies the KMS key that KMS uses to decrypt the ciphertext.
*
* Enter a key ID of the KMS key that was used to encrypt the
* ciphertext. If you identify a different KMS key, the
*
* This parameter is required only when the ciphertext was encrypted
* under an asymmetric KMS key. If you used a symmetric encryption
* KMS key, KMS can get the KMS key from metadata that it adds to
* the symmetric ciphertext blob. However, it is always recommended
* as a best practice. This practice ensures that you use the KMS
* key that you intend.
*
* To specify a KMS key, use its key ID, key ARN, alias name, or
* alias ARN. When using an alias name, prefix it with
*
* For example:
*
* Key ID:
* Key ARN:
*
* Alias name:
* Alias ARN:
*
* To get the key ID and key ARN for a KMS key, use ListKeys
* or DescribeKey. To get the alias name and alias ARN, use
* ListAliases.
*
* Specifies the KMS key that KMS uses to decrypt the ciphertext.
*
* Enter a key ID of the KMS key that was used to encrypt the ciphertext. If
* you identify a different KMS key, the
* This parameter is required only when the ciphertext was encrypted under
* an asymmetric KMS key. If you used a symmetric encryption KMS key, KMS
* can get the KMS key from metadata that it adds to the symmetric
* ciphertext blob. However, it is always recommended as a best practice.
* This practice ensures that you use the KMS key that you intend.
*
* To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
* When using an alias name, prefix it with
* For example:
*
* Key ID:
* Key ARN:
*
* Alias name:
* Alias ARN:
*
* To get the key ID and key ARN for a KMS key, use ListKeys or
* DescribeKey. To get the alias name and alias ARN, use
* ListAliases.
*
* Constraints:
* Specifies the KMS key that KMS uses to decrypt the ciphertext.
*
* Enter a key ID of the KMS key that was used to encrypt the
* ciphertext. If you identify a different KMS key, the
*
* This parameter is required only when the ciphertext was
* encrypted under an asymmetric KMS key. If you used a symmetric
* encryption KMS key, KMS can get the KMS key from metadata that
* it adds to the symmetric ciphertext blob. However, it is
* always recommended as a best practice. This practice ensures
* that you use the KMS key that you intend.
*
* To specify a KMS key, use its key ID, key ARN, alias name, or
* alias ARN. When using an alias name, prefix it with
*
* For example:
*
* Key ID:
* Key ARN:
*
* Alias name:
* Alias ARN:
*
* To get the key ID and key ARN for a KMS key, use
* ListKeys or DescribeKey. To get the alias name
* and alias ARN, use ListAliases.
*
* Specifies the KMS key that KMS uses to decrypt the ciphertext.
*
* Enter a key ID of the KMS key that was used to encrypt the ciphertext. If
* you identify a different KMS key, the
* This parameter is required only when the ciphertext was encrypted under
* an asymmetric KMS key. If you used a symmetric encryption KMS key, KMS
* can get the KMS key from metadata that it adds to the symmetric
* ciphertext blob. However, it is always recommended as a best practice.
* This practice ensures that you use the KMS key that you intend.
*
* To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
* When using an alias name, prefix it with
* For example:
*
* Key ID:
* Key ARN:
*
* Alias name:
* Alias ARN:
*
* To get the key ID and key ARN for a KMS key, use ListKeys or
* DescribeKey. To get the alias name and alias ARN, use
* ListAliases.
*
* Returns a reference to this object so that method calls can be chained
* together.
*
* Constraints:
* Specifies the KMS key that KMS uses to decrypt the ciphertext.
*
* Enter a key ID of the KMS key that was used to encrypt the
* ciphertext. If you identify a different KMS key, the
*
* This parameter is required only when the ciphertext was
* encrypted under an asymmetric KMS key. If you used a symmetric
* encryption KMS key, KMS can get the KMS key from metadata that
* it adds to the symmetric ciphertext blob. However, it is
* always recommended as a best practice. This practice ensures
* that you use the KMS key that you intend.
*
* To specify a KMS key, use its key ID, key ARN, alias name, or
* alias ARN. When using an alias name, prefix it with
*
* For example:
*
* Key ID:
* Key ARN:
*
* Alias name:
* Alias ARN:
*
* To get the key ID and key ARN for a KMS key, use
* ListKeys or DescribeKey. To get the alias name
* and alias ARN, use ListAliases.
*
* Specifies the encryption algorithm that will be used to decrypt the
* ciphertext. Specify the same algorithm that was used to encrypt the data.
* If you specify a different algorithm, the
* This parameter is required only when the ciphertext was encrypted under
* an asymmetric KMS key. The default value,
* Constraints:
* Specifies the encryption algorithm that will be used to decrypt
* the ciphertext. Specify the same algorithm that was used to
* encrypt the data. If you specify a different algorithm, the
*
* This parameter is required only when the ciphertext was encrypted
* under an asymmetric KMS key. The default value,
*
* Specifies the encryption algorithm that will be used to decrypt the
* ciphertext. Specify the same algorithm that was used to encrypt the data.
* If you specify a different algorithm, the
* This parameter is required only when the ciphertext was encrypted under
* an asymmetric KMS key. The default value,
* Constraints:
* Specifies the encryption algorithm that will be used to
* decrypt the ciphertext. Specify the same algorithm that was
* used to encrypt the data. If you specify a different
* algorithm, the
* This parameter is required only when the ciphertext was
* encrypted under an asymmetric KMS key. The default value,
*
* Specifies the encryption algorithm that will be used to decrypt the
* ciphertext. Specify the same algorithm that was used to encrypt the data.
* If you specify a different algorithm, the
* This parameter is required only when the ciphertext was encrypted under
* an asymmetric KMS key. The default value,
* Returns a reference to this object so that method calls can be chained
* together.
*
* Constraints:
* Specifies the encryption algorithm that will be used to
* decrypt the ciphertext. Specify the same algorithm that was
* used to encrypt the data. If you specify a different
* algorithm, the
* This parameter is required only when the ciphertext was
* encrypted under an asymmetric KMS key. The default value,
*
* Specifies the encryption algorithm that will be used to decrypt the
* ciphertext. Specify the same algorithm that was used to encrypt the data.
* If you specify a different algorithm, the
* This parameter is required only when the ciphertext was encrypted under
* an asymmetric KMS key. The default value,
* Constraints:
* Specifies the encryption algorithm that will be used to
* decrypt the ciphertext. Specify the same algorithm that was
* used to encrypt the data. If you specify a different
* algorithm, the
* This parameter is required only when the ciphertext was
* encrypted under an asymmetric KMS key. The default value,
*
* Specifies the encryption algorithm that will be used to decrypt the
* ciphertext. Specify the same algorithm that was used to encrypt the data.
* If you specify a different algorithm, the
* This parameter is required only when the ciphertext was encrypted under
* an asymmetric KMS key. The default value,
* Returns a reference to this object so that method calls can be chained
* together.
*
* Constraints:
* Specifies the encryption algorithm that will be used to
* decrypt the ciphertext. Specify the same algorithm that was
* used to encrypt the data. If you specify a different
* algorithm, the
* This parameter is required only when the ciphertext was
* encrypted under an asymmetric KMS key. The default value,
*
* A signed attestation document from an Amazon Web Services Nitro enclave and
* the encryption algorithm to use with the enclave's public key. The only
* valid encryption algorithm is
* This parameter only supports attestation documents for Amazon Web
* Services Nitro Enclaves. To include this parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services
* SDK.
*
* When you use this parameter, instead of returning the plaintext data, KMS
* encrypts the plaintext data with the public key in the attestation
* document, and returns the resulting ciphertext in the
*
* For information about the interaction between KMS and Amazon Web Services
* Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key
* Management Service Developer Guide.
*
* A signed attestation document from an Amazon Web Services Nitro
* enclave and the encryption algorithm to use with the enclave's
* public key. The only valid encryption algorithm is
*
* This parameter only supports attestation documents for Amazon Web
* Services Nitro Enclaves. To include this parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web
* Services SDK.
*
* When you use this parameter, instead of returning the plaintext
* data, KMS encrypts the plaintext data with the public key in the
* attestation document, and returns the resulting ciphertext in the
*
* For information about the interaction between KMS and Amazon Web
* Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the
* Key Management Service Developer Guide.
*
* A signed attestation document from an Amazon Web Services Nitro enclave and
* the encryption algorithm to use with the enclave's public key. The only
* valid encryption algorithm is
* This parameter only supports attestation documents for Amazon Web
* Services Nitro Enclaves. To include this parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services
* SDK.
*
* When you use this parameter, instead of returning the plaintext data, KMS
* encrypts the plaintext data with the public key in the attestation
* document, and returns the resulting ciphertext in the
*
* For information about the interaction between KMS and Amazon Web Services
* Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key
* Management Service Developer Guide.
*
* A signed attestation document from an Amazon Web Services Nitro
* enclave and the encryption algorithm to use with the enclave's
* public key. The only valid encryption algorithm is
*
* This parameter only supports attestation documents for Amazon
* Web Services Nitro Enclaves. To include this parameter, use
* the Amazon Web Services Nitro Enclaves SDK or any Amazon Web
* Services SDK.
*
* When you use this parameter, instead of returning the
* plaintext data, KMS encrypts the plaintext data with the
* public key in the attestation document, and returns the
* resulting ciphertext in the
*
* For information about the interaction between KMS and Amazon
* Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the
* Key Management Service Developer Guide.
*
* A signed attestation document from an Amazon Web Services Nitro enclave and
* the encryption algorithm to use with the enclave's public key. The only
* valid encryption algorithm is
* This parameter only supports attestation documents for Amazon Web
* Services Nitro Enclaves. To include this parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services
* SDK.
*
* When you use this parameter, instead of returning the plaintext data, KMS
* encrypts the plaintext data with the public key in the attestation
* document, and returns the resulting ciphertext in the
*
* For information about the interaction between KMS and Amazon Web Services
* Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key
* Management Service Developer Guide.
*
* Returns a reference to this object so that method calls can be chained
* together.
*
* @param recipient
* A signed attestation document from an Amazon Web Services Nitro
* enclave and the encryption algorithm to use with the enclave's
* public key. The only valid encryption algorithm is
*
* This parameter only supports attestation documents for Amazon
* Web Services Nitro Enclaves. To include this parameter, use
* the Amazon Web Services Nitro Enclaves SDK or any Amazon Web
* Services SDK.
*
* When you use this parameter, instead of returning the
* plaintext data, KMS encrypts the plaintext data with the
* public key in the attestation document, and returns the
* resulting ciphertext in the
*
* For information about the interaction between KMS and Amazon
* Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the
* Key Management Service Developer Guide.
*
* Checks if your request will succeed.
* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service
* Developer Guide.
*
* Checks if your request will succeed.
* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service
* Developer Guide.
*
* Checks if your request will succeed.
* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service
* Developer Guide.
*
* Checks if your request will succeed.
* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service
* Developer Guide.
*
* Checks if your request will succeed.
* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service
* Developer Guide.
*
* Checks if your request will succeed.
* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management
* Service Developer Guide.
*
* Checks if your request will succeed.
* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service
* Developer Guide.
*
* Returns a reference to this object so that method calls can be chained
* together.
*
* @param dryRun
* Checks if your request will succeed.
* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management
* Service Developer Guide.
* Decrypt operation
* throws an IncorrectKeyException.
* "alias/". To
* specify a KMS key in a different Amazon Web Services account, you must
* use the key ARN or alias ARN.
*
*
* 1234abcd-12ab-34cd-56ef-1234567890ab
* arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
* alias/ExampleAlias
* arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
*
* Length: 1 - 2048
*
* @return Decrypt operation throws an
* IncorrectKeyException.
* "alias/". To specify a KMS key in a different Amazon
* Web Services account, you must use the key ARN or alias ARN.
*
*
* 1234abcd-12ab-34cd-56ef-1234567890ab
* arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
* alias/ExampleAlias
* arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
* Decrypt operation
* throws an IncorrectKeyException.
* "alias/". To
* specify a KMS key in a different Amazon Web Services account, you must
* use the key ARN or alias ARN.
*
*
* 1234abcd-12ab-34cd-56ef-1234567890ab
* arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
* alias/ExampleAlias
* arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
*
* Length: 1 - 2048
*
* @param keyId Decrypt operation throws an
* IncorrectKeyException.
* "alias/". To specify a KMS key in a different
* Amazon Web Services account, you must use the key ARN or alias
* ARN.
*
*
* 1234abcd-12ab-34cd-56ef-1234567890ab
* arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
* alias/ExampleAlias
* arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
* Decrypt operation
* throws an IncorrectKeyException.
* "alias/". To
* specify a KMS key in a different Amazon Web Services account, you must
* use the key ARN or alias ARN.
*
*
* 1234abcd-12ab-34cd-56ef-1234567890ab
* arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
* alias/ExampleAlias
* arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
*
* Length: 1 - 2048
*
* @param keyId Decrypt operation throws an
* IncorrectKeyException.
* "alias/". To specify a KMS key in a different
* Amazon Web Services account, you must use the key ARN or alias
* ARN.
*
*
* 1234abcd-12ab-34cd-56ef-1234567890ab
* arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
* alias/ExampleAlias
* arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
* Decrypt operation
* fails.
* SYMMETRIC_DEFAULT,
* represents the only supported algorithm that is valid for symmetric
* encryption KMS keys.
*
* Allowed Values: SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1,
* RSAES_OAEP_SHA_256, SM2PKE
*
* @return Decrypt operation fails.
* SYMMETRIC_DEFAULT, represents the only supported
* algorithm that is valid for symmetric encryption KMS keys.
* Decrypt operation
* fails.
* SYMMETRIC_DEFAULT,
* represents the only supported algorithm that is valid for symmetric
* encryption KMS keys.
*
* Allowed Values: SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1,
* RSAES_OAEP_SHA_256, SM2PKE
*
* @param encryptionAlgorithm Decrypt operation fails.
* SYMMETRIC_DEFAULT, represents the only supported
* algorithm that is valid for symmetric encryption KMS keys.
* Decrypt operation
* fails.
* SYMMETRIC_DEFAULT,
* represents the only supported algorithm that is valid for symmetric
* encryption KMS keys.
*
* Allowed Values: SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1,
* RSAES_OAEP_SHA_256, SM2PKE
*
* @param encryptionAlgorithm Decrypt operation fails.
* SYMMETRIC_DEFAULT, represents the only supported
* algorithm that is valid for symmetric encryption KMS keys.
* Decrypt operation
* fails.
* SYMMETRIC_DEFAULT,
* represents the only supported algorithm that is valid for symmetric
* encryption KMS keys.
*
* Allowed Values: SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1,
* RSAES_OAEP_SHA_256, SM2PKE
*
* @param encryptionAlgorithm Decrypt operation fails.
* SYMMETRIC_DEFAULT, represents the only supported
* algorithm that is valid for symmetric encryption KMS keys.
* Decrypt operation
* fails.
* SYMMETRIC_DEFAULT,
* represents the only supported algorithm that is valid for symmetric
* encryption KMS keys.
*
* Allowed Values: SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1,
* RSAES_OAEP_SHA_256, SM2PKE
*
* @param encryptionAlgorithm Decrypt operation fails.
* SYMMETRIC_DEFAULT, represents the only supported
* algorithm that is valid for symmetric encryption KMS keys.
* RSAES_OAEP_SHA_256.
* CiphertextForRecipient field in the response. This
* ciphertext can be decrypted only with the private key in the enclave. The
* Plaintext field in the response is null or empty.
* RSAES_OAEP_SHA_256.
* CiphertextForRecipient field in the response. This
* ciphertext can be decrypted only with the private key in the
* enclave. The Plaintext field in the response is null
* or empty.
* RSAES_OAEP_SHA_256.
* CiphertextForRecipient field in the response. This
* ciphertext can be decrypted only with the private key in the enclave. The
* Plaintext field in the response is null or empty.
* RSAES_OAEP_SHA_256.
* CiphertextForRecipient field in the response.
* This ciphertext can be decrypted only with the private key in
* the enclave. The Plaintext field in the response
* is null or empty.
* RSAES_OAEP_SHA_256.
* CiphertextForRecipient field in the response. This
* ciphertext can be decrypted only with the private key in the enclave. The
* Plaintext field in the response is null or empty.
* RSAES_OAEP_SHA_256.
* CiphertextForRecipient field in the response.
* This ciphertext can be decrypted only with the private key in
* the enclave. The Plaintext field in the response
* is null or empty.
* DryRun is an optional
* parameter.
* DryRun is an
* optional parameter.
* DryRun is an optional
* parameter.
* DryRun is an
* optional parameter.
* DryRun is an optional
* parameter.
* DryRun is an
* optional parameter.
* DryRun is an optional
* parameter.
* DryRun is an
* optional parameter.
*