/* * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). * You may not use this file except in compliance with the License. * A copy of the License is located at * * http://aws.amazon.com/apache2.0 * * or in the "license" file accompanying this file. This file is distributed * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either * express or implied. See the License for the specific language governing * permissions and limitations under the License. */ /* * Do not modify this file. This file is generated from the kms-2014-11-01.normal.json service model. */ using System; using System.Collections.Generic; using System.Xml.Serialization; using System.Text; using System.IO; using System.Net; using Amazon.Runtime; using Amazon.Runtime.Internal; namespace Amazon.KeyManagementService.Model { /// /// Container for the parameters to the GenerateDataKey operation. /// Returns a unique symmetric data key for use outside of KMS. This operation returns /// a plaintext copy of the data key and a copy that is encrypted under a symmetric encryption /// KMS key that you specify. The bytes in the plaintext key are random; they are not /// related to the caller or the KMS key. You can use the plaintext key to encrypt your /// data outside of KMS and store the encrypted data key with the encrypted data. /// /// /// /// To generate a data key, specify the symmetric encryption KMS key that will be used /// to encrypt the data key. You cannot use an asymmetric KMS key to encrypt data keys. /// To get the type of your KMS key, use the DescribeKey operation. /// /// /// /// You must also specify the length of the data key. Use either the KeySpec /// or NumberOfBytes parameters (but not both). For 128-bit and 256-bit data /// keys, use the KeySpec parameter. /// /// /// /// To generate a 128-bit SM4 data key (China Regions only), specify a KeySpec /// value of AES_128 or a NumberOfBytes value of 16. /// The symmetric encryption key used in China Regions to encrypt your data key is an /// SM4 encryption key. /// /// /// /// To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. /// To generate an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext /// operation. To get a cryptographically secure random byte string, use GenerateRandom. /// /// /// /// You can use an optional encryption context to add additional security to the encryption /// operation. If you specify an EncryptionContext, you must specify the /// same encryption context (a case-sensitive exact match) when decrypting the encrypted /// data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. /// For more information, see Encryption /// Context in the Key Management Service Developer Guide. /// /// /// /// GenerateDataKey also supports Amazon /// Web Services Nitro Enclaves, which provide an isolated compute environment in /// Amazon EC2. To call GenerateDataKey for an Amazon Web Services Nitro /// enclave, use the Amazon /// Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient /// parameter to provide the attestation document for the enclave. GenerateDataKey /// returns a copy of the data key encrypted under the specified KMS key, as usual. But /// instead of a plaintext copy of the data key, the response includes a copy of the data /// key encrypted under the public key from the attestation document (CiphertextForRecipient). /// For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, /// see How /// Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer /// Guide.. /// /// /// /// The KMS key that you use for this operation must be in a compatible key state. For /// details, see Key /// states of KMS keys in the Key Management Service Developer Guide. /// /// /// /// How to use your data key /// /// /// /// We recommend that you use the following pattern to encrypt data locally in your application. /// You can write your own code or use a client-side encryption library, such as the Amazon Web /// Services Encryption SDK, the Amazon /// DynamoDB Encryption Client, or Amazon /// S3 client-side encryption to do these tasks for you. /// /// /// /// To encrypt data outside of KMS: /// ///
  1. /// /// Use the GenerateDataKey operation to get a data key. /// ///
  2. /// /// Use the plaintext data key (in the Plaintext field of the response) to /// encrypt your data outside of KMS. Then erase the plaintext data key from memory. /// ///
  3. /// /// Store the encrypted data key (in the CiphertextBlob field of the response) /// with the encrypted data. /// ///
/// /// To decrypt data outside of KMS: /// ///
  1. /// /// Use the Decrypt operation to decrypt the encrypted data key. The operation /// returns a plaintext copy of the data key. /// ///
  2. /// /// Use the plaintext data key to decrypt data outside of KMS, then erase the plaintext /// data key from memory. /// ///
/// /// Cross-account use: Yes. To perform this operation with a KMS key in a different /// Amazon Web Services account, specify the key ARN or alias ARN in the value of the /// KeyId parameter. /// /// /// /// Required permissions: kms:GenerateDataKey /// (key policy) /// /// /// /// Related operations: /// /// /// public partial class GenerateDataKeyRequest : AmazonKeyManagementServiceRequest { private bool? _dryRun; private Dictionary _encryptionContext = new Dictionary(); private List _grantTokens = new List(); private string _keyId; private DataKeySpec _keySpec; private int? _numberOfBytes; private RecipientInfo _recipient; /// /// Gets and sets the property DryRun. /// /// Checks if your request will succeed. DryRun is an optional parameter. /// /// /// /// /// To learn more about how to use this parameter, see Testing /// your KMS API calls in the Key Management Service Developer Guide. /// /// public bool DryRun { get { return this._dryRun.GetValueOrDefault(); } set { this._dryRun = value; } } // Check to see if DryRun property is set internal bool IsSetDryRun() { return this._dryRun.HasValue; } /// /// Gets and sets the property EncryptionContext. /// /// Specifies the encryption context that will be used when encrypting the data key. /// /// /// /// Do not include confidential or sensitive information in this field. This field may /// be displayed in plaintext in CloudTrail logs and other output. /// /// /// /// An encryption context is a collection of non-secret key-value pairs that represent /// additional authenticated data. When you use an encryption context to encrypt data, /// you must specify the same (an exact case-sensitive match) encryption context to decrypt /// the data. An encryption context is supported only on operations with symmetric encryption /// KMS keys. On operations with symmetric encryption KMS keys, an encryption context /// is optional, but it is strongly recommended. /// /// /// /// For more information, see Encryption /// context in the Key Management Service Developer Guide. /// /// public Dictionary EncryptionContext { get { return this._encryptionContext; } set { this._encryptionContext = value; } } // Check to see if EncryptionContext property is set internal bool IsSetEncryptionContext() { return this._encryptionContext != null && this._encryptionContext.Count > 0; } /// /// Gets and sets the property GrantTokens. /// /// A list of grant tokens. /// /// /// /// Use a grant token when your permission to call this operation comes from a new grant /// that has not yet achieved eventual consistency. For more information, see Grant /// token and Using /// a grant token in the Key Management Service Developer Guide. /// /// [AWSProperty(Min=0, Max=10)] public List GrantTokens { get { return this._grantTokens; } set { this._grantTokens = value; } } // Check to see if GrantTokens property is set internal bool IsSetGrantTokens() { return this._grantTokens != null && this._grantTokens.Count > 0; } /// /// Gets and sets the property KeyId. /// /// Specifies the symmetric encryption KMS key that encrypts the data key. You cannot /// specify an asymmetric KMS key or a KMS key in a custom key store. To get the type /// and origin of your KMS key, use the DescribeKey operation. /// /// /// /// To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using /// an alias name, prefix it with "alias/". To specify a KMS key in a different /// Amazon Web Services account, you must use the key ARN or alias ARN. /// /// /// /// For example: /// ///
  • /// /// Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab /// ///
  • /// /// Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab /// /// ///
  • /// /// Alias name: alias/ExampleAlias /// ///
  • /// /// Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias /// ///
/// /// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. /// To get the alias name and alias ARN, use ListAliases. /// /// [AWSProperty(Required=true, Min=1, Max=2048)] public string KeyId { get { return this._keyId; } set { this._keyId = value; } } // Check to see if KeyId property is set internal bool IsSetKeyId() { return this._keyId != null; } /// /// Gets and sets the property KeySpec. /// /// Specifies the length of the data key. Use AES_128 to generate a 128-bit /// symmetric key, or AES_256 to generate a 256-bit symmetric key. /// /// /// /// You must specify either the KeySpec or the NumberOfBytes /// parameter (but not both) in every GenerateDataKey request. /// /// public DataKeySpec KeySpec { get { return this._keySpec; } set { this._keySpec = value; } } // Check to see if KeySpec property is set internal bool IsSetKeySpec() { return this._keySpec != null; } /// /// Gets and sets the property NumberOfBytes. /// /// Specifies the length of the data key in bytes. For example, use the value 64 to generate /// a 512-bit data key (64 bytes is 512 bits). For 128-bit (16-byte) and 256-bit (32-byte) /// data keys, use the KeySpec parameter. /// /// /// /// You must specify either the KeySpec or the NumberOfBytes /// parameter (but not both) in every GenerateDataKey request. /// /// [AWSProperty(Min=1, Max=1024)] public int NumberOfBytes { get { return this._numberOfBytes.GetValueOrDefault(); } set { this._numberOfBytes = value; } } // Check to see if NumberOfBytes property is set internal bool IsSetNumberOfBytes() { return this._numberOfBytes.HasValue; } /// /// Gets and sets the property Recipient. /// /// A signed attestation /// document from an Amazon Web Services Nitro enclave and the encryption algorithm /// to use with the enclave's public key. The only valid encryption algorithm is RSAES_OAEP_SHA_256. /// /// /// /// /// This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. /// To include this parameter, use the Amazon /// Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. /// /// /// /// When you use this parameter, instead of returning the plaintext data key, KMS encrypts /// the plaintext data key under the public key in the attestation document, and returns /// the resulting ciphertext in the CiphertextForRecipient field in the response. /// This ciphertext can be decrypted only with the private key in the enclave. The CiphertextBlob /// field in the response contains a copy of the data key encrypted under the KMS key /// specified by the KeyId parameter. The Plaintext field in /// the response is null or empty. /// /// /// /// For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, /// see How /// Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer /// Guide. /// /// public RecipientInfo Recipient { get { return this._recipient; } set { this._recipient = value; } } // Check to see if Recipient property is set internal bool IsSetRecipient() { return this._recipient != null; } } }