/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*
* Do not modify this file. This file is generated from the kms-2014-11-01.normal.json service model.
*/
using System;
using System.Collections.Generic;
using System.Xml.Serialization;
using System.Text;
using System.IO;
using System.Net;
using Amazon.Runtime;
using Amazon.Runtime.Internal;
namespace Amazon.KeyManagementService.Model
{
///
/// Container for the parameters to the GenerateDataKeyWithoutPlaintext operation.
/// Returns a unique symmetric data key for use outside of KMS. This operation returns
/// a data key that is encrypted under a symmetric encryption KMS key that you specify.
/// The bytes in the key are random; they are not related to the caller or to the KMS
/// key.
///
///
///
/// GenerateDataKeyWithoutPlaintext is identical to the GenerateDataKey
/// operation except that it does not return a plaintext copy of the data key.
///
///
///
/// This operation is useful for systems that need to encrypt data at some point, but
/// not immediately. When you need to encrypt the data, you call the Decrypt operation
/// on the encrypted copy of the key.
///
///
///
/// It's also useful in distributed systems with different levels of trust. For example,
/// you might store encrypted data in containers. One component of your system creates
/// new containers and stores an encrypted data key with each container. Then, a different
/// component puts the data into the containers. That component first decrypts the data
/// key, uses the plaintext data key to encrypt data, puts the encrypted data into the
/// container, and then destroys the plaintext data key. In this system, the component
/// that creates the containers never sees the plaintext data key.
///
///
///
/// To request an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext
/// operations.
///
///
///
/// To generate a data key, you must specify the symmetric encryption KMS key that is
/// used to encrypt the data key. You cannot use an asymmetric KMS key or a key in a custom
/// key store to generate a data key. To get the type of your KMS key, use the DescribeKey
/// operation.
///
///
///
/// You must also specify the length of the data key. Use either the KeySpec
/// or NumberOfBytes parameters (but not both). For 128-bit and 256-bit data
/// keys, use the KeySpec parameter.
///
///
///
/// To generate an SM4 data key (China Regions only), specify a KeySpec value
/// of AES_128 or NumberOfBytes value of 16. The
/// symmetric encryption key used in China Regions to encrypt your data key is an SM4
/// encryption key.
///
///
///
/// If the operation succeeds, you will find the encrypted copy of the data key in the
/// CiphertextBlob field.
///
///
///
/// You can use an optional encryption context to add additional security to the encryption
/// operation. If you specify an EncryptionContext, you must specify the
/// same encryption context (a case-sensitive exact match) when decrypting the encrypted
/// data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException.
/// For more information, see Encryption
/// Context in the Key Management Service Developer Guide.
///
///
///
/// The KMS key that you use for this operation must be in a compatible key state. For
/// details, see Key
/// states of KMS keys in the Key Management Service Developer Guide.
///
///
///
/// Cross-account use: Yes. To perform this operation with a KMS key in a different
/// Amazon Web Services account, specify the key ARN or alias ARN in the value of the
/// KeyId parameter.
///
///
///
/// Required permissions: kms:GenerateDataKeyWithoutPlaintext
/// (key policy)
///
///
///
/// Related operations:
///
///
///
public partial class GenerateDataKeyWithoutPlaintextRequest : AmazonKeyManagementServiceRequest
{
private bool? _dryRun;
private Dictionary _encryptionContext = new Dictionary();
private List _grantTokens = new List();
private string _keyId;
private DataKeySpec _keySpec;
private int? _numberOfBytes;
///
/// Gets and sets the property DryRun.
///
/// Checks if your request will succeed. DryRun is an optional parameter.
///
///
///
///
/// To learn more about how to use this parameter, see Testing
/// your KMS API calls in the Key Management Service Developer Guide.
///
///
public bool DryRun
{
get { return this._dryRun.GetValueOrDefault(); }
set { this._dryRun = value; }
}
// Check to see if DryRun property is set
internal bool IsSetDryRun()
{
return this._dryRun.HasValue;
}
///
/// Gets and sets the property EncryptionContext.
///
/// Specifies the encryption context that will be used when encrypting the data key.
///
///
///
/// Do not include confidential or sensitive information in this field. This field may
/// be displayed in plaintext in CloudTrail logs and other output.
///
///
///
/// An encryption context is a collection of non-secret key-value pairs that represent
/// additional authenticated data. When you use an encryption context to encrypt data,
/// you must specify the same (an exact case-sensitive match) encryption context to decrypt
/// the data. An encryption context is supported only on operations with symmetric encryption
/// KMS keys. On operations with symmetric encryption KMS keys, an encryption context
/// is optional, but it is strongly recommended.
///
///
///
/// For more information, see Encryption
/// context in the Key Management Service Developer Guide.
///
///
public Dictionary EncryptionContext
{
get { return this._encryptionContext; }
set { this._encryptionContext = value; }
}
// Check to see if EncryptionContext property is set
internal bool IsSetEncryptionContext()
{
return this._encryptionContext != null && this._encryptionContext.Count > 0;
}
///
/// Gets and sets the property GrantTokens.
///
/// A list of grant tokens.
///
///
///
/// Use a grant token when your permission to call this operation comes from a new grant
/// that has not yet achieved eventual consistency. For more information, see Grant
/// token and Using
/// a grant token in the Key Management Service Developer Guide.
///
///
[AWSProperty(Min=0, Max=10)]
public List GrantTokens
{
get { return this._grantTokens; }
set { this._grantTokens = value; }
}
// Check to see if GrantTokens property is set
internal bool IsSetGrantTokens()
{
return this._grantTokens != null && this._grantTokens.Count > 0;
}
///
/// Gets and sets the property KeyId.
///
/// Specifies the symmetric encryption KMS key that encrypts the data key. You cannot
/// specify an asymmetric KMS key or a KMS key in a custom key store. To get the type
/// and origin of your KMS key, use the DescribeKey operation.
///
///
///
/// To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using
/// an alias name, prefix it with "alias/". To specify a KMS key in a different
/// Amazon Web Services account, you must use the key ARN or alias ARN.
///
///
///
/// For example:
///
/// -
///
/// Key ID:
1234abcd-12ab-34cd-56ef-1234567890ab
///
/// -
///
/// Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
///
///
/// -
///
/// Alias name:
alias/ExampleAlias
///
/// -
///
/// Alias ARN:
arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
///
///
///
/// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
/// To get the alias name and alias ARN, use ListAliases.
///
///
[AWSProperty(Required=true, Min=1, Max=2048)]
public string KeyId
{
get { return this._keyId; }
set { this._keyId = value; }
}
// Check to see if KeyId property is set
internal bool IsSetKeyId()
{
return this._keyId != null;
}
///
/// Gets and sets the property KeySpec.
///
/// The length of the data key. Use AES_128 to generate a 128-bit symmetric
/// key, or AES_256 to generate a 256-bit symmetric key.
///
///
public DataKeySpec KeySpec
{
get { return this._keySpec; }
set { this._keySpec = value; }
}
// Check to see if KeySpec property is set
internal bool IsSetKeySpec()
{
return this._keySpec != null;
}
///
/// Gets and sets the property NumberOfBytes.
///
/// The length of the data key in bytes. For example, use the value 64 to generate a 512-bit
/// data key (64 bytes is 512 bits). For common key lengths (128-bit and 256-bit symmetric
/// keys), we recommend that you use the KeySpec field instead of this one.
///
///
[AWSProperty(Min=1, Max=1024)]
public int NumberOfBytes
{
get { return this._numberOfBytes.GetValueOrDefault(); }
set { this._numberOfBytes = value; }
}
// Check to see if NumberOfBytes property is set
internal bool IsSetNumberOfBytes()
{
return this._numberOfBytes.HasValue;
}
}
}