/* * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). * You may not use this file except in compliance with the License. * A copy of the License is located at * * http://aws.amazon.com/apache2.0 * * or in the "license" file accompanying this file. This file is distributed * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either * express or implied. See the License for the specific language governing * permissions and limitations under the License. */ /* * Do not modify this file. This file is generated from the kms-2014-11-01.normal.json service model. */ using System; using System.Collections.Generic; using System.Xml.Serialization; using System.Text; using System.IO; using System.Net; using Amazon.Runtime; using Amazon.Runtime.Internal; namespace Amazon.KeyManagementService.Model { /// /// Container for the parameters to the ReEncrypt operation. /// Decrypts ciphertext and then reencrypts it entirely within KMS. You can use this operation /// to change the KMS key under which data is encrypted, such as when you manually /// rotate a KMS key or change the KMS key that protects a ciphertext. You can also /// use it to reencrypt ciphertext under the same KMS key, such as to change the encryption /// context of a ciphertext. /// /// /// /// The ReEncrypt operation can decrypt ciphertext that was encrypted by /// using a KMS key in an KMS operation, such as Encrypt or GenerateDataKey. /// It can also decrypt ciphertext that was encrypted by using the public key of an asymmetric /// KMS key outside of KMS. However, it cannot decrypt ciphertext produced by other /// libraries, such as the Amazon /// Web Services Encryption SDK or Amazon /// S3 client-side encryption. These libraries return a ciphertext format that is /// incompatible with KMS. /// /// /// /// When you use the ReEncrypt operation, you need to provide information /// for the decrypt operation and the subsequent encrypt operation. /// /// /// /// The KMS key that you use for this operation must be in a compatible key state. For /// details, see Key /// states of KMS keys in the Key Management Service Developer Guide. /// /// /// /// Cross-account use: Yes. The source KMS key and destination KMS key can be /// in different Amazon Web Services accounts. Either or both KMS keys can be in a different /// account than the caller. To specify a KMS key in a different account, you must use /// its key ARN or alias ARN. /// /// /// /// Required permissions: /// /// /// /// To permit reencryption from or to a KMS key, include the "kms:ReEncrypt*" /// permission in your key /// policy. This permission is automatically included in the key policy when you use /// the console to create a KMS key. But you must include it manually when you create /// a KMS key programmatically or when you use the PutKeyPolicy operation to set /// a key policy. /// /// /// /// Related operations: /// /// /// public partial class ReEncryptRequest : AmazonKeyManagementServiceRequest { private MemoryStream _ciphertextBlob; private EncryptionAlgorithmSpec _destinationEncryptionAlgorithm; private Dictionary _destinationEncryptionContext = new Dictionary(); private string _destinationKeyId; private bool? _dryRun; private List _grantTokens = new List(); private EncryptionAlgorithmSpec _sourceEncryptionAlgorithm; private Dictionary _sourceEncryptionContext = new Dictionary(); private string _sourceKeyId; /// /// Gets and sets the property CiphertextBlob. /// /// Ciphertext of the data to reencrypt. /// /// [AWSProperty(Required=true, Min=1, Max=6144)] public MemoryStream CiphertextBlob { get { return this._ciphertextBlob; } set { this._ciphertextBlob = value; } } // Check to see if CiphertextBlob property is set internal bool IsSetCiphertextBlob() { return this._ciphertextBlob != null; } /// /// Gets and sets the property DestinationEncryptionAlgorithm. /// /// Specifies the encryption algorithm that KMS will use to reecrypt the data after it /// has decrypted it. The default value, SYMMETRIC_DEFAULT, represents the /// encryption algorithm used for symmetric encryption KMS keys. /// /// /// /// This parameter is required only when the destination KMS key is an asymmetric KMS /// key. /// /// public EncryptionAlgorithmSpec DestinationEncryptionAlgorithm { get { return this._destinationEncryptionAlgorithm; } set { this._destinationEncryptionAlgorithm = value; } } // Check to see if DestinationEncryptionAlgorithm property is set internal bool IsSetDestinationEncryptionAlgorithm() { return this._destinationEncryptionAlgorithm != null; } /// /// Gets and sets the property DestinationEncryptionContext. /// /// Specifies that encryption context to use when the reencrypting the data. /// /// /// /// Do not include confidential or sensitive information in this field. This field may /// be displayed in plaintext in CloudTrail logs and other output. /// /// /// /// A destination encryption context is valid only when the destination KMS key is a symmetric /// encryption KMS key. The standard ciphertext format for asymmetric KMS keys does not /// include fields for metadata. /// /// /// /// An encryption context is a collection of non-secret key-value pairs that represent /// additional authenticated data. When you use an encryption context to encrypt data, /// you must specify the same (an exact case-sensitive match) encryption context to decrypt /// the data. An encryption context is supported only on operations with symmetric encryption /// KMS keys. On operations with symmetric encryption KMS keys, an encryption context /// is optional, but it is strongly recommended. /// /// /// /// For more information, see Encryption /// context in the Key Management Service Developer Guide. /// /// public Dictionary DestinationEncryptionContext { get { return this._destinationEncryptionContext; } set { this._destinationEncryptionContext = value; } } // Check to see if DestinationEncryptionContext property is set internal bool IsSetDestinationEncryptionContext() { return this._destinationEncryptionContext != null && this._destinationEncryptionContext.Count > 0; } /// /// Gets and sets the property DestinationKeyId. /// /// A unique identifier for the KMS key that is used to reencrypt the data. Specify a /// symmetric encryption KMS key or an asymmetric KMS key with a KeyUsage /// value of ENCRYPT_DECRYPT. To find the KeyUsage value of /// a KMS key, use the DescribeKey operation. /// /// /// /// To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using /// an alias name, prefix it with "alias/". To specify a KMS key in a different /// Amazon Web Services account, you must use the key ARN or alias ARN. /// /// /// /// For example: /// ///
  • /// /// Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab /// ///
  • /// /// Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab /// /// ///
  • /// /// Alias name: alias/ExampleAlias /// ///
  • /// /// Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias /// ///
/// /// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. /// To get the alias name and alias ARN, use ListAliases. /// /// [AWSProperty(Required=true, Min=1, Max=2048)] public string DestinationKeyId { get { return this._destinationKeyId; } set { this._destinationKeyId = value; } } // Check to see if DestinationKeyId property is set internal bool IsSetDestinationKeyId() { return this._destinationKeyId != null; } /// /// Gets and sets the property DryRun. /// /// Checks if your request will succeed. DryRun is an optional parameter. /// /// /// /// /// To learn more about how to use this parameter, see Testing /// your KMS API calls in the Key Management Service Developer Guide. /// /// public bool DryRun { get { return this._dryRun.GetValueOrDefault(); } set { this._dryRun = value; } } // Check to see if DryRun property is set internal bool IsSetDryRun() { return this._dryRun.HasValue; } /// /// Gets and sets the property GrantTokens. /// /// A list of grant tokens. /// /// /// /// Use a grant token when your permission to call this operation comes from a new grant /// that has not yet achieved eventual consistency. For more information, see Grant /// token and Using /// a grant token in the Key Management Service Developer Guide. /// /// [AWSProperty(Min=0, Max=10)] public List GrantTokens { get { return this._grantTokens; } set { this._grantTokens = value; } } // Check to see if GrantTokens property is set internal bool IsSetGrantTokens() { return this._grantTokens != null && this._grantTokens.Count > 0; } /// /// Gets and sets the property SourceEncryptionAlgorithm. /// /// Specifies the encryption algorithm that KMS will use to decrypt the ciphertext before /// it is reencrypted. The default value, SYMMETRIC_DEFAULT, represents the /// algorithm used for symmetric encryption KMS keys. /// /// /// /// Specify the same algorithm that was used to encrypt the ciphertext. If you specify /// a different algorithm, the decrypt attempt fails. /// /// /// /// This parameter is required only when the ciphertext was encrypted under an asymmetric /// KMS key. /// /// public EncryptionAlgorithmSpec SourceEncryptionAlgorithm { get { return this._sourceEncryptionAlgorithm; } set { this._sourceEncryptionAlgorithm = value; } } // Check to see if SourceEncryptionAlgorithm property is set internal bool IsSetSourceEncryptionAlgorithm() { return this._sourceEncryptionAlgorithm != null; } /// /// Gets and sets the property SourceEncryptionContext. /// /// Specifies the encryption context to use to decrypt the ciphertext. Enter the same /// encryption context that was used to encrypt the ciphertext. /// /// /// /// An encryption context is a collection of non-secret key-value pairs that represent /// additional authenticated data. When you use an encryption context to encrypt data, /// you must specify the same (an exact case-sensitive match) encryption context to decrypt /// the data. An encryption context is supported only on operations with symmetric encryption /// KMS keys. On operations with symmetric encryption KMS keys, an encryption context /// is optional, but it is strongly recommended. /// /// /// /// For more information, see Encryption /// context in the Key Management Service Developer Guide. /// /// public Dictionary SourceEncryptionContext { get { return this._sourceEncryptionContext; } set { this._sourceEncryptionContext = value; } } // Check to see if SourceEncryptionContext property is set internal bool IsSetSourceEncryptionContext() { return this._sourceEncryptionContext != null && this._sourceEncryptionContext.Count > 0; } /// /// Gets and sets the property SourceKeyId. /// /// Specifies the KMS key that KMS will use to decrypt the ciphertext before it is re-encrypted. /// /// /// /// Enter a key ID of the KMS key that was used to encrypt the ciphertext. If you identify /// a different KMS key, the ReEncrypt operation throws an IncorrectKeyException. /// /// /// /// This parameter is required only when the ciphertext was encrypted under an asymmetric /// KMS key. If you used a symmetric encryption KMS key, KMS can get the KMS key from /// metadata that it adds to the symmetric ciphertext blob. However, it is always recommended /// as a best practice. This practice ensures that you use the KMS key that you intend. /// /// /// /// To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using /// an alias name, prefix it with "alias/". To specify a KMS key in a different /// Amazon Web Services account, you must use the key ARN or alias ARN. /// /// /// /// For example: /// ///
  • /// /// Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab /// ///
  • /// /// Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab /// /// ///
  • /// /// Alias name: alias/ExampleAlias /// ///
  • /// /// Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias /// ///
/// /// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. /// To get the alias name and alias ARN, use ListAliases. /// /// [AWSProperty(Min=1, Max=2048)] public string SourceKeyId { get { return this._sourceKeyId; } set { this._sourceKeyId = value; } } // Check to see if SourceKeyId property is set internal bool IsSetSourceKeyId() { return this._sourceKeyId != null; } } }