encrypt method
Encrypts plaintext of up to 4,096 bytes using a KMS key. You can use a
symmetric or asymmetric KMS key with a KeyUsage of
ENCRYPT_DECRYPT.
You can use this operation to encrypt small amounts of arbitrary data,
such as a personal identifier or database password, or other sensitive
information. You don't need to use the Encrypt operation to
encrypt a data key. The GenerateDataKey and
GenerateDataKeyPair operations return a plaintext data key and an
encrypted copy of that data key.
If you use a symmetric encryption KMS key, you can use an encryption
context to add additional security to your encryption operation. If you
specify an EncryptionContext when encrypting data, you must
specify the same encryption context (a case-sensitive exact match) when
decrypting the data. Otherwise, the request to decrypt fails with an
InvalidCiphertextException. For more information, see Encryption
Context in the Key Management Service Developer Guide.
If you specify an asymmetric KMS key, you must also specify the encryption algorithm. The algorithm must be compatible with the KMS key spec.
You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields. The maximum size of the data that you can encrypt varies with the type of KMS key and the encryption algorithm that you choose.
-
Symmetric encryption KMS keys
-
SYMMETRIC_DEFAULT: 4096 bytes
-
-
RSA_2048-
RSAES_OAEP_SHA_1: 214 bytes -
RSAES_OAEP_SHA_256: 190 bytes
-
-
RSA_3072-
RSAES_OAEP_SHA_1: 342 bytes -
RSAES_OAEP_SHA_256: 318 bytes
-
-
RSA_4096-
RSAES_OAEP_SHA_1: 470 bytes -
RSAES_OAEP_SHA_256: 446 bytes
-
-
SM2PKE: 1024 bytes (China Regions only)
Cross-account use: Yes. To perform this operation with a KMS key in
a different Amazon Web Services account, specify the key ARN or alias ARN
in the value of the KeyId parameter.
Required permissions: kms:Encrypt (key policy)
Related operations:
Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.May throw DependencyTimeoutException.
May throw DisabledException.
May throw DryRunOperationException.
May throw InvalidGrantTokenException.
May throw InvalidKeyUsageException.
May throw KeyUnavailableException.
May throw KMSInternalException.
May throw KMSInvalidStateException.
May throw NotFoundException.
Parameter keyId :
Identifies the KMS key to use in the encryption operation. The KMS key
must have a KeyUsage of ENCRYPT_DECRYPT. To find
the KeyUsage of a KMS key, use the DescribeKey
operation.
To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
When using an alias name, prefix it with "alias/". To specify
a KMS key in a different Amazon Web Services account, you must use the key
ARN or alias ARN.
For example:
-
Key ID:
1234abcd-12ab-34cd-56ef-1234567890ab -
Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab -
Alias name:
alias/ExampleAlias -
Alias ARN:
arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
Parameter plaintext :
Data to be encrypted.
Parameter dryRun :
Checks if your request will succeed. DryRun is an optional
parameter.
To learn more about how to use this parameter, see Testing your permissions in the Key Management Service Developer Guide.
Parameter encryptionAlgorithm :
Specifies the encryption algorithm that KMS will use to encrypt the
plaintext message. The algorithm must be compatible with the KMS key that
you specify.
This parameter is required only for asymmetric KMS keys. The default
value, SYMMETRIC_DEFAULT, is the algorithm used for symmetric
encryption KMS keys. If you are using an asymmetric KMS key, we recommend
RSAES_OAEP_SHA_256.
The SM2PKE algorithm is only available in China Regions.
Parameter encryptionContext :
Specifies the encryption context that will be used to encrypt the data. An
encryption context is valid only for cryptographic
operations with a symmetric encryption KMS key. The standard
asymmetric encryption algorithms and HMAC algorithms that KMS uses do not
support an encryption context.
An encryption context is a collection of non-secret key-value pairs
that represent additional authenticated data. When you use an encryption
context to encrypt data, you must specify the same (an exact
case-sensitive match) encryption context to decrypt the data. An
encryption context is supported only on operations with symmetric
encryption KMS keys. On operations with symmetric encryption KMS keys, an
encryption context is optional, but it is strongly recommended.
For more information, see Encryption context in the Key Management Service Developer Guide.
Parameter grantTokens :
A list of grant tokens.
Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the Key Management Service Developer Guide.
Implementation
Future<EncryptResponse> encrypt({
required String keyId,
required Uint8List plaintext,
bool? dryRun,
EncryptionAlgorithmSpec? encryptionAlgorithm,
Map<String, String>? encryptionContext,
List<String>? grantTokens,
}) async {
final headers = <String, String>{
'Content-Type': 'application/x-amz-json-1.1',
'X-Amz-Target': 'TrentService.Encrypt'
};
final jsonResponse = await _protocol.send(
method: 'POST',
requestUri: '/',
exceptionFnMap: _exceptionFns,
// TODO queryParams
headers: headers,
payload: {
'KeyId': keyId,
'Plaintext': base64Encode(plaintext),
if (dryRun != null) 'DryRun': dryRun,
if (encryptionAlgorithm != null)
'EncryptionAlgorithm': encryptionAlgorithm.value,
if (encryptionContext != null) 'EncryptionContext': encryptionContext,
if (grantTokens != null) 'GrantTokens': grantTokens,
},
);
return EncryptResponse.fromJson(jsonResponse.body);
}