KMS class

AWS Key Management Service (AWS KMS) is an encryption and key management web service. This guide describes the AWS KMS operations that you can call programmatically. For general information about AWS KMS, see the AWS Key Management Service Developer Guide. We recommend that you use the AWS SDKs to make programmatic API calls to AWS KMS.

Constructors

KMS({required String region, AwsClientCredentials? credentials, AwsClientCredentialsProvider? credentialsProvider, Client? client, String? endpointUrl})

Properties

hashCode int
The hash code for this object.
no setter, inherited
runtimeType Type
A representation of the runtime type of the object.
no setter, inherited

Methods

cancelKeyDeletion({required String keyId}) Future<CancelKeyDeletionResponse>
Cancels the deletion of a customer master key (CMK). When this operation succeeds, the key state of the CMK is Disabled. To enable the CMK, use EnableKey.
close() → void
Closes the internal HTTP client if none was provided at creation. If a client was passed as a constructor argument, this becomes a no-op.
connectCustomKeyStore({required String customKeyStoreId}) Future<void>
Connects or reconnects a custom key store to its associated AWS CloudHSM cluster.
createAlias({required String aliasName, required String targetKeyId}) Future<void>
Creates a friendly name for a customer master key (CMK). You can use an alias to identify a CMK in the AWS KMS console, in the DescribeKey operation and in cryptographic operations, such as Encrypt and GenerateDataKey.
createCustomKeyStore({required String cloudHsmClusterId, required String customKeyStoreName, required String keyStorePassword, required String trustAnchorCertificate}) Future<CreateCustomKeyStoreResponse>
Creates a custom key store that is associated with an AWS CloudHSM cluster that you own and manage.
createGrant({required String granteePrincipal, required String keyId, required List<GrantOperation> operations, GrantConstraints? constraints, List<String>? grantTokens, String? name, String? retiringPrincipal}) Future<CreateGrantResponse>
Adds a grant to a customer master key (CMK). The grant allows the grantee principal to use the CMK when the conditions specified in the grant are met. When setting permissions, grants are an alternative to key policies.
createKey({bool? bypassPolicyLockoutSafetyCheck, String? customKeyStoreId, CustomerMasterKeySpec? customerMasterKeySpec, String? description, KeyUsageType? keyUsage, OriginType? origin, String? policy, List<Tag>? tags}) Future<CreateKeyResponse>
Creates a unique customer managed customer master key (CMK) in your AWS account and Region.
decrypt({required Uint8List ciphertextBlob, EncryptionAlgorithmSpec? encryptionAlgorithm, Map<String, String>? encryptionContext, List<String>? grantTokens, String? keyId}) Future<DecryptResponse>
Decrypts ciphertext that was encrypted by an AWS KMS customer master key (CMK) using any of the following operations:
deleteAlias({required String aliasName}) Future<void>
Deletes the specified alias.
deleteCustomKeyStore({required String customKeyStoreId}) Future<void>
Deletes a custom key store. This operation does not delete the AWS CloudHSM cluster that is associated with the custom key store, or affect any users or keys in the cluster.
deleteImportedKeyMaterial({required String keyId}) Future<void>
Deletes key material that you previously imported. This operation makes the specified customer master key (CMK) unusable. For more information about importing key material into AWS KMS, see Importing Key Material in the AWS Key Management Service Developer Guide.
describeCustomKeyStores({String? customKeyStoreId, String? customKeyStoreName, int? limit, String? marker}) Future<DescribeCustomKeyStoresResponse>
Gets information about custom key stores in the account and region.
describeKey({required String keyId, List<String>? grantTokens}) Future<DescribeKeyResponse>
Provides detailed information about a customer master key (CMK). You can run DescribeKey on a customer managed CMK or an AWS managed CMK.
disableKey({required String keyId}) Future<void>
Sets the state of a customer master key (CMK) to disabled. This change temporarily prevents use of the CMK for cryptographic operations.
disableKeyRotation({required String keyId}) Future<void>
Disables automatic rotation of the key material for the specified symmetric customer master key (CMK).
disconnectCustomKeyStore({required String customKeyStoreId}) Future<void>
Disconnects the custom key store from its associated AWS CloudHSM cluster. While a custom key store is disconnected, you can manage the custom key store and its customer master keys (CMKs), but you cannot create or use CMKs in the custom key store. You can reconnect the custom key store at any time.
enableKey({required String keyId}) Future<void>
Sets the key state of a customer master key (CMK) to enabled. This allows you to use the CMK for cryptographic operations.
enableKeyRotation({required String keyId}) Future<void>
Enables automatic rotation of the key material for the specified symmetric customer master key (CMK).
encrypt({required String keyId, required Uint8List plaintext, EncryptionAlgorithmSpec? encryptionAlgorithm, Map<String, String>? encryptionContext, List<String>? grantTokens}) Future<EncryptResponse>
Encrypts plaintext into ciphertext by using a customer master key (CMK). The Encrypt operation has two primary use cases:
generateDataKey({required String keyId, Map<String, String>? encryptionContext, List<String>? grantTokens, DataKeySpec? keySpec, int? numberOfBytes}) Future<GenerateDataKeyResponse>
Generates a unique symmetric data key for client-side encryption. This operation returns a plaintext copy of the data key and a copy that is encrypted under a customer master key (CMK) that you specify. You can use the plaintext key to encrypt your data outside of AWS KMS and store the encrypted data key with the encrypted data.
generateDataKeyPair({required String keyId, required DataKeyPairSpec keyPairSpec, Map<String, String>? encryptionContext, List<String>? grantTokens}) Future<GenerateDataKeyPairResponse>
Generates a unique asymmetric data key pair. The GenerateDataKeyPair operation returns a plaintext public key, a plaintext private key, and a copy of the private key that is encrypted under the symmetric CMK you specify. You can use the data key pair to perform asymmetric cryptography outside of AWS KMS.
generateDataKeyPairWithoutPlaintext({required String keyId, required DataKeyPairSpec keyPairSpec, Map<String, String>? encryptionContext, List<String>? grantTokens}) Future<GenerateDataKeyPairWithoutPlaintextResponse>
Generates a unique asymmetric data key pair. The GenerateDataKeyPairWithoutPlaintext operation returns a plaintext public key and a copy of the private key that is encrypted under the symmetric CMK you specify. Unlike GenerateDataKeyPair, this operation does not return a plaintext private key.
generateDataKeyWithoutPlaintext({required String keyId, Map<String, String>? encryptionContext, List<String>? grantTokens, DataKeySpec? keySpec, int? numberOfBytes}) Future<GenerateDataKeyWithoutPlaintextResponse>
Generates a unique symmetric data key. This operation returns a data key that is encrypted under a customer master key (CMK) that you specify. To request an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operations.
generateRandom({String? customKeyStoreId, int? numberOfBytes}) Future<GenerateRandomResponse>
Returns a random byte string that is cryptographically secure.
getKeyPolicy({required String keyId, required String policyName}) Future<GetKeyPolicyResponse>
Gets a key policy attached to the specified customer master key (CMK).
getKeyRotationStatus({required String keyId}) Future<GetKeyRotationStatusResponse>
Gets a Boolean value that indicates whether automatic rotation of the key material is enabled for the specified customer master key (CMK).
getParametersForImport({required String keyId, required AlgorithmSpec wrappingAlgorithm, required WrappingKeySpec wrappingKeySpec}) Future<GetParametersForImportResponse>
Returns the items you need to import key material into a symmetric, customer managed customer master key (CMK). For more information about importing key material into AWS KMS, see Importing Key Material in the AWS Key Management Service Developer Guide.
getPublicKey({required String keyId, List<String>? grantTokens}) Future<GetPublicKeyResponse>
Returns the public key of an asymmetric CMK. Unlike the private key of an asymmetric CMK, which never leaves AWS KMS unencrypted, callers with kms:GetPublicKey permission can download the public key of an asymmetric CMK. You can share the public key to allow others to encrypt messages and verify signatures outside of AWS KMS. For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.
importKeyMaterial({required Uint8List encryptedKeyMaterial, required Uint8List importToken, required String keyId, ExpirationModelType? expirationModel, DateTime? validTo}) Future<void>
Imports key material into an existing symmetric AWS KMS customer master key (CMK) that was created without key material. After you successfully import key material into a CMK, you can reimport the same key material into that CMK, but you cannot import different key material.
listAliases({String? keyId, int? limit, String? marker}) Future<ListAliasesResponse>
Gets a list of aliases in the caller's AWS account and region. For more information about aliases, see CreateAlias.
listGrants({required String keyId, int? limit, String? marker}) Future<ListGrantsResponse>
Gets a list of all grants for the specified customer master key (CMK). Cross-account use: Yes. To perform this operation on a CMK in a different AWS account, specify the key ARN in the value of the KeyId parameter.
listKeyPolicies({required String keyId, int? limit, String? marker}) Future<ListKeyPoliciesResponse>
Gets the names of the key policies that are attached to a customer master key (CMK). This operation is designed to get policy names that you can use in a GetKeyPolicy operation. However, the only valid policy name is default.
listKeys({int? limit, String? marker}) Future<ListKeysResponse>
Gets a list of all customer master keys (CMKs) in the caller's AWS account and Region.
listResourceTags({required String keyId, int? limit, String? marker}) Future<ListResourceTagsResponse>
Returns all tags on the specified customer master key (CMK).
listRetirableGrants({required String retiringPrincipal, int? limit, String? marker}) Future<ListGrantsResponse>
Returns all grants in which the specified principal is the RetiringPrincipal in the grant.
noSuchMethod(Invocation invocation) → dynamic
Invoked when a nonexistent method or property is accessed.
inherited
putKeyPolicy({required String keyId, required String policy, required String policyName, bool? bypassPolicyLockoutSafetyCheck}) Future<void>
Attaches a key policy to the specified customer master key (CMK).
reEncrypt({required Uint8List ciphertextBlob, required String destinationKeyId, EncryptionAlgorithmSpec? destinationEncryptionAlgorithm, Map<String, String>? destinationEncryptionContext, List<String>? grantTokens, EncryptionAlgorithmSpec? sourceEncryptionAlgorithm, Map<String, String>? sourceEncryptionContext, String? sourceKeyId}) Future<ReEncryptResponse>
Decrypts ciphertext and then reencrypts it entirely within AWS KMS. You can use this operation to change the customer master key (CMK) under which data is encrypted, such as when you manually rotate a CMK or change the CMK that protects a ciphertext. You can also use it to reencrypt ciphertext under the same CMK, such as to change the encryption context of a ciphertext.
retireGrant({String? grantId, String? grantToken, String? keyId}) Future<void>
Retires a grant. To clean up, you can retire a grant when you're done using it. You should revoke a grant when you intend to actively deny operations that depend on it. The following are permitted to call this API:
revokeGrant({required String grantId, required String keyId}) Future<void>
Revokes the specified grant for the specified customer master key (CMK). You can revoke a grant to actively deny operations that depend on it.
scheduleKeyDeletion({required String keyId, int? pendingWindowInDays}) Future<ScheduleKeyDeletionResponse>
Schedules the deletion of a customer master key (CMK). You may provide a waiting period, specified in days, before deletion occurs. If you do not provide a waiting period, the default period of 30 days is used. When this operation is successful, the key state of the CMK changes to PendingDeletion. Before the waiting period ends, you can use CancelKeyDeletion to cancel the deletion of the CMK. After the waiting period ends, AWS KMS deletes the CMK and all AWS KMS data associated with it, including all aliases that refer to it. If you schedule deletion of a CMK from a custom key store, when the waiting period expires, ScheduleKeyDeletion deletes the CMK from AWS KMS. Then AWS KMS makes a best effort to delete the key material from the associated AWS CloudHSM cluster. However, you might need to manually delete the orphaned key material from the cluster and its backups.
sign({required String keyId, required Uint8List message, required SigningAlgorithmSpec signingAlgorithm, List<String>? grantTokens, MessageType? messageType}) Future<SignResponse>
Creates a digital signature for a message or message digest by using the private key in an asymmetric CMK. To verify the signature, use the Verify operation, or use the public key in the same asymmetric CMK outside of AWS KMS. For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.
tagResource({required String keyId, required List<Tag> tags}) Future<void>
Adds or edits tags on a customer managed CMK.
toString() String
A string representation of this object.
inherited
untagResource({required String keyId, required List<String> tagKeys}) Future<void>
Deletes tags from a customer managed CMK. To delete a tag, specify the tag key and the CMK.
updateAlias({required String aliasName, required String targetKeyId}) Future<void>
Associates an existing AWS KMS alias with a different customer master key (CMK). Each alias is associated with only one CMK at a time, although a CMK can have multiple aliases. The alias and the CMK must be in the same AWS account and region.
updateCustomKeyStore({required String customKeyStoreId, String? cloudHsmClusterId, String? keyStorePassword, String? newCustomKeyStoreName}) Future<void>
Changes the properties of a custom key store. Use the CustomKeyStoreId parameter to identify the custom key store you want to edit. Use the remaining parameters to change the properties of the custom key store.
updateKeyDescription({required String description, required String keyId}) Future<void>
Updates the description of a customer master key (CMK). To see the description of a CMK, use DescribeKey.
verify({required String keyId, required Uint8List message, required Uint8List signature, required SigningAlgorithmSpec signingAlgorithm, List<String>? grantTokens, MessageType? messageType}) Future<VerifyResponse>
Verifies a digital signature that was generated by the Sign operation.

Operators

operator ==(Object other) bool
The equality operator.
inherited