encrypt method
Encrypts plaintext into ciphertext by using a customer master key (CMK).
The Encrypt operation has two primary use cases:
- You can encrypt small amounts of arbitrary data, such as a personal identifier or database password, or other sensitive information.
-
You can use the
Encryptoperation to move encrypted data from one AWS Region to another. For example, in Region A, generate a data key and use the plaintext key to encrypt your data. Then, in Region A, use theEncryptoperation to encrypt the plaintext data key under a CMK in Region B. Now, you can move the encrypted data and the encrypted data key to Region B. When necessary, you can decrypt the encrypted data key and the encrypted data entirely within in Region B.
Encrypt operation to encrypt a data
key. The GenerateDataKey and GenerateDataKeyPair operations
return a plaintext data key and an encrypted copy of that data key.
When you encrypt data, you must specify a symmetric or asymmetric CMK to
use in the encryption operation. The CMK must have a KeyUsage
value of ENCRYPT_DECRYPT. To find the KeyUsage
of a CMK, use the DescribeKey operation.
If you use a symmetric CMK, you can use an encryption context to add
additional security to your encryption operation. If you specify an
EncryptionContext when encrypting data, you must specify the
same encryption context (a case-sensitive exact match) when decrypting the
data. Otherwise, the request to decrypt fails with an
InvalidCiphertextException. For more information, see Encryption
Context in the AWS Key Management Service Developer Guide.
If you specify an asymmetric CMK, you must also specify the encryption algorithm. The algorithm must be compatible with the CMK type.
You are not required to supply the CMK ID and encryption algorithm when you decrypt with symmetric CMKs because AWS KMS stores this information in the ciphertext blob. AWS KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields. The maximum size of the data that you can encrypt varies with the type of CMK and the encryption algorithm that you choose.
-
Symmetric CMKs
-
SYMMETRIC_DEFAULT: 4096 bytes
-
-
RSA_2048-
RSAES_OAEP_SHA_1: 214 bytes -
RSAES_OAEP_SHA_256: 190 bytes
-
-
RSA_3072-
RSAES_OAEP_SHA_1: 342 bytes -
RSAES_OAEP_SHA_256: 318 bytes
-
-
RSA_4096-
RSAES_OAEP_SHA_1: 470 bytes -
RSAES_OAEP_SHA_256: 446 bytes
-
Cross-account use: Yes. To perform this operation with a CMK in a
different AWS account, specify the key ARN or alias ARN in the value of
the KeyId parameter.
Required permissions: kms:Encrypt (key policy)
Related operations:
May throw NotFoundException. May throw DisabledException. May throw KeyUnavailableException. May throw DependencyTimeoutException. May throw InvalidKeyUsageException. May throw InvalidGrantTokenException. May throw KMSInternalException. May throw KMSInvalidStateException.
Parameter keyId :
A unique identifier for the customer master key (CMK).
To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
or alias ARN. When using an alias name, prefix it with
"alias/". To specify a CMK in a different AWS account, you
must use the key ARN or alias ARN.
For example:
-
Key ID:
1234abcd-12ab-34cd-56ef-1234567890ab -
Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab -
Alias name:
alias/ExampleAlias -
Alias ARN:
arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
Parameter plaintext :
Data to be encrypted.
Parameter encryptionAlgorithm :
Specifies the encryption algorithm that AWS KMS will use to encrypt the
plaintext message. The algorithm must be compatible with the CMK that you
specify.
This parameter is required only for asymmetric CMKs. The default value,
SYMMETRIC_DEFAULT, is the algorithm used for symmetric CMKs.
If you are using an asymmetric CMK, we recommend RSAES_OAEP_SHA_256.
Parameter encryptionContext :
Specifies the encryption context that will be used to encrypt the data. An
encryption context is valid only for cryptographic
operations with a symmetric CMK. The standard asymmetric encryption
algorithms that AWS KMS uses do not support an encryption context.
An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.
For more information, see Encryption Context in the AWS Key Management Service Developer Guide.
Parameter grantTokens :
A list of grant tokens.
For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.
Implementation
Future<EncryptResponse> encrypt({
required String keyId,
required Uint8List plaintext,
EncryptionAlgorithmSpec? encryptionAlgorithm,
Map<String, String>? encryptionContext,
List<String>? grantTokens,
}) async {
ArgumentError.checkNotNull(keyId, 'keyId');
_s.validateStringLength(
'keyId',
keyId,
1,
2048,
isRequired: true,
);
ArgumentError.checkNotNull(plaintext, 'plaintext');
final headers = <String, String>{
'Content-Type': 'application/x-amz-json-1.1',
'X-Amz-Target': 'TrentService.Encrypt'
};
final jsonResponse = await _protocol.send(
method: 'POST',
requestUri: '/',
exceptionFnMap: _exceptionFns,
// TODO queryParams
headers: headers,
payload: {
'KeyId': keyId,
'Plaintext': base64Encode(plaintext),
if (encryptionAlgorithm != null)
'EncryptionAlgorithm': encryptionAlgorithm.toValue(),
if (encryptionContext != null) 'EncryptionContext': encryptionContext,
if (grantTokens != null) 'GrantTokens': grantTokens,
},
);
return EncryptResponse.fromJson(jsonResponse.body);
}