paws.security.identity (version 0.1.0)

kms_re_encrypt: Encrypts data on the server side with a new customer master key (CMK) without exposing the plaintext of the data on the client side

Description

Encrypts data on the server side with a new customer master key (CMK) without exposing the plaintext of the data on the client side. The data is first decrypted and then reencrypted. You can also use this operation to change the encryption context of a ciphertext.

Usage

kms_re_encrypt(CiphertextBlob, SourceEncryptionContext,
  DestinationKeyId, DestinationEncryptionContext, GrantTokens)

Arguments

CiphertextBlob

[required] Ciphertext of the data to reencrypt.

SourceEncryptionContext

Encryption context used to encrypt and decrypt the data specified in the CiphertextBlob parameter.

DestinationKeyId

[required] A unique identifier for the CMK that is used to reencrypt the data.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

  • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

  • Alias name: alias/ExampleAlias

  • Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

DestinationEncryptionContext

Encryption context to use when the data is reencrypted.

GrantTokens

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Request syntax

svc$re_encrypt(
  CiphertextBlob = raw,
  SourceEncryptionContext = list(
    "string"
  ),
  DestinationKeyId = "string",
  DestinationEncryptionContext = list(
    "string"
  ),
  GrantTokens = list(
    "string"
  )
)

Details

You can reencrypt data using CMKs in different AWS accounts.

Unlike other operations, ReEncrypt is authorized twice, once as ReEncryptFrom on the source CMK and once as ReEncryptTo on the destination CMK. We recommend that you include the "kms:ReEncrypt*" permission in your key policies to permit reencryption from or to the CMK. This permission is automatically included in the key policy when you create a CMK through the console, but you must include it manually when you create a CMK programmatically or when you set a key policy with the PutKeyPolicy operation.

The result of this operation varies with the key state of the CMK. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.

Examples

# The following example reencrypts data with the specified CMK.
# A KMS client must exist first; paws reads AWS credentials from the
# environment (or the usual config files).
library(paws)
svc <- kms()

# CiphertextBlob is a raw vector, typically the CiphertextBlob field
# returned by an earlier encrypt or generate_data_key call.
svc$re_encrypt(
  CiphertextBlob = "<binary data>",
  DestinationKeyId = "0987dcba-09fe-87dc-65ba-ab0987654321"
)
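The full flow described in Details, as an added example that is not part of the paws documentation: encrypt under one CMK with an encryption context, re-encrypt server side to a second CMK with a different context, then verify that only the new context decrypts. It assumes AWS credentials in the environment, that the caller holds kms:ReEncryptFrom on the source CMK and kms:ReEncryptTo on the destination, and that the two alias names are placeholders you replace with your own.

```r
library(paws)

svc <- kms()

# Placeholder key identifiers (assumption): replace with CMKs you control.
source_key_id      <- "alias/source-placeholder"
destination_key_id <- "alias/destination-placeholder"

# An encryption context is additional authenticated data: the same
# key/value pairs must be supplied on decrypt or the call fails.
old_ctx <- list(app = "inventory", env = "prod")
new_ctx <- list(app = "inventory", env = "prod", owner = "team-b")

# Encrypt a small plaintext under the source CMK with the old context.
enc <- svc$encrypt(
  KeyId = source_key_id,
  Plaintext = charToRaw("example secret"),
  EncryptionContext = old_ctx
)

# Re-encrypt inside KMS: the service decrypts with the source CMK
# (checking old_ctx) and re-encrypts under the destination CMK bound
# to new_ctx. The plaintext never reaches the client.
re <- svc$re_encrypt(
  CiphertextBlob = enc$CiphertextBlob,
  SourceEncryptionContext = old_ctx,
  DestinationKeyId = destination_key_id,
  DestinationEncryptionContext = new_ctx
)

# The response reports both CMKs involved; useful for audit logging.
cat("source key:      ", re$SourceKeyId, "\n")
cat("destination key: ", re$KeyId, "\n")

# Decrypting with the new context recovers the plaintext.
dec <- svc$decrypt(
  CiphertextBlob = re$CiphertextBlob,
  EncryptionContext = new_ctx
)
stopifnot(identical(rawToChar(dec$Plaintext), "example secret"))

# Decrypting with the old context must now fail (KMS returns
# InvalidCiphertextException); this is how the changed context is enforced.
res <- tryCatch(
  svc$decrypt(CiphertextBlob = re$CiphertextBlob, EncryptionContext = old_ctx),
  error = function(e) conditionMessage(e)
)
stopifnot(is.character(res))
cat("decrypt with old context rejected as expected\n")
```

CloudTrail records the ReEncrypt call with both key ARNs, so a key-rotation job built on this pattern can be reconciled against the log afterwards.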
