1// Code generated by smithy-go-codegen DO NOT EDIT. 2 3package kms 4 5import ( 6 "context" 7 awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" 8 "github.com/aws/aws-sdk-go-v2/aws/signer/v4" 9 "github.com/aws/aws-sdk-go-v2/service/kms/types" 10 "github.com/aws/smithy-go/middleware" 11 smithyhttp "github.com/aws/smithy-go/transport/http" 12) 13 14// Decrypts ciphertext and then reencrypts it entirely within AWS KMS. You can use 15// this operation to change the customer master key (CMK) under which data is 16// encrypted, such as when you manually rotate 17// (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually) 18// a CMK or change the CMK that protects a ciphertext. You can also use it to 19// reencrypt ciphertext under the same CMK, such as to change the encryption 20// context 21// (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) 22// of a ciphertext. The ReEncrypt operation can decrypt ciphertext that was 23// encrypted by using an AWS KMS CMK in an AWS KMS operation, such as Encrypt or 24// GenerateDataKey. It can also decrypt ciphertext that was encrypted by using the 25// public key of an asymmetric CMK 26// (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks) 27// outside of AWS KMS. However, it cannot decrypt ciphertext produced by other 28// libraries, such as the AWS Encryption SDK 29// (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/) or Amazon 30// S3 client-side encryption 31// (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html). 32// These libraries return a ciphertext format that is incompatible with AWS KMS. 33// When you use the ReEncrypt operation, you need to provide information for the 34// decrypt operation and the subsequent encrypt operation. 35// 36// * If your ciphertext 37// was encrypted under an asymmetric CMK, you must use the SourceKeyId parameter to 38// identify the CMK that encrypted the ciphertext. You must also supply the 39// encryption algorithm that was used. This information is required to decrypt the 40// data. 41// 42// * If your ciphertext was encrypted under a symmetric CMK, the SourceKeyId 43// parameter is optional. AWS KMS can get this information from metadata that it 44// adds to the symmetric ciphertext blob. This feature adds durability to your 45// implementation by ensuring that authorized users can decrypt ciphertext decades 46// after it was encrypted, even if they've lost track of the CMK ID. However, 47// specifying the source CMK is always recommended as a best practice. When you use 48// the SourceKeyId parameter to specify a CMK, AWS KMS uses only the CMK you 49// specify. If the ciphertext was encrypted under a different CMK, the ReEncrypt 50// operation fails. This practice ensures that you use the CMK that you intend. 51// 52// * 53// To reencrypt the data, you must use the DestinationKeyId parameter specify the 54// CMK that re-encrypts the data after it is decrypted. You can select a symmetric 55// or asymmetric CMK. If the destination CMK is an asymmetric CMK, you must also 56// provide the encryption algorithm. The algorithm that you choose must be 57// compatible with the CMK. When you use an asymmetric CMK to encrypt or reencrypt 58// data, be sure to record the CMK and encryption algorithm that you choose. You 59// will be required to provide the same CMK and encryption algorithm when you 60// decrypt the data. If the CMK and algorithm do not match the values used to 61// encrypt the data, the decrypt operation fails. You are not required to supply 62// the CMK ID and encryption algorithm when you decrypt with symmetric CMKs because 63// AWS KMS stores this information in the ciphertext blob. AWS KMS cannot store 64// metadata in ciphertext generated with asymmetric keys. The standard format for 65// asymmetric key ciphertext does not include configurable fields. 66// 67// The CMK that 68// you use for this operation must be in a compatible key state. For details, see 69// How Key State Affects Use of a Customer Master Key 70// (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the 71// AWS Key Management Service Developer Guide. Cross-account use: Yes. The source 72// CMK and destination CMK can be in different AWS accounts. Either or both CMKs 73// can be in a different account than the caller. Required permissions: 74// 75// * 76// kms:ReEncryptFrom 77// (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 78// permission on the source CMK (key policy) 79// 80// * kms:ReEncryptTo 81// (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 82// permission on the destination CMK (key policy) 83// 84// To permit reencryption from or 85// to a CMK, include the "kms:ReEncrypt*" permission in your key policy 86// (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html). This 87// permission is automatically included in the key policy when you use the console 88// to create a CMK. But you must include it manually when you create a CMK 89// programmatically or when you use the PutKeyPolicy operation to set a key policy. 90// Related operations: 91// 92// * Decrypt 93// 94// * Encrypt 95// 96// * GenerateDataKey 97// 98// * 99// GenerateDataKeyPair 100func (c *Client) ReEncrypt(ctx context.Context, params *ReEncryptInput, optFns ...func(*Options)) (*ReEncryptOutput, error) { 101 if params == nil { 102 params = &ReEncryptInput{} 103 } 104 105 result, metadata, err := c.invokeOperation(ctx, "ReEncrypt", params, optFns, addOperationReEncryptMiddlewares) 106 if err != nil { 107 return nil, err 108 } 109 110 out := result.(*ReEncryptOutput) 111 out.ResultMetadata = metadata 112 return out, nil 113} 114 115type ReEncryptInput struct { 116 117 // Ciphertext of the data to reencrypt. 118 // 119 // This member is required. 120 CiphertextBlob []byte 121 122 // A unique identifier for the CMK that is used to reencrypt the data. Specify a 123 // symmetric or asymmetric CMK with a KeyUsage value of ENCRYPT_DECRYPT. To find 124 // the KeyUsage value of a CMK, use the DescribeKey operation. To specify a CMK, 125 // use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using 126 // an alias name, prefix it with "alias/". To specify a CMK in a different AWS 127 // account, you must use the key ARN or alias ARN. For example: 128 // 129 // * Key ID: 130 // 1234abcd-12ab-34cd-56ef-1234567890ab 131 // 132 // * Key ARN: 133 // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab 134 // 135 // * 136 // Alias name: alias/ExampleAlias 137 // 138 // * Alias ARN: 139 // arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias 140 // 141 // To get the key ID and key 142 // ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, 143 // use ListAliases. 144 // 145 // This member is required. 146 DestinationKeyId *string 147 148 // Specifies the encryption algorithm that AWS KMS will use to reecrypt the data 149 // after it has decrypted it. The default value, SYMMETRIC_DEFAULT, represents the 150 // encryption algorithm used for symmetric CMKs. This parameter is required only 151 // when the destination CMK is an asymmetric CMK. 152 DestinationEncryptionAlgorithm types.EncryptionAlgorithmSpec 153 154 // Specifies that encryption context to use when the reencrypting the data. A 155 // destination encryption context is valid only when the destination CMK is a 156 // symmetric CMK. The standard ciphertext format for asymmetric CMKs does not 157 // include fields for metadata. An encryption context is a collection of non-secret 158 // key-value pairs that represents additional authenticated data. When you use an 159 // encryption context to encrypt data, you must specify the same (an exact 160 // case-sensitive match) encryption context to decrypt the data. An encryption 161 // context is optional when encrypting with a symmetric CMK, but it is highly 162 // recommended. For more information, see Encryption Context 163 // (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) 164 // in the AWS Key Management Service Developer Guide. 165 DestinationEncryptionContext map[string]string 166 167 // A list of grant tokens. For more information, see Grant Tokens 168 // (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) 169 // in the AWS Key Management Service Developer Guide. 170 GrantTokens []string 171 172 // Specifies the encryption algorithm that AWS KMS will use to decrypt the 173 // ciphertext before it is reencrypted. The default value, SYMMETRIC_DEFAULT, 174 // represents the algorithm used for symmetric CMKs. Specify the same algorithm 175 // that was used to encrypt the ciphertext. If you specify a different algorithm, 176 // the decrypt attempt fails. This parameter is required only when the ciphertext 177 // was encrypted under an asymmetric CMK. 178 SourceEncryptionAlgorithm types.EncryptionAlgorithmSpec 179 180 // Specifies the encryption context to use to decrypt the ciphertext. Enter the 181 // same encryption context that was used to encrypt the ciphertext. An encryption 182 // context is a collection of non-secret key-value pairs that represents additional 183 // authenticated data. When you use an encryption context to encrypt data, you must 184 // specify the same (an exact case-sensitive match) encryption context to decrypt 185 // the data. An encryption context is optional when encrypting with a symmetric 186 // CMK, but it is highly recommended. For more information, see Encryption Context 187 // (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) 188 // in the AWS Key Management Service Developer Guide. 189 SourceEncryptionContext map[string]string 190 191 // Specifies the customer master key (CMK) that AWS KMS will use to decrypt the 192 // ciphertext before it is re-encrypted. Enter a key ID of the CMK that was used to 193 // encrypt the ciphertext. This parameter is required only when the ciphertext was 194 // encrypted under an asymmetric CMK. If you used a symmetric CMK, AWS KMS can get 195 // the CMK from metadata that it adds to the symmetric ciphertext blob. However, it 196 // is always recommended as a best practice. This practice ensures that you use the 197 // CMK that you intend. To specify a CMK, use its key ID, Amazon Resource Name 198 // (ARN), alias name, or alias ARN. When using an alias name, prefix it with 199 // "alias/". To specify a CMK in a different AWS account, you must use the key ARN 200 // or alias ARN. For example: 201 // 202 // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab 203 // 204 // * 205 // Key ARN: 206 // arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab 207 // 208 // * 209 // Alias name: alias/ExampleAlias 210 // 211 // * Alias ARN: 212 // arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias 213 // 214 // To get the key ID and key 215 // ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, 216 // use ListAliases. 217 SourceKeyId *string 218} 219 220type ReEncryptOutput struct { 221 222 // The reencrypted data. When you use the HTTP API or the AWS CLI, the value is 223 // Base64-encoded. Otherwise, it is not Base64-encoded. 224 CiphertextBlob []byte 225 226 // The encryption algorithm that was used to reencrypt the data. 227 DestinationEncryptionAlgorithm types.EncryptionAlgorithmSpec 228 229 // The Amazon Resource Name (key ARN 230 // (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) 231 // of the CMK that was used to reencrypt the data. 232 KeyId *string 233 234 // The encryption algorithm that was used to decrypt the ciphertext before it was 235 // reencrypted. 236 SourceEncryptionAlgorithm types.EncryptionAlgorithmSpec 237 238 // Unique identifier of the CMK used to originally encrypt the data. 239 SourceKeyId *string 240 241 // Metadata pertaining to the operation's result. 242 ResultMetadata middleware.Metadata 243} 244 245func addOperationReEncryptMiddlewares(stack *middleware.Stack, options Options) (err error) { 246 err = stack.Serialize.Add(&awsAwsjson11_serializeOpReEncrypt{}, middleware.After) 247 if err != nil { 248 return err 249 } 250 err = stack.Deserialize.Add(&awsAwsjson11_deserializeOpReEncrypt{}, middleware.After) 251 if err != nil { 252 return err 253 } 254 if err = addSetLoggerMiddleware(stack, options); err != nil { 255 return err 256 } 257 if err = awsmiddleware.AddClientRequestIDMiddleware(stack); err != nil { 258 return err 259 } 260 if err = smithyhttp.AddComputeContentLengthMiddleware(stack); err != nil { 261 return err 262 } 263 if err = addResolveEndpointMiddleware(stack, options); err != nil { 264 return err 265 } 266 if err = v4.AddComputePayloadSHA256Middleware(stack); err != nil { 267 return err 268 } 269 if err = addRetryMiddlewares(stack, options); err != nil { 270 return err 271 } 272 if err = addHTTPSignerV4Middleware(stack, options); err != nil { 273 return err 274 } 275 if err = awsmiddleware.AddRawResponseToMetadata(stack); err != nil { 276 return err 277 } 278 if err = awsmiddleware.AddRecordResponseTiming(stack); err != nil { 279 return err 280 } 281 if err = addClientUserAgent(stack); err != nil { 282 return err 283 } 284 if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil { 285 return err 286 } 287 if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { 288 return err 289 } 290 if err = addOpReEncryptValidationMiddleware(stack); err != nil { 291 return err 292 } 293 if err = stack.Initialize.Add(newServiceMetadataMiddleware_opReEncrypt(options.Region), middleware.Before); err != nil { 294 return err 295 } 296 if err = addRequestIDRetrieverMiddleware(stack); err != nil { 297 return err 298 } 299 if err = addResponseErrorMiddleware(stack); err != nil { 300 return err 301 } 302 if err = addRequestResponseLogging(stack, options); err != nil { 303 return err 304 } 305 return nil 306} 307 308func newServiceMetadataMiddleware_opReEncrypt(region string) *awsmiddleware.RegisterServiceMetadata { 309 return &awsmiddleware.RegisterServiceMetadata{ 310 Region: region, 311 ServiceID: ServiceID, 312 SigningName: "kms", 313 OperationName: "ReEncrypt", 314 } 315} 316