Package com.amazonaws.encryptionsdk.kms

Class AwsKmsMrkAwareMasterKey

java.lang.Object

com.amazonaws.encryptionsdk.MasterKeyProvider<K>

com.amazonaws.encryptionsdk.MasterKey<AwsKmsMrkAwareMasterKey>

com.amazonaws.encryptionsdk.kms.AwsKmsMrkAwareMasterKey

All Implemented Interfaces:

KmsMethods

public final class AwsKmsMrkAwareMasterKey
extends MasterKey<AwsKmsMrkAwareMasterKey>
implements KmsMethods

Represents a single Aws KMS key and is used to encrypt/decrypt data with AwsCrypto. This key may be a multi region key, in which case this component is able to recognize different regional replicas of this multi region key as the same.

Method Summary

Modifier and Type	Method	Description
void	addGrantToken(String grantToken)	Adds grantToken to the list of grantTokens sent to KMS when this class calls it.
DataKey<AwsKmsMrkAwareMasterKey>	decryptDataKey(CryptoAlgorithm algorithm, Collection<? extends EncryptedDataKey> encryptedDataKeys, Map<String,String> encryptionContext)	Will attempt to decrypt if awsKmsArnMatchForDecrypt returns true in AwsKmsMrkAwareMasterKey#filterEncryptedDataKeys(String, AwsKmsCmkArnInfo, EncryptedDataKey).
DataKey<AwsKmsMrkAwareMasterKey>	encryptDataKey(CryptoAlgorithm algorithm, Map<String,String> encryptionContext, DataKey<?> dataKey)	Returns a new copy of the provided dataKey which is protected by this MasterKey for use with algorithm and associated with the provided encryptionContext.
DataKey<AwsKmsMrkAwareMasterKey>	generateDataKey(CryptoAlgorithm algorithm, Map<String,String> encryptionContext)	This is identical behavior to
List<String>	getGrantTokens()	Returns the grantTokens which this object sends to KMS when calling it.
String	getKeyId()
String	getProviderId()
void	setGrantTokens(List<String> grantTokens)	Clears and sets all grant tokens on this instance.

Methods inherited from class com.amazonaws.encryptionsdk.MasterKey

canProvide, equals, getDefaultProviderId, getMasterKey, getMasterKeysForEncryption, hashCode, toString

Methods inherited from class com.amazonaws.encryptionsdk.MasterKeyProvider

buildCannotDecryptDksException, buildCannotDecryptDksException, buildCannotDecryptDksException, getMasterKey

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Method Details

getProviderId

public String getProviderId()

Specified by:

getProviderId in class MasterKey<AwsKmsMrkAwareMasterKey>

getKeyId

public String getKeyId()

Specified by:

getKeyId in class MasterKey<AwsKmsMrkAwareMasterKey>

setGrantTokens

public void setGrantTokens(List<String> grantTokens)

Clears and sets all grant tokens on this instance. This is not thread safe.

Specified by:

setGrantTokens in interface KmsMethods

getGrantTokens

public List<String> getGrantTokens()

Description copied from interface: KmsMethods

Returns the grantTokens which this object sends to KMS when calling it.

Specified by:

getGrantTokens in interface KmsMethods

addGrantToken

public void addGrantToken(String grantToken)

Description copied from interface: KmsMethods

Adds grantToken to the list of grantTokens sent to KMS when this class calls it.

Specified by:

addGrantToken in interface KmsMethods

generateDataKey

public DataKey<AwsKmsMrkAwareMasterKey> generateDataKey(CryptoAlgorithm algorithm,
 Map<String,String> encryptionContext)

This is identical behavior to

Specified by:

generateDataKey in class MasterKey<AwsKmsMrkAwareMasterKey>

See Also:

KmsMasterKey.generateDataKey(CryptoAlgorithm, Map)

encryptDataKey

public DataKey<AwsKmsMrkAwareMasterKey> encryptDataKey(CryptoAlgorithm algorithm,
 Map<String,String> encryptionContext,
 DataKey<?> dataKey)

Description copied from class: MasterKey

Returns a new copy of the provided dataKey which is protected by this MasterKey for use with algorithm and associated with the provided encryptionContext.

Specified by:

encryptDataKey in class MasterKey<AwsKmsMrkAwareMasterKey>

See Also:

KmsMasterKey.encryptDataKey(CryptoAlgorithm, Map, DataKey)

decryptDataKey

public DataKey<AwsKmsMrkAwareMasterKey> decryptDataKey(CryptoAlgorithm algorithm,
 Collection<? extends EncryptedDataKey> encryptedDataKeys,
 Map<String,String> encryptionContext)
                                                throws AwsCryptoException

Will attempt to decrypt if awsKmsArnMatchForDecrypt returns true in AwsKmsMrkAwareMasterKey#filterEncryptedDataKeys(String, AwsKmsCmkArnInfo, EncryptedDataKey). An extension of KmsMasterKey.decryptDataKey(CryptoAlgorithm, Collection, Map) but with an awareness of the properties of multi-Region keys.

Specified by:

decryptDataKey in class MasterKeyProvider<AwsKmsMrkAwareMasterKey>

Returns:

a DataKey if one can be decrypted, otherwise returns null

Throws:

UnsupportedProviderException - if the encryptedDataKey is associated with an unsupported provider

CannotUnwrapDataKeyException - if the encryptedDataKey cannot be decrypted

AwsCryptoException