java.lang.Object
com.amazonaws.services.dynamodbv2.datamodeling.encryption.DynamoDBEncryptor

public class DynamoDBEncryptor extends Object
The low-level API used by AttributeEncryptor to perform crypto operations on the record attributes.

For guidance on performing a safe data model change procedure, please see DynamoDB Encryption Client Developer Guide: Changing your data model

Author:
Greg Rubin
  • Method Details

    • getInstance

      public static DynamoDBEncryptor getInstance(EncryptionMaterialsProvider provider, String descriptionbase)
    • getInstance

      public static DynamoDBEncryptor getInstance(EncryptionMaterialsProvider provider)
    • decryptAllFieldsExcept

      public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> decryptAllFieldsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, String... doNotDecrypt) throws GeneralSecurityException
      Returns a decrypted version of the provided DynamoDb record. The signature is verified across all provided fields. All fields (except those listed in doNotDecrypt) are decrypted.
      Parameters:
      itemAttributes - the DynamoDbRecord
      context - additional information used to successfully select the encryption materials and decrypt the data. This should include (at least) the tableName and the materialDescription.
      doNotDecrypt - those fields which should not be decrypted
      Returns:
      a plaintext version of the DynamoDb record
      Throws:
      SignatureException - if the signature is invalid or cannot be verified
      GeneralSecurityException
    • decryptAllFieldsExcept

      public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> decryptAllFieldsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, Collection<String> doNotDecrypt) throws GeneralSecurityException
      Throws:
      GeneralSecurityException
    • allDecryptionFlagsExcept

      public Map<String,Set<EncryptionFlags>> allDecryptionFlagsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, String... doNotDecrypt)
      Returns the decryption flags for all item attributes except for those explicitly specified to be excluded.
      Parameters:
      doNotDecrypt - fields to be excluded from decryption
    • allDecryptionFlagsExcept

      public Map<String,Set<EncryptionFlags>> allDecryptionFlagsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, Collection<String> doNotDecrypt)
      Returns the decryption flags for all item attributes except for those explicitly specified to be excluded.
      Parameters:
      doNotDecrypt - fields to be excluded from decryption
    • encryptAllFieldsExcept

      public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> encryptAllFieldsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, String... doNotEncrypt) throws GeneralSecurityException
      Returns an encrypted version of the provided DynamoDb record. All fields are signed. All fields (except those listed in doNotEncrypt) are encrypted.
      Parameters:
      itemAttributes - a DynamoDb Record
      context - additional information used to successfully select the encryption materials and encrypt the data. This should include (at least) the tableName.
      doNotEncrypt - those fields which should not be encrypted
      Returns:
      a ciphertext version of the DynamoDb record
      Throws:
      GeneralSecurityException
    • encryptAllFieldsExcept

      public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> encryptAllFieldsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, Collection<String> doNotEncrypt) throws GeneralSecurityException
      Throws:
      GeneralSecurityException
    • allEncryptionFlagsExcept

      public Map<String,Set<EncryptionFlags>> allEncryptionFlagsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, String... doNotEncrypt)
      Returns the encryption flags for all item attributes except for those explicitly specified to be excluded.
      Parameters:
      doNotEncrypt - fields to be excluded from encryption
    • allEncryptionFlagsExcept

      public Map<String,Set<EncryptionFlags>> allEncryptionFlagsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, Collection<String> doNotEncrypt)
      Returns the encryption flags for all item attributes except for those explicitly specified to be excluded.
      Parameters:
      doNotEncrypt - fields to be excluded from encryption
    • decryptRecord

      public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> decryptRecord(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, Map<String,Set<EncryptionFlags>> attributeFlags, EncryptionContext context) throws GeneralSecurityException
      Throws:
      GeneralSecurityException
    • encryptRecord

      public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> encryptRecord(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, Map<String,Set<EncryptionFlags>> attributeFlags, EncryptionContext context) throws GeneralSecurityException
      Returns the encrypted (and signed) record, which is a map of item attributes. There is no side effect on the input parameters upon calling this method.
      Parameters:
      itemAttributes - the input record
      attributeFlags - the corresponding encryption flags
      context - encryption context
      Returns:
      a new instance of item attributes encrypted as necessary
      Throws:
      GeneralSecurityException - if failed to encrypt the record
    • getBlockSize

      protected static int getBlockSize(String encryptionMode)
    • getSignatureFieldName

      public String getSignatureFieldName()
      Get the name of the DynamoDB field used to store the signature. Defaults to DEFAULT_SIGNATURE_FIELD.
      Returns:
      the name of the DynamoDB field used to store the signature
    • setSignatureFieldName

      public void setSignatureFieldName(String signatureFieldName)
      Set the name of the DynamoDB field used to store the signature.
      Parameters:
      signatureFieldName - the name of the DynamoDB field used to store the signature
    • getMaterialDescriptionFieldName

      public String getMaterialDescriptionFieldName()
      Get the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper. Defaults to DEFAULT_METADATA_FIELD.
      Returns:
      the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper
    • setMaterialDescriptionFieldName

      public void setMaterialDescriptionFieldName(String materialDescriptionFieldName)
      Set the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper.
      Parameters:
      materialDescriptionFieldName - the name of the DynamoDB field used to store the material description
    • marshallDescription

      protected static com.amazonaws.services.dynamodbv2.model.AttributeValue marshallDescription(Map<String,String> description)
      Marshalls the description into a ByteBuffer by outputting each key (modified UTF-8) followed by its value (also in modified UTF-8).
      Parameters:
      description - the material description to marshall
      Returns:
      the description encoded as an AttributeValue with a ByteBuffer value
    • getSigningAlgorithmHeader

      public String getSigningAlgorithmHeader()
    • unmarshallDescription

      protected static Map<String,String> unmarshallDescription(com.amazonaws.services.dynamodbv2.model.AttributeValue attributeValue)
    • setEncryptionContextOverrideOperator

      public final void setEncryptionContextOverrideOperator(Function<EncryptionContext,EncryptionContext> encryptionContextOverrideOperator)
      Parameters:
      encryptionContextOverrideOperator - the nullable operator which will be used to override the EncryptionContext.
    • getEncryptionContextOverrideOperator

      public final Function<EncryptionContext,EncryptionContext> getEncryptionContextOverrideOperator()
      Returns:
      the operator used to override the EncryptionContext
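As an added example (not part of the library's Javadoc or code base), the following program exercises the methods documented above end to end: it obtains an encryptor through getInstance, encrypts a record with encryptAllFieldsExcept so that the key attributes stay in the clear but remain signed, decrypts it with decryptAllFieldsExcept, shows that a modified signed attribute is rejected with SignatureException, and then repeats the round trip through the flag-based allEncryptionFlagsExcept / encryptRecord / allDecryptionFlagsExcept / decryptRecord path, leaving one non-key attribute signed but unencrypted so it stays queryable. It assumes aws-dynamodb-encryption-java and the AWS SDK for Java v1 on the classpath. SymmetricStaticProvider with locally generated keys is used only so the example runs offline; the table name, key names, attribute values and the class name EncryptorRoundTrip are constructed for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.SignatureException;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

import com.amazonaws.services.dynamodbv2.datamodeling.encryption.DynamoDBEncryptor;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.EncryptionContext;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.EncryptionFlags;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.EncryptionMaterialsProvider;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.SymmetricStaticProvider;
import com.amazonaws.services.dynamodbv2.model.AttributeValue;

public class EncryptorRoundTrip {
    // Constructed sample table and key names; not from the page.
    static final String TABLE = "Customers";
    static final String HASH_KEY = "customerId";
    static final String RANGE_KEY = "recordType";

    public static void main(String[] args) throws GeneralSecurityException {
        // Locally generated keys so the example runs offline. A static provider is
        // an assumption for illustration; a KMS-backed provider is the usual choice.
        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(256);
        SecretKey encryptionKey = aes.generateKey();
        KeyGenerator hmac = KeyGenerator.getInstance("HmacSHA256");
        hmac.init(256);
        SecretKey signingKey = hmac.generateKey();
        EncryptionMaterialsProvider provider = new SymmetricStaticProvider(encryptionKey, signingKey);

        DynamoDBEncryptor encryptor = DynamoDBEncryptor.getInstance(provider);

        // The context must carry at least the table name; the key names are bound in as well
        // so the same ciphertext cannot be silently moved to another table or key.
        EncryptionContext context = new EncryptionContext.Builder()
                .withTableName(TABLE)
                .withHashKeyName(HASH_KEY)
                .withRangeKeyName(RANGE_KEY)
                .build();

        // Constructed sample record.
        Map<String, AttributeValue> item = new HashMap<>();
        item.put(HASH_KEY, new AttributeValue().withS("c-1001"));
        item.put(RANGE_KEY, new AttributeValue().withS("profile"));
        item.put("email", new AttributeValue().withS("alice@example.com"));
        item.put("balance", new AttributeValue().withN("42.50"));

        // 1. Convenience API: every attribute is signed; all but the key attributes are encrypted.
        Map<String, AttributeValue> encrypted =
                encryptor.encryptAllFieldsExcept(item, context, HASH_KEY, RANGE_KEY);
        // Encrypted attributes come back as binary (B) values, and the record gains the
        // signature and material-description attributes named by the two getters.
        System.out.println("email is binary: " + (encrypted.get("email").getB() != null));
        System.out.println("signature attribute present: "
                + encrypted.containsKey(encryptor.getSignatureFieldName()));
        System.out.println("material description attribute present: "
                + encrypted.containsKey(encryptor.getMaterialDescriptionFieldName()));

        Map<String, AttributeValue> decrypted =
                encryptor.decryptAllFieldsExcept(encrypted, context, HASH_KEY, RANGE_KEY);
        System.out.println("round trip restores the record: " + item.equals(decrypted));

        // 2. Integrity check: a plaintext key attribute is still covered by the signature,
        //    so changing it after encryption is detected at decrypt time.
        Map<String, AttributeValue> tampered = new HashMap<>(encrypted);
        tampered.put(RANGE_KEY, new AttributeValue().withS("settings"));
        try {
            encryptor.decryptAllFieldsExcept(tampered, context, HASH_KEY, RANGE_KEY);
            System.out.println("unexpected: modified record was accepted");
        } catch (SignatureException e) {
            System.out.println("modified record rejected: " + e.getMessage());
        }

        // 3. Flag-based API: keep a non-key attribute ("status") signed but unencrypted
        //    so it can still be used in queries; everything else is ENCRYPT + SIGN.
        item.put("status", new AttributeValue().withS("active"));
        Map<String, Set<EncryptionFlags>> encryptFlags =
                encryptor.allEncryptionFlagsExcept(item, HASH_KEY, RANGE_KEY, "status");
        System.out.println("status flags: " + encryptFlags.get("status"));   // SIGN only
        System.out.println("email flags:  " + encryptFlags.get("email"));    // ENCRYPT, SIGN
        Map<String, AttributeValue> encrypted2 = encryptor.encryptRecord(item, encryptFlags, context);

        // The decrypt side must exclude the same attributes, otherwise it will try to
        // decrypt a plaintext value and fail.
        Map<String, Set<EncryptionFlags>> decryptFlags =
                encryptor.allDecryptionFlagsExcept(encrypted2, HASH_KEY, RANGE_KEY, "status");
        Map<String, AttributeValue> decrypted2 =
                encryptor.decryptRecord(encrypted2, decryptFlags, context);
        System.out.println("flag-based round trip restores the record: " + item.equals(decrypted2));
    }
}
```

The encryption context passed to decryptAllFieldsExcept / decryptRecord has to match the one used for encryption (same table name and key names), and the set of excluded attributes has to be the same on both sides; that pairing is what the flag maps returned by allEncryptionFlagsExcept and allDecryptionFlagsExcept make explicit.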