Class DynamoDBEncryptor
java.lang.Object
com.amazonaws.services.dynamodbv2.datamodeling.encryption.DynamoDBEncryptor
The low-level API used by AttributeEncryptor to perform crypto operations on the record attributes.
For guidance on performing a safe data model change procedure, please see DynamoDB Encryption Client Developer Guide: Changing your data model
- Author:
- Greg Rubin
-
Field Summary
-
Constructor Summary
- protected DynamoDBEncryptor(EncryptionMaterialsProvider provider, String descriptionBase)
-
Method Summary
- allDecryptionFlagsExcept(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, String... doNotDecrypt): Returns the decryption flags for all item attributes except for those explicitly specified to be excluded.
- allDecryptionFlagsExcept(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, Collection<String> doNotDecrypt): Returns the decryption flags for all item attributes except for those explicitly specified to be excluded.
- allEncryptionFlagsExcept(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, String... doNotEncrypt): Returns the encryption flags for all item attributes except for those explicitly specified to be excluded.
- allEncryptionFlagsExcept(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, Collection<String> doNotEncrypt): Returns the encryption flags for all item attributes except for those explicitly specified to be excluded.
- decryptAllFieldsExcept(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, String... doNotDecrypt): Returns a decrypted version of the provided DynamoDb record.
- decryptAllFieldsExcept(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, Collection<String> doNotDecrypt)
- decryptRecord(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, Map<String, Set<EncryptionFlags>> attributeFlags, EncryptionContext context)
- encryptAllFieldsExcept(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, String... doNotEncrypt): Returns an encrypted version of the provided DynamoDb record.
- encryptAllFieldsExcept(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, Collection<String> doNotEncrypt)
- encryptRecord(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, Map<String, Set<EncryptionFlags>> attributeFlags, EncryptionContext context): Returns the encrypted (and signed) record, which is a map of item attributes.
- protected static int getBlockSize(String encryptionMode)
- static DynamoDBEncryptor getInstance(EncryptionMaterialsProvider provider)
- static DynamoDBEncryptor getInstance(EncryptionMaterialsProvider provider, String descriptionbase)
- getMaterialDescriptionFieldName: Get the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper.
- getSignatureFieldName: Get the name of the DynamoDB field used to store the signature.
- protected static com.amazonaws.services.dynamodbv2.model.AttributeValue marshallDescription(Map<String, String> description): Marshalls the description into a ByteBuffer by outputting each key (modified UTF-8) followed by its value (also in modified UTF-8).
- final void setEncryptionContextOverrideOperator(Function<EncryptionContext, EncryptionContext> encryptionContextOverrideOperator)
- void setMaterialDescriptionFieldName(String materialDescriptionFieldName): Set the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper.
- void setSignatureFieldName(String signatureFieldName): Set the name of the DynamoDB field used to store the signature.
- unmarshallDescription(com.amazonaws.services.dynamodbv2.model.AttributeValue attributeValue)
-
Field Details
-
DEFAULT_SIGNING_ALGORITHM_HEADER
-
Constructor Details
-
DynamoDBEncryptor
-
-
Method Details
-
getInstance
public static DynamoDBEncryptor getInstance(EncryptionMaterialsProvider provider, String descriptionbase)
-
getInstance
-
decryptAllFieldsExcept
public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> decryptAllFieldsExcept(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, String... doNotDecrypt) throws GeneralSecurityException
Returns a decrypted version of the provided DynamoDb record. The signature is verified across all provided fields. All fields (except those listed in doNotDecrypt) are decrypted.
- Parameters:
- itemAttributes - the DynamoDbRecord
- context - additional information used to successfully select the encryption materials and decrypt the data. This should include (at least) the tableName and the materialDescription.
- doNotDecrypt - those fields which should not be encrypted
- Returns:
- a plaintext version of the DynamoDb record
- Throws:
- SignatureException - if the signature is invalid or cannot be verified
- GeneralSecurityException
-
decryptAllFieldsExcept
public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> decryptAllFieldsExcept(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, Collection<String> doNotDecrypt) throws GeneralSecurityException
-
allDecryptionFlagsExcept
public Map<String,Set<EncryptionFlags>> allDecryptionFlagsExcept(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, String... doNotDecrypt)
Returns the decryption flags for all item attributes except for those explicitly specified to be excluded.
- Parameters:
- doNotDecrypt - fields to be excluded
-
allDecryptionFlagsExcept
public Map<String,Set<EncryptionFlags>> allDecryptionFlagsExcept(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, Collection<String> doNotDecrypt)
Returns the decryption flags for all item attributes except for those explicitly specified to be excluded.
- Parameters:
- doNotDecrypt - fields to be excluded
-
encryptAllFieldsExcept
public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> encryptAllFieldsExcept(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, String... doNotEncrypt) throws GeneralSecurityException
Returns an encrypted version of the provided DynamoDb record. All fields are signed. All fields (except those listed in doNotEncrypt) are encrypted.
- Parameters:
- itemAttributes - a DynamoDb Record
- context - additional information used to successfully select the encryption materials and encrypt the data. This should include (at least) the tableName.
- doNotEncrypt - those fields which should not be encrypted
- Returns:
- a ciphertext version of the DynamoDb record
- Throws:
- GeneralSecurityException
-
encryptAllFieldsExcept
public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> encryptAllFieldsExcept(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, Collection<String> doNotEncrypt) throws GeneralSecurityException
- Throws:
- GeneralSecurityException
-
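Added example, not part of the library's documentation: a round trip through encryptAllFieldsExcept and decryptAllFieldsExcept, followed by a change to a signed-but-unencrypted attribute to show the signature check rejecting it. It assumes the library's SymmetricStaticProvider with locally generated keys; the class name, table name, attribute names and values are constructed for illustration.

```java
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.DynamoDBEncryptor;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.EncryptionContext;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.SymmetricStaticProvider;
import com.amazonaws.services.dynamodbv2.model.AttributeValue;
import java.security.SignatureException;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class EncryptorRoundTrip {
  public static void main(String[] args) throws Exception {
    // Constructed throwaway keys (assumption: static symmetric provider, for the demo only).
    KeyGenerator aes = KeyGenerator.getInstance("AES");
    aes.init(256);
    SecretKey encKey = aes.generateKey();
    SecretKey macKey = KeyGenerator.getInstance("HmacSHA256").generateKey();
    DynamoDBEncryptor encryptor =
        DynamoDBEncryptor.getInstance(new SymmetricStaticProvider(encKey, macKey));

    // Constructed sample item; table and attribute names are placeholders.
    Map<String, AttributeValue> item = new HashMap<>();
    item.put("customer_id", new AttributeValue().withS("c-1001"));
    item.put("tier", new AttributeValue().withS("basic"));
    item.put("notes", new AttributeValue().withS("constructed sensitive value"));

    EncryptionContext ctx = new EncryptionContext.Builder()
        .withTableName("ExampleTable")
        .withHashKeyName("customer_id")
        .build();

    // Listed attributes stay readable in the table: they are signed but not encrypted.
    Map<String, AttributeValue> stored =
        encryptor.encryptAllFieldsExcept(item, ctx, "customer_id", "tier");
    Map<String, AttributeValue> plain =
        encryptor.decryptAllFieldsExcept(stored, ctx, "customer_id", "tier");
    System.out.println("round trip ok: " + plain.get("notes").getS());

    // Simulate an out-of-band modification of a signed, unencrypted attribute.
    Map<String, AttributeValue> tampered = new HashMap<>(stored);
    tampered.put("tier", new AttributeValue().withS("premium"));
    try {
      encryptor.decryptAllFieldsExcept(tampered, ctx, "customer_id", "tier");
      System.out.println("modification NOT detected");
    } catch (SignatureException e) {
      System.out.println("modification detected: signature check failed");
    }
  }
}
```

Excluding an attribute from encryption does not exclude it from the signature, so plaintext attributes still get integrity protection on read.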
allEncryptionFlagsExcept
public Map<String,Set<EncryptionFlags>> allEncryptionFlagsExcept(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, String... doNotEncrypt)
Returns the encryption flags for all item attributes except for those explicitly specified to be excluded.
- Parameters:
- doNotEncrypt - fields to be excluded
-
allEncryptionFlagsExcept
public Map<String,Set<EncryptionFlags>> allEncryptionFlagsExcept(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, Collection<String> doNotEncrypt)
Returns the encryption flags for all item attributes except for those explicitly specified to be excluded.
- Parameters:
- doNotEncrypt - fields to be excluded
-
decryptRecord
public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> decryptRecord(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, Map<String, Set<EncryptionFlags>> attributeFlags, EncryptionContext context) throws GeneralSecurityException
- Throws:
- GeneralSecurityException
-
encryptRecord
public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> encryptRecord(Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, Map<String, Set<EncryptionFlags>> attributeFlags, EncryptionContext context) throws GeneralSecurityException
Returns the encrypted (and signed) record, which is a map of item attributes. There is no side effect on the input parameters upon calling this method.
- Parameters:
- itemAttributes - the input record
- attributeFlags - the corresponding encryption flags
- context - encryption context
- Returns:
- a new instance of item attributes encrypted as necessary
- Throws:
- GeneralSecurityException - if failed to encrypt the record
-
getBlockSize
-
getSignatureFieldName
Get the name of the DynamoDB field used to store the signature. Defaults to DEFAULT_SIGNATURE_FIELD.
- Returns:
- the name of the DynamoDB field used to store the signature
-
setSignatureFieldName
Set the name of the DynamoDB field used to store the signature.
- Parameters:
- signatureFieldName
-
getMaterialDescriptionFieldName
Get the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper. Defaults to DEFAULT_METADATA_FIELD.
- Returns:
- the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper
-
setMaterialDescriptionFieldName
Set the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper.
- Parameters:
- materialDescriptionFieldName
-
marshallDescription
protected static com.amazonaws.services.dynamodbv2.model.AttributeValue marshallDescription(Map<String, String> description)
Marshalls the description into a ByteBuffer by outputting each key (modified UTF-8) followed by its value (also in modified UTF-8).
- Parameters:
- description
- Returns:
- the description encoded as an AttributeValue with a ByteBuffer value
-
getSigningAlgorithmHeader
-
unmarshallDescription
protected static Map<String,String> unmarshallDescription(com.amazonaws.services.dynamodbv2.model.AttributeValue attributeValue)
-
setEncryptionContextOverrideOperator
public final void setEncryptionContextOverrideOperator(Function<EncryptionContext, EncryptionContext> encryptionContextOverrideOperator)
- Parameters:
- encryptionContextOverrideOperator - the nullable operator which will be used to override the EncryptionContext.
-
getEncryptionContextOverrideOperator
- Returns:
- the operator used to override the EncryptionContext
-