Class DirectKmsMaterialProvider
java.lang.Object
  com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.DirectKmsMaterialProvider
- All Implemented Interfaces:
  EncryptionMaterialsProvider

Generates a unique data key for each record in DynamoDB and protects that key using AWSKMS. Currently, the HashKey, RangeKey, and TableName are included in the KMS EncryptionContext for wrapping/unwrapping the key. This means that records cannot be copied/moved between tables without re-encryption.
Constructor Summary
- DirectKmsMaterialProvider(com.amazonaws.services.kms.AWSKMS kms)
- DirectKmsMaterialProvider(com.amazonaws.services.kms.AWSKMS kms, String encryptionKeyId)
- DirectKmsMaterialProvider(com.amazonaws.services.kms.AWSKMS kms, String encryptionKeyId, Map<String, String> materialDescription)
Method Summary
- protected com.amazonaws.services.kms.model.DecryptResult decrypt(com.amazonaws.services.kms.model.DecryptRequest request, EncryptionContext context)
  Decrypts ciphertext.
- protected com.amazonaws.services.kms.model.GenerateDataKeyResult generateDataKey(com.amazonaws.services.kms.model.GenerateDataKeyRequest request, EncryptionContext context)
  Returns a data encryption key that you can use in your application to encrypt data locally.
- getDecryptionMaterials(EncryptionContext context)
  Retrieves encryption materials matching the specified description from some source.
- protected String getEncryptionKeyId()
  Get the encryption key id that is used to create the EncryptionMaterials.
- getEncryptionMaterials(EncryptionContext context)
  Returns EncryptionMaterials which the caller can use for encryption.
- protected void populateKmsEcFromEc(EncryptionContext context, Map<String, String> kmsEc)
  Extracts relevant information from context and uses it to populate fields in kmsEc.
- void refresh()
  Forces this encryption materials provider to refresh its encryption material.
- protected String selectEncryptionKeyId(EncryptionContext context)
  Select the encryption key id to be used to generate the data key.
- protected void validateEncryptionKeyId(String encryptionKeyId, EncryptionContext context)
  Validate the encryption key id.
Constructor Details
- DirectKmsMaterialProvider
  public DirectKmsMaterialProvider(com.amazonaws.services.kms.AWSKMS kms)
- DirectKmsMaterialProvider
  public DirectKmsMaterialProvider(com.amazonaws.services.kms.AWSKMS kms, String encryptionKeyId)
- DirectKmsMaterialProvider
  public DirectKmsMaterialProvider(com.amazonaws.services.kms.AWSKMS kms, String encryptionKeyId, Map<String, String> materialDescription)
Method Details
- getDecryptionMaterials
  getDecryptionMaterials(EncryptionContext context)
  Description copied from interface: EncryptionMaterialsProvider
  Retrieves encryption materials matching the specified description from some source.
  - Specified by: getDecryptionMaterials in interface EncryptionMaterialsProvider
  - Parameters: context - Information to assist in selecting the proper return value. The implementation is free to determine the minimum necessary for successful processing.
  - Returns: The encryption materials that match the description, or null if no matching encryption materials are found.
- getEncryptionMaterials
  getEncryptionMaterials(EncryptionContext context)
  Description copied from interface: EncryptionMaterialsProvider
  Returns EncryptionMaterials which the caller can use for encryption. Each implementation of EncryptionMaterialsProvider can choose its own strategy for loading encryption material. For example, an implementation might load encryption material from an existing key management system, or load new encryption material when keys are rotated.
  - Specified by: getEncryptionMaterials in interface EncryptionMaterialsProvider
  - Parameters: context - Information to assist in selecting the proper return value. The implementation is free to determine the minimum necessary for successful processing.
  - Returns: EncryptionMaterials which the caller can use to encrypt or decrypt data.
- getEncryptionKeyId
  protected String getEncryptionKeyId()
  Get the encryption key id that is used to create the EncryptionMaterials.
  - Returns: the encryption key id.
- selectEncryptionKeyId
  protected String selectEncryptionKeyId(EncryptionContext context) throws com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMappingException
  Select the encryption key id to be used to generate the data key. The default implementation of this method returns encryptionKeyId.
  - Parameters: context - encryption context.
  - Returns: the encryptionKeyId.
  - Throws: com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMappingException - when it fails to select a valid encryption key id.
- validateEncryptionKeyId
  protected void validateEncryptionKeyId(String encryptionKeyId, EncryptionContext context) throws com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMappingException
  Validate the encryption key id. The default implementation of this method does not validate the encryption key id.
  - Parameters: encryptionKeyId - encryption key id from DecryptResult. context - encryption context.
  - Throws: com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMappingException - when encryptionKeyId is invalid.
- decrypt
  protected com.amazonaws.services.kms.model.DecryptResult decrypt(com.amazonaws.services.kms.model.DecryptRequest request, EncryptionContext context)
  Decrypts ciphertext. The default implementation calls KMS to decrypt the ciphertext using the parameters provided in the DecryptRequest. Subclasses can override the default implementation to provide additional request parameters using attributes within the EncryptionContext.
  - Parameters: request - request parameters to decrypt the given ciphertext. context - additional useful data to decrypt the ciphertext.
  - Returns: the decrypted plaintext for the given ciphertext.
- generateDataKey
  protected com.amazonaws.services.kms.model.GenerateDataKeyResult generateDataKey(com.amazonaws.services.kms.model.GenerateDataKeyRequest request, EncryptionContext context)
  Returns a data encryption key that you can use in your application to encrypt data locally. The default implementation calls KMS to generate the data key using the parameters provided in the GenerateDataKeyRequest. Subclasses can override the default implementation to provide additional request parameters using attributes within the EncryptionContext.
  - Parameters: request - request parameters to generate the data key. context - additional useful data to generate the data key.
  - Returns: the newly generated data key, which includes both the plaintext and the ciphertext.
- populateKmsEcFromEc
  protected void populateKmsEcFromEc(EncryptionContext context, Map<String, String> kmsEc)
  Extracts relevant information from context and uses it to populate fields in kmsEc. Subclasses can override the default implementation to provide an alternative encryption context in calls to KMS. Currently, the default implementation includes these fields (key name: value):
  - HashKeyName: HashKeyValue
  - RangeKeyName: RangeKeyValue
  - TABLE_NAME_EC_KEY: TableName
- refresh
  public void refresh()
  Description copied from interface: EncryptionMaterialsProvider
  Forces this encryption materials provider to refresh its encryption material. For many implementations of encryption materials provider, this may simply be a no-op, such as any encryption materials provider implementation that vends static/non-changing encryption material. For other implementations that vend different encryption material throughout their lifetime, this method should force the encryption materials provider to refresh its encryption material.
  - Specified by: refresh in interface EncryptionMaterialsProvider
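As an added example (not part of the library or of this page), a subclass that uses the two extension points documented above: populateKmsEcFromEc to add an application-level field to the KMS encryption context on top of the default HashKey/RangeKey/TableName binding, and validateEncryptionKeyId to reject any record whose data key was wrapped under a key other than the one this provider is configured with. It assumes the configured key id is the full key ARN (which is what KMS reports as the key id of a decrypt result) and that EncryptionContext exposes getTableName(); the class name, the "app" context key and the tag value are constructed for the example.

```java
import java.util.Map;
import java.util.Objects;

import com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMappingException;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.EncryptionContext;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.DirectKmsMaterialProvider;
import com.amazonaws.services.kms.AWSKMS;

/**
 * Example subclass (not part of the library). Two hardening points:
 *  1. every KMS call carries an extra encryption-context field naming the application,
 *     so a data key wrapped for this application cannot be unwrapped under another tag;
 *  2. on decrypt, the key id KMS reports is compared with the configured key ARN, so a
 *     record wrapped under any other key is rejected instead of silently accepted.
 */
public class PinnedKmsMaterialProvider extends DirectKmsMaterialProvider {
    /** Constructed context key name; must be identical on the writing and reading side. */
    static final String APP_EC_KEY = "app";

    private final String expectedKeyArn;
    private final String applicationTag;

    /** keyArn is assumed to be a full key ARN, the form KMS returns in DecryptResult.keyId. */
    public PinnedKmsMaterialProvider(AWSKMS kms, String keyArn, String applicationTag) {
        super(kms, keyArn);
        this.expectedKeyArn = Objects.requireNonNull(keyArn, "keyArn");
        this.applicationTag = Objects.requireNonNull(applicationTag, "applicationTag");
    }

    @Override
    protected void populateKmsEcFromEc(EncryptionContext context, Map<String, String> kmsEc) {
        // Keep the default HashKey / RangeKey / TableName binding, then add the application tag.
        super.populateKmsEcFromEc(context, kmsEc);
        kmsEc.put(APP_EC_KEY, applicationTag);
    }

    @Override
    protected void validateEncryptionKeyId(String encryptionKeyId, EncryptionContext context) {
        // The default implementation accepts any key id. Here the record must have been wrapped
        // under exactly the configured key; otherwise mapping fails and the item is not returned.
        if (!expectedKeyArn.equals(encryptionKeyId)) {
            // context.getTableName() is assumed to be available on the library's EncryptionContext.
            throw new DynamoDBMappingException("record in table " + context.getTableName()
                    + " was wrapped under " + encryptionKeyId + ", expected " + expectedKeyArn);
        }
    }
}
```

Every process that reads or writes the table must be configured with the same tag, because the KMS encryption context is bound at wrap time and KMS refuses to unwrap the data key when it differs.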