Cloud Keys 2020 Delphi Edition


ReEncrypt Method

Decrypts data using one CMK and re-encrypts it using another CMK.

procedure ReEncrypt(OldKeyId: String; OldAlgorithm: String; NewKeyId: String; NewAlgorithm: String);

Remarks

This method decrypts data using the CMK specified by OldKeyId and re-encrypts it using the CMK specified by NewKeyId. This process happens completely on the server; at no point is the unencrypted data transferred over the wire.

The encrypted data is taken from the input stream supplied via the SetInputStream method, the specified InputFile, or the InputData property. The re-encrypted data is output to the output stream supplied via the SetOutputStream method, the specified OutputFile, or the OutputData property.

The values passed for the OldKeyId and NewKeyId parameters must be the Id or ARN of a CMK, or the name or ARN of an alias, in the current Region. For either or both parameters, if an ARN is provided, it can be for a CMK or alias in another account so long as the appropriate permissions are in place: the caller needs kms:ReEncryptFrom on the old CMK and kms:ReEncryptTo on the new CMK, granted by the key policies (and, for cross-account use, by the caller's IAM policy as well).

The OldAlgorithm and NewAlgorithm parameters specify the encryption algorithm currently in use, and the new encryption algorithm, respectively. OldAlgorithm must be valid for the old CMK's key spec and NewAlgorithm for the new CMK's key spec; the two CMKs need not share a key spec, so a ciphertext can be moved from a symmetric CMK to an RSA CMK or vice versa. Valid values are:

CMK key spec        Valid algorithms
SYMMETRIC_DEFAULT   SYMMETRIC_DEFAULT (default if empty)
RSA_2048            RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
RSA_3072            RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
RSA_4096            RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256

Note that it is important to keep track of the new encryption algorithm (and the new CMK) used, since both must be specified again when calling Decrypt (or ReEncrypt) later; store them alongside the re-encrypted ciphertext.

If OldAlgorithm is SYMMETRIC_DEFAULT, the encryption context items in the EncryptionContext* properties will be included in the request for use with decryption. Keep in mind that in order to successfully decrypt the data, the exact same encryption context items that were present when the data was encrypted must be supplied again. Encryption context items are case-sensitive, but not order-sensitive.

If NewAlgorithm is SYMMETRIC_DEFAULT, the encryption context items in the EncryptionContext* properties will also be included in the request for use with re-encryption, effectively causing the encryption context to be transferred to the re-encrypted data. Alternatively, the NewEncryptionContext configuration setting can be set before calling this method in order to supply a new encryption context (or, if set to {}, to "remove" the existing one).
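The following is an added example, not code from the /n software documentation, showing a complete rotation of one ciphertext from an old CMK to a new one with the semantics described above: the ciphertext goes in through an input stream, comes out through an output stream, the decrypt half receives the original encryption context, the re-encrypt half optionally receives a replacement context via NewEncryptionContext, and the new key and algorithm are returned so the caller can persist them with the ciphertext. It assumes the component class is TckAmazonKMS in unit ckamazonkms with AccessKey, SecretKey and Region properties, that the encryption context collection is exposed as EncryptionContextCount, EncryptionContextName and EncryptionContextValue, and that the NewEncryptionContext setting is passed through the component's Config method; verify those names against the component reference before use.

```delphi
{ Added example; not part of the product documentation.
  Assumed names (check the component reference): unit ckamazonkms, class
  TckAmazonKMS, properties AccessKey / SecretKey / Region, and the
  EncryptionContextCount / EncryptionContextName / EncryptionContextValue
  collection. Config() is the standard /n software configuration entry point. }
unit KmsRotate;

interface

uses
  SysUtils, Classes, ckamazonkms;

type
  { Everything that must be stored next to the rotated ciphertext so it can be
    decrypted later: the new key and the algorithm it was re-encrypted with. }
  TReEncryptResult = record
    NewKeyId: String;
    NewAlgorithm: String;
    Ciphertext: TBytes;
  end;

function RotateCiphertext(KMS: TckAmazonKMS; const Ciphertext: TBytes;
  const OldKeyId, OldAlgorithm, NewKeyId, NewAlgorithm: String;
  const ContextName, ContextValue: String;
  const NewContextJson: String): TReEncryptResult;

implementation

{ Re-encrypts Ciphertext from OldKeyId to NewKeyId entirely inside KMS; the
  plaintext never reaches this process. The caller needs kms:ReEncryptFrom on
  the old CMK and kms:ReEncryptTo on the new CMK. Pass NewContextJson = '' to
  carry the existing encryption context over, '{}' to drop it, or a JSON
  object to bind the new ciphertext to a different context. }
function RotateCiphertext(KMS: TckAmazonKMS; const Ciphertext: TBytes;
  const OldKeyId, OldAlgorithm, NewKeyId, NewAlgorithm: String;
  const ContextName, ContextValue: String;
  const NewContextJson: String): TReEncryptResult;
var
  Input, Output: TBytesStream;
begin
  Input := TBytesStream.Create(Ciphertext);
  Output := TBytesStream.Create;
  try
    KMS.SetInputStream(Input);
    KMS.SetOutputStream(Output);

    { Context for the decrypt half. Only honoured when OldAlgorithm is
      SYMMETRIC_DEFAULT, and it must match the context used at encryption
      time exactly (case-sensitive values; order does not matter). }
    KMS.EncryptionContextCount := 1;
    KMS.EncryptionContextName[0] := ContextName;
    KMS.EncryptionContextValue[0] := ContextValue;

    { Context for the re-encrypt half. Without this setting the same items are
      reused, which transfers the context to the new ciphertext. Only applies
      when NewAlgorithm is SYMMETRIC_DEFAULT; RSA OAEP CMKs have no context. }
    if NewContextJson <> '' then
      KMS.Config('NewEncryptionContext=' + NewContextJson);

    KMS.ReEncrypt(OldKeyId, OldAlgorithm, NewKeyId, NewAlgorithm);

    Result.NewKeyId := NewKeyId;
    Result.NewAlgorithm := NewAlgorithm;
    { TBytesStream.Bytes may be larger than the data written; trim to Size. }
    Result.Ciphertext := Copy(Output.Bytes, 0, Output.Size);
  finally
    { Detach the streams before freeing them so the component never holds a
      dangling reference for the next call. }
    KMS.SetInputStream(nil);
    KMS.SetOutputStream(nil);
    Input.Free;
    Output.Free;
  end;
end;

end.
```

Typical use: create the component, set AccessKey, SecretKey and Region, then call RotateCiphertext(KMS, OldBlob, 'alias/app-2019', 'SYMMETRIC_DEFAULT', 'alias/app-2021', 'SYMMETRIC_DEFAULT', 'tenant', 'acme', '') and persist NewKeyId and NewAlgorithm from the result next to Ciphertext. To move the same blob onto an RSA CMK instead, pass 'RSAES_OAEP_SHA_256' as NewAlgorithm; the decrypt half still needs the original context, while the RSA side ignores any context setting.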

This method will fail if any of the following are true regarding either of the specified CMKs:

  • Its State is anything other than aksEnabled (0).
  • It is for signing/verification instead of encryption/decryption (see ForSigning).
  • It is an AWS-managed CMK (see AWSManaged).

Copyright (c) 2021 /n software inc. - All rights reserved.
Cloud Keys 2020 Delphi Edition - Version 20.0 [Build 7718]