Generates a data key that can be used outside of Amazon KMS.
This method generates a data key that can be used outside of Amazon KMS for encryption and decryption. The generated data key will be encrypted using the CMK specified by KeyId before it is returned. The key and its related information will be downloaded to the following KeyData* properties, refer to their documentation for more information:
The KeySpec parameter specifies either the spec of the data key, or the size of the data key in bytes. Valid values are:
- Some number of bytes in the range 1 to 1024 (e.g., 64)
The value passed for the KeyId parameter must be the Id or ARN of a CMK, or the name or ARN of an alias, in the current Region. If an ARN is provided, it can be for a CMK or alias in another account so long as the appropriate permissions are in place. The specified CMK must be symmetric. Any encryption context items present in the EncryptionContext* properties will be included in the request and used when encrypting the data key; they must be supplied again in order to decrypt it.
The IncludePlaintext parameter specifies whether the server should return a plaintext (i.e., unencrypted) copy of the data key in addition to the encrypted copy. This can be useful if the data key will be used immediately.
This method will fail if any of the following are true regarding the specified CMK:
- Its State is anything other than aksEnabled (0).
- It is asymmetric (see KeySpec).
- It is for signing/verification instead of encryption/decryption (see ForSigning).
- It is an AWS-managed CMK (see AWSManaged).