GenerateDataKeyPair Method

Generates a data key pair that can be used outside of Amazon KMS.

Syntax

public func generateDataKeyPair(keyPairSpec: String, keyId: String, includePlaintext: Bool) throws -> Void

Remarks

This method generates a data key pair that can be used outside of Amazon KMS for encryption and decryption, or signing and verification. The private key of the generated key pair will be encrypted using the CMK specified by KeyId before it is returned. The key and its related information will be downloaded to the following KeyData* properties, refer to their documentation for more information:

The KeySpec parameter specifies the spec of the data key pair. Valid values are:

  • RSA_2048
  • RSA_3072
  • RSA_4096
  • ECC_NIST_P256 (secp256r1)
  • ECC_NIST_P384 (secp384r1)
  • ECC_NIST_P521 (secp521r1)
  • ECC_SECG_P256K1 (secp256k1)

The value passed for the KeyId parameter must be the Id or ARN of a CMK, or the name or ARN of an alias, in the current Region. If an ARN is provided, it can be for a CMK or alias in another account so long as the appropriate permissions are in place. The specified CMK must be symmetric. Any encryption context items present in the EncryptionContext* properties will be included in the request and used when encrypting the private key; they must be supplied again in order to decrypt it.

The IncludePlaintext parameter specifies whether the server should return a plaintext (i.e., unencrypted) copy of the data key pair's private key in addition to the encrypted copy. This can be useful if the private key will be used immediately.

This method will fail if any of the following are true regarding the specified CMK:

  • Its State is anything other than aksEnabled (0).
  • It is asymmetric (see KeySpec).
  • It is for signing/verification instead of encryption/decryption (see ForSigning).
  • It is an AWS-managed CMK (see AWSManaged).

 
 
Copyright (c) 2021 /n software inc. - All rights reserved.
Cloud Keys 2020 macOS Edition - Version 20.0 [Build 7876]