ReEncrypt Method

Decrypts data using one CMK and re-encrypts it using another CMK.


public func reEncrypt(oldKeyId: String, oldAlgorithm: String, newKeyId: String, newAlgorithm: String) throws -> Void


This method decrypts data using the CMK specified by OldKeyId and re-encrypts it using the CMK specified by NewKeyId. This process happens completely on the server; at no point is the unencrypted data transferred over the wire.

The encrypted data is taken from the the specified InputFile or the InputData property. The re-encrypted data is output to the the specified OutputFile or the OutputData property.

The values passed for the OldKeyId and NewKeyId parameters must be the Id or ARN of a CMK, or the name or ARN of an alias, in the current Region. For either or both parameters, if an ARN is provided, it can be for a CMK or alias in another account so long as the appropriate permissions are in place.

The OldAlgorithm and NewAlgorithm parameters specify the encryption algorithm currently in use, and the new encryption algorithm, respectively. Valid values vary depending on the old and new CMKs key specs:

CMK's Key Spec Valid Algorithms

Note that it is important to keep track of the new encryption algorithm used, since it must be specified again when calling Decrypt (or ReEncrypt) later.

If OldAlgorithm is SYMMETRIC_DEFAULT, the encryption context items in the EncryptionContext* properties will be included in the request for use with decryption. Keep in mind that in order to successfully decrypt the data, the exact same encryption context items that were present when the data was encrypted must be supplied again. Encryption context items are case-sensitive, but not order-sensitive.

If NewAlgorithm is SYMMETRIC_DEFAULT, the encryption context items in the EncryptionContext* properties will also be included in the request for use with re-encryption, effectively causing the encryption context to be transferred to the re-encrypted data. Alternatively, the NewEncryptionContext configuration setting can be set before calling this method in order to supply a new encryption context (or, if set to {}, to "remove" the existing one).

This method will fail if any of the following are true regarding either of the specified CMKs:

  • Its State is anything other than aksEnabled (0).
  • It is for signing/verification instead of encryption/decryption (see ForSigning).
  • It is an AWS-managed CMK (see AWSManaged).

Copyright (c) 2021 /n software inc. - All rights reserved.
Cloud Keys 2020 macOS Edition - Version 20.0 [Build 7876]