Generates a data key that can be used outside of Amazon KMS.
amazonkms.generateDataKey(keySpec, keyId, includePlaintext, [callback])
The 'callback' parameter specifies a function which will be called when the operation completes (or an error is encountered). If the 'callback' parameter is not specified, then the method will block and will not return until the operation completes (or an error is encountered).
The callback for this method is defined as:
'err' is the error that occurred. If there was no error, then 'err' is 'null'.
'err' has 2 properties which hold detailed information:
This method generates a data key that can be used outside of Amazon KMS for encryption and decryption. The generated data key will be encrypted using the CMK specified by KeyId before it is returned. The key and its related information will be downloaded to the following KeyData* properties, refer to their documentation for more information:
- KeyDataPlaintextKey (if true is passed for IncludePlaintext)
The KeySpec parameter specifies either the spec of the data key, or the size of the data key in bytes. Valid values are:
- Some number of bytes in the range 1 to 1024 (e.g., 64)
The value passed for the KeyId parameter must be the Id or ARN of a CMK, or the name or ARN of an alias, in the current Region. If an ARN is provided, it can be for a CMK or alias in another account so long as the appropriate permissions are in place. The specified CMK must be symmetric. Any encryption context items present in the EncryptionContext* properties will be included in the request and used when encrypting the data key; they must be supplied again in order to decrypt it.
The IncludePlaintext parameter specifies whether the server should return a plaintext (i.e., unencrypted) copy of the data key in addition to the encrypted copy. This can be useful if the data key will be used immediately.
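The following is an added example, not code from the component or its vendor: it shows what using the data key outside of Amazon KMS typically looks like once a plaintext copy has been returned. The function names are hypothetical, the key material is a locally constructed stand-in for the KeyData* values, and binding the encryption context to the ciphertext as AES-GCM additional data is an assumption of this sketch rather than something the component does.

```javascript
// Added example: envelope encryption with a data key, using Node's crypto.
const nodeCrypto = require('node:crypto');

// Serialize the encryption context with sorted keys so the bytes are stable.
function canonicalContext(context) {
  const pairs = Object.keys(context).sort().map((k) => [k, context[k]]);
  return Buffer.from(JSON.stringify(pairs), 'utf8');
}

// Encrypt with the plaintext data key, then wipe it. The CMK-encrypted copy
// is only stored in the envelope; it is never used for local cryptography.
function sealWithDataKey(plaintextKey, encryptedKey, plaintext, context) {
  if (plaintextKey.length !== 32) throw new Error('expected a 32-byte key');
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', plaintextKey, iv);
  cipher.setAAD(canonicalContext(context)); // assumption: context as AAD
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag();
  plaintextKey.fill(0); // the plaintext key should not outlive its use
  return { encryptedKey, iv, tag, ciphertext };
}

// Decrypt with a plaintext key recovered by decrypting envelope.encryptedKey
// through KMS with the same encryption context (that call is not shown here).
function openWithDataKey(plaintextKey, envelope, context) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', plaintextKey, envelope.iv);
  decipher.setAAD(canonicalContext(context));
  decipher.setAuthTag(envelope.tag);
  try {
    return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
  } finally {
    plaintextKey.fill(0);
  }
}

// Constructed stand-ins: a real caller takes both key copies from the
// KeyData* properties after generateDataKey(..., true).
function demo() {
  const plaintextKey = nodeCrypto.randomBytes(32);               // stand-in
  const encryptedKey = Buffer.from('PLACEHOLDER-ENCRYPTED-KEY'); // stand-in
  const recovered = Buffer.from(plaintextKey); // stands in for a later KMS decrypt
  const context = { app: 'demo', tenant: 't1' };
  const envelope = sealWithDataKey(plaintextKey, encryptedKey, Buffer.from('secret'), context);
  return openWithDataKey(recovered, envelope, context).toString('utf8');
}
```

Only the encrypted key, nonce, tag and ciphertext are persisted; a mismatched encryption context makes `openWithDataKey` throw on the authentication check.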
This method will fail if any of the following are true regarding the specified CMK: