Cloud Keys 2020 Node.js Edition

Questions / Feedback?

GenerateDataKeyPair Method

Generates a data key pair that can be used outside of Amazon KMS.


amazonkms.generateDataKeyPair(keyPairSpec, keyId, includePlaintext, [callback])


The 'callback' parameter specifies a function which will be called when the operation completes (or an error is encountered). If the 'callback' parameter is not specified, then the method will block and will not return until the operation completes (or an error is encountered).

The callback for this method is defined as:

function(err){ }

'err' is the error that occurred. If there was no error, then 'err' is 'null'.

'err' has 2 properties which hold detailed information:



This method generates a data key pair that can be used outside of Amazon KMS for encryption and decryption, or signing and verification. The private key of the generated key pair will be encrypted using the CMK specified by KeyId before it is returned. The key and its related information will be downloaded to the following KeyData* properties, refer to their documentation for more information:

The KeySpec parameter specifies the spec of the data key pair. Valid values are:

  • RSA_2048
  • RSA_3072
  • RSA_4096
  • ECC_NIST_P256 (secp256r1)
  • ECC_NIST_P384 (secp384r1)
  • ECC_NIST_P521 (secp521r1)
  • ECC_SECG_P256K1 (secp256k1)

The value passed for the KeyId parameter must be the Id or ARN of a CMK, or the name or ARN of an alias, in the current Region. If an ARN is provided, it can be for a CMK or alias in another account so long as the appropriate permissions are in place. The specified CMK must be symmetric. Any encryption context items present in the EncryptionContext* properties will be included in the request and used when encrypting the private key; they must be supplied again in order to decrypt it.

The IncludePlaintext parameter specifies whether the server should return a plaintext (i.e., unencrypted) copy of the data key pair's private key in addition to the encrypted copy. This can be useful if the private key will be used immediately.

This method will fail if any of the following are true regarding the specified CMK:

Copyright (c) 2022 /n software inc. - All rights reserved.
Cloud Keys 2020 Node.js Edition - Version 20.0 [Build 8157]