encrypt Method
Encrypts data using a CMK.
Syntax
def encrypt(key_id: str, algorithm: str) -> None: ...
Remarks
This method encrypts data using the CMK specified by KeyId and the given Algorithm. The data to encrypt is taken from the specified input_file or the input_data property. The encrypted data is output to the specified output_file or the output_data property.
The value passed for the KeyId parameter must be the Id or ARN of a CMK, or the name or ARN of an alias, in the current region. If an ARN is provided, it can be for a CMK or alias in another account so long as the appropriate permissions are in place.
The Algorithm parameter specifies which algorithm to use to encrypt the data. Possible values vary depending on the specified CMK's key spec. The CMK's key spec and the selected algorithm together dictate the maximum size of the input data.
| CMK's Key Spec | Valid Algorithms | Max Bytes |
| --- | --- | --- |
| SYMMETRIC_DEFAULT | SYMMETRIC_DEFAULT (default if empty) | 4096 |
| RSA_2048 | RSAES_OAEP_SHA_1 | 214 |
| RSA_2048 | RSAES_OAEP_SHA_256 | 190 |
| RSA_3072 | RSAES_OAEP_SHA_1 | 342 |
| RSA_3072 | RSAES_OAEP_SHA_256 | 318 |
| RSA_4096 | RSAES_OAEP_SHA_1 | 470 |
| RSA_4096 | RSAES_OAEP_SHA_256 | 446 |
If Algorithm is SYMMETRIC_DEFAULT, the encryption context items in the EncryptionContext* properties will be included in the request. Including an encryption context when encrypting data means that the exact same encryption context must be supplied again in order to decrypt the data. Encryption context items are case-sensitive, but not order-sensitive.
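The following added example (not part of this component's API or documentation) reproduces the size limits in the table from the RSAES-OAEP formula and validates a call before it is sent, so an oversized input or an encryption context that would not be applied is caught locally. The function names max_plaintext_bytes and preflight are assumptions introduced here.

```python
import hashlib
from typing import Optional

# Modulus length in bytes for each asymmetric key spec in the table above.
MODULUS_BYTES = {"RSA_2048": 256, "RSA_3072": 384, "RSA_4096": 512}

# Hash behind each RSAES-OAEP algorithm; its digest size sets the plaintext limit.
OAEP_HASH = {"RSAES_OAEP_SHA_1": hashlib.sha1, "RSAES_OAEP_SHA_256": hashlib.sha256}

SYMMETRIC_MAX_BYTES = 4096


def max_plaintext_bytes(key_spec: str, algorithm: str = "") -> int:
    """Largest plaintext the key spec / algorithm pair accepts.

    An empty algorithm means SYMMETRIC_DEFAULT, as on the page. Raises
    ValueError for a pairing the table does not allow.
    """
    if key_spec == "SYMMETRIC_DEFAULT":
        if algorithm not in ("", "SYMMETRIC_DEFAULT"):
            raise ValueError(f"{algorithm} is not valid for a symmetric CMK")
        return SYMMETRIC_MAX_BYTES
    if key_spec not in MODULUS_BYTES:
        raise ValueError(f"unsupported key spec {key_spec!r}")
    if algorithm not in OAEP_HASH:
        raise ValueError(f"{algorithm or 'SYMMETRIC_DEFAULT'} is not valid for {key_spec}")
    # RSAES-OAEP (RFC 8017, section 7.1.1): mLen <= k - 2*hLen - 2. This
    # reproduces every "Max Bytes" entry above, e.g. 256 - 2*32 - 2 = 190.
    k = MODULUS_BYTES[key_spec]
    h_len = OAEP_HASH[algorithm]().digest_size
    return k - 2 * h_len - 2


def preflight(data: bytes, key_spec: str, algorithm: str = "",
              encryption_context: Optional[dict] = None) -> int:
    """Validate a call before it reaches KMS; returns the applicable limit.

    Besides the size check, it refuses an encryption context paired with an
    asymmetric algorithm: the page states the context is only sent when the
    algorithm is SYMMETRIC_DEFAULT, so it would silently not bind the ciphertext.
    """
    limit = max_plaintext_bytes(key_spec, algorithm)
    if len(data) > limit:
        raise ValueError(f"{len(data)} bytes exceeds the {limit}-byte limit "
                         f"for {key_spec}/{algorithm or 'SYMMETRIC_DEFAULT'}")
    if encryption_context and key_spec != "SYMMETRIC_DEFAULT":
        raise ValueError("encryption context is only applied with SYMMETRIC_DEFAULT")
    return limit
```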
This method will fail if any of the following are true regarding the specified CMK:
- Its key_state is anything other than aksEnabled (0).
- It is for signing/verification instead of encryption/decryption (see key_for_signing).
- It is an AWS-managed CMK (see key_aws_managed).