| Copyright | (c) 2013-2015 Brendan Hay |
|---|---|
| License | Mozilla Public License, v. 2.0. |
| Maintainer | Brendan Hay <brendan.g.hay@gmail.com> |
| Stability | auto-generated |
| Portability | non-portable (GHC extensions) |
| Safe Haskell | None |
| Language | Haskell2010 |
Network.AWS.KMS.ReEncrypt
Description
Encrypts data on the server side with a new customer master key without exposing the plaintext of the data on the client side. The data is first decrypted and then encrypted. This operation can also be used to change the encryption context of a ciphertext.
Unlike other actions, ReEncrypt is authorized twice - once as
ReEncryptFrom on the source key and once as ReEncryptTo on the
destination key. We therefore recommend that you include the
'"action":"kms:ReEncrypt*"' statement in your key policies to permit
re-encryption from or to the key. The statement is included
automatically when you authorize use of the key through the console but
must be included manually when you set a policy by using the
PutKeyPolicy function.
See: AWS API Reference for ReEncrypt.
- reEncrypt :: ByteString -> Text -> ReEncrypt
- data ReEncrypt
- reDestinationEncryptionContext :: Lens' ReEncrypt (HashMap Text Text)
- reSourceEncryptionContext :: Lens' ReEncrypt (HashMap Text Text)
- reGrantTokens :: Lens' ReEncrypt [Text]
- reCiphertextBlob :: Lens' ReEncrypt ByteString
- reDestinationKeyId :: Lens' ReEncrypt Text
- reEncryptResponse :: Int -> ReEncryptResponse
- data ReEncryptResponse
- rersSourceKeyId :: Lens' ReEncryptResponse (Maybe Text)
- rersKeyId :: Lens' ReEncryptResponse (Maybe Text)
- rersCiphertextBlob :: Lens' ReEncryptResponse (Maybe ByteString)
- rersResponseStatus :: Lens' ReEncryptResponse Int
Creating a Request
Arguments
| :: ByteString | |
| -> Text | |
| -> ReEncrypt |
Creates a value of ReEncrypt with the minimum fields required to make a request.
Use one of the following lenses to modify other fields as desired:
See: reEncrypt smart constructor.
Instances
Request Lenses
reDestinationEncryptionContext :: Lens' ReEncrypt (HashMap Text Text) Source
Encryption context to be used when the data is re-encrypted.
reSourceEncryptionContext :: Lens' ReEncrypt (HashMap Text Text) Source
Encryption context used to encrypt and decrypt the data specified in the
CiphertextBlob parameter.
reGrantTokens :: Lens' ReEncrypt [Text] Source
A list of grant tokens.
For more information, go to Grant Tokens in the AWS Key Management Service Developer Guide.
reCiphertextBlob :: Lens' ReEncrypt ByteString Source
Ciphertext of the data to re-encrypt.
Note: This Lens automatically encodes and decodes Base64 data,
despite what the AWS documentation might say.
The underlying isomorphism will encode to Base64 representation during
serialisation, and decode from Base64 representation during deserialisation.
This Lens accepts and returns only raw unencoded data.
reDestinationKeyId :: Lens' ReEncrypt Text Source
A unique identifier for the customer master key used to re-encrypt the data. This value can be a globally unique identifier, a fully specified ARN to either an alias or a key, or an alias name prefixed by "alias/".
- Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
- Alias ARN Example - arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
- Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
- Alias Name Example - alias/MyAliasName
Destructuring the Response
Arguments
| :: Int | |
| -> ReEncryptResponse |
Creates a value of ReEncryptResponse with the minimum fields required to make a request.
Use one of the following lenses to modify other fields as desired:
data ReEncryptResponse Source
See: reEncryptResponse smart constructor.
Response Lenses
rersSourceKeyId :: Lens' ReEncryptResponse (Maybe Text) Source
Unique identifier of the key used to originally encrypt the data.
rersKeyId :: Lens' ReEncryptResponse (Maybe Text) Source
Unique identifier of the key used to re-encrypt the data.
rersCiphertextBlob :: Lens' ReEncryptResponse (Maybe ByteString) Source
The re-encrypted data. If you are using the CLI, the value is Base64 encoded. Otherwise, it is not encoded.
Note: This Lens automatically encodes and decodes Base64 data,
despite what the AWS documentation might say.
The underlying isomorphism will encode to Base64 representation during
serialisation, and decode from Base64 representation during deserialisation.
This Lens accepts and returns only raw unencoded data.
rersResponseStatus :: Lens' ReEncryptResponse Int Source
The response status code.