| Copyright | (c) 2013-2018 Brendan Hay |
|---|---|
| License | Mozilla Public License, v. 2.0. |
| Maintainer | Brendan Hay <brendan.g.hay+amazonka@gmail.com> |
| Stability | auto-generated |
| Portability | non-portable (GHC extensions) |
| Safe Haskell | None |
| Language | Haskell2010 |
Network.AWS.KMS.GenerateDataKeyWithoutPlaintext
Description
Returns a data encryption key encrypted under a customer master key (CMK). This operation is identical to GenerateDataKey but returns only the encrypted copy of the data key.
To perform this operation on a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
This operation is useful in a system that has multiple components with different degrees of trust. For example, consider a system that stores encrypted data in containers. Each container stores the encrypted data and an encrypted copy of the data key. One component of the system, called the control plane , creates new containers. When it creates a new container, it uses this operation (GenerateDataKeyWithoutPlaintext ) to get an encrypted data key and then stores it in the container. Later, a different component of the system, called the data plane , puts encrypted data into the containers. To do this, it passes the encrypted data key to the Decrypt operation, then uses the returned plaintext data key to encrypt data, and finally stores the encrypted data in the container. In this system, the control plane never sees the plaintext data key.
Synopsis
- generateDataKeyWithoutPlaintext :: Text -> GenerateDataKeyWithoutPlaintext
- data GenerateDataKeyWithoutPlaintext
- gdkwpKeySpec :: Lens' GenerateDataKeyWithoutPlaintext (Maybe DataKeySpec)
- gdkwpEncryptionContext :: Lens' GenerateDataKeyWithoutPlaintext (HashMap Text Text)
- gdkwpNumberOfBytes :: Lens' GenerateDataKeyWithoutPlaintext (Maybe Natural)
- gdkwpGrantTokens :: Lens' GenerateDataKeyWithoutPlaintext [Text]
- gdkwpKeyId :: Lens' GenerateDataKeyWithoutPlaintext Text
- generateDataKeyWithoutPlaintextResponse :: Int -> GenerateDataKeyWithoutPlaintextResponse
- data GenerateDataKeyWithoutPlaintextResponse
- gdkwprsKeyId :: Lens' GenerateDataKeyWithoutPlaintextResponse (Maybe Text)
- gdkwprsCiphertextBlob :: Lens' GenerateDataKeyWithoutPlaintextResponse (Maybe ByteString)
- gdkwprsResponseStatus :: Lens' GenerateDataKeyWithoutPlaintextResponse Int
Creating a Request
generateDataKeyWithoutPlaintext Source #
Arguments
| :: Text | |
| -> GenerateDataKeyWithoutPlaintext |
Creates a value of GenerateDataKeyWithoutPlaintext with the minimum fields required to make a request.
Use one of the following lenses to modify other fields as desired:
gdkwpKeySpec- The length of the data encryption key. UseAES_128to generate a 128-bit symmetric key, orAES_256to generate a 256-bit symmetric key.gdkwpEncryptionContext- A set of key-value pairs that represents additional authenticated data. For more information, see Encryption Context in the AWS Key Management Service Developer Guide .gdkwpNumberOfBytes- The length of the data encryption key in bytes. For example, use the value 64 to generate a 512-bit data key (64 bytes is 512 bits). For common key lengths (128-bit and 256-bit symmetric keys), we recommend that you use theKeySpecfield instead of this one.gdkwpGrantTokens- A list of grant tokens. For more information, see Grant Tokens in the AWS Key Management Service Developer Guide .gdkwpKeyId- The identifier of the customer master key (CMK) under which to generate and encrypt the data encryption key. To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN. For example: * Key ID:1234abcd-12ab-34cd-56ef-1234567890ab* Key ARN: @arn:aws:kms:us-east-2:111122223333:key1234abcd-12ab-34cd-56ef-1234567890ab* Alias name:aliasExampleAlias* Alias ARN:arn:aws:kms:us-east-2:111122223333:aliasExampleAlias@ To get the key ID and key ARN for a CMK, useListKeysorDescribeKey. To get the alias name and alias ARN, useListAliases.
data GenerateDataKeyWithoutPlaintext Source #
See: generateDataKeyWithoutPlaintext smart constructor.
Instances
Request Lenses
gdkwpKeySpec :: Lens' GenerateDataKeyWithoutPlaintext (Maybe DataKeySpec) Source #
The length of the data encryption key. Use AES_128 to generate a 128-bit symmetric key, or AES_256 to generate a 256-bit symmetric key.
gdkwpEncryptionContext :: Lens' GenerateDataKeyWithoutPlaintext (HashMap Text Text) Source #
A set of key-value pairs that represents additional authenticated data. For more information, see Encryption Context in the AWS Key Management Service Developer Guide .
gdkwpNumberOfBytes :: Lens' GenerateDataKeyWithoutPlaintext (Maybe Natural) Source #
The length of the data encryption key in bytes. For example, use the value 64 to generate a 512-bit data key (64 bytes is 512 bits). For common key lengths (128-bit and 256-bit symmetric keys), we recommend that you use the KeySpec field instead of this one.
gdkwpGrantTokens :: Lens' GenerateDataKeyWithoutPlaintext [Text] Source #
A list of grant tokens. For more information, see Grant Tokens in the AWS Key Management Service Developer Guide .
gdkwpKeyId :: Lens' GenerateDataKeyWithoutPlaintext Text Source #
The identifier of the customer master key (CMK) under which to generate and encrypt the data encryption key. To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN. For example: * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab * Key ARN: @arn:aws:kms:us-east-2:111122223333:key1234abcd-12ab-34cd-56ef-1234567890ab * Alias name: aliasExampleAlias * Alias ARN: arn:aws:kms:us-east-2:111122223333:aliasExampleAlias@ To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey . To get the alias name and alias ARN, use ListAliases .
Destructuring the Response
generateDataKeyWithoutPlaintextResponse Source #
Creates a value of GenerateDataKeyWithoutPlaintextResponse with the minimum fields required to make a request.
Use one of the following lenses to modify other fields as desired:
gdkwprsKeyId- The identifier of the CMK under which the data encryption key was generated and encrypted.gdkwprsCiphertextBlob- The encrypted data encryption key. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not encoded.-- Note: ThisLensautomatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. ThisLensaccepts and returns only raw unencoded data.gdkwprsResponseStatus- -- | The response status code.
data GenerateDataKeyWithoutPlaintextResponse Source #
See: generateDataKeyWithoutPlaintextResponse smart constructor.
Instances
Response Lenses
gdkwprsKeyId :: Lens' GenerateDataKeyWithoutPlaintextResponse (Maybe Text) Source #
The identifier of the CMK under which the data encryption key was generated and encrypted.
gdkwprsCiphertextBlob :: Lens' GenerateDataKeyWithoutPlaintextResponse (Maybe ByteString) Source #
The encrypted data encryption key. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not encoded.-- Note: This Lens automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This Lens accepts and returns only raw unencoded data.
gdkwprsResponseStatus :: Lens' GenerateDataKeyWithoutPlaintextResponse Int Source #
- - | The response status code.