amazonka-kms-1.6.1: Amazon Key Management Service SDK.

Copyright: (c) 2013-2018 Brendan Hay
License: Mozilla Public License, v. 2.0.
Maintainer: Brendan Hay <brendan.g.hay+amazonka@gmail.com>
Stability: auto-generated
Portability: non-portable (GHC extensions)
Safe Haskell: None
Language: Haskell2010

Network.AWS.KMS.ReEncrypt


Description

Encrypts data on the server side with a new customer master key (CMK) without exposing the plaintext of the data on the client side. The data is first decrypted and then reencrypted. You can also use this operation to change the encryption context of a ciphertext.

You can reencrypt data using CMKs in different AWS accounts.

Unlike other operations, ReEncrypt is authorized twice, once as ReEncryptFrom on the source CMK and once as ReEncryptTo on the destination CMK. We recommend that you include the "kms:ReEncrypt*" permission in your key policies to permit reencryption from or to the CMK. The wildcard matches both kms:ReEncryptFrom and kms:ReEncryptTo; a key policy for a CMK that should only ever be the source or only ever be the destination can name that single action instead. This permission is automatically included in the key policy when you create a CMK through the console, but you must include it manually when you create a CMK programmatically or when you set a key policy with the PutKeyPolicy operation.


Creating a Request

reEncrypt Source #

Creates a value of ReEncrypt with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

  • reDestinationEncryptionContext - Encryption context to use when the data is reencrypted.
  • reSourceEncryptionContext - Encryption context used to encrypt and decrypt the data specified in the CiphertextBlob parameter.
  • reGrantTokens - A list of grant tokens. For more information, see Grant Tokens in the AWS Key Management Service Developer Guide .
  • reCiphertextBlob - Ciphertext of the data to reencrypt. Note: This Lens automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This Lens accepts and returns only raw unencoded data.
  • reDestinationKeyId - A unique identifier for the CMK that is used to reencrypt the data. To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN. For example: * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab * Alias name: alias/ExampleAlias * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

data ReEncrypt Source #

See: reEncrypt smart constructor.

Instances
Eq ReEncrypt Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

Data ReEncrypt Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

Methods

gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> ReEncrypt -> c ReEncrypt #

gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c ReEncrypt #

toConstr :: ReEncrypt -> Constr #

dataTypeOf :: ReEncrypt -> DataType #

dataCast1 :: Typeable t => (forall d. Data d => c (t d)) -> Maybe (c ReEncrypt) #

dataCast2 :: Typeable t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c ReEncrypt) #

gmapT :: (forall b. Data b => b -> b) -> ReEncrypt -> ReEncrypt #

gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> ReEncrypt -> r #

gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> ReEncrypt -> r #

gmapQ :: (forall d. Data d => d -> u) -> ReEncrypt -> [u] #

gmapQi :: Int -> (forall d. Data d => d -> u) -> ReEncrypt -> u #

gmapM :: Monad m => (forall d. Data d => d -> m d) -> ReEncrypt -> m ReEncrypt #

gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> ReEncrypt -> m ReEncrypt #

gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> ReEncrypt -> m ReEncrypt #

Read ReEncrypt Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

Show ReEncrypt Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

Generic ReEncrypt Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

Associated Types

type Rep ReEncrypt :: Type -> Type #

Hashable ReEncrypt Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

ToJSON ReEncrypt Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

AWSRequest ReEncrypt Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

Associated Types

type Rs ReEncrypt :: Type #

ToHeaders ReEncrypt Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

Methods

toHeaders :: ReEncrypt -> [Header] #

ToPath ReEncrypt Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

ToQuery ReEncrypt Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

NFData ReEncrypt Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

Methods

rnf :: ReEncrypt -> () #

type Rep ReEncrypt Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

type Rep ReEncrypt = D1 (MetaData "ReEncrypt" "Network.AWS.KMS.ReEncrypt" "amazonka-kms-1.6.1-1UDljZYfeha1jjHbbMax4v" False) (C1 (MetaCons "ReEncrypt'" PrefixI True) ((S1 (MetaSel (Just "_reDestinationEncryptionContext") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 (Maybe (Map Text Text))) :*: S1 (MetaSel (Just "_reSourceEncryptionContext") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 (Maybe (Map Text Text)))) :*: (S1 (MetaSel (Just "_reGrantTokens") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 (Maybe [Text])) :*: (S1 (MetaSel (Just "_reCiphertextBlob") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 Base64) :*: S1 (MetaSel (Just "_reDestinationKeyId") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 Text)))))
type Rs ReEncrypt Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

Request Lenses

reDestinationEncryptionContext :: Lens' ReEncrypt (HashMap Text Text) Source #

Encryption context to use when the data is reencrypted.

reSourceEncryptionContext :: Lens' ReEncrypt (HashMap Text Text) Source #

Encryption context used to encrypt and decrypt the data specified in the CiphertextBlob parameter.

reGrantTokens :: Lens' ReEncrypt [Text] Source #

A list of grant tokens. For more information, see Grant Tokens in the AWS Key Management Service Developer Guide .

reCiphertextBlob :: Lens' ReEncrypt ByteString Source #

Ciphertext of the data to reencrypt. Note: This Lens automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This Lens accepts and returns only raw unencoded data.

reDestinationKeyId :: Lens' ReEncrypt Text Source #

A unique identifier for the CMK that is used to reencrypt the data. To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN. For example:

  • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
  • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
  • Alias name: alias/ExampleAlias
  • Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

Destructuring the Response

reEncryptResponse Source #

Creates a value of ReEncryptResponse with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

  • rersSourceKeyId - Unique identifier of the CMK used to originally encrypt the data.
  • rersKeyId - Unique identifier of the CMK used to reencrypt the data.
  • rersCiphertextBlob - The reencrypted data. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not encoded. Note: This Lens automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This Lens accepts and returns only raw unencoded data.
  • rersResponseStatus - The response status code.

data ReEncryptResponse Source #

See: reEncryptResponse smart constructor.

Instances
Eq ReEncryptResponse Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

Data ReEncryptResponse Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

Methods

gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> ReEncryptResponse -> c ReEncryptResponse #

gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c ReEncryptResponse #

toConstr :: ReEncryptResponse -> Constr #

dataTypeOf :: ReEncryptResponse -> DataType #

dataCast1 :: Typeable t => (forall d. Data d => c (t d)) -> Maybe (c ReEncryptResponse) #

dataCast2 :: Typeable t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c ReEncryptResponse) #

gmapT :: (forall b. Data b => b -> b) -> ReEncryptResponse -> ReEncryptResponse #

gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> ReEncryptResponse -> r #

gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> ReEncryptResponse -> r #

gmapQ :: (forall d. Data d => d -> u) -> ReEncryptResponse -> [u] #

gmapQi :: Int -> (forall d. Data d => d -> u) -> ReEncryptResponse -> u #

gmapM :: Monad m => (forall d. Data d => d -> m d) -> ReEncryptResponse -> m ReEncryptResponse #

gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> ReEncryptResponse -> m ReEncryptResponse #

gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> ReEncryptResponse -> m ReEncryptResponse #

Read ReEncryptResponse Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

Show ReEncryptResponse Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

Generic ReEncryptResponse Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

Associated Types

type Rep ReEncryptResponse :: Type -> Type #

NFData ReEncryptResponse Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

Methods

rnf :: ReEncryptResponse -> () #

type Rep ReEncryptResponse Source # 
Instance details

Defined in Network.AWS.KMS.ReEncrypt

type Rep ReEncryptResponse = D1 (MetaData "ReEncryptResponse" "Network.AWS.KMS.ReEncrypt" "amazonka-kms-1.6.1-1UDljZYfeha1jjHbbMax4v" False) (C1 (MetaCons "ReEncryptResponse'" PrefixI True) ((S1 (MetaSel (Just "_rersSourceKeyId") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 (Maybe Text)) :*: S1 (MetaSel (Just "_rersKeyId") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 (Maybe Text))) :*: (S1 (MetaSel (Just "_rersCiphertextBlob") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 (Maybe Base64)) :*: S1 (MetaSel (Just "_rersResponseStatus") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 Int))))

Response Lenses

rersSourceKeyId :: Lens' ReEncryptResponse (Maybe Text) Source #

Unique identifier of the CMK used to originally encrypt the data.

rersKeyId :: Lens' ReEncryptResponse (Maybe Text) Source #

Unique identifier of the CMK used to reencrypt the data.

rersCiphertextBlob :: Lens' ReEncryptResponse (Maybe ByteString) Source #

The reencrypted data. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not encoded. Note: This Lens automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This Lens accepts and returns only raw unencoded data.

rersResponseStatus :: Lens' ReEncryptResponse Int Source #

The response status code.