ReEncrypt
Decrypts ciphertext and then re-encrypts it entirely within QKMS.
Description
The `ReEncrypt` operation decrypts ciphertext and then re-encrypts it entirely within QKMS. You can use this operation to change the KMS key under which data is encrypted, such as when you manually rotate a key, or to change the encryption context bound to a ciphertext, without the plaintext ever leaving QKMS or being returned to the caller.
note
- The source and destination KMS keys must be symmetric encryption KMS keys.
- The source and destination KMS keys must be enabled.
- The ciphertext and the destination KMS key must be in the same region.
- The operation never exposes the plaintext data outside of QKMS; the caller receives only the new ciphertext.
- The source and destination encryption contexts are independent. `SourceEncryptionContext` must exactly match the context used when the ciphertext was created; `DestinationEncryptionContext`, if supplied, is bound to the new ciphertext and must be presented on every later decryption of it.
- `ReEncrypt` returns a new ciphertext; it does not invalidate the original. Overwrite the stored ciphertext (and your record of its key and encryption context) after a successful call, otherwise the old copy remains decryptable for as long as the source key exists and is enabled.
Request Syntax
Headers
Name | Description | Required | Type |
---|---|---|---|
Content-Type | Must be "application/x-amz-json-1.1" | Yes | string |
X-Amz-Target | Must be "TrentService.ReEncrypt" | Yes | string |
Request Body
Name | Description | Required | Type |
---|---|---|---|
CiphertextBlob | The ciphertext of the data to re-encrypt. | Yes | blob |
SourceKeyId | Specifies the KMS key that was used to encrypt the ciphertext. This can be the key ID or key ARN of the KMS key. Optional, but supply it so that the request fails if the ciphertext was not encrypted under the key you expect. | No | string |
DestinationKeyId | Specifies the KMS key that will be used to re-encrypt the data. This can be the key ID or key ARN of the KMS key. | Yes | string |
SourceEncryptionContext | Specifies the encryption context to use when decrypting the data. Must match the encryption context used when the data was encrypted. | No | object |
DestinationEncryptionContext | Specifies the encryption context to use when re-encrypting the data. | No | object |
SourceEncryptionAlgorithm | The encryption algorithm that was used to encrypt the ciphertext. | No | string |
DestinationEncryptionAlgorithm | The encryption algorithm that will be used to re-encrypt the data. | No | string |
GrantTokens | A list of grant tokens that represent grants that can be used to decrypt the ciphertext and re-encrypt it with the destination KMS key. | No | array |
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.ReEncrypt
{
"CiphertextBlob": "AQICAHiWj6qDgGqSQXkNHcsbq8Q3+q6lThTZqXXRRXYtGhEQXwEH5qV5eN9LQI6CtDwBUvNVAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM6v4DhjrVUqgdqVEuAgEQgDsgli8KqqW4qp0g9ZWnHdRGYc3ZJzpV3xH9qVGFRwzVVKJNK/Ey/fGS2tl4TOQXLcTYJMEOxR8gPjA=",
"SourceKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"DestinationKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
"SourceEncryptionContext": {
"Department": "Finance"
},
"DestinationEncryptionContext": {
"Purpose": "Test"
},
"SourceEncryptionAlgorithm": "SYMMETRIC_DEFAULT",
"DestinationEncryptionAlgorithm": "SYMMETRIC_DEFAULT",
"GrantTokens": [
"AQpAM2RhZTk1MGMyNTk2ZmZmMzEyYWVhOWViN2I1MWM4Mzc0MWFiYjc0ZDE1ODkyNGFlNTIzODZhMzgyZjBlNDkxOAF4"
]
}
Values in italics indicate user input and should be replaced with actual values.
Response Elements
Name | Description | Required | Type |
---|---|---|---|
CiphertextBlob | The re-encrypted data (base64-encoded in the JSON response). This is a new ciphertext; the input ciphertext is unchanged and remains valid under the source key. | No | blob |
SourceKeyId | The Amazon Resource Name (ARN) of the KMS key that was used to decrypt the data. Compare it with the key you expected; a different value means the ciphertext was not produced under that key. | No | string |
KeyId | The Amazon Resource Name (ARN) of the KMS key that was used to re-encrypt the data. | No | string |
SourceEncryptionAlgorithm | The encryption algorithm that was used to decrypt the ciphertext. | No | string |
DestinationEncryptionAlgorithm | The encryption algorithm that was used to re-encrypt the data. | No | string |
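The following client-side helper is an added example, not part of the QKMS documentation or of any QKMS SDK. It builds the ReEncrypt request body from the parameters in the tables above, then checks the response before the caller overwrites its stored record: the returned `SourceKeyId` must be the key the record claims, `KeyId` must be the destination key, and the new blob must differ from the input. Request signing and HTTP transport are left to an injected `send` callable. `fake_qkms`, the account number `111122223333` and the `v2:` prefix are constructed stand-ins that only mimic the response shape shown on this page so the example runs offline.

```python
import base64
import json
from typing import Callable, Dict, Iterable, Optional

# Header values from the Request Syntax section.
CONTENT_TYPE = "application/x-amz-json-1.1"
TARGET = "TrentService.ReEncrypt"


class ReEncryptError(Exception):
    """Raised when a ReEncrypt response does not satisfy the caller's expectations."""


def build_reencrypt_request(
    ciphertext: bytes,
    source_key_id: str,
    destination_key_id: str,
    source_context: Optional[Dict[str, str]] = None,
    destination_context: Optional[Dict[str, str]] = None,
    grant_tokens: Optional[Iterable[str]] = None,
):
    """Return (headers, body_dict) for a ReEncrypt call.

    SourceKeyId is optional in the API, but this helper always sends it so the
    service can reject a ciphertext that was not produced under the key the
    caller believes it was, instead of decrypting under whatever key it finds.
    """
    body = {
        "CiphertextBlob": base64.b64encode(ciphertext).decode("ascii"),
        "SourceKeyId": source_key_id,
        "DestinationKeyId": destination_key_id,
    }
    if source_context:
        body["SourceEncryptionContext"] = dict(source_context)
    if destination_context:
        body["DestinationEncryptionContext"] = dict(destination_context)
    if grant_tokens:
        body["GrantTokens"] = list(grant_tokens)
    headers = {"Content-Type": CONTENT_TYPE, "X-Amz-Target": TARGET}
    return headers, body


def key_id_matches(arn_or_id: str, expected: str) -> bool:
    """Compare a response ARN ("arn:...:key/<id>") with a bare key ID or an ARN."""
    return arn_or_id.rsplit("/", 1)[-1] == expected.rsplit("/", 1)[-1]


def validate_reencrypt_response(response: dict, expected_source: str,
                                expected_destination: str, original_ciphertext: bytes) -> bytes:
    """Enforce the invariants a caller should check before trusting the new blob."""
    if not key_id_matches(response.get("SourceKeyId", ""), expected_source):
        raise ReEncryptError("ciphertext was decrypted under an unexpected key")
    if not key_id_matches(response.get("KeyId", ""), expected_destination):
        raise ReEncryptError("ciphertext was not re-encrypted under the destination key")
    new_ciphertext = base64.b64decode(response["CiphertextBlob"])
    if new_ciphertext == original_ciphertext:
        raise ReEncryptError("response blob equals the input; nothing was re-encrypted")
    return new_ciphertext


def rotate_record(record: dict, destination_key_id: str,
                  new_context: Optional[Dict[str, str]],
                  send: Callable[[dict, str], dict]) -> dict:
    """Re-encrypt one stored record {"ciphertext", "key_id", "context"} and
    return its replacement. ReEncrypt does not invalidate the original
    ciphertext, so the caller must overwrite the stored record with the result."""
    headers, body = build_reencrypt_request(
        record["ciphertext"], record["key_id"], destination_key_id,
        record.get("context"), new_context)
    response = send(headers, json.dumps(body))
    new_ciphertext = validate_reencrypt_response(
        response, record["key_id"], destination_key_id, record["ciphertext"])
    return {"ciphertext": new_ciphertext, "key_id": destination_key_id,
            "context": dict(new_context or {})}


# Constructed stand-in for the service so the example runs offline. It only
# mimics the response shape shown on this page; the account number is made up
# and prefixing "v2:" is not how a real service derives ciphertext.
FAKE_ACCOUNT = "111122223333"


def fake_qkms(headers: dict, body: str) -> dict:
    if headers.get("X-Amz-Target") != TARGET:
        raise ValueError("unexpected target")
    request = json.loads(body)
    ciphertext = base64.b64decode(request["CiphertextBlob"])
    return {
        "CiphertextBlob": base64.b64encode(b"v2:" + ciphertext).decode("ascii"),
        "SourceKeyId": f"arn:verenc:{FAKE_ACCOUNT}:key/{request['SourceKeyId']}",
        "KeyId": f"arn:verenc:{FAKE_ACCOUNT}:key/{request['DestinationKeyId']}",
        "SourceEncryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "DestinationEncryptionAlgorithm": "SYMMETRIC_DEFAULT",
    }


if __name__ == "__main__":
    # Constructed record: the blob is not real QKMS ciphertext.
    record = {"ciphertext": b"old-blob", "key_id": "1234abcd-12ab-34cd-56ef-1234567890ab",
              "context": {"Department": "Finance"}}
    rotated = rotate_record(record, "0987dcba-09fe-87dc-65ba-ab0987654321",
                            {"Purpose": "Test"}, fake_qkms)
    print(rotated)
```

In production the `send` callable would sign and POST the body to the QKMS endpoint and return the parsed JSON response; the three checks in `validate_reencrypt_response` are what make a bulk rotation job safe to run unattended, because a record whose ciphertext came from some other key, or a response that did not land on the intended key, is refused rather than written back.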
Examples
Example 1: Re-encrypt data with a new KMS key
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.ReEncrypt
{
"CiphertextBlob": "AQICAHiWj6qDgGqSQXkNHcsbq8Q3+q6lThTZqXXRRXYtGhEQXwEH5qV5eN9LQI6CtDwBUvNVAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM6v4DhjrVUqgdqVEuAgEQgDsgli8KqqW4qp0g9ZWnHdRGYc3ZJzpV3xH9qVGFRwzVVKJNK/Ey/fGS2tl4TOQXLcTYJMEOxR8gPjA=",
"SourceKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"DestinationKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
"SourceEncryptionContext": {
"Department": "Finance"
},
"DestinationEncryptionContext": {
"Purpose": "Test"
}
}
Values in italics indicate user input and should be replaced with actual values.
HTTP/1.1 200 OK
Content-Type: application/x-amz-json-1.1
{
"CiphertextBlob": "AQICAHiWj6qDgGqSQXkNHcsbq8Q3+q6lThTZqXXRRXYtGhEQXwEH5qV5eN9LQI6CtDwBUvNVAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM6v4DhjrVUqgdqVEuAgEQgDsgli8KqqW4qp0g9ZWnHdRGYc3ZJzpV3xH9qVGFRwzVVKJNK/Ey/fGS2tl4TOQXLcTYJMEOxR8gPjA=",
"SourceKeyId": "arn:verenc:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"KeyId": "arn:verenc:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
"SourceEncryptionAlgorithm": "SYMMETRIC_DEFAULT",
"DestinationEncryptionAlgorithm": "SYMMETRIC_DEFAULT"
}
Values in italics indicate variable response values.
Special Errors
Error Code | Description |
---|---|
DependencyTimeoutException | The system timed out while trying to fulfill the request. |
DisabledException | The request was rejected because the specified KMS key is disabled. |
InvalidCiphertextException | The request was rejected because the specified ciphertext has been corrupted or is otherwise invalid. |
InvalidGrantTokenException | The request was rejected because the specified grant token is not valid. |
InvalidKeyUsageException | The request was rejected because the specified KeyId value cannot be used for this operation. |
KeyUnavailableException | The request was rejected because the specified KMS key was not available. |
KMSInternalException | An internal error occurred. |
KMSInvalidStateException | The request was rejected because the key state is not valid for this operation. |
NotFoundException | The request was rejected because the specified entity or resource could not be found. |
Permissions
To use the `ReEncrypt` operation, the caller needs both of the following permissions:
- `kms:ReEncryptFrom` on the source KMS key, granted by that key's key policy or by a grant (pass the grant token in `GrantTokens`)
- `kms:ReEncryptTo` on the destination KMS key, granted by that key's key policy or by a grant
The two permissions are evaluated on different keys, so a principal allowed to re-encrypt out of one key is not automatically allowed to re-encrypt into another; scope `kms:ReEncryptTo` to the intended destination keys.