generate_data_key {aws.kms} | R Documentation
Generate data keys
Description
Generate data keys for local encryption
Usage
generate_data_key(key, spec = c("AES_256", "AES_128"), plaintext = TRUE, ...)
Arguments
key | A character string specifying a key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with “alias/”.
spec | A character string specifying the length of the data encryption key, either “AES_256” or “AES_128”.
plaintext | A logical indicating whether to return the data key in plain text, as well as in encrypted form.
... | Additional arguments passed to
Details
This function generates and returns a “data key” for use in local encryption. The workflow AWS suggests for encrypting is as follows:
1. Use this operation (generate_data_key) to get a data encryption key.
2. Use the plaintext data encryption key (returned in the Plaintext field of the response) to encrypt data locally, then erase the plaintext data key from memory.
3. Store the encrypted data key (returned in the CiphertextBlob field of the response) alongside the locally encrypted data.
Then to decrypt locally:
1. Use decrypt to decrypt the encrypted data key into a plaintext copy of the data key.
2. Use the plaintext data key to decrypt data locally, then erase the plaintext data key from memory.
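An added example (not from the aws.kms documentation) of the local half of this workflow, using AES-GCM from the openssl R package. It assumes the Plaintext and CiphertextBlob fields are base64 strings; the data key is a constructed stand-in so the code runs without calling KMS, and envelope_encrypt / envelope_decrypt are hypothetical helper names.

```r
library(openssl)  # assumption: the openssl package supplies AES-GCM and base64

# Encrypt raw `data` under a data key. `datakey` is assumed to be a list with
# base64 strings in $Plaintext and $CiphertextBlob.
envelope_encrypt <- function(data, datakey) {
  key <- base64_decode(datakey$Plaintext)
  ct <- aes_gcm_encrypt(data, key = key)        # fresh random 12-byte IV per call
  iv <- attr(ct, "iv")
  attr(ct, "iv") <- NULL
  rm(key)  # drops the reference only; R does not zero freed memory
  list(encrypted_key = datakey$CiphertextBlob,  # wrapped key, stored with the data
       iv = base64_encode(iv),
       ciphertext = base64_encode(ct))          # authenticated ciphertext
}

# Decrypt an envelope given the raw data key recovered from KMS.
envelope_decrypt <- function(env, key) {
  aes_gcm_decrypt(base64_decode(env$ciphertext), key = key,
                  iv = base64_decode(env$iv))
}

# Constructed stand-in for a generate_data_key() response (no KMS call made).
raw_key <- rand_bytes(32)
datakey <- list(Plaintext = base64_encode(raw_key),
                CiphertextBlob = "PLACEHOLDER-encrypted-data-key")

env <- envelope_encrypt(charToRaw("quarterly figures"), datakey)
datakey$Plaintext <- NULL  # keep only the encrypted copy of the key

# With KMS, raw_key would be recovered by decrypt() from env$encrypted_key.
recovered <- rawToChar(envelope_decrypt(env, raw_key))
stopifnot(identical(recovered, "quarterly figures"))

# GCM authenticates the ciphertext: one flipped bit makes decryption fail
# instead of returning altered plaintext.
bad <- env
ct <- base64_decode(bad$ciphertext)
ct[1] <- xor(ct[1], as.raw(0x01))
bad$ciphertext <- base64_encode(ct)
tampered <- tryCatch(envelope_decrypt(bad, raw_key), error = function(e) NULL)
stopifnot(is.null(tampered))
```

The stored envelope holds only the encrypted data key, the IV and the ciphertext, so reading it back requires permission to call decrypt on the KMS key.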
Value
encrypt returns a base64-encoded binary object as a character string.
References
https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html
See Also
Examples
## Not run:
# create a (CMK) key
k <- create_kms_key()
# generate a data key for local encryption
datakey <- generate_data_key(key = k)
## encrypt something locally using datakey$Plaintext
## then delete the plaintext key
datakey$Plaintext <- NULL
# decrypt the encrypted data key
datakey$Plaintext <- decrypt(datakey$CiphertextBlob, k, encode = FALSE)
## then use this to decrypt locally
# cleanup
delete_kms_key(k)
## End(Not run)