generate_data_key {aws.kms}    R Documentation

Generate data keys


Description

Generate data keys for local encryption


Usage

generate_data_key(key, spec = c("AES_256", "AES_128"), plaintext = TRUE, ...)



Arguments

key    A character string specifying a key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with “alias/”.

spec    A character string specifying the length of the data encryption key, either “AES_256” or “AES_128”.

plaintext    A logical indicating whether to return the data key in plain text, as well as in encrypted form.

...    Additional arguments passed to kmsHTTP.


Details

This function generates and returns a “data key” for use in local encryption. The workflow AWS suggests for encrypting is as follows:

  1. Use this operation (generate_data_key) to get a data encryption key.

  2. Use the plaintext data encryption key (returned in the Plaintext field of the response) to encrypt data locally, then erase the plaintext data key from memory.

  3. Store the encrypted data key (returned in the CiphertextBlob field of the response) alongside the locally encrypted data.

Then to decrypt locally:

  1. Use decrypt to decrypt the encrypted data key into a plaintext copy of the data key.

  2. Use the plaintext data key to decrypt data locally, then erase the plaintext data key from memory.
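The two procedures above can be run end to end offline with the added example below, which is not part of the aws.kms package. It assumes the openssl package for AES-GCM; `cmk`, `local_generate_data_key()`, `local_decrypt()`, `seal()` and `unseal()` are hypothetical local stand-ins for the KMS key and calls, and they return raw vectors rather than whatever encoding the real service uses.

```r
library(openssl)  # assumption: openssl supplies AES-GCM and rand_bytes()

# Hypothetical stand-in for the CMK. A real CMK never leaves KMS.
cmk <- rand_bytes(32)

# Stand-in for generate_data_key(): a fresh AES_256 data key in both forms.
local_generate_data_key <- function() {
  dk <- rand_bytes(32)
  list(Plaintext = dk, CiphertextBlob = aes_gcm_encrypt(dk, cmk))
}

# Stand-in for decrypt(): unwrap an encrypted data key with the CMK.
local_decrypt <- function(blob) aes_gcm_decrypt(blob, cmk)

# Encryption workflow, steps 1-3.
seal <- function(data) {
  datakey <- local_generate_data_key()                 # step 1
  ct <- aes_gcm_encrypt(data, datakey$Plaintext)       # step 2 (random 12-byte IV)
  envelope <- list(                                    # step 3
    encrypted_key = datakey$CiphertextBlob,            # safe to store as-is
    iv            = attr(ct, "iv"),                    # not secret, but required
    ciphertext    = as.vector(ct)                      # includes the GCM tag
  )
  # Drops the reference only; R does not guarantee the bytes are overwritten.
  datakey$Plaintext <- NULL
  envelope
}

# Decryption workflow, steps 1-2.
unseal <- function(envelope) {
  dk <- local_decrypt(envelope$encrypted_key)          # step 1
  data <- aes_gcm_decrypt(envelope$ciphertext, key = dk, iv = envelope$iv)
  rm(dk)                                               # step 2: drop the key
  data
}

msg <- charToRaw("constructed sample record")          # constructed input
stored <- seal(msg)

# The stored envelope holds no plaintext key, and round-trips correctly.
stopifnot(!identical(as.vector(stored$encrypted_key), msg))
stopifnot(rawToChar(unseal(stored)) == "constructed sample record")

# Tampering with the stored ciphertext is rejected by the GCM tag check.
stored$ciphertext[1] <- xor(stored$ciphertext[1], as.raw(1))
stopifnot(inherits(try(unseal(stored), silent = TRUE), "try-error"))
```

With the real service, the stand-ins are replaced by `generate_data_key()` and `decrypt()` as in the package example, and only the envelope (encrypted key, IV, ciphertext) is written to storage.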


Value

encrypt returns a base64-encoded binary object as a character string.


See Also

create_kms_key, generate_blob


Examples

## Not run:
  # create a (CMK) key
  k <- create_kms_key()
  # generate a data key for local encryption
  datakey <- generate_data_key(key = k)
  ## encrypt something locally using datakey$Plaintext
  ## then delete the plaintext key
  datakey$Plaintext <- NULL
  # decrypt the encrypted data key
  datakey$Plaintext <- decrypt(datakey$CiphertextBlob, k, encode = FALSE)
  ## then use this to decrypt locally
  # cleanup

## End(Not run)

[Package aws.kms version 0.1.4 Index]