GenerateDataKey

Last Updated: Mar 13, 2017

Generates a data key that you can use to encrypt data locally. The API returns the data key (DataKey) in two forms: Plaintext, the plaintext key, and CiphertextBlob, the same key encrypted under the CMK identified by KeyId. To recover the plaintext data key from CiphertextBlob, call the Decrypt API.

  • NOTE:

    • We recommend the following method to encrypt data locally: call the GenerateDataKey API, encrypt the data locally with the returned plaintext DataKey (Plaintext), and then delete the plaintext DataKey from memory. Store the CiphertextBlob together with the encrypted data.
    • To decrypt data, call the Decrypt API with CiphertextBlob as a parameter. If the call succeeds, it returns the plaintext DataKey (Plaintext), which you use to decrypt the locally encrypted data.
  • Request format

    KeyId="string"&KeySpec="string"&NumberOfBytes=number&EncryptionContext=json
  • Request parameters

    • KeyId
      • Description: Globally unique identifier of CMK
      • Type: String
      • Required or not: Yes
    • KeySpec 
      • Description: Specifies the encryption algorithm used to generate the key and the size of the key. Currently, AES_128 or AES_256 is supported.
      • Type: String
      • Valid value: AES_256 | AES_128
      • Required or not: No
    • NumberOfBytes (If both NumberOfBytes and KeySpec are specified, use NumberOfBytes.)
      • Description: Length of the key
      • Type: Integer
      • Valid value: 1 to 1,024
      • Required or not: No
    • EncryptionContext
  • Request example

    https://kms.cn-hangzhou.aliyuncs.com/?Action=GenerateDataKey
    &KeyId=<your-key-id>
    &KeySpec=AES_256
    &EncryptionContext={"Example":"Example"}
    &<Other public parameters>
  • Return format

    {
      "CiphertextBlob": blob, // Blob is a Base64 encoded string.
      "KeyId": "string",
      "Plaintext": blob, // Blob is a Base64 encoded string.
      "RequestId":"string"
    }
  • Return parameters

    • KeyId
      • Description: Globally unique identifier of CMK
      • Type: String
    • Plaintext
      • Description: Generated plaintext of DataKey
      • Type: String
    • CiphertextBlob
      • Description: Ciphertext of DataKey after encryption
      • Type: String
    • RequestId
      • Description: Random access ID
      • Type: String
  • Return example:

    //json response
    {
      "CiphertextBlob": "CiphertextBlob",
      "KeyId": "KeyId",
      "Plaintext": "Plaintext",
      "RequestId": "7021b6ec-4be7-4d3c-8a68-1e85d4d515a0"
    }
    //xml response
    <KMS>
      <CiphertextBlob>CiphertextBlob</CiphertextBlob>
      <KeyId>KeyId</KeyId>
      <Plaintext>Plaintext</Plaintext>
      <RequestId>7021b6ec-4be7-4d3c-8a68-1e85d4d515a0</RequestId>
    </KMS>
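
The recommended flow from the note at the top of this page, as an added Node.js example (not Alibaba Cloud's code; the KMS calls themselves are not made): encrypt locally with Plaintext, wipe it, keep only CiphertextBlob with the encrypted data, and later decrypt with the Plaintext that Decrypt returns. Assumptions: AES-GCM as the local cipher (the page does not prescribe one), the hypothetical helper names loadKey, sealLocal and openLocal, and a constructed SAMPLE_RESPONSE.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed sample in the page's JSON return format (not real KMS output).
// Plaintext is 32 constructed bytes, Base64-encoded as an AES_256 key would be.
const SAMPLE_RESPONSE = JSON.stringify({
  CiphertextBlob: 'constructed-ciphertext-blob',
  KeyId: 'constructed-key-id',
  Plaintext: Buffer.alloc(32, 7).toString('base64'),
  RequestId: 'constructed-request-id',
});

// Decode a Base64 data key and pick the matching AES-GCM cipher name.
function loadKey(plaintextB64) {
  const key = Buffer.from(plaintextB64, 'base64');
  if (key.length !== 16 && key.length !== 32) {
    key.fill(0);
    throw new Error('data key must be 16 (AES_128) or 32 (AES_256) bytes');
  }
  return { key, alg: `aes-${key.length * 8}-gcm` };
}

// Encrypt locally with Plaintext, wipe it, and return only what should be stored.
function sealLocal(responseJson, data) {
  const { CiphertextBlob, Plaintext } = JSON.parse(responseJson);
  const { key, alg } = loadKey(Plaintext);
  try {
    const nonce = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
    const c = nodeCrypto.createCipheriv(alg, key, nonce);
    const ciphertext = Buffer.concat([c.update(data), c.final()]);
    return { CiphertextBlob, nonce, ciphertext, tag: c.getAuthTag() };
  } finally {
    key.fill(0); // best effort: the parsed JSON string copy is left to the GC
  }
}

// Decrypt with the Plaintext that the Decrypt API returned for CiphertextBlob.
function openLocal(plaintextB64, envelope) {
  const { key, alg } = loadKey(plaintextB64);
  try {
    const d = nodeCrypto.createDecipheriv(alg, key, envelope.nonce);
    d.setAuthTag(envelope.tag);
    return Buffer.concat([d.update(envelope.ciphertext), d.final()]);
  } finally {
    key.fill(0);
  }
}
```

The stored envelope never contains Plaintext, so reading the data back requires a successful Decrypt call on CiphertextBlob; a wrong key or modified ciphertext makes openLocal throw instead of returning data.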