Encrypts plaintext with a symmetric CMK.

  • KMS uses the primary version of a specified CMK to encrypt data.
  • Only data of 6 KB or less can be encrypted, such as RSA keys, database keys, or other sensitive user data.
  • If you migrate encrypted data from one region to another, you can call this operation to encrypt the plaintext of the data key used to encrypt data in the source region. By doing this, you can provide a ciphertext of the data key that is recognized by the destination region and can be decrypted by calling the Decrypt API in the destination region.

Request parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| KeyId | String | Yes | The globally unique ID of the CMK. This parameter can also be specified as an alias bound to the CMK. For more information, see Use aliases. |
| Plaintext | String | Yes | The plaintext to be encrypted, which must be Base64-encoded. |
| EncryptionContext | String to String Map | No | A JSON string of key-value pairs. If you specify this parameter here, you must also specify it when you call the Decrypt operation. For more information, see Encryption Context. |

Response parameters

| Parameter | Type | Description |
|---|---|---|
| KeyId | String | The globally unique ID of the CMK. Note: If you set the KeyId parameter to the alias of the CMK, the ID of the CMK to which the alias is bound is returned. |
| KeyVersionId | String | The ID of the primary CMK key version used to encrypt the specified plaintext. |
| CiphertextBlob | String | The ciphertext of the data key encrypted by using the primary CMK version. |
| RequestId | String | The ID of the request. |
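
The following Python sketch is an added example, not code from the KMS documentation or SDK. It prepares the operation-specific request parameters described above and keeps the EncryptionContext next to the returned ciphertext so the same value can be supplied to Decrypt. It assumes the 6 KB limit means 6144 bytes measured before Base64 encoding; the function names and the sample alias, secret, and context are constructed for illustration, and common request parameters and signing are out of scope.

```python
import base64
import json

MAX_PLAINTEXT_BYTES = 6 * 1024  # assumption: 6 KB = 6144 raw bytes, before Base64


def build_encrypt_params(key_id, data, encryption_context=None):
    """Return KeyId/Plaintext/EncryptionContext for Encrypt (no common parameters)."""
    if not key_id:
        raise ValueError("KeyId is required (CMK ID or alias)")
    if not isinstance(data, bytes) or not data:
        raise ValueError("plaintext must be non-empty bytes")
    if len(data) > MAX_PLAINTEXT_BYTES:
        raise ValueError("plaintext exceeds the 6 KB limit of this operation")
    params = {"KeyId": key_id,
              "Plaintext": base64.b64encode(data).decode("ascii")}
    if encryption_context is not None:
        for k, v in encryption_context.items():
            if not isinstance(k, str) or not isinstance(v, str):
                raise TypeError("EncryptionContext must map strings to strings")
        # Sorted keys give one stable JSON string to store and replay at Decrypt.
        params["EncryptionContext"] = json.dumps(
            encryption_context, sort_keys=True, separators=(",", ":"))
    return params


def to_stored_record(params, response_json):
    """Merge the Encrypt response with the context that Decrypt will require."""
    resp = json.loads(response_json)
    required = ("KeyId", "KeyVersionId", "CiphertextBlob", "RequestId")
    missing = [f for f in required if f not in resp]
    if missing:
        raise ValueError("response is missing fields: " + ", ".join(missing))
    # resp["KeyId"] is the CMK ID even when the request used an alias.
    record = {f: resp[f] for f in ("KeyId", "KeyVersionId", "CiphertextBlob")}
    if "EncryptionContext" in params:
        record["EncryptionContext"] = params["EncryptionContext"]
    return record


if __name__ == "__main__":
    # Constructed sample input; the response mirrors this page's sample response.
    p = build_encrypt_params("alias/example-key", b"db-password",
                             {"env": "prod", "app": "billing"})
    sample = ('{"KeyId": "your-key-id", "KeyVersionId": '
              '"2ab1a983-7072-4bbc-a582-584b5bd8ecf3", "CiphertextBlob": '
              '"CiphertextBlob", "RequestId": "475f1620-b9d3-4d35-b5c6-3fbdd941423d"}')
    print(json.dumps(to_stored_record(p, sample), indent=2))
```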


Sample requests

&KeyId=<cmkid or aliasname>
&Plaintext=<data need encrypt>
&<Common request parameters>

Sample responses

JSON format

//json response
{
    "KeyId": "your-key-id",
    "KeyVersionId": "2ab1a983-7072-4bbc-a582-584b5bd8ecf3",
    "CiphertextBlob": "CiphertextBlob",
    "RequestId": "475f1620-b9d3-4d35-b5c6-3fbdd941423d"
}

XML format

//xml response