You can call this operation to encrypt plaintext with a specified CMK.

  • KMS uses the primary version of a specified CMK to encrypt data.
  • Only data which do not exceed 6 KB in size can be encrypted, such as RSA keys, database keys, or other sensitive user data.
  • If you migrate encrypted data from one region to another, you can call this operation to encrypt the plaintext of the data key to be used for encrypting data in the previous region. By doing this, you can provide a ciphertext of the data key that is recognized by the new region and can be decrypted by calling the Decrypt API in the new region.

Request parameters

Parameter Type Required Description
KeyId String Yes The globally unique ID of the CMK. This parameter can also be specified as an alias bound to the CMK. For more information, see Use aliases.
Plaintext String Yes The plaintext to be encrypted which must be encoded in Base64.
EncryptionContext String to string map No The JSON string of the key-value pair. If you specify this parameter here, it is also required when you call the Decrypt API operation. For more information, see Encryption Context.

Response parameters

Parameter Type Decription
KeyId String The globally unique ID of the CMK.
Note If an alias of the CMK is used as the value of the KeyId parameter, the ID of the CMK that the alias is bound to will be returned in the response.
KeyVersionId String The ID of the key version used to encrypt plaintext. It is the primary key version of the specified CMK.
CiphertextBlob String The ciphertext of the data key encrypted with the primary CMK version.
RequestId String The ID of the request.


Sample requests
&KeyId=<cmkid or aliasname>
&Plaintext=<data need encrypt>
&<Common request parameters>

Sample responses

JSON format

//json response
    "KeyId": "your-key-id",
    "KeyVersionId": "2ab1a983-7072-4bbc-a582-584b5bd8ecf3",
    "CiphertextBlob": "CiphertextBlob",
    "RequestId": "475f1620-b9d3-4d35-b5c6-3fbdd941423d"

XML format

//xml response