EncryptionContext is a JSON string that can be used in KMS cryptographic operations — Encrypt, GenerateDataKey, and Decrypt — to verify data integrity during decryption.
How it works
Pass EncryptionContext when calling Encrypt or GenerateDataKey. To decrypt the resulting ciphertext, pass an equivalent EncryptionContext to the Decrypt operation. If the context doesn't match, decryption fails.
EncryptionContext is related to decryption but is not stored inside the ciphertext (the CipherBlob parameter). Store the context alongside the ciphertext so you can retrieve it when decrypting.
Format
EncryptionContext is a JSON object in string-to-string format, with a maximum length of 8,192 characters. Each key and each value must be a string — no integers, no arrays, no nested objects.
Valid examples
{"purpose": "encrypt-user-data"}
{"resourceId": "disk-bp1234567890abcdef", "region": "cn-hangzhou"}Invalid examples
[{"key": "value"}] // JSON array — not a JSON object
{"key": 12345} // String-int — value must be a string
{"key": ["v1", "v2"]} // String-array — value must be a stringEquivalence rule
Two EncryptionContext values are equivalent if they contain the same key-value pairs, regardless of order.
{"Key1": "Value1", "Key2": "Value2"}is equivalent to:
{"Key2": "Value2", "Key1": "Value1"}The order of key-value pairs in your Decrypt call does not need to match the original encryption call.