EncryptionContext is a JSON string that can be used in KMS API operations, such as Encrypt, GenerateDataKey, and Decrypt.

Function of EncryptionContext

EncryptionContext is a JSON string in the string-string format: a JSON object in which every key and every value is a string. It is used to ensure data integrity.

If you specify this parameter for encryption (Encrypt or GenerateDataKey), you must specify an equivalent EncryptionContext for decryption (Decrypt). EncryptionContext is required for decryption but is not included in the ciphertext (CipherBlob).

Valid values of EncryptionContext

A valid EncryptionContext is a JSON string of up to 8,192 characters that uses only the string-string format. When you pass EncryptionContext to an API operation, take escape characters in the JSON string into account.

Example of valid EncryptionContext


(Partial) Example of invalid EncryptionContext

[{"Key":"Value"}] // JSON array
{"Key":12345} //String-int
{"Key":["value1","value2"]} // String-array

Equivalent EncryptionContext

In essence, EncryptionContext is a map (hash table) in the string-string format. Two EncryptionContext values are equivalent when the key-value pairs represented by their JSON strings match. To decrypt ciphertext, you can pass any EncryptionContext that is equivalent to the one specified during encryption; you do not need to retain the original string.

Example of equivalent EncryptionContext

{"Key1":"Value1","Key2":"Value2"} is equivalent to {"Key2":"Value2","Key1":"Value1"}.