
Encryption Context

Last Updated: Dec 13, 2017

Function of Encryption Context

Encryption Context is a JSON string, in the String-String format only, which may be used in KMS APIs including Encrypt, GenerateDataKey, and Decrypt to protect data integrity.

If this parameter is specified during encryption (Encrypt or GenerateDataKey), the ciphertext can be decrypted only when an equivalent Encryption Context is passed to Decrypt. Although decryption depends on the Encryption Context, it is not included in the ciphertext (CipherBlob).

Valid value of Encryption Context

A valid Encryption Context is a JSON string of up to 8,192 characters, in the String-String format only. When you call the API directly and pass Encryption Context, make sure the characters in the JSON string are escaped correctly.

Example of valid Encryption Context

  1. {"ValidKey":"ValidValue"}
  2. {"Key1":"Value1","Key2":"Value2"}

(Partial) Example of invalid Encryption Context

  1. [{"Key":"Value"}] // JSON array
  2. {"Key":12345} // String-int
  3. {"Key":["value1","value2"]} // String-array

Equivalent Encryption Context

In essence, Encryption Context is a map (hashtable) in the String-String format. Two Encryption Context values are therefore equivalent as long as their JSON strings represent the same key-value pairs. To decrypt the ciphertext, you can pass any Encryption Context that is equivalent to the one you entered during encryption; you do not need to retain the original string.

Example of equivalent Encryption Context

  1. {"Key1":"Value1","Key2":"Value2"} is equivalent to {"Key2":"Value2","Key1":"Value1"}.
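A local pre-flight check for the rules above, as an added example that is not part of the original page or of any KMS SDK: it validates the String-String format and the 8,192-character limit, and compares two contexts for equivalence. The function names and the sorted `stable_form` rendering are assumptions of this example; because the context is not stored in the CipherBlob, a stable rendering is convenient to keep next to the ciphertext.

```python
import json

MAX_CONTEXT_CHARS = 8192  # limit stated on this page


def parse_encryption_context(raw: str) -> dict:
    """Parse a raw Encryption Context and enforce the String-String rules."""
    if len(raw) > MAX_CONTEXT_CHARS:
        raise ValueError("Encryption Context exceeds 8,192 characters")
    try:
        parsed = json.loads(raw)
    except (json.JSONDecodeError, RecursionError) as exc:
        # RecursionError covers pathologically nested input such as "[[[[..."
        raise ValueError(f"not parseable as JSON: {exc}") from exc
    if not isinstance(parsed, dict):
        raise ValueError(f"top level must be a JSON object, got {type(parsed).__name__}")
    # JSON object keys are always strings, so only the values need checking.
    for key, value in parsed.items():
        if not isinstance(value, str):
            raise ValueError(f"value of {key!r} must be a string, got {type(value).__name__}")
    return parsed


def is_valid(raw: str) -> bool:
    """True when raw satisfies the format and length rules."""
    try:
        parse_encryption_context(raw)
    except ValueError:
        return False
    return True


def equivalent(raw_a: str, raw_b: str) -> bool:
    """Two contexts are equivalent when they denote the same key-value map."""
    return parse_encryption_context(raw_a) == parse_encryption_context(raw_b)


def stable_form(raw: str) -> str:
    """Sorted, whitespace-free rendering (this example's choice) for storage."""
    parsed = parse_encryption_context(raw)
    return json.dumps(parsed, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


if __name__ == "__main__":
    # Samples are the valid and invalid examples listed on this page.
    for sample in ['{"ValidKey":"ValidValue"}', '[{"Key":"Value"}]',
                   '{"Key":12345}', '{"Key":["value1","value2"]}']:
        print(sample, "->", "valid" if is_valid(sample) else "invalid")
    print(equivalent('{"Key1":"Value1","Key2":"Value2"}',
                     '{"Key2":"Value2","Key1":"Value1"}'))
```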