Encrypts plaintext by using a symmetric CMK.

  • KMS uses the primary version of a specified CMK to encrypt data.
  • Only data of 6 KB or less can be encrypted. For example, you can call this operation to encrypt RSA keys, database access passwords, or other sensitive information.
  • When you migrate encrypted data across regions, you can call this operation in the destination region to encrypt the plaintext of the data key that is used to encrypt the migrated data in the source region. This way, the ciphertext of the data key is generated in the destination region. You can also call the Decrypt operation to decrypt the data key.


OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes Encrypt

The operation that you want to perform. Set the value to Encrypt.

KeyId String Yes 1234abcd-12ab-34cd-56ef-12345678****

The globally unique ID of the CMK. You can also set this parameter to an alias that is bound to the CMK. For more information, see Use aliases.

Plaintext String Yes SGVsbG8gd29y****

The plaintext to be encrypted. The plaintext must be Base64 encoded.

EncryptionContext Json No {"Example":"Example"}

A JSON string that consists of key-value pairs. If you specify this parameter, an equivalent value is required when you call the Decrypt operation. For more information, see EncryptionContext.

Response parameters

Parameter Type Example Description
CiphertextBlob String DZhOWVmZDktM2QxNi00ODk0LWJkNGYtMWZjNDNmM2YyYWJmaaSl+TztSIMe43nbTH/Z1Wr4XfLftKhAciUmDQXuMRl4WTvKhxjMThjK****

The ciphertext of the data that is encrypted by using the primary CMK version.

KeyId String 1234abcd-12ab-34cd-56ef-12345678****

The globally unique ID of the CMK. If you set the KeyId parameter to an alias, the ID of the CMK to which the alias is bound is returned.

KeyVersionId String 86a9efd9-3d16-4894-bd4f-1fc43f3f****

The ID of the key version that is used to encrypt the plaintext. It is the primary version of the CMK.

RequestId String 475f1620-b9d3-4d35-b5c6-3fbdd941423d

The ID of the request.


Sample requests

&<Common request parameters>

Sample success responses

XML format


JSON format


Error codes

For a list of error codes, visit the API Error Center.