
Key Management Service: ExportDataKey

Last Updated: Jul 29, 2025

Exports a data key that is encrypted by a specified public key.

Operation description

Precautions

  • For information about the access policy required for a RAM user or RAM role to call this operation, see Resource Access Management.

  • You can call this operation using a shared gateway or a dedicated gateway. For more information, see Alibaba Cloud SDK.

    • Shared gateway: You can access KMS using the public endpoint or a VPC endpoint. To use the public endpoint, you must first enable it. For more information, see Access the key in a KMS instance over the Internet.

    • Dedicated gateway: You can access KMS using the private endpoint of the KMS instance: <YOUR_KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com.

Description

After you call the GenerateDataKeyWithoutPlaintext operation to obtain a data key encrypted by a master key (CMK), you can call the ExportDataKey operation to distribute the data key to other regions or cryptographic modules. The ExportDataKey operation returns the ciphertext of the data key, which is encrypted with the specified public key.

You can import the exported ciphertext into the cryptographic module that holds the corresponding private key. This process lets you securely distribute the data key from KMS to a cryptographic module. After the data key is imported into the cryptographic module, you can use it to encrypt or decrypt data.
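
The flow described above, end to end, as an added example (not Alibaba Cloud code and not an SDK call): the receiving module creates an RSA_2048 key pair, publishes PublicKeyBlob, and unwraps ExportedDataKey with RSAES_OAEP_SHA_256. SimulateExport is a hypothetical local stand-in for KMS; the DER SubjectPublicKeyInfo encoding of PublicKeyBlob and the use of SHA-256 for MGF1 are assumptions, and the data key is a constructed sample.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)

// NewWrappingKey creates the module's RSA_2048 key pair and PublicKeyBlob (assumed: Base64 DER SPKI).
func NewWrappingKey() (*rsa.PrivateKey, string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, "", err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return priv, base64.StdEncoding.EncodeToString(der), err
}

// SimulateExport is a hypothetical local stand-in for KMS, not a KMS call: it wraps
// dataKey under PublicKeyBlob with RSAES_OAEP_SHA_256 (assumed: MGF1 uses SHA-256 too).
func SimulateExport(publicKeyBlob string, dataKey []byte) (string, error) {
	der, b64Err := base64.StdEncoding.DecodeString(publicKeyBlob)
	parsed, derErr := x509.ParsePKIXPublicKey(der)
	pub, ok := parsed.(*rsa.PublicKey)
	if b64Err != nil || derErr != nil || !ok || pub.N.BitLen() != 2048 {
		return "", fmt.Errorf("PublicKeyBlob is not a Base64 DER RSA_2048 public key")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	return base64.StdEncoding.EncodeToString(ct), err
}

// Unwrap decrypts ExportedDataKey inside the module that holds the private key.
func Unwrap(priv *rsa.PrivateKey, exportedDataKey string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(exportedDataKey)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	priv, blob, _ := NewWrappingKey()
	dataKey := []byte("constructed-32-byte-data-key-000") // constructed sample, not a real key
	exported, err := SimulateExport(blob, dataKey)
	got, _ := Unwrap(priv, exported)
	fmt.Println(err, string(got) == string(dataKey))
}
```

Only the holder of the private key that matches PublicKeyBlob can unwrap the result, so generate that key pair inside the module that will import the data key and keep the private half there.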

RAM authorization

No authorization for this operation. If you encounter issues with this operation, contact technical support.

Request parameters

| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| CiphertextBlob | string | Yes | The ciphertext of the data key that is encrypted using a master key (CMK). | ODZhOWVmZDktM2QxNi00ODk0LWJkNGYtMWZjNDNmM2YyYWJmS7FmDBBQ0BkKsQrtRnidtPwirmDcS0ZuJCU41xxAAWk4Z8qsADfbV0b+i6kQmlvj79dJdGOvtX69Uycs901q******** |
| EncryptionContext | object | No | A JSON string that consists of key-value pairs. EncryptionContext is the encryption context that is passed in when the data key is encrypted using a CMK. For more information, see EncryptionContext. | {"Example":"Example"} |
| PublicKeyBlob | string | Yes | The public key in Base64 format. | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAndKfC2ReLL2+y8a0+ZBBeAft/uBYo86GZiYJuflqgUzKxpyuvlo3uQkBv6b+nx+0tz8g8v7GhpPWMSW5L9mNHYsvYFsa7jTxsYdt17yj6GlUHPuMIs8hr5qbwl38IHU1iIa7nYWwE2fb3ePOvLDACRJVgGpU0yxioW80d2QD+9aU4jF5dlAahcfgsNzo2CXzCUc1+xbmNuq7Rp+H9VJB9dyYOwqnW3RhOLBo21FzpORapf0UiRlrHRpk1V6ez+aE1dofaYh/9bh0m6ioxj7j5hpZbWccuEZTMBKd+cbuBkRhJzc6Tti6qwZbDiu4fUwbZS0Tqpuo1UadiyxMW******** |
| WrappingKeySpec | string | Yes | The type of the public key specified by PublicKeyBlob. For more information about key types, see Introduction to asymmetric keys. Valid values: RSA_2048, EC_SM2. | RSA_2048 |
| WrappingAlgorithm | string | Yes | The encryption algorithm that is used to encrypt the data key using the public key specified by PublicKeyBlob. For more information about the algorithms, see AsymmetricDecrypt. Valid values: RSAES_OAEP_SHA_256, RSAES_OAEP_SHA_1, SM2PKE. | RSAES_OAEP_SHA_256 |
| DryRun | string | No | Specifies whether to enable the DryRun mode. Valid values: true, false (default). The DryRun mode is used to test the API call and verify the permissions on the specified resources and the validity of the request parameters. If you enable the DryRun mode, KMS returns a failure response and a failure reason. The failure reasons include the following: DryRunOperationError: The request would have succeeded if the DryRun parameter was not specified; ValidationError: The specified parameters in the request are invalid; AccessDeniedError: You are not authorized to perform the operation on the KMS resource. | false |

Response parameters

| Parameter | Type | Description | Example |
|---|---|---|---|
| | object | | |
| KeyVersionId | string | The ID of the key version that is used to decrypt the ciphertext of the specified data key. | 2ab1a983-7072-4bbc-a582-584b5bd8**** |
| KeyId | string | The ID of the CMK that is used to decrypt the ciphertext of the specified data key. The globally unique identifier of the CMK. | 202b9877-5a25-46e3-a763-e20791b5**** |
| RequestId | string | The ID of the request, which is a unique identifier generated by Alibaba Cloud for the request. You can use the request ID to troubleshoot issues. | 4bd560a1-729e-45f1-a3d9-b2a33d61046b |
| ExportedDataKey | string | The exported data key that is protected by public key encryption. | BQKP+1zK6+ZEMxTP5qaVzcsgXtWplYBKm0NXdSnB5FzliFxE1bSiu4dnEIlca2JpeH7yz1/S6fed630H+hIH6DoM25fTLNcKj+mFB0Xnh9m2+HN59Mn4qyTfcUeadnfCXSWcGBouhXFwcdd2rJ3n337bzTf4jm659gZu3L0i6PLuxM9p7mqdwO0cKJPfGVfhnfMz+f4alMg79WB/NNyE2lyX7/qxvV49ObNrrJbKSFiz8Djocaf0IESNLMbfYI5bXjWkJlX92DQbKhibtQW8ZOJ//ZC6t0AWcUoKL6QDm/dg5koQalcleRinpB+QadFm894sLbVZ9+N4GVs******* |

Examples

Success response

JSON format

{
  "KeyVersionId": "2ab1a983-7072-4bbc-a582-584b5bd8****",
  "KeyId": "202b9877-5a25-46e3-a763-e20791b5****",
  "RequestId": "4bd560a1-729e-45f1-a3d9-b2a33d61046b",
  "ExportedDataKey": "BQKP+1zK6+ZEMxTP5qaVzcsgXtWplYBKm0NXdSnB5FzliFxE1bSiu4dnEIlca2JpeH7yz1/S6fed630H+hIH6DoM25fTLNcKj+mFB0Xnh9m2+HN59Mn4qyTfcUeadnfCXSWcGBouhXFwcdd2rJ3n337bzTf4jm659gZu3L0i6PLuxM9p7mqdwO0cKJPfGVfhnfMz+f4alMg79WB/NNyE2lyX7/qxvV49ObNrrJbKSFiz8Djocaf0IESNLMbfYI5bXjWkJlX92DQbKhibtQW8ZOJ//ZC6t0AWcUoKL6QDm/dg5koQalcleRinpB+QadFm894sLbVZ9+N4GVs*******"
}

Error codes

| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 400 | InvalidParameter | The specified parameter is not valid. | An invalid value is specified for the parameter. |
| 500 | InternalFailure | Internal Failure. | |
| 404 | InvalidAccessKeyId.NotFound | The Access Key ID provided does not exist in our records. | |

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.