The following tables list the KMS Instance API operations available in Key Management Service (KMS).
Key-related operations
| Operation | Description | Key type | Notes |
|---|---|---|---|
| AdvanceEncrypt | Encrypts plaintext into ciphertext. Use this operation instead of Encrypt when automatic key rotation is enabled. AdvanceEncrypt is designed to stay compatible across key rotations. | Symmetric only | If automatic key rotation is enabled, use AdvanceEncrypt, AdvanceDecrypt, or AdvanceGenerateDataKey so that key rotation remains effective. For more information, see Configure key rotation. Before calling AdvanceDecrypt, save the ciphertext (CiphertextBlob) and authentication data (Aad) returned by this operation. |
| AdvanceDecrypt | Decrypts ciphertext into plaintext. | Symmetric only | Requires the CiphertextBlob and Aad saved from the original AdvanceEncrypt or AdvanceGenerateDataKey call. |
| AdvanceGenerateDataKey | Generates a data key and encrypts data using envelope encryption. | Symmetric only | Before calling AdvanceDecrypt, save the ciphertext (CiphertextBlob) and authentication data (Aad) returned by this operation. |
| Encrypt | Encrypts plaintext into ciphertext. | Symmetric or asymmetric | Before calling Decrypt or AdvanceDecrypt, save the key ID (KeyId), ciphertext (CiphertextBlob), encryption algorithm (Algorithm), initialization vector (Iv), padding mode (PaddingMode), and authentication data (Aad) returned by this operation. |
| Decrypt | Decrypts ciphertext into plaintext. | Symmetric or asymmetric | — |
| GenerateDataKey | Generates a data key and encrypts data using envelope encryption. | Symmetric only | — |
| Sign | Generates a signature using an asymmetric key. | Asymmetric only | To verify the signature, call the Verify operation. To verify offline, call GetPublicKey to retrieve the public key and verify on your own system. |
| Verify | Verifies a signature using an asymmetric key. | Asymmetric only | — |
| GetPublicKey | Retrieves the public key of a specified asymmetric key. Use this operation when you need to perform signature verification or encryption outside of KMS. | Asymmetric only | — |
Secret-related operations