REWRAP_KEYSET re-encrypts an existing wrapped keyset with a new Key Management Service (KMS) customer master key (CMK). Use this function to re-encrypt a wrapped keyset that was generated by NEW_WRAPPED_KEYSET under a different KMS key, for example when the original CMK is being rotated or retired. The keys inside the keyset are not changed; only the KMS key that protects the keyset changes.
For details on creating a wrapped keyset, see NEW_WRAPPED_KEYSET.
Prerequisites
Before you begin, make sure that you have:
A wrapped keyset generated by NEW_WRAPPED_KEYSET
A new KMS CMK with its key ARN (kms_cmk_arn) available
A RAM role that has permissions on both the old and new KMS keys, and that MaxCompute is authorized to assume
Syntax
binary REWRAP_KEYSET(string <kms_cmk_arn>, string <role_arn>, string <wrapped_keyset> [, string <role_chain>])
Parameters
| Parameter | Required | Description |
|---|---|---|
| kms_cmk_arn | Yes | ARN of the new KMS CMK to use for re-encryption. Format: 'acs:kms:<RegionId>:<UserId>:key/<CmkId>'. Get this ARN from the Key Details page in the KMS console. |
| role_arn | Yes | ARN of the RAM role that has permissions on both the old and new KMS keys. MaxCompute assumes this role to decrypt the keyset with the old CMK and re-encrypt it with the new one. Format: 'acs:ram::<UserId>:role/<roleName>'. |
| wrapped_keyset | Yes | The wrapped keyset to re-encrypt. |
| role_chain | No | Role chain for cross-account authorization. Format: 'acs:ram:<UserAId>:role/<roleName2>,acs:ram:<UserBId>:role/<roleName3>,...'. Use this parameter to let other Alibaba Cloud accounts use the re-encrypted wrapped keyset. |
Return value
Returns the re-encrypted wrapped keyset as a BINARY value. To convert it to a storable string, wrap the call with the HEX function. For details, see HEX.
Examples
The following examples contain variable placeholders. Run them in script mode or replace each placeholder with an actual value before running in SQL mode.
Re-encrypt a wrapped keyset
@origin_key := unhex('<wrapped_keyset>');
SELECT HEX(REWRAP_KEYSET(
'acs:kms:cn-hangzhou:1**************7:key/key-hzz******************',
'acs:ram::1**************7:role/kms',
@origin_key
));
Re-encrypt and enable cross-account access
@origin_key := unhex('<wrapped_keyset>');
@role_chain := 'acs:ram:<UserAId>:role/<roleName2>,acs:ram:<UserBId>:role/<roleName3>';
SELECT HEX(REWRAP_KEYSET(
'acs:kms:cn-hangzhou:1**************7:key/key-hzz******************',
'acs:ram::1**************7:role/kms',
@origin_key,
@role_chain
));
The role_chain parameter grants the listed Alibaba Cloud accounts permission to use the re-encrypted wrapped keyset.
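The examples above re-encrypt a single literal keyset. In practice, wrapped keysets are usually stored as HEX strings in a table, and a CMK rotation means every stored keyset has to be rewrapped. The following script, an added example and not part of the original page, rewraps all keysets held in a table and writes the results to a separate table, so the old versions remain available until the new ones are verified. The table names keyset_store and keyset_store_rewrapped, the column names keyset_name and wrapped_keyset_hex, and the ARN placeholders are all assumptions; replace them with your own values.

```sql
-- Added example (not from the original page). Assumes two tables with the
-- hypothetical schema (keyset_name STRING, wrapped_keyset_hex STRING):
--   keyset_store            holds the keysets wrapped under the OLD CMK
--   keyset_store_rewrapped  receives the keysets wrapped under the NEW CMK
-- Run in script mode. The ARNs below are placeholders, not real identifiers.

-- 1. Load the stored keysets and turn the HEX strings back into BINARY.
@old := SELECT keyset_name,
               UNHEX(wrapped_keyset_hex) AS wrapped_keyset
        FROM keyset_store;

-- 2. Rewrap every keyset under the new CMK. The RAM role must be allowed to
--    use both the old CMK (to unwrap) and the new CMK (to wrap again).
@new := SELECT keyset_name,
               HEX(REWRAP_KEYSET(
                 'acs:kms:cn-hangzhou:<UserId>:key/<NewCmkId>',
                 'acs:ram::<UserId>:role/<roleName>',
                 wrapped_keyset)) AS wrapped_keyset_hex
        FROM @old;

-- 3. Persist the rewrapped keysets. Writing to a separate table keeps the
--    previous versions intact until the new ones have been checked.
INSERT OVERWRITE TABLE keyset_store_rewrapped
SELECT keyset_name, wrapped_keyset_hex FROM @new;
```

Only after the rewrapped keysets have been confirmed to work should the old CMK be disabled; until then, the rows in keyset_store (and the old CMK) are the fallback if the rotation has to be reversed.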
References
| Document | Description |
|---|---|
| | Describes how to use keyset encryption functions. |
| | Creates a keyset based on a specified algorithm. |
| | Adds a new key to a keyset and sets the new key as the master key. |
| | Converts a keyset of the BINARY type to a readable JSON format to view the keyset details. |
| | Converts a keyset of the JSON type to the BINARY type. |
| | The system automatically generates a new key and sets it as the master key. |
| | Creates a new wrapped keyset. This function grants a role with KMS CMK permissions to MaxCompute. You can also use a role chain to authorize other Alibaba Cloud accounts to decrypt the keyset. |
| | Decrypts an existing encrypted keyset, performs key rotation, and then encrypts the keyset with a new key. |
| | Converts a wrapped keyset to a basic keyset to use as a parameter in encryption and decryption functions. This function also lets you obtain and save information about the wrapped keyset for easy maintenance. |
| | Encrypts data with a specified keyset. |
| | Decrypts data with a specified keyset. |
What's next
NEW_WRAPPED_KEYSET — create a wrapped keyset
HEX — convert BINARY output to a storable string