pub struct Client { /* private fields */ }Implementations§
Source§impl Client
impl Client
Sourcepub fn get_key_store_info(&self) -> GetKeyStoreInfoFluentBuilder
pub fn get_key_store_info(&self) -> GetKeyStoreInfoFluentBuilder
Constructs a fluent builder for the GetKeyStoreInfo operation.
- The fluent builder is configurable:
- On success, responds with
GetKeyStoreInfoOutputwith field(s):grant_tokens(Option<::std::vec::Vec<::std::string::String>>): (undocumented)key_store_id(Option<::std::string::String>): (undocumented)key_store_name(Option<::std::string::String>): (undocumented)kms_configuration(Option<crate::deps::aws_cryptography_keyStore::types::KmsConfiguration>): (undocumented)logical_key_store_name(Option<::std::string::String>): (undocumented)
- On failure, responds with
SdkError<GetKeyStoreInfoError>
Source§impl Client
impl Client
Sourcepub fn create_key_store(&self) -> CreateKeyStoreFluentBuilder
pub fn create_key_store(&self) -> CreateKeyStoreFluentBuilder
Constructs a fluent builder for the CreateKeyStore operation.
- The fluent builder is configurable:
- On success, responds with
CreateKeyStoreOutputwith field(s):table_arn(Option<::std::string::String>): (undocumented)
- On failure, responds with
SdkError<CreateKeyStoreError>
Source§impl Client
impl Client
Sourcepub fn create_key(&self) -> CreateKeyFluentBuilder
pub fn create_key(&self) -> CreateKeyFluentBuilder
Constructs a fluent builder for the CreateKey operation.
- The fluent builder is configurable:
branch_key_identifier(impl Into<Option<::std::string::String>>)/set_branch_key_identifier(Option<::std::string::String>): (undocumented)encryption_context(impl Into<Option<::std::collections::HashMap<::std::string::String, ::std::string::String>>>)/set_encryption_context(Option<::std::collections::HashMap<::std::string::String, ::std::string::String>>): (undocumented)
- On success, responds with
CreateKeyOutputwith field(s):branch_key_identifier(Option<::std::string::String>): (undocumented)
- On failure, responds with
SdkError<CreateKeyError>
Examples found in repository?
examples/keyring/aws_kms_hierarchical/create_branch_key_id.rs (line 35)
16pub async fn create_branch_key_id(
17 key_store_table_name: &str,
18 logical_key_store_name: &str,
19 kms_key_arn: &str,
20) -> Result<String, crate::BoxError> {
21 // Create a Key Store
22 // The KMS Configuration you use in the KeyStore MUST have the right access to the resources in the KeyStore.
23 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
24 let key_store_config = KeyStoreConfig::builder()
25 .kms_client(aws_sdk_kms::Client::new(&sdk_config))
26 .ddb_client(aws_sdk_dynamodb::Client::new(&sdk_config))
27 .ddb_table_name(key_store_table_name)
28 .logical_key_store_name(logical_key_store_name)
29 .kms_configuration(KmsConfiguration::KmsKeyArn(kms_key_arn.to_string()))
30 .build()?;
31
32 let keystore = keystore_client::Client::from_conf(key_store_config)?;
33
34 // Create a branch key identifier with the AWS KMS Key configured in the KeyStore Configuration.
35 let new_key = keystore.create_key().send().await?;
36 Ok(new_key.branch_key_identifier.unwrap())
37}Source§impl Client
impl Client
Sourcepub fn version_key(&self) -> VersionKeyFluentBuilder
pub fn version_key(&self) -> VersionKeyFluentBuilder
Constructs a fluent builder for the VersionKey operation.
- The fluent builder is configurable:
- On success, responds with
VersionKeyOutputwith field(s): - On failure, responds with
SdkError<VersionKeyError>
Examples found in repository?
examples/keyring/aws_kms_hierarchical/version_branch_key_id_example.rs (line 33)
12pub async fn version_branch_key_id(
13 key_store_table_name: &str,
14 logical_key_store_name: &str,
15 kms_key_arn: &str,
16 branch_key_id: &str,
17) -> Result<(), crate::BoxError> {
18 // Create a Key Store
19 // The KMS Configuration you use in the KeyStore MUST have the right access to the resources in the KeyStore.
20 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
21 let key_store_config = KeyStoreConfig::builder()
22 .kms_client(aws_sdk_kms::Client::new(&sdk_config))
23 .ddb_client(aws_sdk_dynamodb::Client::new(&sdk_config))
24 .ddb_table_name(key_store_table_name)
25 .logical_key_store_name(logical_key_store_name)
26 .kms_configuration(KmsConfiguration::KmsKeyArn(kms_key_arn.to_string()))
27 .build()?;
28
29 let keystore = keystore_client::Client::from_conf(key_store_config)?;
30
31 // To version a branch key you MUST have access to kms:ReEncrypt* and kms:GenerateDataKeyWithoutPlaintext
32 keystore
33 .version_key()
34 .branch_key_identifier(branch_key_id)
35 .send()
36 .await?;
37
38 println!("Version Branch Key Example Completed Successfully");
39
40 Ok(())
41}Source§impl Client
impl Client
Sourcepub fn get_active_branch_key(&self) -> GetActiveBranchKeyFluentBuilder
pub fn get_active_branch_key(&self) -> GetActiveBranchKeyFluentBuilder
Constructs a fluent builder for the GetActiveBranchKey operation.
- The fluent builder is configurable:
- On success, responds with
GetActiveBranchKeyOutputwith field(s): - On failure, responds with
SdkError<GetActiveBranchKeyError>
Source§impl Client
impl Client
Sourcepub fn get_branch_key_version(&self) -> GetBranchKeyVersionFluentBuilder
pub fn get_branch_key_version(&self) -> GetBranchKeyVersionFluentBuilder
Constructs a fluent builder for the GetBranchKeyVersion operation.
- The fluent builder is configurable:
- On success, responds with
GetBranchKeyVersionOutputwith field(s): - On failure, responds with
SdkError<GetBranchKeyVersionError>
Source§impl Client
impl Client
Sourcepub fn get_beacon_key(&self) -> GetBeaconKeyFluentBuilder
pub fn get_beacon_key(&self) -> GetBeaconKeyFluentBuilder
Constructs a fluent builder for the GetBeaconKey operation.
- The fluent builder is configurable:
- On success, responds with
GetBeaconKeyOutputwith field(s): - On failure, responds with
SdkError<GetBeaconKeyError>
Source§impl Client
impl Client
Sourcepub fn from_conf(input: KeyStoreConfig) -> Result<Self, Error>
pub fn from_conf(input: KeyStoreConfig) -> Result<Self, Error>
Creates a new client from the service Config.
Examples found in repository?
examples/keyring/aws_kms_hierarchical/create_branch_key_id.rs (line 32)
16pub async fn create_branch_key_id(
17 key_store_table_name: &str,
18 logical_key_store_name: &str,
19 kms_key_arn: &str,
20) -> Result<String, crate::BoxError> {
21 // Create a Key Store
22 // The KMS Configuration you use in the KeyStore MUST have the right access to the resources in the KeyStore.
23 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
24 let key_store_config = KeyStoreConfig::builder()
25 .kms_client(aws_sdk_kms::Client::new(&sdk_config))
26 .ddb_client(aws_sdk_dynamodb::Client::new(&sdk_config))
27 .ddb_table_name(key_store_table_name)
28 .logical_key_store_name(logical_key_store_name)
29 .kms_configuration(KmsConfiguration::KmsKeyArn(kms_key_arn.to_string()))
30 .build()?;
31
32 let keystore = keystore_client::Client::from_conf(key_store_config)?;
33
34 // Create a branch key identifier with the AWS KMS Key configured in the KeyStore Configuration.
35 let new_key = keystore.create_key().send().await?;
36 Ok(new_key.branch_key_identifier.unwrap())
37}More examples
examples/keyring/aws_kms_hierarchical/version_branch_key_id_example.rs (line 29)
12pub async fn version_branch_key_id(
13 key_store_table_name: &str,
14 logical_key_store_name: &str,
15 kms_key_arn: &str,
16 branch_key_id: &str,
17) -> Result<(), crate::BoxError> {
18 // Create a Key Store
19 // The KMS Configuration you use in the KeyStore MUST have the right access to the resources in the KeyStore.
20 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
21 let key_store_config = KeyStoreConfig::builder()
22 .kms_client(aws_sdk_kms::Client::new(&sdk_config))
23 .ddb_client(aws_sdk_dynamodb::Client::new(&sdk_config))
24 .ddb_table_name(key_store_table_name)
25 .logical_key_store_name(logical_key_store_name)
26 .kms_configuration(KmsConfiguration::KmsKeyArn(kms_key_arn.to_string()))
27 .build()?;
28
29 let keystore = keystore_client::Client::from_conf(key_store_config)?;
30
31 // To version a branch key you MUST have access to kms:ReEncrypt* and kms:GenerateDataKeyWithoutPlaintext
32 keystore
33 .version_key()
34 .branch_key_identifier(branch_key_id)
35 .send()
36 .await?;
37
38 println!("Version Branch Key Example Completed Successfully");
39
40 Ok(())
41}examples/keyring/aws_kms_hierarchical/aws_kms_hierarchical_keyring_example.rs (line 84)
52pub async fn encrypt_and_decrypt_with_keyring(
53 example_data: &str,
54 key_store_table_name: &str,
55 logical_key_store_name: &str,
56 key_store_kms_key_id: &str,
57) -> Result<(), crate::BoxError> {
58 // 1. Instantiate the encryption SDK client.
59 // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
60 // which enforces that this client only encrypts using committing algorithm suites and enforces
61 // that this client will only decrypt encrypted messages that were created with a committing
62 // algorithm suite.
63 let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
64 let esdk_client = esdk_client::Client::from_conf(esdk_config)?;
65
66 // 2. Create a KMS client and DynamoDB client.
67 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
68 let kms_client = aws_sdk_kms::Client::new(&sdk_config);
69 let ddb_client = aws_sdk_dynamodb::Client::new(&sdk_config);
70
71 // 3. Configure your KeyStore resource.
72 // This SHOULD be the same configuration that you used
73 // to initially create and populate your KeyStore.
74 let key_store_config = KeyStoreConfig::builder()
75 .kms_client(kms_client)
76 .ddb_client(ddb_client)
77 .ddb_table_name(key_store_table_name)
78 .logical_key_store_name(logical_key_store_name)
79 .kms_configuration(KmsConfiguration::KmsKeyArn(
80 key_store_kms_key_id.to_string(),
81 ))
82 .build()?;
83
84 let key_store = keystore_client::Client::from_conf(key_store_config)?;
85
86 // 4. Call CreateKey to create two new active branch keys
87 let branch_key_id_a: String = create_branch_key_id(
88 key_store_table_name,
89 logical_key_store_name,
90 key_store_kms_key_id,
91 )
92 .await?;
93 let branch_key_id_b: String = create_branch_key_id(
94 key_store_table_name,
95 logical_key_store_name,
96 key_store_kms_key_id,
97 )
98 .await?;
99
100 // 5. Create a branch key supplier that maps the branch key id to a more readable format
101 let branch_key_id_supplier =
102 ExampleBranchKeyIdSupplier::new(&branch_key_id_a, &branch_key_id_b);
103
104 // 6. Create the Hierarchical Keyring.
105 let mpl_config = MaterialProvidersConfig::builder().build()?;
106 let mpl = mpl_client::Client::from_conf(mpl_config)?;
107
108 let hierarchical_keyring = mpl
109 .create_aws_kms_hierarchical_keyring()
110 .key_store(key_store.clone())
111 .branch_key_id_supplier(branch_key_id_supplier)
112 .ttl_seconds(600)
113 .send()
114 .await?;
115
116 // 7. Create encryption context for both tenants.
117 // The Branch Key Id supplier uses the encryption context to determine which branch key id will
118 // be used to encrypt data.
119 // Remember that your encryption context is NOT SECRET.
120 // For more information, see
121 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
122
123 // Create encryption context for TenantA
124 let encryption_context_a = HashMap::from([
125 ("tenant".to_string(), "TenantA".to_string()),
126 ("encryption".to_string(), "context".to_string()),
127 ("is not".to_string(), "secret".to_string()),
128 ("but adds".to_string(), "useful metadata".to_string()),
129 (
130 "that can help you".to_string(),
131 "be confident that".to_string(),
132 ),
133 (
134 "the data you are handling".to_string(),
135 "is what you think it is".to_string(),
136 ),
137 ]);
138
139 // Create encryption context for TenantB
140 let encryption_context_b = HashMap::from([
141 ("tenant".to_string(), "TenantB".to_string()),
142 ("encryption".to_string(), "context".to_string()),
143 ("is not".to_string(), "secret".to_string()),
144 ("but adds".to_string(), "useful metadata".to_string()),
145 (
146 "that can help you".to_string(),
147 "be confident that".to_string(),
148 ),
149 (
150 "the data you are handling".to_string(),
151 "is what you think it is".to_string(),
152 ),
153 ]);
154
155 // 8. Encrypt the data with encryption_contextA & encryption_contextB
156 let plaintext = example_data.as_bytes();
157
158 let encryption_response_a = esdk_client
159 .encrypt()
160 .plaintext(plaintext)
161 .keyring(hierarchical_keyring.clone())
162 .encryption_context(encryption_context_a.clone())
163 .send()
164 .await?;
165
166 let ciphertext_a = encryption_response_a
167 .ciphertext
168 .expect("Unable to unwrap ciphertext from encryption response");
169
170 let encryption_response_b = esdk_client
171 .encrypt()
172 .plaintext(plaintext)
173 .keyring(hierarchical_keyring.clone())
174 .encryption_context(encryption_context_b.clone())
175 .send()
176 .await?;
177
178 let ciphertext_b = encryption_response_b
179 .ciphertext
180 .expect("Unable to unwrap ciphertext from encryption response");
181
182 // 9. Demonstrate that the ciphertexts and plaintext are different.
183 // (This is an example for demonstration; you do not need to do this in your own code.)
184 assert_ne!(
185 ciphertext_a,
186 aws_smithy_types::Blob::new(plaintext),
187 "Ciphertext and plaintext data are the same. Invalid encryption"
188 );
189
190 assert_ne!(
191 ciphertext_b,
192 aws_smithy_types::Blob::new(plaintext),
193 "Ciphertext and plaintext data are the same. Invalid encryption"
194 );
195
196 // 10. To attest that TenantKeyB cannot decrypt a message written by TenantKeyA,
197 // and vice versa, let's construct more restrictive hierarchical keyrings.
198 let hierarchical_keyring_a = mpl
199 .create_aws_kms_hierarchical_keyring()
200 .key_store(key_store.clone())
201 .branch_key_id(branch_key_id_a)
202 .ttl_seconds(600)
203 .send()
204 .await?;
205
206 let hierarchical_keyring_b = mpl
207 .create_aws_kms_hierarchical_keyring()
208 .key_store(key_store)
209 .branch_key_id(branch_key_id_b)
210 .ttl_seconds(600)
211 .send()
212 .await?;
213
214 // 11. Demonstrate that data encrypted by one tenant's key
215 // cannot be decrypted with by a keyring specific to another tenant.
216
217 // Keyring with tenant B's branch key cannot decrypt data encrypted with tenant A's branch key
218 // This will fail and raise a AwsCryptographicMaterialProvidersError,
219 // which we swallow ONLY for demonstration purposes.
220 let decryption_response_mismatch_1 = esdk_client
221 .decrypt()
222 .ciphertext(ciphertext_a.clone())
223 .keyring(hierarchical_keyring_b.clone())
224 // Provide the encryption context that was supplied to the encrypt method
225 .encryption_context(encryption_context_a.clone())
226 .send()
227 .await;
228
229 match decryption_response_mismatch_1 {
230 Ok(_) => panic!(
231 "Decrypt with wrong tenant's hierarchical keyring MUST \
232 raise AwsCryptographicMaterialProvidersError"
233 ),
234 Err(AwsCryptographicMaterialProvidersError { error: _e }) => (),
235 _ => panic!("Unexpected error type"),
236 }
237
238 // Keyring with tenant A's branch key cannot decrypt data encrypted with tenant B's branch key.
239 // This will fail and raise a AwsCryptographicMaterialProvidersError,
240 // which we swallow ONLY for demonstration purposes.
241 let decryption_response_mismatch_2 = esdk_client
242 .decrypt()
243 .ciphertext(ciphertext_b.clone())
244 .keyring(hierarchical_keyring_a.clone())
245 // Provide the encryption context that was supplied to the encrypt method
246 .encryption_context(encryption_context_b.clone())
247 .send()
248 .await;
249
250 match decryption_response_mismatch_2 {
251 Ok(_) => panic!(
252 "Decrypt with wrong tenant's hierarchical keyring MUST \
253 raise AwsCryptographicMaterialProvidersError"
254 ),
255 Err(AwsCryptographicMaterialProvidersError { error: _e }) => (),
256 _ => panic!("Unexpected error type"),
257 }
258
259 // 12. Demonstrate that data encrypted by one tenant's branch key can be decrypted by that tenant,
260 // and that the decrypted data matches the input data.
261 let decryption_response_a = esdk_client
262 .decrypt()
263 .ciphertext(ciphertext_a)
264 .keyring(hierarchical_keyring_a)
265 // Provide the encryption context that was supplied to the encrypt method
266 .encryption_context(encryption_context_a)
267 .send()
268 .await?;
269
270 let decrypted_plaintext_a = decryption_response_a
271 .plaintext
272 .expect("Unable to unwrap plaintext from decryption response");
273
274 // Demonstrate that the decrypted plaintext is identical to the original plaintext.
275 // (This is an example for demonstration; you do not need to do this in your own code.)
276 assert_eq!(
277 decrypted_plaintext_a,
278 aws_smithy_types::Blob::new(plaintext),
279 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
280 );
281
282 // Similarly for TenantB
283 let decryption_response_b = esdk_client
284 .decrypt()
285 .ciphertext(ciphertext_b)
286 .keyring(hierarchical_keyring_b)
287 // Provide the encryption context that was supplied to the encrypt method
288 .encryption_context(encryption_context_b)
289 .send()
290 .await?;
291
292 let decrypted_plaintext_b = decryption_response_b
293 .plaintext
294 .expect("Unable to unwrap plaintext from decryption response");
295
296 // Demonstrate that the decrypted plaintext is identical to the original plaintext.
297 // (This is an example for demonstration; you do not need to do this in your own code.)
298 assert_eq!(
299 decrypted_plaintext_b,
300 aws_smithy_types::Blob::new(plaintext),
301 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
302 );
303
304 println!("Hierarchical Keyring Example Completed Successfully");
305
306 Ok(())
307}examples/keyring/aws_kms_hierarchical/shared_cache_across_hierarchical_keyrings_example.rs (line 135)
78pub async fn encrypt_and_decrypt_with_keyring(
79 example_data: &str,
80 key_store_table_name: &str,
81 logical_key_store_name: &str,
82 key_store_kms_key_id: &str,
83) -> Result<(), crate::BoxError> {
84 // 1a. Create the CryptographicMaterialsCache (CMC) to share across multiple Hierarchical Keyrings
85 // using the Material Providers Library
86 // This CMC takes in:
87 // - CacheType
88 let mpl_config = MaterialProvidersConfig::builder().build()?;
89 let mpl = mpl_client::Client::from_conf(mpl_config)?;
90
91 let cache: CacheType = CacheType::Default(DefaultCache::builder().entry_capacity(100).build()?);
92
93 let shared_cryptographic_materials_cache: CryptographicMaterialsCacheRef = mpl
94 .create_cryptographic_materials_cache()
95 .cache(cache)
96 .send()
97 .await?;
98
99 // 1b. Create a CacheType object for the shared_cryptographic_materials_cache
100 // Note that the `cache` parameter in the Hierarchical Keyring Input takes a `CacheType` as input
101 // Here, we pass a `Shared` CacheType that passes an already initialized shared cache.
102
103 // If you want to use a Shared Cache, you need to initialize it only once, and
104 // pass the same cache `shared_cache` to different hierarchical keyrings.
105
106 // CryptographicMaterialsCacheRef is an Rc (Reference Counted), so if you clone it to
107 // pass it to different Hierarchical Keyrings, it will still point to the same
108 // underlying cache, and increment the reference count accordingly.
109 let shared_cache: CacheType = CacheType::Shared(shared_cryptographic_materials_cache);
110
111 // 2. Instantiate the encryption SDK client.
112 // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
113 // which enforces that this client only encrypts using committing algorithm suites and enforces
114 // that this client will only decrypt encrypted messages that were created with a committing
115 // algorithm suite.
116 let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
117 let esdk_client = esdk_client::Client::from_conf(esdk_config)?;
118
119 // 3. Configure your Key Store resource key_store1.
120 // This SHOULD be the same configuration that you used
121 // to initially create and populate your physical Key Store.
122 // Note that key_store_table_name is the physical Key Store,
123 // and key_store1 is instances of this physical Key Store.
124 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
125 let key_store_config = KeyStoreConfig::builder()
126 .kms_client(aws_sdk_kms::Client::new(&sdk_config))
127 .ddb_client(aws_sdk_dynamodb::Client::new(&sdk_config))
128 .ddb_table_name(key_store_table_name)
129 .logical_key_store_name(logical_key_store_name)
130 .kms_configuration(KmsConfiguration::KmsKeyArn(
131 key_store_kms_key_id.to_string(),
132 ))
133 .build()?;
134
135 let key_store1 = keystore_client::Client::from_conf(key_store_config.clone())?;
136
137 // 4. Call create_branch_key_id to create one new active branch key
138 let branch_key_id: String = create_branch_key_id(
139 key_store_table_name,
140 logical_key_store_name,
141 key_store_kms_key_id,
142 )
143 .await?;
144
145 // 5. Create the Hierarchical Keyring HK1 with Key Store instance K1, partition_id,
146 // the shared_cache and the branch_key_id.
147 // Note that we are now providing an already initialized shared cache instead of just mentioning
148 // the cache type and the Hierarchical Keyring initializing a cache at initialization.
149
150 // partition_id for this example is a random UUID
151 let partition_id = "91c1b6a2-6fc3-4539-ad5e-938d597ed730".to_string();
152
153 // Please make sure that you read the guidance on how to set Partition ID, Logical Key Store Name and
154 // Branch Key ID at the top of this example before creating Hierarchical Keyrings with a Shared Cache
155 let keyring1 = mpl
156 .create_aws_kms_hierarchical_keyring()
157 .key_store(key_store1)
158 .branch_key_id(branch_key_id.clone())
159 // CryptographicMaterialsCacheRef is an Rc (Reference Counted), so if you clone it to
160 // pass it to different Hierarchical Keyrings, it will still point to the same
161 // underlying cache, and increment the reference count accordingly.
162 .cache(shared_cache.clone())
163 .ttl_seconds(600)
164 .partition_id(partition_id.clone())
165 .send()
166 .await?;
167
168 // 6. Create encryption context.
169 // Remember that your encryption context is NOT SECRET.
170 // For more information, see
171 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
172 let encryption_context = HashMap::from([
173 ("encryption".to_string(), "context".to_string()),
174 ("is not".to_string(), "secret".to_string()),
175 ("but adds".to_string(), "useful metadata".to_string()),
176 (
177 "that can help you".to_string(),
178 "be confident that".to_string(),
179 ),
180 (
181 "the data you are handling".to_string(),
182 "is what you think it is".to_string(),
183 ),
184 ]);
185
186 // 7. Encrypt the data for encryption_context using keyring1
187 let plaintext = example_data.as_bytes();
188
189 let encryption_response1 = esdk_client
190 .encrypt()
191 .plaintext(plaintext)
192 .keyring(keyring1.clone())
193 .encryption_context(encryption_context.clone())
194 .send()
195 .await?;
196
197 let ciphertext1 = encryption_response1
198 .ciphertext
199 .expect("Unable to unwrap ciphertext from encryption response");
200
201 // 8. Demonstrate that the ciphertexts and plaintext are different.
202 // (This is an example for demonstration; you do not need to do this in your own code.)
203 assert_ne!(
204 ciphertext1,
205 aws_smithy_types::Blob::new(plaintext),
206 "Ciphertext and plaintext data are the same. Invalid encryption"
207 );
208
209 // 9. Decrypt your encrypted data using the same keyring HK1 you used on encrypt.
210 let decryption_response1 = esdk_client
211 .decrypt()
212 .ciphertext(ciphertext1)
213 .keyring(keyring1)
214 // Provide the encryption context that was supplied to the encrypt method
215 .encryption_context(encryption_context.clone())
216 .send()
217 .await?;
218
219 let decrypted_plaintext1 = decryption_response1
220 .plaintext
221 .expect("Unable to unwrap plaintext from decryption response");
222
223 // 10. Demonstrate that the decrypted plaintext is identical to the original plaintext.
224 // (This is an example for demonstration; you do not need to do this in your own code.)
225 assert_eq!(
226 decrypted_plaintext1,
227 aws_smithy_types::Blob::new(plaintext),
228 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
229 );
230
231 // 11. Through the above encrypt and decrypt roundtrip, the cache will be populated and
232 // the cache entries can be used by another Hierarchical Keyring with the
233 // - Same Partition ID
234 // - Same Logical Key Store Name of the Key Store for the Hierarchical Keyring
235 // - Same Branch Key ID
236
237 // Configure your Key Store resource key_store2.
238 // This SHOULD be the same configuration that you used
239 // to initially create and populate your physical Key Store.
240 // Note that key_store_table_name is the physical Key Store,
241 // and key_store2 is instances of this physical Key Store.
242
243 // Note that for this example, key_store2 is identical to key_store1.
244 // You can optionally change configurations like KMS Client or KMS Key ID based
245 // on your use-case.
246 // Make sure you have the required permissions to use different configurations.
247
248 // - If you want to share cache entries across two keyrings HK1 and HK2,
249 // you should set the Logical Key Store Names for both
250 // Key Store instances (K1 and K2) to be the same.
251 // - If you set the Logical Key Store Names for K1 and K2 to be different,
252 // HK1 (which uses Key Store instance K1) and HK2 (which uses Key Store
253 // instance K2) will NOT be able to share cache entries.
254 let key_store2 = keystore_client::Client::from_conf(key_store_config.clone())?;
255
256 // 12. Create the Hierarchical Keyring HK2 with Key Store instance K2, the shared_cache
257 // and the same partition_id and branch_key_id used in HK1 because we want to share cache entries
258 // (and experience cache HITS).
259
260 // Please make sure that you read the guidance on how to set Partition ID, Logical Key Store Name and
261 // Branch Key ID at the top of this example before creating Hierarchical Keyrings with a Shared Cache
262 let keyring2 = mpl
263 .create_aws_kms_hierarchical_keyring()
264 .key_store(key_store2)
265 .branch_key_id(branch_key_id)
266 .cache(shared_cache)
267 .ttl_seconds(600)
268 .partition_id(partition_id)
269 .send()
270 .await?;
271
272 // 13. This encrypt-decrypt roundtrip with HK2 will experience Cache HITS from previous HK1 roundtrip
273 // Encrypt the data for encryption_context using keyring2
274 let encryption_response2 = esdk_client
275 .encrypt()
276 .plaintext(plaintext)
277 .keyring(keyring2.clone())
278 .encryption_context(encryption_context.clone())
279 .send()
280 .await?;
281
282 let ciphertext2 = encryption_response2
283 .ciphertext
284 .expect("Unable to unwrap ciphertext from encryption response");
285
286 // 14. Demonstrate that the ciphertexts and plaintext are different.
287 // (This is an example for demonstration; you do not need to do this in your own code.)
288 assert_ne!(
289 ciphertext2,
290 aws_smithy_types::Blob::new(plaintext),
291 "Ciphertext and plaintext data are the same. Invalid encryption"
292 );
293
294 // 15. Decrypt your encrypted data using the same keyring HK2 you used on encrypt.
295 let decryption_response2 = esdk_client
296 .decrypt()
297 .ciphertext(ciphertext2)
298 .keyring(keyring2)
299 // Provide the encryption context that was supplied to the encrypt method
300 .encryption_context(encryption_context)
301 .send()
302 .await?;
303
304 let decrypted_plaintext2 = decryption_response2
305 .plaintext
306 .expect("Unable to unwrap plaintext from decryption response");
307
308 // 10. Demonstrate that the decrypted plaintext is identical to the original plaintext.
309 // (This is an example for demonstration; you do not need to do this in your own code.)
310 assert_eq!(
311 decrypted_plaintext2,
312 aws_smithy_types::Blob::new(plaintext),
313 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
314 );
315
316 println!("Shared Cache Across Hierarchical Keyrings Example Completed Successfully");
317
318 Ok(())
319}Trait Implementations§
impl StructuralPartialEq for Client
Auto Trait Implementations§
impl Freeze for Client
impl !RefUnwindSafe for Client
impl Send for Client
impl Sync for Client
impl Unpin for Client
impl !UnwindSafe for Client
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value. Read more
Source§impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> CloneToUninit for Twhere
T: Clone,
Source§impl<T> Instrument for T
impl<T> Instrument for T
Source§fn instrument(self, span: Span) -> Instrumented<Self>
fn instrument(self, span: Span) -> Instrumented<Self>
Source§fn in_current_span(self) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
Source§impl<T> IntoEither for T
impl<T> IntoEither for T
Source§fn into_either(self, into_left: bool) -> Either<Self, Self>
fn into_either(self, into_left: bool) -> Either<Self, Self>
Converts
self into a Left variant of Either<Self, Self>
if into_left is true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read moreSource§fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
Converts
self into a Left variant of Either<Self, Self>
if into_left(&self) returns true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read moreCreates a shared type from an unshared type.