Struct Client 

pub struct Client { /* private fields */ }

Implementations

impl Client

pub fn create_aws_kms_keyring(&self) -> CreateAwsKmsKeyringFluentBuilder

Constructs a fluent builder for the CreateAwsKmsKeyring operation.

• The fluent builder is configurable:
  • grant_tokens(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_grant_tokens(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
  • kms_client(impl Into<Option<crate::deps::com_amazonaws_kms::client::Client>>) / set_kms_client(Option<crate::deps::com_amazonaws_kms::client::Client>): (undocumented)
    
  • kms_key_id(impl Into<Option<::std::string::String>>) / set_kms_key_id(Option<::std::string::String>): (undocumented)
    
• On success, responds with CreateKeyringOutput with field(s):
  • keyring(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
• On failure, responds with SdkError<CreateAwsKmsKeyringError>

Examples found in repository

examples/keyring/aws_kms_keyring_example.rs (line 69)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    kms_key_id: &str,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Create a KMS keyring
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let kms_keyring = mpl
        .create_aws_kms_keyring()
        .kms_key_id(kms_key_id)
        .kms_client(kms_client)
        .send()
        .await?;

    // 5. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(kms_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 6. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 7. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(kms_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("KMS Keyring Example Completed Successfully");

    Ok(())
}

examples/set_commitment_policy_example.rs (line 78)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    kms_key_id: &str,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This example builds the client with the ForbidEncryptAllowDecrypt commitment policy,
    // which enforces that this client cannot encrypt with key commitment
    // and it can decrypt ciphertexts encrypted with or without key commitment.
    // The default commitment policy if you were to build the client like in
    // the `keyring/aws_kms_keyring_example.rs` is RequireEncryptRequireDecrypt.
    // We recommend that AWS Encryption SDK users use the default commitment policy
    // (RequireEncryptRequireDecrypt) whenever possible.
    let esdk_config = AwsEncryptionSdkConfig::builder()
        .commitment_policy(ForbidEncryptAllowDecrypt)
        .build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Create a KMS keyring
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let kms_keyring = mpl
        .create_aws_kms_keyring()
        .kms_key_id(kms_key_id)
        .kms_client(kms_client)
        .send()
        .await?;

    // 5. Encrypt the data with the encryption_context. Make sure you use a non-committing algorithm
    // with the commitment policy ForbidEncryptAllowDecrypt. Otherwise esdk_client.encrypt() will throw
    // Error: AwsCryptographicMaterialProvidersError
    //   {
    //     error: InvalidAlgorithmSuiteInfoOnEncrypt
    //     {
    //       message: "Configuration conflict. Commitment policy requires only non-committing algorithm suites"
    //     }
    //   }
    // By default for ForbidEncryptAllowDecrypt, the algorithm used is
    // AlgAes256GcmIv12Tag16HkdfSha384EcdsaP384 which is a non-committing algorithm.
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(kms_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 6. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 7. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(kms_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("Set Commitment Policy Example Completed Successfully");

    Ok(())
}

examples/cryptographic_materials_manager/restrict_algorithm_suite/signing_only_example.rs (line 58)

pub async fn encrypt_and_decrypt_with_cmm(
    example_data: &str,
    kms_key_id: &str,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Create a custom SigningSuiteOnlyCMM
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let kms_keyring = mpl
        .create_aws_kms_keyring()
        .kms_key_id(kms_key_id)
        .kms_client(kms_client)
        .send()
        .await?;

    let signing_suite_only_cmm = SigningSuiteOnlyCMM::new(kms_keyring);

    let signing_suite_only_cmm_ref: CryptographicMaterialsManagerRef =
        CryptographicMaterialsManagerRef {
            inner: ::std::sync::Arc::new(std::sync::Mutex::new(signing_suite_only_cmm)),
        };

    // 5. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .materials_manager(signing_suite_only_cmm_ref.clone())
        .encryption_context(encryption_context.clone())
        .algorithm_suite_id(EsdkAlgorithmSuiteId::AlgAes256GcmHkdfSha512CommitKeyEcdsaP384)
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 6. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 7. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .materials_manager(signing_suite_only_cmm_ref.clone())
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // 9. Demonstrate that a Non Signing Algorithm Suite will be rejected
    // by the CMM.
    let encryption_response_non_signing = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .materials_manager(signing_suite_only_cmm_ref)
        .encryption_context(encryption_context.clone())
        .algorithm_suite_id(EsdkAlgorithmSuiteId::AlgAes256GcmHkdfSha512CommitKey)
        .send()
        .await;

    match encryption_response_non_signing {
        Ok(_) => panic!(
            "Encrypt using non signing algorithm suite MUST \
                            raise AwsCryptographicMaterialProvidersError"
        ),
        Err(AwsCryptographicMaterialProvidersError { error: _e }) => (),
        _ => panic!("Unexpected error type"),
    }

    println!("SigningSuiteOnlyCMM Example Completed Successfully");

    Ok(())
}

examples/keyring/aws_kms_discovery_multi_keyring_example.rs (line 87)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    kms_key_id: &str,
    aws_account_id: &str,
    aws_regions: Vec<String>,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Create the keyring that determines how your data keys are protected.
    //    Although this example highlights Discovery keyrings, Discovery keyrings cannot
    //    be used to encrypt, so for encryption we create a KMS keyring without discovery mode.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let encrypt_kms_keyring = mpl
        .create_aws_kms_keyring()
        .kms_key_id(kms_key_id)
        .kms_client(kms_client.clone())
        .send()
        .await?;

    // 5. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(encrypt_kms_keyring)
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 6. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 7. Now create a Discovery Multi keyring to use for decryption. We'll add a discovery filter
    //    so that we limit the set of ciphertexts we are willing to decrypt to only ones
    //    created by KMS keys in our account and partition.
    let discovery_filter = DiscoveryFilter::builder()
        .account_ids(vec![aws_account_id.to_string()])
        .partition("aws".to_string())
        .build()?;

    // This is a Multi Keyring composed of Discovery Keyrings.
    // There is a keyring for every region in `regions`.
    // All the keyrings have the same Discovery Filter.
    // Each keyring has its own KMS Client, which is created for the keyring's region.
    let discovery_multi_keyring = mpl
        .create_aws_kms_discovery_multi_keyring()
        .regions(aws_regions)
        .discovery_filter(discovery_filter)
        .send()
        .await?;

    // 8. On Decrypt, the header of the encrypted message (ciphertext) will be parsed.
    // The header contains the Encrypted Data Keys (EDKs), which, if the EDK
    // was encrypted by a KMS Keyring, includes the KMS Key ARN.
    // For each member of the Multi Keyring, every EDK will try to be decrypted until a decryption
    // is successful.
    // Since every member of the Multi Keyring is a Discovery Keyring:
    //   Each Keyring will filter the EDKs by the Discovery Filter
    //       For the filtered EDKs, the keyring will try to decrypt it with the keyring's client.
    // All of this is done serially, until a success occurs or all keyrings have
    // failed all (filtered) EDKs.
    // KMS Discovery Keyrings will attempt to decrypt Multi Region Keys (MRKs) and regular KMS Keys.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(discovery_multi_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 9. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("KMS Discovery Multi Keyring Example Completed Successfully");

    Ok(())
}

examples/keyring/aws_kms_discovery_keyring_example.rs (line 89)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    kms_key_id: &str,
    aws_account_id: &str,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Create the keyring that determines how your data keys are protected.
    //    Although this example highlights Discovery keyrings, Discovery keyrings cannot
    //    be used to encrypt, so for encryption we create a KMS keyring without discovery mode.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let encrypt_kms_keyring = mpl
        .create_aws_kms_keyring()
        .kms_key_id(kms_key_id)
        .kms_client(kms_client.clone())
        .send()
        .await?;

    // 5. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(encrypt_kms_keyring)
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 6. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 7. Now create a Discovery keyring to use for decryption. We'll add a discovery filter
    //    so that we limit the set of ciphertexts we are willing to decrypt to only ones
    //    created by KMS keys in our account and partition.
    let discovery_filter = DiscoveryFilter::builder()
        .account_ids(vec![aws_account_id.to_string()])
        .partition("aws".to_string())
        .build()?;

    let discovery_keyring = mpl
        .create_aws_kms_discovery_keyring()
        .kms_client(kms_client.clone())
        .discovery_filter(discovery_filter)
        .send()
        .await?;

    // 8. Decrypt your encrypted data using the discovery keyring.
    //    On Decrypt, the header of the encrypted message (ciphertext) will be parsed.
    //    The header contains the Encrypted Data Keys (EDKs), which, if the EDK
    //    was encrypted by a KMS Keyring, includes the KMS Key ARN.
    //    The Discovery Keyring filters these EDKs for
    //    EDKs encrypted by Single Region OR Multi Region KMS Keys.
    //    If a Discovery Filter is present, these KMS Keys must belong
    //    to an AWS Account ID in the discovery filter's AccountIds and
    //    must be from the discovery filter's partition.
    //    Finally, KMS is called to decrypt each filtered EDK until an EDK is
    //    successfully decrypted. The resulting data key is used to decrypt the
    //    ciphertext's message.
    //    If all calls to KMS fail, the decryption fails.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .keyring(discovery_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 9. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // 10. Demonstrate that if a different discovery keyring (Bob's) doesn't have the correct
    //     AWS Account ID's, the decrypt will fail with an error message
    //     Note that this assumes Account ID used here ('888888888888') is different than the one used
    //     during encryption
    let discovery_filter_bob = DiscoveryFilter::builder()
        .account_ids(vec!["888888888888".to_string()])
        .partition("aws".to_string())
        .build()?;

    let discovery_keyring_bob = mpl
        .create_aws_kms_discovery_keyring()
        .kms_client(kms_client)
        .discovery_filter(discovery_filter_bob)
        .send()
        .await?;

    // Decrypt the ciphertext using Bob's discovery keyring which doesn't contain the required
    // Account ID's for the KMS keyring used for encryption.
    // This should throw an AwsCryptographicMaterialProvidersError exception
    let decryption_response_bob = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(discovery_keyring_bob)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await;

    match decryption_response_bob {
        Ok(_) => panic!(
            "Decrypt using discovery keyring with wrong AWS Account ID MUST \
                            raise AwsCryptographicMaterialProvidersError"
        ),
        Err(AwsCryptographicMaterialProvidersError { error: _e }) => (),
        _ => panic!("Unexpected error type"),
    }

    println!("KMS Discovery Keyring Example Completed Successfully");

    Ok(())
}

examples/keyring/multi_keyring_example.rs (line 91)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    kms_key_id: &str,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Create a KMS keyring
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let kms_keyring = mpl
        .create_aws_kms_keyring()
        .kms_key_id(kms_key_id)
        .kms_client(kms_client)
        .send()
        .await?;

    // 5. Create a raw AES keyring to additionally encrypt under as child_keyring

    // The key namespace and key name are defined by you.
    // and are used by the Raw AES keyring to determine
    // whether it should attempt to decrypt an encrypted data key.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
    let key_namespace: &str = "my-key-namespace";
    let key_name: &str = "my-aes-key-name";

    // Generate a 256-bit AES key to use with your raw AES keyring.
    // In practice, you should get this key from a secure key management system such as an HSM.
    let aes_key_bytes = generate_aes_key_bytes();

    let raw_aes_keyring = mpl
        .create_raw_aes_keyring()
        .key_name(key_name)
        .key_namespace(key_namespace)
        .wrapping_key(aes_key_bytes)
        .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
        .send()
        .await?;

    // 6. Create a multi_keyring that consists of the previously created keyrings.
    // When using this multi_keyring to encrypt data, either `kms_keyring` or
    // `raw_aes_keyring` (or a multi_keyring containing either) may be used to decrypt the data.
    let multi_keyring = mpl
        .create_multi_keyring()
        .generator(kms_keyring.clone())
        .child_keyrings(vec![raw_aes_keyring.clone()])
        .send()
        .await?;

    // 7. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(multi_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 8. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 9a. Decrypt your encrypted data using the same multi_keyring you used on encrypt.
    let decryption_response_multi_keyring = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .keyring(multi_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext_multi_keyring = decryption_response_multi_keyring
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 9b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_multi_keyring,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // Because you used a multi_keyring on Encrypt, you can use either the
    // `kms_keyring` or `raw_aes_keyring` individually to decrypt the data.

    // 10. Demonstrate that you can successfully decrypt data using just the `kms_keyring`
    // directly.
    // (This is an example for demonstration; you do not need to do this in your own code.)

    // 10a. Decrypt your encrypted data using the kms_keyring.
    let decryption_response_kms_keyring = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .keyring(kms_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext_kms_keyring = decryption_response_kms_keyring
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 10b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_kms_keyring,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // 11. Demonstrate that you can also successfully decrypt data using the `raw_aes_keyring`
    // directly.
    // (This is an example for demonstration; you do not need to do this in your own code.)

    // 11a. Decrypt your encrypted data using the raw_aes_keyring.
    let decryption_response_raw_aes_keyring = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(raw_aes_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext_raw_aes_keyring = decryption_response_raw_aes_keyring
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 11b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_raw_aes_keyring,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("Multi Keyring Example Completed Successfully");

    Ok(())
}

Additional examples can be found in:

• examples/keyring/aws_kms_multi_keyring_example.rs
• examples/cryptographic_materials_manager/required_encryption_context/required_encryption_context_example.rs

impl Client

pub fn create_aws_kms_discovery_keyring( &self, ) -> CreateAwsKmsDiscoveryKeyringFluentBuilder

Constructs a fluent builder for the CreateAwsKmsDiscoveryKeyring operation.

• The fluent builder is configurable:
  • discovery_filter(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::DiscoveryFilter>>) / set_discovery_filter(Option<crate::deps::aws_cryptography_materialProviders::types::DiscoveryFilter>): (undocumented)
    
  • grant_tokens(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_grant_tokens(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
  • kms_client(impl Into<Option<crate::deps::com_amazonaws_kms::client::Client>>) / set_kms_client(Option<crate::deps::com_amazonaws_kms::client::Client>): (undocumented)
    
• On success, responds with CreateKeyringOutput with field(s):
  • keyring(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
• On failure, responds with SdkError<CreateAwsKmsDiscoveryKeyringError>

Examples found in repository

examples/keyring/aws_kms_discovery_keyring_example.rs (line 127)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    kms_key_id: &str,
    aws_account_id: &str,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Create the keyring that determines how your data keys are protected.
    //    Although this example highlights Discovery keyrings, Discovery keyrings cannot
    //    be used to encrypt, so for encryption we create a KMS keyring without discovery mode.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let encrypt_kms_keyring = mpl
        .create_aws_kms_keyring()
        .kms_key_id(kms_key_id)
        .kms_client(kms_client.clone())
        .send()
        .await?;

    // 5. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(encrypt_kms_keyring)
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 6. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 7. Now create a Discovery keyring to use for decryption. We'll add a discovery filter
    //    so that we limit the set of ciphertexts we are willing to decrypt to only ones
    //    created by KMS keys in our account and partition.
    let discovery_filter = DiscoveryFilter::builder()
        .account_ids(vec![aws_account_id.to_string()])
        .partition("aws".to_string())
        .build()?;

    let discovery_keyring = mpl
        .create_aws_kms_discovery_keyring()
        .kms_client(kms_client.clone())
        .discovery_filter(discovery_filter)
        .send()
        .await?;

    // 8. Decrypt your encrypted data using the discovery keyring.
    //    On Decrypt, the header of the encrypted message (ciphertext) will be parsed.
    //    The header contains the Encrypted Data Keys (EDKs), which, if the EDK
    //    was encrypted by a KMS Keyring, includes the KMS Key ARN.
    //    The Discovery Keyring filters these EDKs for
    //    EDKs encrypted by Single Region OR Multi Region KMS Keys.
    //    If a Discovery Filter is present, these KMS Keys must belong
    //    to an AWS Account ID in the discovery filter's AccountIds and
    //    must be from the discovery filter's partition.
    //    Finally, KMS is called to decrypt each filtered EDK until an EDK is
    //    successfully decrypted. The resulting data key is used to decrypt the
    //    ciphertext's message.
    //    If all calls to KMS fail, the decryption fails.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .keyring(discovery_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 9. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // 10. Demonstrate that if a different discovery keyring (Bob's) doesn't have the correct
    //     AWS Account ID's, the decrypt will fail with an error message
    //     Note that this assumes Account ID used here ('888888888888') is different than the one used
    //     during encryption
    let discovery_filter_bob = DiscoveryFilter::builder()
        .account_ids(vec!["888888888888".to_string()])
        .partition("aws".to_string())
        .build()?;

    let discovery_keyring_bob = mpl
        .create_aws_kms_discovery_keyring()
        .kms_client(kms_client)
        .discovery_filter(discovery_filter_bob)
        .send()
        .await?;

    // Decrypt the ciphertext using Bob's discovery keyring which doesn't contain the required
    // Account ID's for the KMS keyring used for encryption.
    // This should throw an AwsCryptographicMaterialProvidersError exception
    let decryption_response_bob = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(discovery_keyring_bob)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await;

    match decryption_response_bob {
        Ok(_) => panic!(
            "Decrypt using discovery keyring with wrong AWS Account ID MUST \
                            raise AwsCryptographicMaterialProvidersError"
        ),
        Err(AwsCryptographicMaterialProvidersError { error: _e }) => (),
        _ => panic!("Unexpected error type"),
    }

    println!("KMS Discovery Keyring Example Completed Successfully");

    Ok(())
}

impl Client

pub fn create_aws_kms_multi_keyring( &self, ) -> CreateAwsKmsMultiKeyringFluentBuilder

Constructs a fluent builder for the CreateAwsKmsMultiKeyring operation.

• The fluent builder is configurable:
  • client_supplier(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::client_supplier::ClientSupplierRef>>) / set_client_supplier(Option<crate::deps::aws_cryptography_materialProviders::types::client_supplier::ClientSupplierRef>): (undocumented)
    
  • generator(impl Into<Option<::std::string::String>>) / set_generator(Option<::std::string::String>): (undocumented)
    
  • grant_tokens(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_grant_tokens(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
  • kms_key_ids(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_kms_key_ids(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
• On success, responds with CreateKeyringOutput with field(s):
  • keyring(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
• On failure, responds with SdkError<CreateAwsKmsMultiKeyringError>

Examples found in repository

examples/keyring/aws_kms_multi_keyring_example.rs (line 90)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    default_region_kms_key_id: &str,
    second_region_kms_key_id: &str,
    default_region: String,
    second_region: String,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 3. Create an AwsKmsMultiKeyring that protects your data under two different KMS Keys.
    // Either KMS Key individually is capable of decrypting data encrypted under this Multi Keyring.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let kms_multi_keyring = mpl
        .create_aws_kms_multi_keyring()
        .generator(default_region_kms_key_id)
        .kms_key_ids(vec![second_region_kms_key_id.to_string()])
        .send()
        .await?;

    // 4. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(kms_multi_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 5. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 6a. Decrypt your encrypted data using the same multi_keyring you used on encrypt.
    let decryption_response_multi_keyring = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .keyring(kms_multi_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext_multi_keyring = decryption_response_multi_keyring
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 6b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_multi_keyring,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // Because you used a multi_keyring on Encrypt, you can use either of the two
    // kms keyrings individually to decrypt the data.

    // 7. Demonstrate that you can successfully decrypt data using a KMS keyring with just the
    // `default_region_kms_key_id` directly.
    // (This is an example for demonstration; you do not need to do this in your own code.)

    // 7a. Create a client for KMS for the default region.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let default_region_kms_config = aws_sdk_kms::config::Builder::from(&sdk_config)
        .region(Region::new(default_region))
        .build();
    let default_region_kms_client = aws_sdk_kms::Client::from_conf(default_region_kms_config);

    // 7b. Create KMS keyring
    let default_region_kms_keyring = mpl
        .create_aws_kms_keyring()
        .kms_key_id(default_region_kms_key_id)
        .kms_client(default_region_kms_client)
        .send()
        .await?;

    // 7c. Decrypt your encrypted data using the default_region_kms_keyring.
    let decryption_response_default_region_kms_keyring = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .keyring(default_region_kms_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext_default_region_kms_keyring =
        decryption_response_default_region_kms_keyring
            .plaintext
            .expect("Unable to unwrap plaintext from decryption response");

    // 7d. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_default_region_kms_keyring,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // 8. Demonstrate that you can also successfully decrypt data using a KMS keyring with just the
    // `second_region_kms_key_id` directly.
    // (This is an example for demonstration; you do not need to do this in your own code.)

    // 8a. Create a client for KMS for the second region.
    let second_region_kms_config = aws_sdk_kms::config::Builder::from(&sdk_config)
        .region(Region::new(second_region))
        .build();
    let second_region_kms_client = aws_sdk_kms::Client::from_conf(second_region_kms_config);

    // 8b. Create KMS keyring
    let second_region_kms_keyring = mpl
        .create_aws_kms_keyring()
        .kms_key_id(second_region_kms_key_id)
        .kms_client(second_region_kms_client)
        .send()
        .await?;

    // 8c. Decrypt your encrypted data using the second_region_kms_keyring.
    let decryption_response_second_region_kms_keyring = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(second_region_kms_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext_second_region_kms_keyring =
        decryption_response_second_region_kms_keyring
            .plaintext
            .expect("Unable to unwrap plaintext from decryption response");

    // 8d. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_second_region_kms_keyring,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("KMS Multi Keyring Example Completed Successfully");

    Ok(())
}

impl Client

pub fn create_aws_kms_discovery_multi_keyring( &self, ) -> CreateAwsKmsDiscoveryMultiKeyringFluentBuilder

Constructs a fluent builder for the CreateAwsKmsDiscoveryMultiKeyring operation.

• The fluent builder is configurable:
  • client_supplier(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::client_supplier::ClientSupplierRef>>) / set_client_supplier(Option<crate::deps::aws_cryptography_materialProviders::types::client_supplier::ClientSupplierRef>): (undocumented)
    
  • discovery_filter(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::DiscoveryFilter>>) / set_discovery_filter(Option<crate::deps::aws_cryptography_materialProviders::types::DiscoveryFilter>): (undocumented)
    
  • grant_tokens(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_grant_tokens(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
  • regions(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_regions(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
• On success, responds with CreateKeyringOutput with field(s):
  • keyring(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
• On failure, responds with SdkError<CreateAwsKmsDiscoveryMultiKeyringError>

Examples found in repository

examples/keyring/aws_kms_discovery_multi_keyring_example.rs (line 129)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    kms_key_id: &str,
    aws_account_id: &str,
    aws_regions: Vec<String>,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Create the keyring that determines how your data keys are protected.
    //    Although this example highlights Discovery keyrings, Discovery keyrings cannot
    //    be used to encrypt, so for encryption we create a KMS keyring without discovery mode.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let encrypt_kms_keyring = mpl
        .create_aws_kms_keyring()
        .kms_key_id(kms_key_id)
        .kms_client(kms_client.clone())
        .send()
        .await?;

    // 5. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(encrypt_kms_keyring)
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 6. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 7. Now create a Discovery Multi keyring to use for decryption. We'll add a discovery filter
    //    so that we limit the set of ciphertexts we are willing to decrypt to only ones
    //    created by KMS keys in our account and partition.
    let discovery_filter = DiscoveryFilter::builder()
        .account_ids(vec![aws_account_id.to_string()])
        .partition("aws".to_string())
        .build()?;

    // This is a Multi Keyring composed of Discovery Keyrings.
    // There is a keyring for every region in `regions`.
    // All the keyrings have the same Discovery Filter.
    // Each keyring has its own KMS Client, which is created for the keyring's region.
    let discovery_multi_keyring = mpl
        .create_aws_kms_discovery_multi_keyring()
        .regions(aws_regions)
        .discovery_filter(discovery_filter)
        .send()
        .await?;

    // 8. On Decrypt, the header of the encrypted message (ciphertext) will be parsed.
    // The header contains the Encrypted Data Keys (EDKs), which, if the EDK
    // was encrypted by a KMS Keyring, includes the KMS Key ARN.
    // For each member of the Multi Keyring, every EDK will try to be decrypted until a decryption
    // is successful.
    // Since every member of the Multi Keyring is a Discovery Keyring:
    //   Each Keyring will filter the EDKs by the Discovery Filter
    //       For the filtered EDKs, the keyring will try to decrypt it with the keyring's client.
    // All of this is done serially, until a success occurs or all keyrings have
    // failed all (filtered) EDKs.
    // KMS Discovery Keyrings will attempt to decrypt Multi Region Keys (MRKs) and regular KMS Keys.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(discovery_multi_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 9. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("KMS Discovery Multi Keyring Example Completed Successfully");

    Ok(())
}

impl Client

pub fn create_aws_kms_mrk_keyring(&self) -> CreateAwsKmsMrkKeyringFluentBuilder

Constructs a fluent builder for the CreateAwsKmsMrkKeyring operation.

• The fluent builder is configurable:
  • grant_tokens(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_grant_tokens(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
  • kms_client(impl Into<Option<crate::deps::com_amazonaws_kms::client::Client>>) / set_kms_client(Option<crate::deps::com_amazonaws_kms::client::Client>): (undocumented)
    
  • kms_key_id(impl Into<Option<::std::string::String>>) / set_kms_key_id(Option<::std::string::String>): (undocumented)
    
• On success, responds with CreateKeyringOutput with field(s):
  • keyring(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
• On failure, responds with SdkError<CreateAwsKmsMrkKeyringError>

Examples found in repository

examples/keyring/aws_kms_mrk_keyring_example.rs (line 81)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    mrk_key_id_encrypt: &str,
    mrk_replica_key_id_decrypt: &str,
    mrk_encrypt_region: String,
    mrk_replica_decrypt_region: String,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 3. Create a keyring that will encrypt your data, using a KMS MRK in the first region.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    // Create a KMS client in the first region
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let encrypt_kms_config = aws_sdk_kms::config::Builder::from(&sdk_config)
        .region(Region::new(mrk_encrypt_region))
        .build();
    let encrypt_kms_client = aws_sdk_kms::Client::from_conf(encrypt_kms_config);

    // Create the keyring that determines how your data keys are protected.
    let encrypt_kms_keyring = mpl
        .create_aws_kms_mrk_keyring()
        .kms_key_id(mrk_key_id_encrypt)
        .kms_client(encrypt_kms_client)
        .send()
        .await?;

    // 4. Encrypt the data with the encryption_context using the encrypt_keyring.
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(encrypt_kms_keyring)
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 5. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 6. Create a keyring that will decrypt your data, using the same KMS MRK replicated
    // to the second region. This example assumes you have already replicated your key

    // Create a KMS Client in the second region.
    let decrypt_kms_config = aws_sdk_kms::config::Builder::from(&sdk_config)
        .region(Region::new(mrk_replica_decrypt_region))
        .build();
    let decrypt_kms_client = aws_sdk_kms::Client::from_conf(decrypt_kms_config);

    let decrypt_kms_keyring = mpl
        .create_aws_kms_mrk_keyring()
        .kms_key_id(mrk_replica_key_id_decrypt)
        .kms_client(decrypt_kms_client)
        .send()
        .await?;

    // 7. Decrypt your encrypted data using the decrypt keyring.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(decrypt_kms_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("KMS MRK Keyring Example Completed Successfully");

    Ok(())
}

examples/keyring/aws_kms_mrk_discovery_keyring_example.rs (line 97)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    mrk_key_id_encrypt: &str,
    aws_account_id: &str,
    mrk_encrypt_region: String,
    mrk_replica_decrypt_region: String,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 3. Create the keyring that determines how your data keys are protected.
    // Although this example highlights Discovery keyrings, Discovery keyrings cannot
    // be used to encrypt, so for encryption we create an MRK keyring without discovery mode.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    // Create a KMS client in the first region
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let encrypt_kms_config = aws_sdk_kms::config::Builder::from(&sdk_config)
        .region(Region::new(mrk_encrypt_region))
        .build();
    let encrypt_kms_client = aws_sdk_kms::Client::from_conf(encrypt_kms_config);

    // Create a keyring that will encrypt your data, using a KMS MRK in the first region.
    let encrypt_kms_keyring = mpl
        .create_aws_kms_mrk_keyring()
        .kms_key_id(mrk_key_id_encrypt)
        .kms_client(encrypt_kms_client)
        .send()
        .await?;

    // 4. Encrypt the data with the encryption_context using the encrypt_keyring.
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(encrypt_kms_keyring)
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 5. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 6. Now create a Discovery keyring to use for decryption.
    // In order to illustrate the MRK behavior of this keyring, we configure
    // the keyring to use the second KMS region where the MRK (mrk_key_id_encrypt) is replicated to.
    // This example assumes you have already replicated your key, but since we
    // are using a discovery keyring, we don't need to provide the mrk replica key id

    // Create a KMS Client in the second region.
    let decrypt_kms_config = aws_sdk_kms::config::Builder::from(&sdk_config)
        .region(Region::new(mrk_replica_decrypt_region.clone()))
        .build();
    let decrypt_kms_client = aws_sdk_kms::Client::from_conf(decrypt_kms_config);

    let discovery_filter = DiscoveryFilter::builder()
        .account_ids(vec![aws_account_id.to_string()])
        .partition("aws".to_string())
        .build()?;

    let discovery_keyring = mpl
        .create_aws_kms_mrk_discovery_keyring()
        .kms_client(decrypt_kms_client)
        .region(mrk_replica_decrypt_region)
        .discovery_filter(discovery_filter)
        .send()
        .await?;

    // 7. Decrypt your encrypted data using the discovery keyring.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(discovery_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("KMS MRK Discovery Keyring Example Completed Successfully");

    Ok(())
}

examples/keyring/aws_kms_mrk_discovery_multi_keyring_example.rs (line 99)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    mrk_key_id_encrypt: &str,
    mrk_encrypt_region: String,
    aws_account_id: &str,
    aws_regions: Vec<String>,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 3. Create the keyring that determines how your data keys are protected.
    // Although this example highlights Discovery keyrings, Discovery keyrings cannot
    // be used to encrypt, so for encryption we create an MRK keyring without discovery mode.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    // Create a KMS client in the first region
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let encrypt_kms_config = aws_sdk_kms::config::Builder::from(&sdk_config)
        .region(Region::new(mrk_encrypt_region))
        .build();
    let encrypt_kms_client = aws_sdk_kms::Client::from_conf(encrypt_kms_config);

    // Create a keyring that will encrypt your data, using a KMS MRK in the first region.
    let encrypt_kms_keyring = mpl
        .create_aws_kms_mrk_keyring()
        .kms_key_id(mrk_key_id_encrypt)
        .kms_client(encrypt_kms_client)
        .send()
        .await?;

    // 4. Encrypt the data with the encryption_context using the encrypt_keyring.
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(encrypt_kms_keyring)
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 5. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 6. Now create a MRK Discovery Multi Keyring to use for decryption.
    // We'll add a discovery filter to limit the set of encrypted data keys
    // we are willing to decrypt to only ones created by KMS keys in select
    // accounts and the partition `aws`.
    // MRK Discovery keyrings also filter encrypted data keys by the region
    // the keyring is created with.
    let discovery_filter = DiscoveryFilter::builder()
        .account_ids(vec![aws_account_id.to_string()])
        .partition("aws".to_string())
        .build()?;

    // This is a Multi Keyring composed of Discovery Keyrings.
    // There is a keyring for every region in `regions`.
    // All the keyrings have the same Discovery Filter.
    // Each keyring has its own KMS Client, which is created for the keyring's region.
    let discovery_multi_keyring = mpl
        .create_aws_kms_mrk_discovery_multi_keyring()
        .regions(aws_regions)
        .discovery_filter(discovery_filter)
        .send()
        .await?;

    // 7. Decrypt your encrypted data using the discovery multi keyring.
    // On Decrypt, the header of the encrypted message (ciphertext) will be parsed.
    // The header contains the Encrypted Data Keys (EDKs), which, if the EDK
    // was encrypted by a KMS Keyring, includes the KMS Key ARN.
    // For each member of the Multi Keyring, every EDK will try to be decrypted until a decryption
    // is successful.
    // Since every member of the Multi Keyring is a Discovery Keyring:
    //   Each Keyring will filter the EDKs by the Discovery Filter and the Keyring's region.
    //      For each filtered EDK, the keyring will attempt decryption with the keyring's client.
    // All of this is done serially, until a success occurs or all keyrings have failed
    // all (filtered) EDKs. KMS MRK Discovery Keyrings will attempt to decrypt
    // Multi Region Keys (MRKs) and regular KMS Keys.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(discovery_multi_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("KMS MRK Discovery Multi Keyring Example Completed Successfully");

    Ok(())
}

examples/keyring/aws_kms_mrk_multi_keyring_example.rs (line 148)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    mrk_key_id: &str,
    kms_key_id: &str,
    mrk_replica_key_id: &str,
    mrk_replica_decrypt_region: String,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 3. Create an AwsKmsMrkMultiKeyring that protects your data under two different KMS Keys.
    // The Keys can either be regular KMS keys or MRKs.
    // Either KMS Key individually is capable of decrypting data encrypted under this keyring.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let kms_mrk_multi_keyring = mpl
        .create_aws_kms_mrk_multi_keyring()
        .generator(mrk_key_id)
        .kms_key_ids(vec![kms_key_id.to_string()])
        .send()
        .await?;

    // 4. Encrypt the data with the encryption_context using the kms_mrk_multi_keyring.
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(kms_mrk_multi_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 5. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 6. Decrypt your encrypted data using the same AwsKmsMrkMultiKeyring you used on encrypt.
    // It will decrypt the data using the generator key (in this case, the MRK), since that is
    // the first available KMS key on the keyring that is capable of decrypting the data.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .keyring(kms_mrk_multi_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 7. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // Demonstrate that a single AwsKmsMrkKeyring configured with a replica of the MRK from the
    // multi-keyring used to encrypt the data is also capable of decrypting the data.
    // (This is an example for demonstration; you do not need to do this in your own code.)

    // 8. Create a single AwsKmsMrkKeyring with the replica KMS MRK from the second region.

    // Create a client for KMS in the second region which is the region for mrk_replica_key_id.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let second_region_kms_config = aws_sdk_kms::config::Builder::from(&sdk_config)
        .region(Region::new(mrk_replica_decrypt_region))
        .build();
    let second_region_kms_client = aws_sdk_kms::Client::from_conf(second_region_kms_config);

    let second_region_mrk_keyring = mpl
        .create_aws_kms_mrk_keyring()
        .kms_key_id(mrk_replica_key_id)
        .kms_client(second_region_kms_client)
        .send()
        .await?;

    // 9. Decrypt your encrypted data using the second region AwsKmsMrkKeyring
    let second_region_decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(second_region_mrk_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let second_region_decrypted_plaintext = second_region_decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 10. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        second_region_decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // Not shown in this example: A KMS Keyring created with `kms_key_id` could also
    // decrypt this message.

    println!("KMS MRK Multi Keyring Example Completed Successfully");

    Ok(())
}

impl Client

pub fn create_aws_kms_mrk_multi_keyring( &self, ) -> CreateAwsKmsMrkMultiKeyringFluentBuilder

Constructs a fluent builder for the CreateAwsKmsMrkMultiKeyring operation.

• The fluent builder is configurable:
  • client_supplier(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::client_supplier::ClientSupplierRef>>) / set_client_supplier(Option<crate::deps::aws_cryptography_materialProviders::types::client_supplier::ClientSupplierRef>): (undocumented)
    
  • generator(impl Into<Option<::std::string::String>>) / set_generator(Option<::std::string::String>): (undocumented)
    
  • grant_tokens(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_grant_tokens(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
  • kms_key_ids(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_kms_key_ids(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
• On success, responds with CreateKeyringOutput with field(s):
  • keyring(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
• On failure, responds with SdkError<CreateAwsKmsMrkMultiKeyringError>

Examples found in repository

examples/keyring/aws_kms_mrk_multi_keyring_example.rs (line 81)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    mrk_key_id: &str,
    kms_key_id: &str,
    mrk_replica_key_id: &str,
    mrk_replica_decrypt_region: String,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 3. Create an AwsKmsMrkMultiKeyring that protects your data under two different KMS Keys.
    // The Keys can either be regular KMS keys or MRKs.
    // Either KMS Key individually is capable of decrypting data encrypted under this keyring.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let kms_mrk_multi_keyring = mpl
        .create_aws_kms_mrk_multi_keyring()
        .generator(mrk_key_id)
        .kms_key_ids(vec![kms_key_id.to_string()])
        .send()
        .await?;

    // 4. Encrypt the data with the encryption_context using the kms_mrk_multi_keyring.
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(kms_mrk_multi_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 5. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 6. Decrypt your encrypted data using the same AwsKmsMrkMultiKeyring you used on encrypt.
    // It will decrypt the data using the generator key (in this case, the MRK), since that is
    // the first available KMS key on the keyring that is capable of decrypting the data.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .keyring(kms_mrk_multi_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 7. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // Demonstrate that a single AwsKmsMrkKeyring configured with a replica of the MRK from the
    // multi-keyring used to encrypt the data is also capable of decrypting the data.
    // (This is an example for demonstration; you do not need to do this in your own code.)

    // 8. Create a single AwsKmsMrkKeyring with the replica KMS MRK from the second region.

    // Create a client for KMS in the second region which is the region for mrk_replica_key_id.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let second_region_kms_config = aws_sdk_kms::config::Builder::from(&sdk_config)
        .region(Region::new(mrk_replica_decrypt_region))
        .build();
    let second_region_kms_client = aws_sdk_kms::Client::from_conf(second_region_kms_config);

    let second_region_mrk_keyring = mpl
        .create_aws_kms_mrk_keyring()
        .kms_key_id(mrk_replica_key_id)
        .kms_client(second_region_kms_client)
        .send()
        .await?;

    // 9. Decrypt your encrypted data using the second region AwsKmsMrkKeyring
    let second_region_decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(second_region_mrk_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let second_region_decrypted_plaintext = second_region_decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 10. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        second_region_decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // Not shown in this example: A KMS Keyring created with `kms_key_id` could also
    // decrypt this message.

    println!("KMS MRK Multi Keyring Example Completed Successfully");

    Ok(())
}

examples/client_supplier/client_supplier_example.rs (line 74)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    mrk_key_id_encrypt: &str,
    aws_account_id: &str,
    aws_regions: Vec<String>,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 3. Create a single MRK multi-keyring.
    //    This can be either a single-region KMS key or an MRK.
    //    For this example to succeed, the key's region must either
    //    1) be in the regions list, or
    //    2) the key must be an MRK with a replica defined
    //    in a region in the regions list, and the client
    //    must have the correct permissions to access the replica.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    // Create the multi-keyring using our custom client supplier
    // defined in the RegionalRoleClientSupplier class in this directory.
    // Note: RegionalRoleClientSupplier will internally use the key_arn's region
    // to retrieve the correct IAM role.
    let mrk_keyring_with_client_supplier = mpl
        .create_aws_kms_mrk_multi_keyring()
        .client_supplier(RegionalRoleClientSupplier {})
        .generator(mrk_key_id_encrypt)
        .send()
        .await?;

    // 4. Encrypt the data with the encryption_context using the encrypt_keyring.
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(mrk_keyring_with_client_supplier)
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 5. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 6. Create a MRK discovery multi-keyring with a custom client supplier.
    //    A discovery MRK multi-keyring will be composed of
    //    multiple discovery MRK keyrings, one for each region.
    //    Each component keyring has its own KMS client in a particular region.
    //    When we provide a client supplier to the multi-keyring, all component
    //    keyrings will use that client supplier configuration.
    //    In our tests, we make `mrk_key_id_encrypt` an MRK with a replica, and
    //    provide only the replica region in our discovery filter.
    let discovery_filter = DiscoveryFilter::builder()
        .account_ids(vec![aws_account_id.to_string()])
        .partition("aws".to_string())
        .build()?;

    let mrk_discovery_client_supplier_keyring = mpl
        .create_aws_kms_mrk_discovery_multi_keyring()
        .client_supplier(RegionalRoleClientSupplier {})
        .discovery_filter(discovery_filter.clone())
        .regions(aws_regions)
        .send()
        .await?;

    // 7. Decrypt your encrypted data using the discovery multi keyring.
    // On Decrypt, the header of the encrypted message (ciphertext) will be parsed.
    // The header contains the Encrypted Data Keys (EDKs), which, if the EDK
    // was encrypted by a KMS Keyring, includes the KMS Key ARN.
    // For each member of the Multi Keyring, every EDK will try to be decrypted until a decryption
    // is successful.
    // Since every member of the Multi Keyring is a Discovery Keyring:
    //   Each Keyring will filter the EDKs by the Discovery Filter and the Keyring's region.
    //      For each filtered EDK, the keyring will attempt decryption with the keyring's client.
    // All of this is done serially, until a success occurs or all keyrings have failed
    // all (filtered) EDKs. KMS MRK Discovery Keyrings will attempt to decrypt
    // Multi Region Keys (MRKs) and regular KMS Keys.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(mrk_discovery_client_supplier_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // 9. Test the Missing Region Exception
    // (This is an example for demonstration; you do not need to do this in your own code.)
    let mrk_discovery_client_supplier_keyring_missing_region = mpl
        .create_aws_kms_mrk_discovery_multi_keyring()
        .client_supplier(RegionalRoleClientSupplier {})
        .discovery_filter(discovery_filter)
        .regions(vec!["fake-region".to_string()])
        .send()
        .await;

    // Swallow the exception
    // (This is an example for demonstration; you do not need to do this in your own code.)
    match mrk_discovery_client_supplier_keyring_missing_region {
        Ok(_) => panic!(
            "Decryption using discovery keyring with missing region MUST \
                            raise AwsCryptographicMaterialProvidersException"
        ),
        Err(AwsCryptographicMaterialProvidersException { message: _e }) => (),
        _ => panic!("Unexpected error type"),
    }

    println!("Client Supplier Example Completed Successfully");

    Ok(())
}

impl Client

pub fn create_aws_kms_mrk_discovery_keyring( &self, ) -> CreateAwsKmsMrkDiscoveryKeyringFluentBuilder

Constructs a fluent builder for the CreateAwsKmsMrkDiscoveryKeyring operation.

• The fluent builder is configurable:
  • discovery_filter(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::DiscoveryFilter>>) / set_discovery_filter(Option<crate::deps::aws_cryptography_materialProviders::types::DiscoveryFilter>): (undocumented)
    
  • grant_tokens(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_grant_tokens(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
  • kms_client(impl Into<Option<crate::deps::com_amazonaws_kms::client::Client>>) / set_kms_client(Option<crate::deps::com_amazonaws_kms::client::Client>): (undocumented)
    
  • region(impl Into<Option<::std::string::String>>) / set_region(Option<::std::string::String>): (undocumented)
    
• On success, responds with CreateKeyringOutput with field(s):
  • keyring(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
• On failure, responds with SdkError<CreateAwsKmsMrkDiscoveryKeyringError>

Examples found in repository

examples/keyring/aws_kms_mrk_discovery_keyring_example.rs (line 144)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    mrk_key_id_encrypt: &str,
    aws_account_id: &str,
    mrk_encrypt_region: String,
    mrk_replica_decrypt_region: String,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 3. Create the keyring that determines how your data keys are protected.
    // Although this example highlights Discovery keyrings, Discovery keyrings cannot
    // be used to encrypt, so for encryption we create an MRK keyring without discovery mode.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    // Create a KMS client in the first region
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let encrypt_kms_config = aws_sdk_kms::config::Builder::from(&sdk_config)
        .region(Region::new(mrk_encrypt_region))
        .build();
    let encrypt_kms_client = aws_sdk_kms::Client::from_conf(encrypt_kms_config);

    // Create a keyring that will encrypt your data, using a KMS MRK in the first region.
    let encrypt_kms_keyring = mpl
        .create_aws_kms_mrk_keyring()
        .kms_key_id(mrk_key_id_encrypt)
        .kms_client(encrypt_kms_client)
        .send()
        .await?;

    // 4. Encrypt the data with the encryption_context using the encrypt_keyring.
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(encrypt_kms_keyring)
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 5. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 6. Now create a Discovery keyring to use for decryption.
    // In order to illustrate the MRK behavior of this keyring, we configure
    // the keyring to use the second KMS region where the MRK (mrk_key_id_encrypt) is replicated to.
    // This example assumes you have already replicated your key, but since we
    // are using a discovery keyring, we don't need to provide the mrk replica key id

    // Create a KMS Client in the second region.
    let decrypt_kms_config = aws_sdk_kms::config::Builder::from(&sdk_config)
        .region(Region::new(mrk_replica_decrypt_region.clone()))
        .build();
    let decrypt_kms_client = aws_sdk_kms::Client::from_conf(decrypt_kms_config);

    let discovery_filter = DiscoveryFilter::builder()
        .account_ids(vec![aws_account_id.to_string()])
        .partition("aws".to_string())
        .build()?;

    let discovery_keyring = mpl
        .create_aws_kms_mrk_discovery_keyring()
        .kms_client(decrypt_kms_client)
        .region(mrk_replica_decrypt_region)
        .discovery_filter(discovery_filter)
        .send()
        .await?;

    // 7. Decrypt your encrypted data using the discovery keyring.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(discovery_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("KMS MRK Discovery Keyring Example Completed Successfully");

    Ok(())
}

impl Client

pub fn create_aws_kms_mrk_discovery_multi_keyring( &self, ) -> CreateAwsKmsMrkDiscoveryMultiKeyringFluentBuilder

Constructs a fluent builder for the CreateAwsKmsMrkDiscoveryMultiKeyring operation.

• The fluent builder is configurable:
  • client_supplier(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::client_supplier::ClientSupplierRef>>) / set_client_supplier(Option<crate::deps::aws_cryptography_materialProviders::types::client_supplier::ClientSupplierRef>): (undocumented)
    
  • discovery_filter(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::DiscoveryFilter>>) / set_discovery_filter(Option<crate::deps::aws_cryptography_materialProviders::types::DiscoveryFilter>): (undocumented)
    
  • grant_tokens(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_grant_tokens(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
  • regions(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_regions(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
• On success, responds with CreateKeyringOutput with field(s):
  • keyring(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
• On failure, responds with SdkError<CreateAwsKmsMrkDiscoveryMultiKeyringError>

Examples found in repository

examples/keyring/aws_kms_mrk_discovery_multi_keyring_example.rs (line 144)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    mrk_key_id_encrypt: &str,
    mrk_encrypt_region: String,
    aws_account_id: &str,
    aws_regions: Vec<String>,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 3. Create the keyring that determines how your data keys are protected.
    // Although this example highlights Discovery keyrings, Discovery keyrings cannot
    // be used to encrypt, so for encryption we create an MRK keyring without discovery mode.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    // Create a KMS client in the first region
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let encrypt_kms_config = aws_sdk_kms::config::Builder::from(&sdk_config)
        .region(Region::new(mrk_encrypt_region))
        .build();
    let encrypt_kms_client = aws_sdk_kms::Client::from_conf(encrypt_kms_config);

    // Create a keyring that will encrypt your data, using a KMS MRK in the first region.
    let encrypt_kms_keyring = mpl
        .create_aws_kms_mrk_keyring()
        .kms_key_id(mrk_key_id_encrypt)
        .kms_client(encrypt_kms_client)
        .send()
        .await?;

    // 4. Encrypt the data with the encryption_context using the encrypt_keyring.
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(encrypt_kms_keyring)
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 5. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 6. Now create a MRK Discovery Multi Keyring to use for decryption.
    // We'll add a discovery filter to limit the set of encrypted data keys
    // we are willing to decrypt to only ones created by KMS keys in select
    // accounts and the partition `aws`.
    // MRK Discovery keyrings also filter encrypted data keys by the region
    // the keyring is created with.
    let discovery_filter = DiscoveryFilter::builder()
        .account_ids(vec![aws_account_id.to_string()])
        .partition("aws".to_string())
        .build()?;

    // This is a Multi Keyring composed of Discovery Keyrings.
    // There is a keyring for every region in `regions`.
    // All the keyrings have the same Discovery Filter.
    // Each keyring has its own KMS Client, which is created for the keyring's region.
    let discovery_multi_keyring = mpl
        .create_aws_kms_mrk_discovery_multi_keyring()
        .regions(aws_regions)
        .discovery_filter(discovery_filter)
        .send()
        .await?;

    // 7. Decrypt your encrypted data using the discovery multi keyring.
    // On Decrypt, the header of the encrypted message (ciphertext) will be parsed.
    // The header contains the Encrypted Data Keys (EDKs), which, if the EDK
    // was encrypted by a KMS Keyring, includes the KMS Key ARN.
    // For each member of the Multi Keyring, every EDK will try to be decrypted until a decryption
    // is successful.
    // Since every member of the Multi Keyring is a Discovery Keyring:
    //   Each Keyring will filter the EDKs by the Discovery Filter and the Keyring's region.
    //      For each filtered EDK, the keyring will attempt decryption with the keyring's client.
    // All of this is done serially, until a success occurs or all keyrings have failed
    // all (filtered) EDKs. KMS MRK Discovery Keyrings will attempt to decrypt
    // Multi Region Keys (MRKs) and regular KMS Keys.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(discovery_multi_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("KMS MRK Discovery Multi Keyring Example Completed Successfully");

    Ok(())
}

examples/client_supplier/client_supplier_example.rs (line 117)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    mrk_key_id_encrypt: &str,
    aws_account_id: &str,
    aws_regions: Vec<String>,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 3. Create a single MRK multi-keyring.
    //    This can be either a single-region KMS key or an MRK.
    //    For this example to succeed, the key's region must either
    //    1) be in the regions list, or
    //    2) the key must be an MRK with a replica defined
    //    in a region in the regions list, and the client
    //    must have the correct permissions to access the replica.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    // Create the multi-keyring using our custom client supplier
    // defined in the RegionalRoleClientSupplier class in this directory.
    // Note: RegionalRoleClientSupplier will internally use the key_arn's region
    // to retrieve the correct IAM role.
    let mrk_keyring_with_client_supplier = mpl
        .create_aws_kms_mrk_multi_keyring()
        .client_supplier(RegionalRoleClientSupplier {})
        .generator(mrk_key_id_encrypt)
        .send()
        .await?;

    // 4. Encrypt the data with the encryption_context using the encrypt_keyring.
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(mrk_keyring_with_client_supplier)
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 5. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 6. Create a MRK discovery multi-keyring with a custom client supplier.
    //    A discovery MRK multi-keyring will be composed of
    //    multiple discovery MRK keyrings, one for each region.
    //    Each component keyring has its own KMS client in a particular region.
    //    When we provide a client supplier to the multi-keyring, all component
    //    keyrings will use that client supplier configuration.
    //    In our tests, we make `mrk_key_id_encrypt` an MRK with a replica, and
    //    provide only the replica region in our discovery filter.
    let discovery_filter = DiscoveryFilter::builder()
        .account_ids(vec![aws_account_id.to_string()])
        .partition("aws".to_string())
        .build()?;

    let mrk_discovery_client_supplier_keyring = mpl
        .create_aws_kms_mrk_discovery_multi_keyring()
        .client_supplier(RegionalRoleClientSupplier {})
        .discovery_filter(discovery_filter.clone())
        .regions(aws_regions)
        .send()
        .await?;

    // 7. Decrypt your encrypted data using the discovery multi keyring.
    // On Decrypt, the header of the encrypted message (ciphertext) will be parsed.
    // The header contains the Encrypted Data Keys (EDKs), which, if the EDK
    // was encrypted by a KMS Keyring, includes the KMS Key ARN.
    // For each member of the Multi Keyring, every EDK will try to be decrypted until a decryption
    // is successful.
    // Since every member of the Multi Keyring is a Discovery Keyring:
    //   Each Keyring will filter the EDKs by the Discovery Filter and the Keyring's region.
    //      For each filtered EDK, the keyring will attempt decryption with the keyring's client.
    // All of this is done serially, until a success occurs or all keyrings have failed
    // all (filtered) EDKs. KMS MRK Discovery Keyrings will attempt to decrypt
    // Multi Region Keys (MRKs) and regular KMS Keys.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(mrk_discovery_client_supplier_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // 9. Test the Missing Region Exception
    // (This is an example for demonstration; you do not need to do this in your own code.)
    let mrk_discovery_client_supplier_keyring_missing_region = mpl
        .create_aws_kms_mrk_discovery_multi_keyring()
        .client_supplier(RegionalRoleClientSupplier {})
        .discovery_filter(discovery_filter)
        .regions(vec!["fake-region".to_string()])
        .send()
        .await;

    // Swallow the exception
    // (This is an example for demonstration; you do not need to do this in your own code.)
    match mrk_discovery_client_supplier_keyring_missing_region {
        Ok(_) => panic!(
            "Decryption using discovery keyring with missing region MUST \
                            raise AwsCryptographicMaterialProvidersException"
        ),
        Err(AwsCryptographicMaterialProvidersException { message: _e }) => (),
        _ => panic!("Unexpected error type"),
    }

    println!("Client Supplier Example Completed Successfully");

    Ok(())
}

impl Client

pub fn create_aws_kms_hierarchical_keyring( &self, ) -> CreateAwsKmsHierarchicalKeyringFluentBuilder

Constructs a fluent builder for the CreateAwsKmsHierarchicalKeyring operation.

• The fluent builder is configurable:
  • branch_key_id(impl Into<Option<::std::string::String>>) / set_branch_key_id(Option<::std::string::String>): (undocumented)
    
  • branch_key_id_supplier(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::branch_key_id_supplier::BranchKeyIdSupplierRef>>) / set_branch_key_id_supplier(Option<crate::deps::aws_cryptography_materialProviders::types::branch_key_id_supplier::BranchKeyIdSupplierRef>): (undocumented)
    
  • cache(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::CacheType>>) / set_cache(Option<crate::deps::aws_cryptography_materialProviders::types::CacheType>): (undocumented)
    
  • key_store(impl Into<Option<crate::deps::aws_cryptography_keyStore::client::Client>>) / set_key_store(Option<crate::deps::aws_cryptography_keyStore::client::Client>): (undocumented)
    
  • partition_id(impl Into<Option<::std::string::String>>) / set_partition_id(Option<::std::string::String>): (undocumented)
    
  • ttl_seconds(impl Into<Option<::std::primitive::i64>>) / set_ttl_seconds(Option<::std::primitive::i64>): (undocumented)
    
• On success, responds with CreateKeyringOutput with field(s):
  • keyring(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
• On failure, responds with SdkError<CreateAwsKmsHierarchicalKeyringError>

Examples found in repository

examples/keyring/aws_kms_hierarchical/aws_kms_hierarchical_keyring_example.rs (line 109)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    key_store_table_name: &str,
    logical_key_store_name: &str,
    key_store_kms_key_id: &str,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client and DynamoDB client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);
    let ddb_client = aws_sdk_dynamodb::Client::new(&sdk_config);

    // 3. Configure your KeyStore resource.
    //    This SHOULD be the same configuration that you used
    //    to initially create and populate your KeyStore.
    let key_store_config = KeyStoreConfig::builder()
        .kms_client(kms_client)
        .ddb_client(ddb_client)
        .ddb_table_name(key_store_table_name)
        .logical_key_store_name(logical_key_store_name)
        .kms_configuration(KmsConfiguration::KmsKeyArn(
            key_store_kms_key_id.to_string(),
        ))
        .build()?;

    let key_store = keystore_client::Client::from_conf(key_store_config)?;

    // 4. Call CreateKey to create two new active branch keys
    let branch_key_id_a: String = create_branch_key_id(
        key_store_table_name,
        logical_key_store_name,
        key_store_kms_key_id,
    )
    .await?;
    let branch_key_id_b: String = create_branch_key_id(
        key_store_table_name,
        logical_key_store_name,
        key_store_kms_key_id,
    )
    .await?;

    // 5. Create a branch key supplier that maps the branch key id to a more readable format
    let branch_key_id_supplier =
        ExampleBranchKeyIdSupplier::new(&branch_key_id_a, &branch_key_id_b);

    // 6. Create the Hierarchical Keyring.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let hierarchical_keyring = mpl
        .create_aws_kms_hierarchical_keyring()
        .key_store(key_store.clone())
        .branch_key_id_supplier(branch_key_id_supplier)
        .ttl_seconds(600)
        .send()
        .await?;

    // 7. Create encryption context for both tenants.
    //    The Branch Key Id supplier uses the encryption context to determine which branch key id will
    //    be used to encrypt data.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context

    // Create encryption context for TenantA
    let encryption_context_a = HashMap::from([
        ("tenant".to_string(), "TenantA".to_string()),
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // Create encryption context for TenantB
    let encryption_context_b = HashMap::from([
        ("tenant".to_string(), "TenantB".to_string()),
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 8. Encrypt the data with encryption_contextA & encryption_contextB
    let plaintext = example_data.as_bytes();

    let encryption_response_a = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(hierarchical_keyring.clone())
        .encryption_context(encryption_context_a.clone())
        .send()
        .await?;

    let ciphertext_a = encryption_response_a
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    let encryption_response_b = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(hierarchical_keyring.clone())
        .encryption_context(encryption_context_b.clone())
        .send()
        .await?;

    let ciphertext_b = encryption_response_b
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 9. Demonstrate that the ciphertexts and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext_a,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    assert_ne!(
        ciphertext_b,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 10. To attest that TenantKeyB cannot decrypt a message written by TenantKeyA,
    //    and vice versa, let's construct more restrictive hierarchical keyrings.
    let hierarchical_keyring_a = mpl
        .create_aws_kms_hierarchical_keyring()
        .key_store(key_store.clone())
        .branch_key_id(branch_key_id_a)
        .ttl_seconds(600)
        .send()
        .await?;

    let hierarchical_keyring_b = mpl
        .create_aws_kms_hierarchical_keyring()
        .key_store(key_store)
        .branch_key_id(branch_key_id_b)
        .ttl_seconds(600)
        .send()
        .await?;

    // 11. Demonstrate that data encrypted by one tenant's key
    // cannot be decrypted with by a keyring specific to another tenant.

    // Keyring with tenant B's branch key cannot decrypt data encrypted with tenant A's branch key
    // This will fail and raise a AwsCryptographicMaterialProvidersError,
    // which we swallow ONLY for demonstration purposes.
    let decryption_response_mismatch_1 = esdk_client
        .decrypt()
        .ciphertext(ciphertext_a.clone())
        .keyring(hierarchical_keyring_b.clone())
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context_a.clone())
        .send()
        .await;

    match decryption_response_mismatch_1 {
        Ok(_) => panic!(
            "Decrypt with wrong tenant's hierarchical keyring MUST \
                            raise AwsCryptographicMaterialProvidersError"
        ),
        Err(AwsCryptographicMaterialProvidersError { error: _e }) => (),
        _ => panic!("Unexpected error type"),
    }

    // Keyring with tenant A's branch key cannot decrypt data encrypted with tenant B's branch key.
    // This will fail and raise a AwsCryptographicMaterialProvidersError,
    // which we swallow ONLY for demonstration purposes.
    let decryption_response_mismatch_2 = esdk_client
        .decrypt()
        .ciphertext(ciphertext_b.clone())
        .keyring(hierarchical_keyring_a.clone())
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context_b.clone())
        .send()
        .await;

    match decryption_response_mismatch_2 {
        Ok(_) => panic!(
            "Decrypt with wrong tenant's hierarchical keyring MUST \
                            raise AwsCryptographicMaterialProvidersError"
        ),
        Err(AwsCryptographicMaterialProvidersError { error: _e }) => (),
        _ => panic!("Unexpected error type"),
    }

    // 12. Demonstrate that data encrypted by one tenant's branch key can be decrypted by that tenant,
    //     and that the decrypted data matches the input data.
    let decryption_response_a = esdk_client
        .decrypt()
        .ciphertext(ciphertext_a)
        .keyring(hierarchical_keyring_a)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context_a)
        .send()
        .await?;

    let decrypted_plaintext_a = decryption_response_a
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_a,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // Similarly for TenantB
    let decryption_response_b = esdk_client
        .decrypt()
        .ciphertext(ciphertext_b)
        .keyring(hierarchical_keyring_b)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context_b)
        .send()
        .await?;

    let decrypted_plaintext_b = decryption_response_b
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_b,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("Hierarchical Keyring Example Completed Successfully");

    Ok(())
}

examples/keyring/aws_kms_hierarchical/shared_cache_across_hierarchical_keyrings_example.rs (line 156)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    key_store_table_name: &str,
    logical_key_store_name: &str,
    key_store_kms_key_id: &str,
) -> Result<(), crate::BoxError> {
    // 1a. Create the CryptographicMaterialsCache (CMC) to share across multiple Hierarchical Keyrings
    // using the Material Providers Library
    //    This CMC takes in:
    //     - CacheType
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let cache: CacheType = CacheType::Default(DefaultCache::builder().entry_capacity(100).build()?);

    let shared_cryptographic_materials_cache: CryptographicMaterialsCacheRef = mpl
        .create_cryptographic_materials_cache()
        .cache(cache)
        .send()
        .await?;

    // 1b. Create a CacheType object for the shared_cryptographic_materials_cache
    // Note that the `cache` parameter in the Hierarchical Keyring Input takes a `CacheType` as input
    // Here, we pass a `Shared` CacheType that passes an already initialized shared cache.

    // If you want to use a Shared Cache, you need to initialize it only once, and
    // pass the same cache `shared_cache` to different hierarchical keyrings.

    // CryptographicMaterialsCacheRef is an Rc (Reference Counted), so if you clone it to
    // pass it to different Hierarchical Keyrings, it will still point to the same
    // underlying cache, and increment the reference count accordingly.
    let shared_cache: CacheType = CacheType::Shared(shared_cryptographic_materials_cache);

    // 2. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 3. Configure your Key Store resource key_store1.
    //    This SHOULD be the same configuration that you used
    //    to initially create and populate your physical Key Store.
    // Note that key_store_table_name is the physical Key Store,
    // and key_store1 is instances of this physical Key Store.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let key_store_config = KeyStoreConfig::builder()
        .kms_client(aws_sdk_kms::Client::new(&sdk_config))
        .ddb_client(aws_sdk_dynamodb::Client::new(&sdk_config))
        .ddb_table_name(key_store_table_name)
        .logical_key_store_name(logical_key_store_name)
        .kms_configuration(KmsConfiguration::KmsKeyArn(
            key_store_kms_key_id.to_string(),
        ))
        .build()?;

    let key_store1 = keystore_client::Client::from_conf(key_store_config.clone())?;

    // 4. Call create_branch_key_id to create one new active branch key
    let branch_key_id: String = create_branch_key_id(
        key_store_table_name,
        logical_key_store_name,
        key_store_kms_key_id,
    )
    .await?;

    // 5. Create the Hierarchical Keyring HK1 with Key Store instance K1, partition_id,
    // the shared_cache and the branch_key_id.
    // Note that we are now providing an already initialized shared cache instead of just mentioning
    // the cache type and the Hierarchical Keyring initializing a cache at initialization.

    // partition_id for this example is a random UUID
    let partition_id = "91c1b6a2-6fc3-4539-ad5e-938d597ed730".to_string();

    // Please make sure that you read the guidance on how to set Partition ID, Logical Key Store Name and
    // Branch Key ID at the top of this example before creating Hierarchical Keyrings with a Shared Cache
    let keyring1 = mpl
        .create_aws_kms_hierarchical_keyring()
        .key_store(key_store1)
        .branch_key_id(branch_key_id.clone())
        // CryptographicMaterialsCacheRef is an Rc (Reference Counted), so if you clone it to
        // pass it to different Hierarchical Keyrings, it will still point to the same
        // underlying cache, and increment the reference count accordingly.
        .cache(shared_cache.clone())
        .ttl_seconds(600)
        .partition_id(partition_id.clone())
        .send()
        .await?;

    // 6. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 7. Encrypt the data for encryption_context using keyring1
    let plaintext = example_data.as_bytes();

    let encryption_response1 = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(keyring1.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext1 = encryption_response1
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 8. Demonstrate that the ciphertexts and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext1,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 9. Decrypt your encrypted data using the same keyring HK1 you used on encrypt.
    let decryption_response1 = esdk_client
        .decrypt()
        .ciphertext(ciphertext1)
        .keyring(keyring1)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext1 = decryption_response1
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 10. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext1,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // 11. Through the above encrypt and decrypt roundtrip, the cache will be populated and
    // the cache entries can be used by another Hierarchical Keyring with the
    // - Same Partition ID
    // - Same Logical Key Store Name of the Key Store for the Hierarchical Keyring
    // - Same Branch Key ID

    // Configure your Key Store resource key_store2.
    //    This SHOULD be the same configuration that you used
    //    to initially create and populate your physical Key Store.
    // Note that key_store_table_name is the physical Key Store,
    // and key_store2 is instances of this physical Key Store.

    // Note that for this example, key_store2 is identical to key_store1.
    // You can optionally change configurations like KMS Client or KMS Key ID based
    // on your use-case.
    // Make sure you have the required permissions to use different configurations.

    // - If you want to share cache entries across two keyrings HK1 and HK2,
    //   you should set the Logical Key Store Names for both
    //   Key Store instances (K1 and K2) to be the same.
    // - If you set the Logical Key Store Names for K1 and K2 to be different,
    //   HK1 (which uses Key Store instance K1) and HK2 (which uses Key Store
    //   instance K2) will NOT be able to share cache entries.
    let key_store2 = keystore_client::Client::from_conf(key_store_config.clone())?;

    // 12. Create the Hierarchical Keyring HK2 with Key Store instance K2, the shared_cache
    // and the same partition_id and branch_key_id used in HK1 because we want to share cache entries
    // (and experience cache HITS).

    // Please make sure that you read the guidance on how to set Partition ID, Logical Key Store Name and
    // Branch Key ID at the top of this example before creating Hierarchical Keyrings with a Shared Cache
    let keyring2 = mpl
        .create_aws_kms_hierarchical_keyring()
        .key_store(key_store2)
        .branch_key_id(branch_key_id)
        .cache(shared_cache)
        .ttl_seconds(600)
        .partition_id(partition_id)
        .send()
        .await?;

    // 13. This encrypt-decrypt roundtrip with HK2 will experience Cache HITS from previous HK1 roundtrip
    // Encrypt the data for encryption_context using keyring2
    let encryption_response2 = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(keyring2.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext2 = encryption_response2
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 14. Demonstrate that the ciphertexts and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext2,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 15. Decrypt your encrypted data using the same keyring HK2 you used on encrypt.
    let decryption_response2 = esdk_client
        .decrypt()
        .ciphertext(ciphertext2)
        .keyring(keyring2)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext2 = decryption_response2
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 10. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext2,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("Shared Cache Across Hierarchical Keyrings Example Completed Successfully");

    Ok(())
}

impl Client

pub fn create_aws_kms_rsa_keyring(&self) -> CreateAwsKmsRsaKeyringFluentBuilder

Constructs a fluent builder for the CreateAwsKmsRsaKeyring operation.

• The fluent builder is configurable:
  • encryption_algorithm(impl Into<Option<aws_sdk_kms::types::EncryptionAlgorithmSpec>>) / set_encryption_algorithm(Option<aws_sdk_kms::types::EncryptionAlgorithmSpec>): (undocumented)
    
  • grant_tokens(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_grant_tokens(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
  • kms_client(impl Into<Option<crate::deps::com_amazonaws_kms::client::Client>>) / set_kms_client(Option<crate::deps::com_amazonaws_kms::client::Client>): (undocumented)
    
  • kms_key_id(impl Into<Option<::std::string::String>>) / set_kms_key_id(Option<::std::string::String>): (undocumented)
    
  • public_key(impl Into<Option<::aws_smithy_types::Blob>>) / set_public_key(Option<::aws_smithy_types::Blob>): (undocumented)
    
• On success, responds with CreateKeyringOutput with field(s):
  • keyring(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
• On failure, responds with SdkError<CreateAwsKmsRsaKeyringError>

Examples found in repository

examples/keyring/aws_kms_rsa_keyring_example.rs (line 70)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    kms_rsa_key_id: &str,
    kms_rsa_public_key: &str,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Create a KMS RSA keyring
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    // For more information on the allowed encryption algorithms, please see
    // https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-rsa
    let kms_rsa_keyring = mpl
        .create_aws_kms_rsa_keyring()
        .kms_key_id(kms_rsa_key_id)
        .public_key(aws_smithy_types::Blob::new(kms_rsa_public_key))
        .encryption_algorithm(aws_sdk_kms::types::EncryptionAlgorithmSpec::RsaesOaepSha256)
        .kms_client(kms_client)
        .send()
        .await?;

    // 5. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(kms_rsa_keyring.clone())
        .encryption_context(encryption_context.clone())
        .algorithm_suite_id(EsdkAlgorithmSuiteId::AlgAes256GcmHkdfSha512CommitKey)
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 6. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 7. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(kms_rsa_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("KMS RSA Keyring Example Completed Successfully");

    Ok(())
}

impl Client

pub fn create_aws_kms_ecdh_keyring( &self, ) -> CreateAwsKmsEcdhKeyringFluentBuilder

Constructs a fluent builder for the CreateAwsKmsEcdhKeyring operation.

• The fluent builder is configurable:
  • key_agreement_scheme(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::KmsEcdhStaticConfigurations>>) / set_key_agreement_scheme(Option<crate::deps::aws_cryptography_materialProviders::types::KmsEcdhStaticConfigurations>): (undocumented)
    
  • curve_spec(impl Into<Option<crate::deps::aws_cryptography_primitives::types::EcdhCurveSpec>>) / set_curve_spec(Option<crate::deps::aws_cryptography_primitives::types::EcdhCurveSpec>): (undocumented)
    
  • grant_tokens(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_grant_tokens(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
  • kms_client(impl Into<Option<crate::deps::com_amazonaws_kms::client::Client>>) / set_kms_client(Option<crate::deps::com_amazonaws_kms::client::Client>): (undocumented)
    
• On success, responds with CreateKeyringOutput with field(s):
  • keyring(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
• On failure, responds with SdkError<CreateAwsKmsEcdhKeyringError>

Examples found in repository

examples/keyring/ecdh/kms_ecdh_discovery_keyring_example.rs (line 104)

pub async fn decrypt_with_keyring(
    example_data: &str,
    ecdh_curve_spec: EcdhCurveSpec,
    ecc_recipient_key_arn: &str,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Create the KmsPublicKeyDiscoveryInput
    let kms_ecdh_discovery_static_configuration_input = KmsPublicKeyDiscoveryInput::builder()
        .recipient_kms_identifier(ecc_recipient_key_arn)
        .build()?;

    let kms_ecdh_discovery_static_configuration =
        KmsEcdhStaticConfigurations::KmsPublicKeyDiscovery(
            kms_ecdh_discovery_static_configuration_input,
        );

    // 5. Create the KMS ECDH keyring.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    // Create a KMS ECDH Discovery keyring.
    // This keyring uses the KmsPublicKeyDiscovery configuration.
    // On encrypt, the keyring will fail as it is not allowed to encrypt data under this configuration.
    // On decrypt, the keyring will check if its corresponding public key is stored in the message header. It
    // will AWS KMS to derive the shared from the recipient's KMS ECC Key ARN and the sender's public key;
    // For more information on this configuration see:
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-kms-ecdh-keyring.html#kms-ecdh-discovery
    // This keyring takes in:
    //  - kmsClient
    //  - recipientKmsIdentifier: Must be an ARN representing a KMS ECC key meant for KeyAgreement
    //  - curveSpec: The curve name where the public keys lie
    let kms_ecdh_discovery_keyring = mpl
        .create_aws_kms_ecdh_keyring()
        .kms_client(kms_client.clone())
        .curve_spec(ecdh_curve_spec)
        .key_agreement_scheme(kms_ecdh_discovery_static_configuration)
        .send()
        .await?;

    // 6. Get ciphertext by creating a KMS ECDH keyring WITHOUT discovery
    // because the KMS ECDH keyring WITH discovery CANNOT encrypt data.
    let plaintext = example_data.as_bytes();

    // Get ciphertext by creating a KMS ECDH keyring WITHOUT discovery.
    // The recipient's public key used in the encrypting KMS ECDH keyring WITHOUT discovery
    // is a public key generated from ecc_recipient_key_arn, the same ecc key used
    // when creating the KMS ECDH keyring WITH discovery used for decryption in this example.
    // We then decrypt this ciphertext using a KMS ECDH keyring WITH discovery
    let ciphertext = get_ciphertext(
        example_data,
        encryption_context.clone(),
        ecc_recipient_key_arn,
        ecdh_curve_spec,
        kms_client,
        esdk_client.clone(),
    )
    .await?;

    // 7. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(kms_ecdh_discovery_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("KMS ECDH Discovery Keyring Example Completed Successfully");

    Ok(())
}

async fn get_ciphertext(
    example_data: &str,
    encryption_context: HashMap<String, String>,
    ecc_recipient_key_arn: &str,
    ecdh_curve_spec: EcdhCurveSpec,
    kms_client: aws_sdk_kms::Client,
    esdk_client: esdk_client::Client,
) -> Result<Blob, crate::BoxError> {
    // 1. Create the public keys for sender and recipient
    // Recipient keys are taken as input for this example
    // Sender ECC key used in this example is TEST_KMS_ECDH_KEY_ID_P256_SENDER
    let public_key_sender_utf8_bytes =
        generate_kms_ecc_public_key(TEST_KMS_ECDH_KEY_ID_P256_SENDER).await?;
    let public_key_recipient_utf8_bytes =
        generate_kms_ecc_public_key(ecc_recipient_key_arn).await?;

    // 2. Create the KmsPrivateKeyToStaticPublicKeyInput
    let kms_ecdh_static_configuration_input = KmsPrivateKeyToStaticPublicKeyInput::builder()
        .sender_kms_identifier(TEST_KMS_ECDH_KEY_ID_P256_SENDER)
        // Must be a UTF8 DER-encoded X.509 public key
        .sender_public_key(public_key_sender_utf8_bytes)
        // Must be a UTF8 DER-encoded X.509 public key
        .recipient_public_key(public_key_recipient_utf8_bytes)
        .build()?;

    let kms_ecdh_static_configuration = KmsEcdhStaticConfigurations::KmsPrivateKeyToStaticPublicKey(
        kms_ecdh_static_configuration_input,
    );

    // 3. Create the KMS ECDH keyring.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let kms_ecdh_keyring = mpl
        .create_aws_kms_ecdh_keyring()
        .kms_client(kms_client)
        .curve_spec(ecdh_curve_spec)
        .key_agreement_scheme(kms_ecdh_static_configuration)
        .send()
        .await?;

    // 4. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(kms_ecdh_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 5. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    Ok(ciphertext)
}

examples/keyring/ecdh/kms_ecdh_keyring_example.rs (line 165)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    ecc_key_arn: &str,
    ecdh_curve_spec: EcdhCurveSpec,
    ecc_recipient_key_arn: Option<&str>,
) -> Result<(), crate::BoxError> {
    // 1. If ecc_recipient_key_arn is not provided, set the private key for the recipient to TEST_KMS_ECDH_KEY_ID_P256_RECIPIENT
    let ecc_recipient_key_arn = ecc_recipient_key_arn
        .unwrap_or(crate::example_utils::utils::TEST_KMS_ECDH_KEY_ID_P256_RECIPIENT);

    // 2. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 3. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 4. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 5. You may provide your own ECC keys in the files located at
    // - EXAMPLE_KMS_ECC_PUBLIC_KEY_FILENAME_SENDER
    // - EXAMPLE_KMS_ECC_PUBLIC_KEY_FILENAME_RECIPIENT

    // If not, the main method in this class will call
    // the KMS ECC key, retrieve its public key, and store it
    // in a PEM file for example use.
    if should_generate_new_kms_ecc_public_key(EXAMPLE_KMS_ECC_PUBLIC_KEY_FILENAME_SENDER)? {
        write_kms_ecdh_ecc_public_key(ecc_key_arn, EXAMPLE_KMS_ECC_PUBLIC_KEY_FILENAME_SENDER)
            .await?;
    }

    if should_generate_new_kms_ecc_public_key(EXAMPLE_KMS_ECC_PUBLIC_KEY_FILENAME_RECIPIENT)? {
        write_kms_ecdh_ecc_public_key(
            ecc_recipient_key_arn,
            EXAMPLE_KMS_ECC_PUBLIC_KEY_FILENAME_RECIPIENT,
        )
        .await?;
    }

    // 6. Load public key from UTF-8 encoded PEM files into a DER encoded public key.
    let public_key_file_content_sender =
        std::fs::read_to_string(Path::new(EXAMPLE_KMS_ECC_PUBLIC_KEY_FILENAME_SENDER))?;
    let parsed_public_key_file_content_sender = parse(public_key_file_content_sender)?;
    let public_key_sender_utf8_bytes = parsed_public_key_file_content_sender.contents();

    let public_key_file_content_recipient =
        std::fs::read_to_string(Path::new(EXAMPLE_KMS_ECC_PUBLIC_KEY_FILENAME_RECIPIENT))?;
    let parsed_public_key_file_content_recipient = parse(public_key_file_content_recipient)?;
    let public_key_recipient_utf8_bytes = parsed_public_key_file_content_recipient.contents();

    // 7. Create the KmsPrivateKeyToStaticPublicKeyInput
    let kms_ecdh_static_configuration_input = KmsPrivateKeyToStaticPublicKeyInput::builder()
        .sender_kms_identifier(ecc_key_arn)
        // Must be a UTF8 DER-encoded X.509 public key
        .sender_public_key(public_key_sender_utf8_bytes)
        // Must be a UTF8 DER-encoded X.509 public key
        .recipient_public_key(public_key_recipient_utf8_bytes)
        .build()?;

    let kms_ecdh_static_configuration = KmsEcdhStaticConfigurations::KmsPrivateKeyToStaticPublicKey(
        kms_ecdh_static_configuration_input,
    );

    // 8. Create the KMS ECDH keyring.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    // Create a KMS ECDH keyring.
    // This keyring uses the KmsPrivateKeyToStaticPublicKey configuration. This configuration calls for both of
    // the keys to be on the same curve (P256, P384, P521).
    // On encrypt, the keyring calls AWS KMS to derive the shared secret from the sender's KMS ECC Key ARN and the recipient's public key.
    // For this example, on decrypt, the keyring calls AWS KMS to derive the shared secret from the sender's KMS ECC Key ARN and the recipient's public key;
    // however, on decrypt, the recipient can construct a keyring such that the shared secret is calculated with
    // the recipient's private key and the sender's public key. In both scenarios the shared secret will be the same.
    // For more information on this configuration see:
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-kms-ecdh-keyring.html#kms-ecdh-create
    // This keyring takes in:
    //  - kmsClient
    //  - kmsKeyId: Must be an ARN representing a KMS ECC key meant for KeyAgreement
    //  - curveSpec: The curve name where the public keys lie
    //  - senderPublicKey: A ByteBuffer of a UTF-8 encoded public
    //               key for the key passed into kmsKeyId in DER format
    //  - recipientPublicKey: A ByteBuffer of a UTF-8 encoded public
    //               key for the key passed into kmsKeyId in DER format
    let kms_ecdh_keyring = mpl
        .create_aws_kms_ecdh_keyring()
        .kms_client(kms_client)
        .curve_spec(ecdh_curve_spec)
        .key_agreement_scheme(kms_ecdh_static_configuration)
        .send()
        .await?;

    // 9. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(kms_ecdh_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 10. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 11. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(kms_ecdh_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 12. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("KMS ECDH Keyring Example Completed Successfully");

    Ok(())
}

impl Client

pub fn create_multi_keyring(&self) -> CreateMultiKeyringFluentBuilder

Constructs a fluent builder for the CreateMultiKeyring operation.

• The fluent builder is configurable:
  • child_keyrings(impl Into<Option<::std::vec::Vec<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>>>) / set_child_keyrings(Option<::std::vec::Vec<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>>): (undocumented)
    
  • generator(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>>) / set_generator(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
    
• On success, responds with CreateKeyringOutput with field(s):
  • keyring(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
• On failure, responds with SdkError<CreateMultiKeyringError>

Examples found in repository

examples/limit_encrypted_data_keys_example.rs (line 103)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    max_encrypted_data_keys: u16,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    // Also, set the EncryptionSDK's max_encrypted_data_keys parameter here
    let esdk_config = AwsEncryptionSdkConfig::builder()
        .max_encrypted_data_keys(max_encrypted_data_keys)
        .build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. The key namespace and key name are defined by you.
    // and are used by the Raw AES keyring to determine
    // whether it should attempt to decrypt an encrypted data key.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
    let key_namespace: &str = "my-key-namespace";
    let key_name: &str = "my-aes-key-name";

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Generate `max_encrypted_data_keys` AES keyrings to use with your keyring.
    // In practice, you should get this key from a secure key management system such as an HSM.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let mut raw_aes_keyrings: Vec<KeyringRef> = vec![];

    assert!(
        max_encrypted_data_keys > 0,
        "max_encrypted_data_keys MUST be greater than 0"
    );

    let mut i = 0;
    while i < max_encrypted_data_keys {
        let aes_key_bytes = generate_aes_key_bytes();

        let raw_aes_keyring = mpl
            .create_raw_aes_keyring()
            .key_name(key_name)
            .key_namespace(key_namespace)
            .wrapping_key(aes_key_bytes)
            .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
            .send()
            .await?;

        raw_aes_keyrings.push(raw_aes_keyring);
        i += 1;
    }

    // 5. Create a Multi Keyring with `max_encrypted_data_keys` AES Keyrings
    let generator_keyring = raw_aes_keyrings.remove(0);

    let multi_keyring = mpl
        .create_multi_keyring()
        .generator(generator_keyring)
        .child_keyrings(raw_aes_keyrings)
        .send()
        .await?;

    // 6. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(multi_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 7. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 8. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .keyring(multi_keyring.clone())
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 9. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // 10. Demonstrate that an EncryptionSDK with a lower MaxEncryptedDataKeys
    // will fail to decrypt the encrypted message.
    let esdk_config = AwsEncryptionSdkConfig::builder()
        .max_encrypted_data_keys(max_encrypted_data_keys - 1)
        .build()?;
    let esdk_client_incorrect_max_encrypted_keys = esdk_client::Client::from_conf(esdk_config)?;

    let decryption_response_incorrect_max_encrypted_keys = esdk_client_incorrect_max_encrypted_keys
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(multi_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await;

    match decryption_response_incorrect_max_encrypted_keys {
        Ok(_) => panic!(
            "Decrypt using discovery keyring with wrong AWS Account ID MUST \
                            raise AwsCryptographicMaterialProvidersError"
        ),
        Err(AwsEncryptionSdkException { message: m }) => assert_eq!(
            m,
            "Ciphertext encrypted data keys exceed maxEncryptedDataKeys"
        ),
        _ => panic!("Unexpected error type"),
    }

    println!("Limit Encrypted Data Keys Example Completed Successfully");

    Ok(())
}

examples/keyring/multi_keyring_example.rs (line 124)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    kms_key_id: &str,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Create a KMS keyring
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let kms_keyring = mpl
        .create_aws_kms_keyring()
        .kms_key_id(kms_key_id)
        .kms_client(kms_client)
        .send()
        .await?;

    // 5. Create a raw AES keyring to additionally encrypt under as child_keyring

    // The key namespace and key name are defined by you.
    // and are used by the Raw AES keyring to determine
    // whether it should attempt to decrypt an encrypted data key.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
    let key_namespace: &str = "my-key-namespace";
    let key_name: &str = "my-aes-key-name";

    // Generate a 256-bit AES key to use with your raw AES keyring.
    // In practice, you should get this key from a secure key management system such as an HSM.
    let aes_key_bytes = generate_aes_key_bytes();

    let raw_aes_keyring = mpl
        .create_raw_aes_keyring()
        .key_name(key_name)
        .key_namespace(key_namespace)
        .wrapping_key(aes_key_bytes)
        .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
        .send()
        .await?;

    // 6. Create a multi_keyring that consists of the previously created keyrings.
    // When using this multi_keyring to encrypt data, either `kms_keyring` or
    // `raw_aes_keyring` (or a multi_keyring containing either) may be used to decrypt the data.
    let multi_keyring = mpl
        .create_multi_keyring()
        .generator(kms_keyring.clone())
        .child_keyrings(vec![raw_aes_keyring.clone()])
        .send()
        .await?;

    // 7. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(multi_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 8. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 9a. Decrypt your encrypted data using the same multi_keyring you used on encrypt.
    let decryption_response_multi_keyring = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .keyring(multi_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext_multi_keyring = decryption_response_multi_keyring
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 9b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_multi_keyring,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // Because you used a multi_keyring on Encrypt, you can use either the
    // `kms_keyring` or `raw_aes_keyring` individually to decrypt the data.

    // 10. Demonstrate that you can successfully decrypt data using just the `kms_keyring`
    // directly.
    // (This is an example for demonstration; you do not need to do this in your own code.)

    // 10a. Decrypt your encrypted data using the kms_keyring.
    let decryption_response_kms_keyring = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .keyring(kms_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext_kms_keyring = decryption_response_kms_keyring
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 10b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_kms_keyring,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // 11. Demonstrate that you can also successfully decrypt data using the `raw_aes_keyring`
    // directly.
    // (This is an example for demonstration; you do not need to do this in your own code.)

    // 11a. Decrypt your encrypted data using the raw_aes_keyring.
    let decryption_response_raw_aes_keyring = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(raw_aes_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext_raw_aes_keyring = decryption_response_raw_aes_keyring
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 11b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_raw_aes_keyring,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("Multi Keyring Example Completed Successfully");

    Ok(())
}

impl Client

pub fn create_raw_aes_keyring(&self) -> CreateRawAesKeyringFluentBuilder

Constructs a fluent builder for the CreateRawAesKeyring operation.

• The fluent builder is configurable:
  • key_name(impl Into<Option<::std::string::String>>) / set_key_name(Option<::std::string::String>): (undocumented)
    
  • key_namespace(impl Into<Option<::std::string::String>>) / set_key_namespace(Option<::std::string::String>): (undocumented)
    
  • wrapping_alg(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::AesWrappingAlg>>) / set_wrapping_alg(Option<crate::deps::aws_cryptography_materialProviders::types::AesWrappingAlg>): (undocumented)
    
  • wrapping_key(impl Into<Option<::aws_smithy_types::Blob>>) / set_wrapping_key(Option<::aws_smithy_types::Blob>): (undocumented)
    
• On success, responds with CreateKeyringOutput with field(s):
  • keyring(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
• On failure, responds with SdkError<CreateRawAesKeyringError>

Examples found in repository

examples/keyring/raw_aes_keyring_example.rs (line 78)

pub async fn encrypt_and_decrypt_with_keyring(example_data: &str) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. The key namespace and key name are defined by you.
    // and are used by the Raw AES keyring to determine
    // whether it should attempt to decrypt an encrypted data key.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
    let key_namespace: &str = "my-key-namespace";
    let key_name: &str = "my-aes-key-name";

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Generate a 256-bit AES key to use with your keyring.
    // In practice, you should get this key from a secure key management system such as an HSM.
    let aes_key_bytes = generate_aes_key_bytes();

    // 5. Create a Raw AES Keyring
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let raw_aes_keyring = mpl
        .create_raw_aes_keyring()
        .key_name(key_name)
        .key_namespace(key_namespace)
        .wrapping_key(aes_key_bytes)
        .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
        .send()
        .await?;

    // 6. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(raw_aes_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 7. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 8. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(raw_aes_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 9. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("Raw AES Keyring Example Completed Successfully");

    Ok(())
}

examples/set_encryption_algorithm_suite_example.rs (line 96)

pub async fn encrypt_and_decrypt_with_keyring(example_data: &str) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. The key namespace and key name are defined by you.
    // and are used by the Raw AES keyring to determine
    // whether it should attempt to decrypt an encrypted data key.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
    let key_namespace: &str = "my-key-namespace";
    let key_name: &str = "my-aes-key-name";

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Generate a 256-bit AES key to use with your keyring.
    // In practice, you should get this key from a secure key management system such as an HSM.
    let aes_key_bytes = generate_aes_key_bytes();

    // 5. Create a Raw AES Keyring
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    // The wrapping algorithm here is NOT the algorithm suite we set in this example.
    let raw_aes_keyring = mpl
        .create_raw_aes_keyring()
        .key_name(key_name)
        .key_namespace(key_namespace)
        .wrapping_key(aes_key_bytes)
        .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
        .send()
        .await?;

    // 6. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    // This is the important step in this example where we specify the algorithm suite
    // you want to use for encrypting your data
    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(raw_aes_keyring.clone())
        .encryption_context(encryption_context.clone())
        .algorithm_suite_id(AlgAes256GcmHkdfSha512CommitKey)
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 7. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 8. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(raw_aes_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 9. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("Set Encryption Algorithm Suite Example Completed Successfully");

    Ok(())
}

examples/limit_encrypted_data_keys_example.rs (line 87)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    max_encrypted_data_keys: u16,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    // Also, set the EncryptionSDK's max_encrypted_data_keys parameter here
    let esdk_config = AwsEncryptionSdkConfig::builder()
        .max_encrypted_data_keys(max_encrypted_data_keys)
        .build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. The key namespace and key name are defined by you.
    // and are used by the Raw AES keyring to determine
    // whether it should attempt to decrypt an encrypted data key.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
    let key_namespace: &str = "my-key-namespace";
    let key_name: &str = "my-aes-key-name";

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Generate `max_encrypted_data_keys` AES keyrings to use with your keyring.
    // In practice, you should get this key from a secure key management system such as an HSM.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let mut raw_aes_keyrings: Vec<KeyringRef> = vec![];

    assert!(
        max_encrypted_data_keys > 0,
        "max_encrypted_data_keys MUST be greater than 0"
    );

    let mut i = 0;
    while i < max_encrypted_data_keys {
        let aes_key_bytes = generate_aes_key_bytes();

        let raw_aes_keyring = mpl
            .create_raw_aes_keyring()
            .key_name(key_name)
            .key_namespace(key_namespace)
            .wrapping_key(aes_key_bytes)
            .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
            .send()
            .await?;

        raw_aes_keyrings.push(raw_aes_keyring);
        i += 1;
    }

    // 5. Create a Multi Keyring with `max_encrypted_data_keys` AES Keyrings
    let generator_keyring = raw_aes_keyrings.remove(0);

    let multi_keyring = mpl
        .create_multi_keyring()
        .generator(generator_keyring)
        .child_keyrings(raw_aes_keyrings)
        .send()
        .await?;

    // 6. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(multi_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 7. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 8. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .keyring(multi_keyring.clone())
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 9. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // 10. Demonstrate that an EncryptionSDK with a lower MaxEncryptedDataKeys
    // will fail to decrypt the encrypted message.
    let esdk_config = AwsEncryptionSdkConfig::builder()
        .max_encrypted_data_keys(max_encrypted_data_keys - 1)
        .build()?;
    let esdk_client_incorrect_max_encrypted_keys = esdk_client::Client::from_conf(esdk_config)?;

    let decryption_response_incorrect_max_encrypted_keys = esdk_client_incorrect_max_encrypted_keys
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(multi_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await;

    match decryption_response_incorrect_max_encrypted_keys {
        Ok(_) => panic!(
            "Decrypt using discovery keyring with wrong AWS Account ID MUST \
                            raise AwsCryptographicMaterialProvidersError"
        ),
        Err(AwsEncryptionSdkException { message: m }) => assert_eq!(
            m,
            "Ciphertext encrypted data keys exceed maxEncryptedDataKeys"
        ),
        _ => panic!("Unexpected error type"),
    }

    println!("Limit Encrypted Data Keys Example Completed Successfully");

    Ok(())
}

examples/keyring/multi_keyring_example.rs (line 112)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    kms_key_id: &str,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Create a KMS keyring
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let kms_keyring = mpl
        .create_aws_kms_keyring()
        .kms_key_id(kms_key_id)
        .kms_client(kms_client)
        .send()
        .await?;

    // 5. Create a raw AES keyring to additionally encrypt under as child_keyring

    // The key namespace and key name are defined by you.
    // and are used by the Raw AES keyring to determine
    // whether it should attempt to decrypt an encrypted data key.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
    let key_namespace: &str = "my-key-namespace";
    let key_name: &str = "my-aes-key-name";

    // Generate a 256-bit AES key to use with your raw AES keyring.
    // In practice, you should get this key from a secure key management system such as an HSM.
    let aes_key_bytes = generate_aes_key_bytes();

    let raw_aes_keyring = mpl
        .create_raw_aes_keyring()
        .key_name(key_name)
        .key_namespace(key_namespace)
        .wrapping_key(aes_key_bytes)
        .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
        .send()
        .await?;

    // 6. Create a multi_keyring that consists of the previously created keyrings.
    // When using this multi_keyring to encrypt data, either `kms_keyring` or
    // `raw_aes_keyring` (or a multi_keyring containing either) may be used to decrypt the data.
    let multi_keyring = mpl
        .create_multi_keyring()
        .generator(kms_keyring.clone())
        .child_keyrings(vec![raw_aes_keyring.clone()])
        .send()
        .await?;

    // 7. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(multi_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 8. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 9a. Decrypt your encrypted data using the same multi_keyring you used on encrypt.
    let decryption_response_multi_keyring = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .keyring(multi_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext_multi_keyring = decryption_response_multi_keyring
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 9b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_multi_keyring,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // Because you used a multi_keyring on Encrypt, you can use either the
    // `kms_keyring` or `raw_aes_keyring` individually to decrypt the data.

    // 10. Demonstrate that you can successfully decrypt data using just the `kms_keyring`
    // directly.
    // (This is an example for demonstration; you do not need to do this in your own code.)

    // 10a. Decrypt your encrypted data using the kms_keyring.
    let decryption_response_kms_keyring = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .keyring(kms_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext_kms_keyring = decryption_response_kms_keyring
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 10b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_kms_keyring,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // 11. Demonstrate that you can also successfully decrypt data using the `raw_aes_keyring`
    // directly.
    // (This is an example for demonstration; you do not need to do this in your own code.)

    // 11a. Decrypt your encrypted data using the raw_aes_keyring.
    let decryption_response_raw_aes_keyring = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(raw_aes_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext_raw_aes_keyring = decryption_response_raw_aes_keyring
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 11b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_raw_aes_keyring,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("Multi Keyring Example Completed Successfully");

    Ok(())
}

impl Client

pub fn create_raw_rsa_keyring(&self) -> CreateRawRsaKeyringFluentBuilder

Constructs a fluent builder for the CreateRawRsaKeyring operation.

• The fluent builder is configurable:
  • key_name(impl Into<Option<::std::string::String>>) / set_key_name(Option<::std::string::String>): (undocumented)
    
  • key_namespace(impl Into<Option<::std::string::String>>) / set_key_namespace(Option<::std::string::String>): (undocumented)
    
  • padding_scheme(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::PaddingScheme>>) / set_padding_scheme(Option<crate::deps::aws_cryptography_materialProviders::types::PaddingScheme>): (undocumented)
    
  • private_key(impl Into<Option<::aws_smithy_types::Blob>>) / set_private_key(Option<::aws_smithy_types::Blob>): (undocumented)
    
  • public_key(impl Into<Option<::aws_smithy_types::Blob>>) / set_public_key(Option<::aws_smithy_types::Blob>): (undocumented)
    
• On success, responds with CreateKeyringOutput with field(s):
  • keyring(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
• On failure, responds with SdkError<CreateRawRsaKeyringError>

Examples found in repository

examples/keyring/raw_rsa_keyring_example.rs (line 123)

pub async fn encrypt_and_decrypt_with_keyring(example_data: &str) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 3. You may provide your own RSA key pair in the files located at
    //  - EXAMPLE_RSA_PRIVATE_KEY_FILENAME
    //  - EXAMPLE_RSA_PUBLIC_KEY_FILENAME
    // If these files are not present, this will generate a pair for you
    if should_generate_new_rsa_key_pair()? {
        generate_rsa_key_pair()?;
    }

    // 4. Load key pair from UTF-8 encoded PEM files.
    //    You may provide your own PEM files to use here.
    //    If you do not, the main method in this class will generate PEM
    //    files for example use. Do not use these files for any other purpose.
    let mut file = File::open(Path::new(EXAMPLE_RSA_PUBLIC_KEY_FILENAME))?;
    let mut public_key_utf8_bytes = Vec::new();
    file.read_to_end(&mut public_key_utf8_bytes)?;

    let mut file = File::open(Path::new(EXAMPLE_RSA_PRIVATE_KEY_FILENAME))?;
    let mut private_key_utf8_bytes = Vec::new();
    file.read_to_end(&mut private_key_utf8_bytes)?;

    // 5. The key namespace and key name are defined by you.
    // and are used by the Raw RSA keyring
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-rsa-keyring.html
    let key_namespace: &str = "my-key-namespace";
    let key_name: &str = "my-rsa-key-name";

    // 6. Create the Raw RSA keyring.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let raw_rsa_keyring = mpl
        .create_raw_rsa_keyring()
        .key_name(key_name)
        .key_namespace(key_namespace)
        .padding_scheme(PaddingScheme::OaepSha256Mgf1)
        .public_key(public_key_utf8_bytes)
        .private_key(private_key_utf8_bytes)
        .send()
        .await?;

    // 7. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(raw_rsa_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 8. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 9. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(raw_rsa_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 10. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("Raw RSA Keyring Example Completed Successfully");

    Ok(())
}

impl Client

pub fn create_raw_ecdh_keyring(&self) -> CreateRawEcdhKeyringFluentBuilder

Constructs a fluent builder for the CreateRawEcdhKeyring operation.

• The fluent builder is configurable:
  • key_agreement_scheme(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::RawEcdhStaticConfigurations>>) / set_key_agreement_scheme(Option<crate::deps::aws_cryptography_materialProviders::types::RawEcdhStaticConfigurations>): (undocumented)
    
  • curve_spec(impl Into<Option<crate::deps::aws_cryptography_primitives::types::EcdhCurveSpec>>) / set_curve_spec(Option<crate::deps::aws_cryptography_primitives::types::EcdhCurveSpec>): (undocumented)
    
• On success, responds with CreateKeyringOutput with field(s):
  • keyring(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
• On failure, responds with SdkError<CreateRawEcdhKeyringError>

Examples found in repository

examples/keyring/ecdh/public_key_discovery_raw_ecdh_keyring_example.rs (line 144)

pub async fn decrypt_with_keyring(
    example_data: &str,
    ecdh_curve_spec: EcdhCurveSpec,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    // 2. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 3. You may provide your own ECC keys in the files located at
    // - EXAMPLE_ECC_PRIVATE_KEY_FILENAME_RECIPIENT

    // If you do not provide these files, running this example through this
    // class' main method will generate three files required for all raw ECDH examples
    // EXAMPLE_ECC_PRIVATE_KEY_FILENAME_SENDER, EXAMPLE_ECC_PRIVATE_KEY_FILENAME_RECIPIENT
    // and EXAMPLE_ECC_PUBLIC_KEY_FILENAME_RECIPIENT for you.

    // Do not use these files for any other purpose.
    if should_generate_new_ecc_key_pair_discovery_raw_ecdh()? {
        write_raw_ecdh_ecc_keys(ecdh_curve_spec)?;
    }

    // 4. Load keys from UTF-8 encoded PEM files.
    let mut file = File::open(Path::new(EXAMPLE_ECC_PRIVATE_KEY_FILENAME_RECIPIENT))?;
    let mut private_key_recipient_utf8_bytes = Vec::new();
    file.read_to_end(&mut private_key_recipient_utf8_bytes)?;

    // Generate the ciphertext
    let ciphertext = get_ciphertext(
        example_data,
        ecdh_curve_spec,
        encryption_context.clone(),
        esdk_client.clone(),
        mpl.clone(),
    )
    .await?;

    // 5. Create the PublicKeyDiscoveryInput
    let discovery_raw_ecdh_static_configuration_input = PublicKeyDiscoveryInput::builder()
        // Must be a UTF8 PEM-encoded private key
        .recipient_static_private_key(private_key_recipient_utf8_bytes)
        .build()?;

    let discovery_raw_ecdh_static_configuration = RawEcdhStaticConfigurations::PublicKeyDiscovery(
        discovery_raw_ecdh_static_configuration_input,
    );

    // 6. Create the Public Key Discovery Raw ECDH keyring.

    // Create the keyring.
    // This keyring uses a discovery configuration. This configuration will check on decrypt
    // if it is meant to decrypt the message by checking if the configured public key is stored on the message.
    // The discovery configuration can only decrypt messages and CANNOT encrypt messages.
    let discovery_raw_ecdh_keyring = mpl
        .create_raw_ecdh_keyring()
        .curve_spec(ecdh_curve_spec)
        .key_agreement_scheme(discovery_raw_ecdh_static_configuration)
        .send()
        .await?;

    // 7. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(discovery_raw_ecdh_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    let plaintext = example_data.as_bytes();

    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("Public Key Discovery Raw ECDH Keyring Example Completed Successfully");

    Ok(())
}

fn should_generate_new_ecc_key_pair_discovery_raw_ecdh() -> Result<bool, String> {
    // If keys already exist: do not overwrite existing keys
    if exists(EXAMPLE_ECC_PRIVATE_KEY_FILENAME_RECIPIENT)
        && exists(EXAMPLE_ECC_PUBLIC_KEY_FILENAME_RECIPIENT)
    {
        Ok(false)
    }
    // If only one file is present: throw exception
    else if !exists(EXAMPLE_ECC_PRIVATE_KEY_FILENAME_RECIPIENT)
        && exists(EXAMPLE_ECC_PUBLIC_KEY_FILENAME_RECIPIENT)
    {
        Err("Missing key file at ".to_string() + EXAMPLE_ECC_PRIVATE_KEY_FILENAME_RECIPIENT)
    } else if exists(EXAMPLE_ECC_PRIVATE_KEY_FILENAME_RECIPIENT)
        && !exists(EXAMPLE_ECC_PUBLIC_KEY_FILENAME_RECIPIENT)
    {
        Err("Missing key file at ".to_string() + EXAMPLE_ECC_PUBLIC_KEY_FILENAME_RECIPIENT)
    }
    // If neither file is present, generate a new key pair
    else {
        Ok(true)
    }
}

async fn get_ciphertext(
    example_data: &str,
    ecdh_curve_spec: EcdhCurveSpec,
    encryption_context: HashMap<String, String>,
    esdk_client: esdk_client::Client,
    mpl: mpl_client::Client,
) -> Result<Blob, crate::BoxError> {
    // 1. Load keys from UTF-8 encoded PEM files.

    // Load public key from UTF-8 encoded PEM files into a DER encoded public key.
    let public_key_file_content =
        std::fs::read_to_string(Path::new(EXAMPLE_ECC_PUBLIC_KEY_FILENAME_RECIPIENT))?;
    let parsed_public_key_file_content = parse(public_key_file_content)?;
    let public_key_recipient_utf8_bytes = parsed_public_key_file_content.contents();

    // 2. Create the EphemeralPrivateKeyToStaticPublicKeyInput to generate the ciphertext
    let ephemeral_raw_ecdh_static_configuration_input =
        EphemeralPrivateKeyToStaticPublicKeyInput::builder()
            // Must be a UTF8 DER-encoded X.509 public key
            .recipient_public_key(public_key_recipient_utf8_bytes)
            .build()?;

    let ephemeral_raw_ecdh_static_configuration =
        RawEcdhStaticConfigurations::EphemeralPrivateKeyToStaticPublicKey(
            ephemeral_raw_ecdh_static_configuration_input,
        );

    // 3. Create the Ephemeral Raw ECDH keyring.

    // Create the keyring.
    // This keyring uses an ephemeral configuration. This configuration will always create a new
    // key pair as the sender key pair for the key agreement operation. The ephemeral configuration can only
    // encrypt data and CANNOT decrypt messages.
    let ephemeral_raw_ecdh_keyring = mpl
        .create_raw_ecdh_keyring()
        .curve_spec(ecdh_curve_spec)
        .key_agreement_scheme(ephemeral_raw_ecdh_static_configuration)
        .send()
        .await?;

    // 4. Encrypt the data with the encryption_context

    // A raw ecdh keyring with Ephemeral configuration cannot decrypt data since the key pair
    // used as the sender is ephemeral. This means that at decrypt time it does not have
    // the private key that corresponds to the public key that is stored on the message.
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(ephemeral_raw_ecdh_keyring)
        .encryption_context(encryption_context)
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 5. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    Ok(ciphertext)
}

examples/keyring/ecdh/ephemeral_raw_ecdh_keyring_example.rs (line 127)

pub async fn encrypt_with_keyring(
    example_data: &str,
    ecdh_curve_spec: EcdhCurveSpec,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 3. You may provide your own ECC keys in the files located at
    // - EXAMPLE_ECC_PUBLIC_KEY_FILENAME_RECIPIENT

    // If you do not provide these files, running this example through this
    // class' main method will generate three files required for all raw ECDH examples
    // EXAMPLE_ECC_PRIVATE_KEY_FILENAME_SENDER, EXAMPLE_ECC_PRIVATE_KEY_FILENAME_RECIPIENT
    // and EXAMPLE_ECC_PUBLIC_KEY_FILENAME_RECIPIENT for you.

    // Do not use these files for any other purpose.
    if should_generate_new_ecc_key_pair_ephemeral_raw_ecdh()? {
        write_raw_ecdh_ecc_keys(ecdh_curve_spec)?;
    }

    // 4. Load keys from UTF-8 encoded PEM files.

    // Load public key from UTF-8 encoded PEM files into a DER encoded public key.
    let public_key_file_content =
        std::fs::read_to_string(Path::new(EXAMPLE_ECC_PUBLIC_KEY_FILENAME_RECIPIENT))?;
    let parsed_public_key_file_content = parse(public_key_file_content)?;
    let public_key_recipient_utf8_bytes = parsed_public_key_file_content.contents();

    // 5. Create the EphemeralPrivateKeyToStaticPublicKeyInput
    let ephemeral_raw_ecdh_static_configuration_input =
        EphemeralPrivateKeyToStaticPublicKeyInput::builder()
            // Must be a UTF8 DER-encoded X.509 public key
            .recipient_public_key(public_key_recipient_utf8_bytes)
            .build()?;

    let ephemeral_raw_ecdh_static_configuration =
        RawEcdhStaticConfigurations::EphemeralPrivateKeyToStaticPublicKey(
            ephemeral_raw_ecdh_static_configuration_input,
        );

    // 6. Create the Ephemeral Raw ECDH keyring.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    // Create the keyring.
    // This keyring uses an ephemeral configuration. This configuration will always create a new
    // key pair as the sender key pair for the key agreement operation. The ephemeral configuration can only
    // encrypt data and CANNOT decrypt messages.
    let ephemeral_raw_ecdh_keyring = mpl
        .create_raw_ecdh_keyring()
        .curve_spec(ecdh_curve_spec)
        .key_agreement_scheme(ephemeral_raw_ecdh_static_configuration)
        .send()
        .await?;

    // 7. Encrypt the data with the encryption_context

    // A raw ecdh keyring with Ephemeral configuration cannot decrypt data since the key pair
    // used as the sender is ephemeral. This means that at decrypt time it does not have
    // the private key that corresponds to the public key that is stored on the message.
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(ephemeral_raw_ecdh_keyring)
        .encryption_context(encryption_context)
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 8. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    println!("Ephemeral Raw ECDH Keyring Example Completed Successfully");

    Ok(())
}

examples/keyring/ecdh/raw_ecdh_keyring_example.rs (line 146)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    ecdh_curve_spec: EcdhCurveSpec,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 3. You may provide your own ECC keys in the files located at
    // - EXAMPLE_ECC_PRIVATE_KEY_FILENAME_SENDER
    // - EXAMPLE_ECC_PUBLIC_KEY_FILENAME_RECIPIENT

    // If you do not provide these files, running this example through this
    // class' main method will generate three files required for all raw ECDH examples
    // EXAMPLE_ECC_PRIVATE_KEY_FILENAME_SENDER, EXAMPLE_ECC_PRIVATE_KEY_FILENAME_RECIPIENT
    // and EXAMPLE_ECC_PUBLIC_KEY_FILENAME_RECIPIENT for you.

    // Do not use these files for any other purpose.
    if should_generate_new_ecc_key_pair_raw_ecdh()? {
        write_raw_ecdh_ecc_keys(ecdh_curve_spec)?;
    }

    // 4. Load keys from UTF-8 encoded PEM files.
    let mut file = File::open(Path::new(EXAMPLE_ECC_PRIVATE_KEY_FILENAME_SENDER))?;
    let mut private_key_sender_utf8_bytes = Vec::new();
    file.read_to_end(&mut private_key_sender_utf8_bytes)?;

    // Load public key from UTF-8 encoded PEM files into a DER encoded public key.
    let public_key_file_content =
        std::fs::read_to_string(Path::new(EXAMPLE_ECC_PUBLIC_KEY_FILENAME_RECIPIENT))?;
    let parsed_public_key_file_content = parse(public_key_file_content)?;
    let public_key_recipient_utf8_bytes = parsed_public_key_file_content.contents();

    // 5. Create the RawPrivateKeyToStaticPublicKeyInput
    let raw_ecdh_static_configuration_input = RawPrivateKeyToStaticPublicKeyInput::builder()
        // Must be a UTF8 PEM-encoded private key
        .sender_static_private_key(private_key_sender_utf8_bytes)
        // Must be a UTF8 DER-encoded X.509 public key
        .recipient_public_key(public_key_recipient_utf8_bytes)
        .build()?;

    let raw_ecdh_static_configuration = RawEcdhStaticConfigurations::RawPrivateKeyToStaticPublicKey(
        raw_ecdh_static_configuration_input,
    );

    // 6. Create the Raw ECDH keyring.
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    // Create the keyring.
    // This keyring uses static sender and recipient keys. This configuration calls for both of
    // the keys to be on the same curve (P256 / P384 / P521).
    // On encrypt, the shared secret is derived from the sender's private key and the recipient's public key.
    // For this example, on decrypt, the shared secret is derived from the sender's private key and the recipient's public key;
    // However, on decrypt, the recipient can construct a keyring such that the shared secret is calculated with
    // the recipient's private key and the sender's public key. In both scenarios the shared secret will be the same.
    let raw_ecdh_keyring = mpl
        .create_raw_ecdh_keyring()
        .curve_spec(ecdh_curve_spec)
        .key_agreement_scheme(raw_ecdh_static_configuration)
        .send()
        .await?;

    // 7. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(raw_ecdh_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 8. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 9. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(raw_ecdh_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 10. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("Raw ECDH Keyring Example Completed Successfully");

    Ok(())
}

impl Client

pub fn create_default_cryptographic_materials_manager( &self, ) -> CreateDefaultCryptographicMaterialsManagerFluentBuilder

Constructs a fluent builder for the CreateDefaultCryptographicMaterialsManager operation.

• The fluent builder is configurable:
  • keyring(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>>) / set_keyring(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
    
• On success, responds with CreateCryptographicMaterialsManagerOutput with field(s):
  • materials_manager(Option<crate::deps::aws_cryptography_materialProviders::types::cryptographic_materials_manager::CryptographicMaterialsManagerRef>): (undocumented)
• On failure, responds with SdkError<CreateDefaultCryptographicMaterialsManagerError>

Examples found in repository

examples/cryptographic_materials_manager/restrict_algorithm_suite/signing_suite_only_cmm.rs (line 49)

    pub fn new(keyring: KeyringRef) -> Self {
        let mpl_config = MaterialProvidersConfig::builder().build().unwrap();
        let mpl = mpl_client::Client::from_conf(mpl_config).unwrap();

        Self {
            approved_algos: vec![
                EsdkAlgorithmSuiteId::AlgAes128GcmIv12Tag16HkdfSha256EcdsaP256,
                EsdkAlgorithmSuiteId::AlgAes192GcmIv12Tag16HkdfSha384EcdsaP384,
                EsdkAlgorithmSuiteId::AlgAes256GcmIv12Tag16HkdfSha384EcdsaP384,
                EsdkAlgorithmSuiteId::AlgAes256GcmHkdfSha512CommitKeyEcdsaP384,
            ],
            // Create a DefaultCryptographicMaterialsManager to facilitate
            // GetEncryptionMaterials and DecryptionMaterials
            // after this CMM approves the Algorithm Suite.
            cmm: tokio::task::block_in_place(|| {
                tokio::runtime::Handle::current().block_on(async {
                    mpl.create_default_cryptographic_materials_manager()
                        .keyring(keyring)
                        .send()
                        .await
                })
            })
            .unwrap(),
        }
    }

examples/cryptographic_materials_manager/required_encryption_context/required_encryption_context_example.rs (line 75)

pub async fn encrypt_and_decrypt_with_cmm(
    example_data: &str,
    kms_key_id: &str,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
        ("requiredKey1".to_string(), "requiredValue1".to_string()),
        ("requiredKey2".to_string(), "requiredValue2".to_string()),
    ]);

    // 4. Create your required encryption context keys.
    // These keys MUST be in your encryption context.
    // These keys and their corresponding values WILL NOT be stored on the message but will be used
    // for authentication.
    let required_encryption_context_keys: Vec<String> =
        vec!["requiredKey1".to_string(), "requiredKey2".to_string()];

    // 5. Create a KMS keyring
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let kms_keyring = mpl
        .create_aws_kms_keyring()
        .kms_key_id(kms_key_id)
        .kms_client(kms_client)
        .send()
        .await?;

    // 6. Create the required encryption context CMM.
    let underlying_cmm = mpl
        .create_default_cryptographic_materials_manager()
        .keyring(kms_keyring)
        .send()
        .await?;

    let required_ec_cmm = mpl
        .create_required_encryption_context_cmm()
        .underlying_cmm(underlying_cmm.clone())
        .required_encryption_context_keys(required_encryption_context_keys)
        .send()
        .await?;

    // 7. Encrypt the data with the encryption_context
    // NOTE: the keys "requiredKey1", and "requiredKey2"
    // WILL NOT be stored in the message header, but "encryption", "is not",
    // "but adds", "that can help you", and "the data you are handling" WILL be stored.
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .materials_manager(required_ec_cmm.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 8. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 9. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .materials_manager(required_ec_cmm.clone())
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 10. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // 11. Attempt to decrypt your encrypted data using the same cryptographic material manager
    // you used on encrypt, but we won't pass the encryption context we DID NOT store on the message.
    // This will fail
    let decryption_response_without_ec = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .materials_manager(required_ec_cmm.clone())
        .send()
        .await;

    match decryption_response_without_ec {
        Ok(_) => panic!(
            "Decrypt without encryption context MUST \
                            raise AwsCryptographicMaterialProvidersError"
        ),
        Err(AwsCryptographicMaterialProvidersError { error: _e }) => (),
        _ => panic!("Unexpected error type"),
    }

    // 12. Decrypt your encrypted data using the same cryptographic material manager
    // you used to encrypt, but supply encryption context that contains ONLY the encryption context that
    // was NOT stored. This will pass.
    let reproduced_encryption_context = HashMap::from([
        ("requiredKey1".to_string(), "requiredValue1".to_string()),
        ("requiredKey2".to_string(), "requiredValue2".to_string()),
    ]);

    let decryption_response_with_reproduced_ec = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .materials_manager(required_ec_cmm)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(reproduced_encryption_context)
        .send()
        .await?;

    let decrypted_plaintext_with_reproduced_ec = decryption_response_with_reproduced_ec
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_with_reproduced_ec,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // 13. You can decrypt the ciphertext using the underlying cmm, but not providing the
    // encryption context with the request will result in an AwsCryptographicMaterialProvidersError

    // This will pass
    let decryption_response_with_ec_underlying_cmm = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .materials_manager(underlying_cmm.clone())
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext_with_ec_underlying_cmm = decryption_response_with_ec_underlying_cmm
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_with_ec_underlying_cmm,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // This will fail
    let decryption_response_without_ec_underlying_cmm = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .materials_manager(underlying_cmm)
        .send()
        .await;

    match decryption_response_without_ec_underlying_cmm {
        Ok(_) => panic!(
            "Decrypt without encryption context MUST \
                            raise AwsCryptographicMaterialProvidersError"
        ),
        Err(AwsCryptographicMaterialProvidersError { error: _e }) => (),
        _ => panic!("Unexpected error type"),
    }

    println!("Required Encryption Context CMM Example Completed Successfully");

    Ok(())
}

impl Client

pub fn create_required_encryption_context_cmm( &self, ) -> CreateRequiredEncryptionContextCmmFluentBuilder

Constructs a fluent builder for the CreateRequiredEncryptionContextCMM operation.

• The fluent builder is configurable:
  • keyring(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>>) / set_keyring(Option<crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef>): (undocumented)
    
  • required_encryption_context_keys(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_required_encryption_context_keys(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
  • underlying_cmm(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::cryptographic_materials_manager::CryptographicMaterialsManagerRef>>) / set_underlying_cmm(Option<crate::deps::aws_cryptography_materialProviders::types::cryptographic_materials_manager::CryptographicMaterialsManagerRef>): (undocumented)
    
• On success, responds with CreateRequiredEncryptionContextCmmOutput with field(s):
  • materials_manager(Option<crate::deps::aws_cryptography_materialProviders::types::cryptographic_materials_manager::CryptographicMaterialsManagerRef>): (undocumented)
• On failure, responds with SdkError<CreateRequiredEncryptionContextCmmError>

Examples found in repository

examples/cryptographic_materials_manager/required_encryption_context/required_encryption_context_example.rs (line 81)

pub async fn encrypt_and_decrypt_with_cmm(
    example_data: &str,
    kms_key_id: &str,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
        ("requiredKey1".to_string(), "requiredValue1".to_string()),
        ("requiredKey2".to_string(), "requiredValue2".to_string()),
    ]);

    // 4. Create your required encryption context keys.
    // These keys MUST be in your encryption context.
    // These keys and their corresponding values WILL NOT be stored on the message but will be used
    // for authentication.
    let required_encryption_context_keys: Vec<String> =
        vec!["requiredKey1".to_string(), "requiredKey2".to_string()];

    // 5. Create a KMS keyring
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let kms_keyring = mpl
        .create_aws_kms_keyring()
        .kms_key_id(kms_key_id)
        .kms_client(kms_client)
        .send()
        .await?;

    // 6. Create the required encryption context CMM.
    let underlying_cmm = mpl
        .create_default_cryptographic_materials_manager()
        .keyring(kms_keyring)
        .send()
        .await?;

    let required_ec_cmm = mpl
        .create_required_encryption_context_cmm()
        .underlying_cmm(underlying_cmm.clone())
        .required_encryption_context_keys(required_encryption_context_keys)
        .send()
        .await?;

    // 7. Encrypt the data with the encryption_context
    // NOTE: the keys "requiredKey1", and "requiredKey2"
    // WILL NOT be stored in the message header, but "encryption", "is not",
    // "but adds", "that can help you", and "the data you are handling" WILL be stored.
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .materials_manager(required_ec_cmm.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 8. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 9. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .materials_manager(required_ec_cmm.clone())
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 10. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // 11. Attempt to decrypt your encrypted data using the same cryptographic material manager
    // you used on encrypt, but we won't pass the encryption context we DID NOT store on the message.
    // This will fail
    let decryption_response_without_ec = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .materials_manager(required_ec_cmm.clone())
        .send()
        .await;

    match decryption_response_without_ec {
        Ok(_) => panic!(
            "Decrypt without encryption context MUST \
                            raise AwsCryptographicMaterialProvidersError"
        ),
        Err(AwsCryptographicMaterialProvidersError { error: _e }) => (),
        _ => panic!("Unexpected error type"),
    }

    // 12. Decrypt your encrypted data using the same cryptographic material manager
    // you used to encrypt, but supply encryption context that contains ONLY the encryption context that
    // was NOT stored. This will pass.
    let reproduced_encryption_context = HashMap::from([
        ("requiredKey1".to_string(), "requiredValue1".to_string()),
        ("requiredKey2".to_string(), "requiredValue2".to_string()),
    ]);

    let decryption_response_with_reproduced_ec = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .materials_manager(required_ec_cmm)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(reproduced_encryption_context)
        .send()
        .await?;

    let decrypted_plaintext_with_reproduced_ec = decryption_response_with_reproduced_ec
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_with_reproduced_ec,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // 13. You can decrypt the ciphertext using the underlying cmm, but not providing the
    // encryption context with the request will result in an AwsCryptographicMaterialProvidersError

    // This will pass
    let decryption_response_with_ec_underlying_cmm = esdk_client
        .decrypt()
        .ciphertext(ciphertext.clone())
        .materials_manager(underlying_cmm.clone())
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext_with_ec_underlying_cmm = decryption_response_with_ec_underlying_cmm
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext_with_ec_underlying_cmm,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // This will fail
    let decryption_response_without_ec_underlying_cmm = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .materials_manager(underlying_cmm)
        .send()
        .await;

    match decryption_response_without_ec_underlying_cmm {
        Ok(_) => panic!(
            "Decrypt without encryption context MUST \
                            raise AwsCryptographicMaterialProvidersError"
        ),
        Err(AwsCryptographicMaterialProvidersError { error: _e }) => (),
        _ => panic!("Unexpected error type"),
    }

    println!("Required Encryption Context CMM Example Completed Successfully");

    Ok(())
}

impl Client

pub fn create_cryptographic_materials_cache( &self, ) -> CreateCryptographicMaterialsCacheFluentBuilder

Constructs a fluent builder for the CreateCryptographicMaterialsCache operation.

• The fluent builder is configurable:
  • cache(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::CacheType>>) / set_cache(Option<crate::deps::aws_cryptography_materialProviders::types::CacheType>): (undocumented)
    
• On success, responds with CreateCryptographicMaterialsCacheOutput with field(s):
  • materials_cache(Option<crate::deps::aws_cryptography_materialProviders::types::cryptographic_materials_cache::CryptographicMaterialsCacheRef>): (undocumented)
• On failure, responds with SdkError<CreateCryptographicMaterialsCacheError>

Examples found in repository

examples/keyring/aws_kms_hierarchical/shared_cache_across_hierarchical_keyrings_example.rs (line 94)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    key_store_table_name: &str,
    logical_key_store_name: &str,
    key_store_kms_key_id: &str,
) -> Result<(), crate::BoxError> {
    // 1a. Create the CryptographicMaterialsCache (CMC) to share across multiple Hierarchical Keyrings
    // using the Material Providers Library
    //    This CMC takes in:
    //     - CacheType
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let cache: CacheType = CacheType::Default(DefaultCache::builder().entry_capacity(100).build()?);

    let shared_cryptographic_materials_cache: CryptographicMaterialsCacheRef = mpl
        .create_cryptographic_materials_cache()
        .cache(cache)
        .send()
        .await?;

    // 1b. Create a CacheType object for the shared_cryptographic_materials_cache
    // Note that the `cache` parameter in the Hierarchical Keyring Input takes a `CacheType` as input
    // Here, we pass a `Shared` CacheType that passes an already initialized shared cache.

    // If you want to use a Shared Cache, you need to initialize it only once, and
    // pass the same cache `shared_cache` to different hierarchical keyrings.

    // CryptographicMaterialsCacheRef is an Rc (Reference Counted), so if you clone it to
    // pass it to different Hierarchical Keyrings, it will still point to the same
    // underlying cache, and increment the reference count accordingly.
    let shared_cache: CacheType = CacheType::Shared(shared_cryptographic_materials_cache);

    // 2. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 3. Configure your Key Store resource key_store1.
    //    This SHOULD be the same configuration that you used
    //    to initially create and populate your physical Key Store.
    // Note that key_store_table_name is the physical Key Store,
    // and key_store1 is instances of this physical Key Store.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let key_store_config = KeyStoreConfig::builder()
        .kms_client(aws_sdk_kms::Client::new(&sdk_config))
        .ddb_client(aws_sdk_dynamodb::Client::new(&sdk_config))
        .ddb_table_name(key_store_table_name)
        .logical_key_store_name(logical_key_store_name)
        .kms_configuration(KmsConfiguration::KmsKeyArn(
            key_store_kms_key_id.to_string(),
        ))
        .build()?;

    let key_store1 = keystore_client::Client::from_conf(key_store_config.clone())?;

    // 4. Call create_branch_key_id to create one new active branch key
    let branch_key_id: String = create_branch_key_id(
        key_store_table_name,
        logical_key_store_name,
        key_store_kms_key_id,
    )
    .await?;

    // 5. Create the Hierarchical Keyring HK1 with Key Store instance K1, partition_id,
    // the shared_cache and the branch_key_id.
    // Note that we are now providing an already initialized shared cache instead of just mentioning
    // the cache type and the Hierarchical Keyring initializing a cache at initialization.

    // partition_id for this example is a random UUID
    let partition_id = "91c1b6a2-6fc3-4539-ad5e-938d597ed730".to_string();

    // Please make sure that you read the guidance on how to set Partition ID, Logical Key Store Name and
    // Branch Key ID at the top of this example before creating Hierarchical Keyrings with a Shared Cache
    let keyring1 = mpl
        .create_aws_kms_hierarchical_keyring()
        .key_store(key_store1)
        .branch_key_id(branch_key_id.clone())
        // CryptographicMaterialsCacheRef is an Rc (Reference Counted), so if you clone it to
        // pass it to different Hierarchical Keyrings, it will still point to the same
        // underlying cache, and increment the reference count accordingly.
        .cache(shared_cache.clone())
        .ttl_seconds(600)
        .partition_id(partition_id.clone())
        .send()
        .await?;

    // 6. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 7. Encrypt the data for encryption_context using keyring1
    let plaintext = example_data.as_bytes();

    let encryption_response1 = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(keyring1.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext1 = encryption_response1
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 8. Demonstrate that the ciphertexts and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext1,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 9. Decrypt your encrypted data using the same keyring HK1 you used on encrypt.
    let decryption_response1 = esdk_client
        .decrypt()
        .ciphertext(ciphertext1)
        .keyring(keyring1)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let decrypted_plaintext1 = decryption_response1
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 10. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext1,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    // 11. Through the above encrypt and decrypt roundtrip, the cache will be populated and
    // the cache entries can be used by another Hierarchical Keyring with the
    // - Same Partition ID
    // - Same Logical Key Store Name of the Key Store for the Hierarchical Keyring
    // - Same Branch Key ID

    // Configure your Key Store resource key_store2.
    //    This SHOULD be the same configuration that you used
    //    to initially create and populate your physical Key Store.
    // Note that key_store_table_name is the physical Key Store,
    // and key_store2 is instances of this physical Key Store.

    // Note that for this example, key_store2 is identical to key_store1.
    // You can optionally change configurations like KMS Client or KMS Key ID based
    // on your use-case.
    // Make sure you have the required permissions to use different configurations.

    // - If you want to share cache entries across two keyrings HK1 and HK2,
    //   you should set the Logical Key Store Names for both
    //   Key Store instances (K1 and K2) to be the same.
    // - If you set the Logical Key Store Names for K1 and K2 to be different,
    //   HK1 (which uses Key Store instance K1) and HK2 (which uses Key Store
    //   instance K2) will NOT be able to share cache entries.
    let key_store2 = keystore_client::Client::from_conf(key_store_config.clone())?;

    // 12. Create the Hierarchical Keyring HK2 with Key Store instance K2, the shared_cache
    // and the same partition_id and branch_key_id used in HK1 because we want to share cache entries
    // (and experience cache HITS).

    // Please make sure that you read the guidance on how to set Partition ID, Logical Key Store Name and
    // Branch Key ID at the top of this example before creating Hierarchical Keyrings with a Shared Cache
    let keyring2 = mpl
        .create_aws_kms_hierarchical_keyring()
        .key_store(key_store2)
        .branch_key_id(branch_key_id)
        .cache(shared_cache)
        .ttl_seconds(600)
        .partition_id(partition_id)
        .send()
        .await?;

    // 13. This encrypt-decrypt roundtrip with HK2 will experience Cache HITS from previous HK1 roundtrip
    // Encrypt the data for encryption_context using keyring2
    let encryption_response2 = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(keyring2.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext2 = encryption_response2
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 14. Demonstrate that the ciphertexts and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext2,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 15. Decrypt your encrypted data using the same keyring HK2 you used on encrypt.
    let decryption_response2 = esdk_client
        .decrypt()
        .ciphertext(ciphertext2)
        .keyring(keyring2)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext2 = decryption_response2
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 10. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext2,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("Shared Cache Across Hierarchical Keyrings Example Completed Successfully");

    Ok(())
}

impl Client

pub fn create_default_client_supplier( &self, ) -> CreateDefaultClientSupplierFluentBuilder

Constructs a fluent builder for the CreateDefaultClientSupplier operation.

• The fluent builder is configurable:
• On success, responds with CreateDefaultClientSupplierOutput with field(s):
  • client(Option<crate::deps::aws_cryptography_materialProviders::types::client_supplier::ClientSupplierRef>): (undocumented)
• On failure, responds with SdkError<CreateDefaultClientSupplierError>

impl Client

pub fn initialize_encryption_materials( &self, ) -> InitializeEncryptionMaterialsFluentBuilder

Constructs a fluent builder for the InitializeEncryptionMaterials operation.

• The fluent builder is configurable:
  • algorithm_suite_id(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::AlgorithmSuiteId>>) / set_algorithm_suite_id(Option<crate::deps::aws_cryptography_materialProviders::types::AlgorithmSuiteId>): (undocumented)
    
  • encryption_context(impl Into<Option<::std::collections::HashMap<::std::string::String, ::std::string::String>>>) / set_encryption_context(Option<::std::collections::HashMap<::std::string::String, ::std::string::String>>): (undocumented)
    
  • required_encryption_context_keys(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_required_encryption_context_keys(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
  • signing_key(impl Into<Option<::aws_smithy_types::Blob>>) / set_signing_key(Option<::aws_smithy_types::Blob>): (undocumented)
    
  • verification_key(impl Into<Option<::aws_smithy_types::Blob>>) / set_verification_key(Option<::aws_smithy_types::Blob>): (undocumented)
    
• On success, responds with EncryptionMaterials with field(s):
  • algorithm_suite(Option<crate::deps::aws_cryptography_materialProviders::types::AlgorithmSuiteInfo>): (undocumented)
  • encrypted_data_keys(Option<::std::vec::Vec<crate::deps::aws_cryptography_materialProviders::types::EncryptedDataKey>>): (undocumented)
  • encryption_context(Option<::std::collections::HashMap<::std::string::String, ::std::string::String>>): (undocumented)
  • plaintext_data_key(Option<::aws_smithy_types::Blob>): (undocumented)
  • required_encryption_context_keys(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
  • signing_key(Option<::aws_smithy_types::Blob>): (undocumented)
  • symmetric_signing_keys(Option<::std::vec::Vec<::aws_smithy_types::Blob>>): (undocumented)
• On failure, responds with SdkError<InitializeEncryptionMaterialsError>

impl Client

pub fn initialize_decryption_materials( &self, ) -> InitializeDecryptionMaterialsFluentBuilder

Constructs a fluent builder for the InitializeDecryptionMaterials operation.

• The fluent builder is configurable:
  • algorithm_suite_id(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::AlgorithmSuiteId>>) / set_algorithm_suite_id(Option<crate::deps::aws_cryptography_materialProviders::types::AlgorithmSuiteId>): (undocumented)
    
  • encryption_context(impl Into<Option<::std::collections::HashMap<::std::string::String, ::std::string::String>>>) / set_encryption_context(Option<::std::collections::HashMap<::std::string::String, ::std::string::String>>): (undocumented)
    
  • required_encryption_context_keys(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_required_encryption_context_keys(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
• On success, responds with DecryptionMaterials with field(s):
  • algorithm_suite(Option<crate::deps::aws_cryptography_materialProviders::types::AlgorithmSuiteInfo>): (undocumented)
  • encryption_context(Option<::std::collections::HashMap<::std::string::String, ::std::string::String>>): (undocumented)
  • plaintext_data_key(Option<::aws_smithy_types::Blob>): (undocumented)
  • required_encryption_context_keys(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
  • symmetric_signing_key(Option<::aws_smithy_types::Blob>): (undocumented)
  • verification_key(Option<::aws_smithy_types::Blob>): (undocumented)
• On failure, responds with SdkError<InitializeDecryptionMaterialsError>

impl Client

pub fn valid_encryption_materials_transition( &self, ) -> ValidEncryptionMaterialsTransitionFluentBuilder

Constructs a fluent builder for the ValidEncryptionMaterialsTransition operation.

• The fluent builder is configurable:
  • start(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::EncryptionMaterials>>) / set_start(Option<crate::deps::aws_cryptography_materialProviders::types::EncryptionMaterials>): (undocumented)
    
  • stop(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::EncryptionMaterials>>) / set_stop(Option<crate::deps::aws_cryptography_materialProviders::types::EncryptionMaterials>): (undocumented)
    
• On success, responds with Unit with field(s):
• On failure, responds with SdkError<ValidEncryptionMaterialsTransitionError>

impl Client

pub fn valid_decryption_materials_transition( &self, ) -> ValidDecryptionMaterialsTransitionFluentBuilder

Constructs a fluent builder for the ValidDecryptionMaterialsTransition operation.

• The fluent builder is configurable:
  • start(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::DecryptionMaterials>>) / set_start(Option<crate::deps::aws_cryptography_materialProviders::types::DecryptionMaterials>): (undocumented)
    
  • stop(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::DecryptionMaterials>>) / set_stop(Option<crate::deps::aws_cryptography_materialProviders::types::DecryptionMaterials>): (undocumented)
    
• On success, responds with Unit with field(s):
• On failure, responds with SdkError<ValidDecryptionMaterialsTransitionError>

impl Client

pub fn encryption_materials_has_plaintext_data_key( &self, ) -> EncryptionMaterialsHasPlaintextDataKeyFluentBuilder

Constructs a fluent builder for the EncryptionMaterialsHasPlaintextDataKey operation.

• The fluent builder is configurable:
  • algorithm_suite(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::AlgorithmSuiteInfo>>) / set_algorithm_suite(Option<crate::deps::aws_cryptography_materialProviders::types::AlgorithmSuiteInfo>): (undocumented)
    
  • encrypted_data_keys(impl Into<Option<::std::vec::Vec<crate::deps::aws_cryptography_materialProviders::types::EncryptedDataKey>>>) / set_encrypted_data_keys(Option<::std::vec::Vec<crate::deps::aws_cryptography_materialProviders::types::EncryptedDataKey>>): (undocumented)
    
  • encryption_context(impl Into<Option<::std::collections::HashMap<::std::string::String, ::std::string::String>>>) / set_encryption_context(Option<::std::collections::HashMap<::std::string::String, ::std::string::String>>): (undocumented)
    
  • plaintext_data_key(impl Into<Option<::aws_smithy_types::Blob>>) / set_plaintext_data_key(Option<::aws_smithy_types::Blob>): (undocumented)
    
  • required_encryption_context_keys(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_required_encryption_context_keys(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
  • signing_key(impl Into<Option<::aws_smithy_types::Blob>>) / set_signing_key(Option<::aws_smithy_types::Blob>): (undocumented)
    
  • symmetric_signing_keys(impl Into<Option<::std::vec::Vec<::aws_smithy_types::Blob>>>) / set_symmetric_signing_keys(Option<::std::vec::Vec<::aws_smithy_types::Blob>>): (undocumented)
    
• On success, responds with Unit with field(s):
• On failure, responds with SdkError<EncryptionMaterialsHasPlaintextDataKeyError>

impl Client

pub fn decryption_materials_with_plaintext_data_key( &self, ) -> DecryptionMaterialsWithPlaintextDataKeyFluentBuilder

Constructs a fluent builder for the DecryptionMaterialsWithPlaintextDataKey operation.

• The fluent builder is configurable:
  • algorithm_suite(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::AlgorithmSuiteInfo>>) / set_algorithm_suite(Option<crate::deps::aws_cryptography_materialProviders::types::AlgorithmSuiteInfo>): (undocumented)
    
  • encryption_context(impl Into<Option<::std::collections::HashMap<::std::string::String, ::std::string::String>>>) / set_encryption_context(Option<::std::collections::HashMap<::std::string::String, ::std::string::String>>): (undocumented)
    
  • plaintext_data_key(impl Into<Option<::aws_smithy_types::Blob>>) / set_plaintext_data_key(Option<::aws_smithy_types::Blob>): (undocumented)
    
  • required_encryption_context_keys(impl Into<Option<::std::vec::Vec<::std::string::String>>>) / set_required_encryption_context_keys(Option<::std::vec::Vec<::std::string::String>>): (undocumented)
    
  • symmetric_signing_key(impl Into<Option<::aws_smithy_types::Blob>>) / set_symmetric_signing_key(Option<::aws_smithy_types::Blob>): (undocumented)
    
  • verification_key(impl Into<Option<::aws_smithy_types::Blob>>) / set_verification_key(Option<::aws_smithy_types::Blob>): (undocumented)
    
• On success, responds with Unit with field(s):
• On failure, responds with SdkError<DecryptionMaterialsWithPlaintextDataKeyError>

impl Client

pub fn get_algorithm_suite_info(&self) -> GetAlgorithmSuiteInfoFluentBuilder

Constructs a fluent builder for the GetAlgorithmSuiteInfo operation.

• The fluent builder is configurable:
  • binary_id(impl Into<Option<::aws_smithy_types::Blob>>) / set_binary_id(Option<::aws_smithy_types::Blob>): (undocumented)
    
• On success, responds with AlgorithmSuiteInfo with field(s):
  • binary_id(Option<::aws_smithy_types::Blob>): (undocumented)
  • commitment(Option<crate::deps::aws_cryptography_materialProviders::types::DerivationAlgorithm>): (undocumented)
  • edk_wrapping(Option<crate::deps::aws_cryptography_materialProviders::types::EdkWrappingAlgorithm>): (undocumented)
  • encrypt(Option<crate::deps::aws_cryptography_materialProviders::types::Encrypt>): (undocumented)
  • id(Option<crate::deps::aws_cryptography_materialProviders::types::AlgorithmSuiteId>): (undocumented)
  • kdf(Option<crate::deps::aws_cryptography_materialProviders::types::DerivationAlgorithm>): (undocumented)
  • message_version(Option<::std::primitive::i32>): (undocumented)
  • signature(Option<crate::deps::aws_cryptography_materialProviders::types::SignatureAlgorithm>): (undocumented)
  • symmetric_signature(Option<crate::deps::aws_cryptography_materialProviders::types::SymmetricSignatureAlgorithm>): (undocumented)
• On failure, responds with SdkError<GetAlgorithmSuiteInfoError>

impl Client

pub fn valid_algorithm_suite_info(&self) -> ValidAlgorithmSuiteInfoFluentBuilder

Constructs a fluent builder for the ValidAlgorithmSuiteInfo operation.

• The fluent builder is configurable:
  • binary_id(impl Into<Option<::aws_smithy_types::Blob>>) / set_binary_id(Option<::aws_smithy_types::Blob>): (undocumented)
    
  • commitment(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::DerivationAlgorithm>>) / set_commitment(Option<crate::deps::aws_cryptography_materialProviders::types::DerivationAlgorithm>): (undocumented)
    
  • edk_wrapping(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::EdkWrappingAlgorithm>>) / set_edk_wrapping(Option<crate::deps::aws_cryptography_materialProviders::types::EdkWrappingAlgorithm>): (undocumented)
    
  • encrypt(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::Encrypt>>) / set_encrypt(Option<crate::deps::aws_cryptography_materialProviders::types::Encrypt>): (undocumented)
    
  • id(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::AlgorithmSuiteId>>) / set_id(Option<crate::deps::aws_cryptography_materialProviders::types::AlgorithmSuiteId>): (undocumented)
    
  • kdf(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::DerivationAlgorithm>>) / set_kdf(Option<crate::deps::aws_cryptography_materialProviders::types::DerivationAlgorithm>): (undocumented)
    
  • message_version(impl Into<Option<::std::primitive::i32>>) / set_message_version(Option<::std::primitive::i32>): (undocumented)
    
  • signature(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::SignatureAlgorithm>>) / set_signature(Option<crate::deps::aws_cryptography_materialProviders::types::SignatureAlgorithm>): (undocumented)
    
  • symmetric_signature(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::SymmetricSignatureAlgorithm>>) / set_symmetric_signature(Option<crate::deps::aws_cryptography_materialProviders::types::SymmetricSignatureAlgorithm>): (undocumented)
    
• On success, responds with Unit with field(s):
• On failure, responds with SdkError<ValidAlgorithmSuiteInfoError>

impl Client

pub fn validate_commitment_policy_on_encrypt( &self, ) -> ValidateCommitmentPolicyOnEncryptFluentBuilder

Constructs a fluent builder for the ValidateCommitmentPolicyOnEncrypt operation.

• The fluent builder is configurable:
  • algorithm(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::AlgorithmSuiteId>>) / set_algorithm(Option<crate::deps::aws_cryptography_materialProviders::types::AlgorithmSuiteId>): (undocumented)
    
  • commitment_policy(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::CommitmentPolicy>>) / set_commitment_policy(Option<crate::deps::aws_cryptography_materialProviders::types::CommitmentPolicy>): (undocumented)
    
• On success, responds with Unit with field(s):
• On failure, responds with SdkError<ValidateCommitmentPolicyOnEncryptError>

impl Client

pub fn validate_commitment_policy_on_decrypt( &self, ) -> ValidateCommitmentPolicyOnDecryptFluentBuilder

Constructs a fluent builder for the ValidateCommitmentPolicyOnDecrypt operation.

• The fluent builder is configurable:
  • algorithm(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::AlgorithmSuiteId>>) / set_algorithm(Option<crate::deps::aws_cryptography_materialProviders::types::AlgorithmSuiteId>): (undocumented)
    
  • commitment_policy(impl Into<Option<crate::deps::aws_cryptography_materialProviders::types::CommitmentPolicy>>) / set_commitment_policy(Option<crate::deps::aws_cryptography_materialProviders::types::CommitmentPolicy>): (undocumented)
    
• On success, responds with Unit with field(s):
• On failure, responds with SdkError<ValidateCommitmentPolicyOnDecryptError>

impl Client

pub fn from_conf(input: MaterialProvidersConfig) -> Result<Self, Error>

Creates a new client from the service Config.

Examples found in repository

examples/cryptographic_materials_manager/restrict_algorithm_suite/signing_suite_only_cmm.rs (line 35)

    pub fn new(keyring: KeyringRef) -> Self {
        let mpl_config = MaterialProvidersConfig::builder().build().unwrap();
        let mpl = mpl_client::Client::from_conf(mpl_config).unwrap();

        Self {
            approved_algos: vec![
                EsdkAlgorithmSuiteId::AlgAes128GcmIv12Tag16HkdfSha256EcdsaP256,
                EsdkAlgorithmSuiteId::AlgAes192GcmIv12Tag16HkdfSha384EcdsaP384,
                EsdkAlgorithmSuiteId::AlgAes256GcmIv12Tag16HkdfSha384EcdsaP384,
                EsdkAlgorithmSuiteId::AlgAes256GcmHkdfSha512CommitKeyEcdsaP384,
            ],
            // Create a DefaultCryptographicMaterialsManager to facilitate
            // GetEncryptionMaterials and DecryptionMaterials
            // after this CMM approves the Algorithm Suite.
            cmm: tokio::task::block_in_place(|| {
                tokio::runtime::Handle::current().block_on(async {
                    mpl.create_default_cryptographic_materials_manager()
                        .keyring(keyring)
                        .send()
                        .await
                })
            })
            .unwrap(),
        }
    }

examples/keyring/aws_kms_keyring_example.rs (line 66)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    kms_key_id: &str,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Create a KMS keyring
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let kms_keyring = mpl
        .create_aws_kms_keyring()
        .kms_key_id(kms_key_id)
        .kms_client(kms_client)
        .send()
        .await?;

    // 5. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(kms_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 6. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 7. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(kms_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("KMS Keyring Example Completed Successfully");

    Ok(())
}

examples/keyring/aws_kms_rsa_keyring_example.rs (line 65)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    kms_rsa_key_id: &str,
    kms_rsa_public_key: &str,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Create a KMS RSA keyring
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    // For more information on the allowed encryption algorithms, please see
    // https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-rsa
    let kms_rsa_keyring = mpl
        .create_aws_kms_rsa_keyring()
        .kms_key_id(kms_rsa_key_id)
        .public_key(aws_smithy_types::Blob::new(kms_rsa_public_key))
        .encryption_algorithm(aws_sdk_kms::types::EncryptionAlgorithmSpec::RsaesOaepSha256)
        .kms_client(kms_client)
        .send()
        .await?;

    // 5. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(kms_rsa_keyring.clone())
        .encryption_context(encryption_context.clone())
        .algorithm_suite_id(EsdkAlgorithmSuiteId::AlgAes256GcmHkdfSha512CommitKey)
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 6. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 7. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(kms_rsa_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("KMS RSA Keyring Example Completed Successfully");

    Ok(())
}

examples/keyring/raw_aes_keyring_example.rs (line 75)

pub async fn encrypt_and_decrypt_with_keyring(example_data: &str) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. The key namespace and key name are defined by you.
    // and are used by the Raw AES keyring to determine
    // whether it should attempt to decrypt an encrypted data key.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
    let key_namespace: &str = "my-key-namespace";
    let key_name: &str = "my-aes-key-name";

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Generate a 256-bit AES key to use with your keyring.
    // In practice, you should get this key from a secure key management system such as an HSM.
    let aes_key_bytes = generate_aes_key_bytes();

    // 5. Create a Raw AES Keyring
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let raw_aes_keyring = mpl
        .create_raw_aes_keyring()
        .key_name(key_name)
        .key_namespace(key_namespace)
        .wrapping_key(aes_key_bytes)
        .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
        .send()
        .await?;

    // 6. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(raw_aes_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 7. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 8. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(raw_aes_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 9. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("Raw AES Keyring Example Completed Successfully");

    Ok(())
}

examples/set_encryption_algorithm_suite_example.rs (line 92)

pub async fn encrypt_and_decrypt_with_keyring(example_data: &str) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
    // which enforces that this client only encrypts using committing algorithm suites and enforces
    // that this client will only decrypt encrypted messages that were created with a committing
    // algorithm suite.
    let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. The key namespace and key name are defined by you.
    // and are used by the Raw AES keyring to determine
    // whether it should attempt to decrypt an encrypted data key.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
    let key_namespace: &str = "my-key-namespace";
    let key_name: &str = "my-aes-key-name";

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Generate a 256-bit AES key to use with your keyring.
    // In practice, you should get this key from a secure key management system such as an HSM.
    let aes_key_bytes = generate_aes_key_bytes();

    // 5. Create a Raw AES Keyring
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    // The wrapping algorithm here is NOT the algorithm suite we set in this example.
    let raw_aes_keyring = mpl
        .create_raw_aes_keyring()
        .key_name(key_name)
        .key_namespace(key_namespace)
        .wrapping_key(aes_key_bytes)
        .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
        .send()
        .await?;

    // 6. Encrypt the data with the encryption_context
    let plaintext = example_data.as_bytes();

    // This is the important step in this example where we specify the algorithm suite
    // you want to use for encrypting your data
    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(raw_aes_keyring.clone())
        .encryption_context(encryption_context.clone())
        .algorithm_suite_id(AlgAes256GcmHkdfSha512CommitKey)
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 7. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 8. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(raw_aes_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 9. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("Set Encryption Algorithm Suite Example Completed Successfully");

    Ok(())
}

examples/set_commitment_policy_example.rs (line 75)

pub async fn encrypt_and_decrypt_with_keyring(
    example_data: &str,
    kms_key_id: &str,
) -> Result<(), crate::BoxError> {
    // 1. Instantiate the encryption SDK client.
    // This example builds the client with the ForbidEncryptAllowDecrypt commitment policy,
    // which enforces that this client cannot encrypt with key commitment
    // and it can decrypt ciphertexts encrypted with or without key commitment.
    // The default commitment policy if you were to build the client like in
    // the `keyring/aws_kms_keyring_example.rs` is RequireEncryptRequireDecrypt.
    // We recommend that AWS Encryption SDK users use the default commitment policy
    // (RequireEncryptRequireDecrypt) whenever possible.
    let esdk_config = AwsEncryptionSdkConfig::builder()
        .commitment_policy(ForbidEncryptAllowDecrypt)
        .build()?;
    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;

    // 2. Create a KMS client.
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let kms_client = aws_sdk_kms::Client::new(&sdk_config);

    // 3. Create encryption context.
    // Remember that your encryption context is NOT SECRET.
    // For more information, see
    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
    let encryption_context = HashMap::from([
        ("encryption".to_string(), "context".to_string()),
        ("is not".to_string(), "secret".to_string()),
        ("but adds".to_string(), "useful metadata".to_string()),
        (
            "that can help you".to_string(),
            "be confident that".to_string(),
        ),
        (
            "the data you are handling".to_string(),
            "is what you think it is".to_string(),
        ),
    ]);

    // 4. Create a KMS keyring
    let mpl_config = MaterialProvidersConfig::builder().build()?;
    let mpl = mpl_client::Client::from_conf(mpl_config)?;

    let kms_keyring = mpl
        .create_aws_kms_keyring()
        .kms_key_id(kms_key_id)
        .kms_client(kms_client)
        .send()
        .await?;

    // 5. Encrypt the data with the encryption_context. Make sure you use a non-committing algorithm
    // with the commitment policy ForbidEncryptAllowDecrypt. Otherwise esdk_client.encrypt() will throw
    // Error: AwsCryptographicMaterialProvidersError
    //   {
    //     error: InvalidAlgorithmSuiteInfoOnEncrypt
    //     {
    //       message: "Configuration conflict. Commitment policy requires only non-committing algorithm suites"
    //     }
    //   }
    // By default for ForbidEncryptAllowDecrypt, the algorithm used is
    // AlgAes256GcmIv12Tag16HkdfSha384EcdsaP384 which is a non-committing algorithm.
    let plaintext = example_data.as_bytes();

    let encryption_response = esdk_client
        .encrypt()
        .plaintext(plaintext)
        .keyring(kms_keyring.clone())
        .encryption_context(encryption_context.clone())
        .send()
        .await?;

    let ciphertext = encryption_response
        .ciphertext
        .expect("Unable to unwrap ciphertext from encryption response");

    // 6. Demonstrate that the ciphertext and plaintext are different.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_ne!(
        ciphertext,
        aws_smithy_types::Blob::new(plaintext),
        "Ciphertext and plaintext data are the same. Invalid encryption"
    );

    // 7. Decrypt your encrypted data using the same keyring you used on encrypt.
    let decryption_response = esdk_client
        .decrypt()
        .ciphertext(ciphertext)
        .keyring(kms_keyring)
        // Provide the encryption context that was supplied to the encrypt method
        .encryption_context(encryption_context)
        .send()
        .await?;

    let decrypted_plaintext = decryption_response
        .plaintext
        .expect("Unable to unwrap plaintext from decryption response");

    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
    // (This is an example for demonstration; you do not need to do this in your own code.)
    assert_eq!(
        decrypted_plaintext,
        aws_smithy_types::Blob::new(plaintext),
        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
    );

    println!("Set Commitment Policy Example Completed Successfully");

    Ok(())
}

Additional examples can be found in:

• examples/keyring/ecdh/public_key_discovery_raw_ecdh_keyring_example.rs
• examples/keyring/ecdh/ephemeral_raw_ecdh_keyring_example.rs
• examples/keyring/aws_kms_mrk_keyring_example.rs
• examples/keyring/raw_rsa_keyring_example.rs
• examples/cryptographic_materials_manager/restrict_algorithm_suite/signing_only_example.rs
• examples/keyring/ecdh/kms_ecdh_discovery_keyring_example.rs
• examples/keyring/aws_kms_mrk_discovery_keyring_example.rs
• examples/keyring/aws_kms_discovery_multi_keyring_example.rs
• examples/keyring/ecdh/raw_ecdh_keyring_example.rs
• examples/keyring/aws_kms_mrk_discovery_multi_keyring_example.rs
• examples/keyring/aws_kms_mrk_multi_keyring_example.rs
• examples/limit_encrypted_data_keys_example.rs
• examples/keyring/aws_kms_discovery_keyring_example.rs
• examples/client_supplier/client_supplier_example.rs
• examples/keyring/multi_keyring_example.rs
• examples/keyring/ecdh/kms_ecdh_keyring_example.rs
• examples/keyring/aws_kms_multi_keyring_example.rs
• examples/cryptographic_materials_manager/required_encryption_context/required_encryption_context_example.rs
• examples/keyring/aws_kms_hierarchical/aws_kms_hierarchical_keyring_example.rs
• examples/keyring/aws_kms_hierarchical/shared_cache_across_hierarchical_keyrings_example.rs

Trait Implementations

impl Clone for Client

fn clone(&self) -> Client

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Client

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl PartialEq for Client

fn eq(&self, other: &Client) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl StructuralPartialEq for Client