pub struct CreateMultiKeyringFluentBuilder { /* private fields */ }Expand description
Fluent builder constructing a request to CreateMultiKeyring.
Creates a Multi-Keyring comprised of one or more other Keyrings.
Implementations§
Source§impl CreateMultiKeyringFluentBuilder
impl CreateMultiKeyringFluentBuilder
Sourcepub fn as_input(&self) -> &CreateMultiKeyringInputBuilder
pub fn as_input(&self) -> &CreateMultiKeyringInputBuilder
Access the CreateMultiKeyring as a reference.
Sourcepub async fn send(self) -> Result<KeyringRef, Error>
pub async fn send(self) -> Result<KeyringRef, Error>
Sends the request and returns the response.
Examples found in repository?
examples/limit_encrypted_data_keys_example.rs (line 106)
29pub async fn encrypt_and_decrypt_with_keyring(
30 example_data: &str,
31 max_encrypted_data_keys: u16,
32) -> Result<(), crate::BoxError> {
33 // 1. Instantiate the encryption SDK client.
34 // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
35 // which enforces that this client only encrypts using committing algorithm suites and enforces
36 // that this client will only decrypt encrypted messages that were created with a committing
37 // algorithm suite.
38 // Also, set the EncryptionSDK's max_encrypted_data_keys parameter here
39 let esdk_config = AwsEncryptionSdkConfig::builder()
40 .max_encrypted_data_keys(max_encrypted_data_keys)
41 .build()?;
42 let esdk_client = esdk_client::Client::from_conf(esdk_config)?;
43
44 // 2. The key namespace and key name are defined by you.
45 // and are used by the Raw AES keyring to determine
46 // whether it should attempt to decrypt an encrypted data key.
47 // For more information, see
48 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
49 let key_namespace: &str = "my-key-namespace";
50 let key_name: &str = "my-aes-key-name";
51
52 // 3. Create encryption context.
53 // Remember that your encryption context is NOT SECRET.
54 // For more information, see
55 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
56 let encryption_context = HashMap::from([
57 ("encryption".to_string(), "context".to_string()),
58 ("is not".to_string(), "secret".to_string()),
59 ("but adds".to_string(), "useful metadata".to_string()),
60 (
61 "that can help you".to_string(),
62 "be confident that".to_string(),
63 ),
64 (
65 "the data you are handling".to_string(),
66 "is what you think it is".to_string(),
67 ),
68 ]);
69
70 // 4. Generate `max_encrypted_data_keys` AES keyrings to use with your keyring.
71 // In practice, you should get this key from a secure key management system such as an HSM.
72 let mpl_config = MaterialProvidersConfig::builder().build()?;
73 let mpl = mpl_client::Client::from_conf(mpl_config)?;
74
75 let mut raw_aes_keyrings: Vec<KeyringRef> = vec![];
76
77 assert!(
78 max_encrypted_data_keys > 0,
79 "max_encrypted_data_keys MUST be greater than 0"
80 );
81
82 let mut i = 0;
83 while i < max_encrypted_data_keys {
84 let aes_key_bytes = generate_aes_key_bytes();
85
86 let raw_aes_keyring = mpl
87 .create_raw_aes_keyring()
88 .key_name(key_name)
89 .key_namespace(key_namespace)
90 .wrapping_key(aes_key_bytes)
91 .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
92 .send()
93 .await?;
94
95 raw_aes_keyrings.push(raw_aes_keyring);
96 i += 1;
97 }
98
99 // 5. Create a Multi Keyring with `max_encrypted_data_keys` AES Keyrings
100 let generator_keyring = raw_aes_keyrings.remove(0);
101
102 let multi_keyring = mpl
103 .create_multi_keyring()
104 .generator(generator_keyring)
105 .child_keyrings(raw_aes_keyrings)
106 .send()
107 .await?;
108
109 // 6. Encrypt the data with the encryption_context
110 let plaintext = example_data.as_bytes();
111
112 let encryption_response = esdk_client
113 .encrypt()
114 .plaintext(plaintext)
115 .keyring(multi_keyring.clone())
116 .encryption_context(encryption_context.clone())
117 .send()
118 .await?;
119
120 let ciphertext = encryption_response
121 .ciphertext
122 .expect("Unable to unwrap ciphertext from encryption response");
123
124 // 7. Demonstrate that the ciphertext and plaintext are different.
125 // (This is an example for demonstration; you do not need to do this in your own code.)
126 assert_ne!(
127 ciphertext,
128 aws_smithy_types::Blob::new(plaintext),
129 "Ciphertext and plaintext data are the same. Invalid encryption"
130 );
131
132 // 8. Decrypt your encrypted data using the same keyring you used on encrypt.
133 let decryption_response = esdk_client
134 .decrypt()
135 .ciphertext(ciphertext.clone())
136 .keyring(multi_keyring.clone())
137 // Provide the encryption context that was supplied to the encrypt method
138 .encryption_context(encryption_context.clone())
139 .send()
140 .await?;
141
142 let decrypted_plaintext = decryption_response
143 .plaintext
144 .expect("Unable to unwrap plaintext from decryption response");
145
146 // 9. Demonstrate that the decrypted plaintext is identical to the original plaintext.
147 // (This is an example for demonstration; you do not need to do this in your own code.)
148 assert_eq!(
149 decrypted_plaintext,
150 aws_smithy_types::Blob::new(plaintext),
151 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
152 );
153
154 // 10. Demonstrate that an EncryptionSDK with a lower MaxEncryptedDataKeys
155 // will fail to decrypt the encrypted message.
156 let esdk_config = AwsEncryptionSdkConfig::builder()
157 .max_encrypted_data_keys(max_encrypted_data_keys - 1)
158 .build()?;
159 let esdk_client_incorrect_max_encrypted_keys = esdk_client::Client::from_conf(esdk_config)?;
160
161 let decryption_response_incorrect_max_encrypted_keys = esdk_client_incorrect_max_encrypted_keys
162 .decrypt()
163 .ciphertext(ciphertext)
164 .keyring(multi_keyring)
165 // Provide the encryption context that was supplied to the encrypt method
166 .encryption_context(encryption_context)
167 .send()
168 .await;
169
170 match decryption_response_incorrect_max_encrypted_keys {
171 Ok(_) => panic!(
172 "Decrypt using discovery keyring with wrong AWS Account ID MUST \
173 raise AwsCryptographicMaterialProvidersError"
174 ),
175 Err(AwsEncryptionSdkException { message: m }) => assert_eq!(
176 m,
177 "Ciphertext encrypted data keys exceed maxEncryptedDataKeys"
178 ),
179 _ => panic!("Unexpected error type"),
180 }
181
182 println!("Limit Encrypted Data Keys Example Completed Successfully");
183
184 Ok(())
185}More examples
examples/keyring/multi_keyring_example.rs (line 127)
52pub async fn encrypt_and_decrypt_with_keyring(
53 example_data: &str,
54 kms_key_id: &str,
55) -> Result<(), crate::BoxError> {
56 // 1. Instantiate the encryption SDK client.
57 // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
58 // which enforces that this client only encrypts using committing algorithm suites and enforces
59 // that this client will only decrypt encrypted messages that were created with a committing
60 // algorithm suite.
61 let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
62 let esdk_client = esdk_client::Client::from_conf(esdk_config)?;
63
64 // 2. Create a KMS client.
65 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
66 let kms_client = aws_sdk_kms::Client::new(&sdk_config);
67
68 // 3. Create encryption context.
69 // Remember that your encryption context is NOT SECRET.
70 // For more information, see
71 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
72 let encryption_context = HashMap::from([
73 ("encryption".to_string(), "context".to_string()),
74 ("is not".to_string(), "secret".to_string()),
75 ("but adds".to_string(), "useful metadata".to_string()),
76 (
77 "that can help you".to_string(),
78 "be confident that".to_string(),
79 ),
80 (
81 "the data you are handling".to_string(),
82 "is what you think it is".to_string(),
83 ),
84 ]);
85
86 // 4. Create a KMS keyring
87 let mpl_config = MaterialProvidersConfig::builder().build()?;
88 let mpl = mpl_client::Client::from_conf(mpl_config)?;
89
90 let kms_keyring = mpl
91 .create_aws_kms_keyring()
92 .kms_key_id(kms_key_id)
93 .kms_client(kms_client)
94 .send()
95 .await?;
96
97 // 5. Create a raw AES keyring to additionally encrypt under as child_keyring
98
99 // The key namespace and key name are defined by you.
100 // and are used by the Raw AES keyring to determine
101 // whether it should attempt to decrypt an encrypted data key.
102 // For more information, see
103 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
104 let key_namespace: &str = "my-key-namespace";
105 let key_name: &str = "my-aes-key-name";
106
107 // Generate a 256-bit AES key to use with your raw AES keyring.
108 // In practice, you should get this key from a secure key management system such as an HSM.
109 let aes_key_bytes = generate_aes_key_bytes();
110
111 let raw_aes_keyring = mpl
112 .create_raw_aes_keyring()
113 .key_name(key_name)
114 .key_namespace(key_namespace)
115 .wrapping_key(aes_key_bytes)
116 .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
117 .send()
118 .await?;
119
120 // 6. Create a multi_keyring that consists of the previously created keyrings.
121 // When using this multi_keyring to encrypt data, either `kms_keyring` or
122 // `raw_aes_keyring` (or a multi_keyring containing either) may be used to decrypt the data.
123 let multi_keyring = mpl
124 .create_multi_keyring()
125 .generator(kms_keyring.clone())
126 .child_keyrings(vec![raw_aes_keyring.clone()])
127 .send()
128 .await?;
129
130 // 7. Encrypt the data with the encryption_context
131 let plaintext = example_data.as_bytes();
132
133 let encryption_response = esdk_client
134 .encrypt()
135 .plaintext(plaintext)
136 .keyring(multi_keyring.clone())
137 .encryption_context(encryption_context.clone())
138 .send()
139 .await?;
140
141 let ciphertext = encryption_response
142 .ciphertext
143 .expect("Unable to unwrap ciphertext from encryption response");
144
145 // 8. Demonstrate that the ciphertext and plaintext are different.
146 // (This is an example for demonstration; you do not need to do this in your own code.)
147 assert_ne!(
148 ciphertext,
149 aws_smithy_types::Blob::new(plaintext),
150 "Ciphertext and plaintext data are the same. Invalid encryption"
151 );
152
153 // 9a. Decrypt your encrypted data using the same multi_keyring you used on encrypt.
154 let decryption_response_multi_keyring = esdk_client
155 .decrypt()
156 .ciphertext(ciphertext.clone())
157 .keyring(multi_keyring)
158 // Provide the encryption context that was supplied to the encrypt method
159 .encryption_context(encryption_context.clone())
160 .send()
161 .await?;
162
163 let decrypted_plaintext_multi_keyring = decryption_response_multi_keyring
164 .plaintext
165 .expect("Unable to unwrap plaintext from decryption response");
166
167 // 9b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
168 // (This is an example for demonstration; you do not need to do this in your own code.)
169 assert_eq!(
170 decrypted_plaintext_multi_keyring,
171 aws_smithy_types::Blob::new(plaintext),
172 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
173 );
174
175 // Because you used a multi_keyring on Encrypt, you can use either the
176 // `kms_keyring` or `raw_aes_keyring` individually to decrypt the data.
177
178 // 10. Demonstrate that you can successfully decrypt data using just the `kms_keyring`
179 // directly.
180 // (This is an example for demonstration; you do not need to do this in your own code.)
181
182 // 10a. Decrypt your encrypted data using the kms_keyring.
183 let decryption_response_kms_keyring = esdk_client
184 .decrypt()
185 .ciphertext(ciphertext.clone())
186 .keyring(kms_keyring)
187 // Provide the encryption context that was supplied to the encrypt method
188 .encryption_context(encryption_context.clone())
189 .send()
190 .await?;
191
192 let decrypted_plaintext_kms_keyring = decryption_response_kms_keyring
193 .plaintext
194 .expect("Unable to unwrap plaintext from decryption response");
195
196 // 10b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
197 // (This is an example for demonstration; you do not need to do this in your own code.)
198 assert_eq!(
199 decrypted_plaintext_kms_keyring,
200 aws_smithy_types::Blob::new(plaintext),
201 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
202 );
203
204 // 11. Demonstrate that you can also successfully decrypt data using the `raw_aes_keyring`
205 // directly.
206 // (This is an example for demonstration; you do not need to do this in your own code.)
207
208 // 11a. Decrypt your encrypted data using the raw_aes_keyring.
209 let decryption_response_raw_aes_keyring = esdk_client
210 .decrypt()
211 .ciphertext(ciphertext)
212 .keyring(raw_aes_keyring)
213 // Provide the encryption context that was supplied to the encrypt method
214 .encryption_context(encryption_context)
215 .send()
216 .await?;
217
218 let decrypted_plaintext_raw_aes_keyring = decryption_response_raw_aes_keyring
219 .plaintext
220 .expect("Unable to unwrap plaintext from decryption response");
221
222 // 11b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
223 // (This is an example for demonstration; you do not need to do this in your own code.)
224 assert_eq!(
225 decrypted_plaintext_raw_aes_keyring,
226 aws_smithy_types::Blob::new(plaintext),
227 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
228 );
229
230 println!("Multi Keyring Example Completed Successfully");
231
232 Ok(())
233}Sourcepub fn child_keyrings(self, input: impl Into<Vec<KeyringRef>>) -> Self
pub fn child_keyrings(self, input: impl Into<Vec<KeyringRef>>) -> Self
A list of keyrings (other than the generator) responsible for wrapping and unwrapping the data key.
Examples found in repository?
examples/limit_encrypted_data_keys_example.rs (line 105)
29pub async fn encrypt_and_decrypt_with_keyring(
30 example_data: &str,
31 max_encrypted_data_keys: u16,
32) -> Result<(), crate::BoxError> {
33 // 1. Instantiate the encryption SDK client.
34 // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
35 // which enforces that this client only encrypts using committing algorithm suites and enforces
36 // that this client will only decrypt encrypted messages that were created with a committing
37 // algorithm suite.
38 // Also, set the EncryptionSDK's max_encrypted_data_keys parameter here
39 let esdk_config = AwsEncryptionSdkConfig::builder()
40 .max_encrypted_data_keys(max_encrypted_data_keys)
41 .build()?;
42 let esdk_client = esdk_client::Client::from_conf(esdk_config)?;
43
44 // 2. The key namespace and key name are defined by you.
45 // and are used by the Raw AES keyring to determine
46 // whether it should attempt to decrypt an encrypted data key.
47 // For more information, see
48 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
49 let key_namespace: &str = "my-key-namespace";
50 let key_name: &str = "my-aes-key-name";
51
52 // 3. Create encryption context.
53 // Remember that your encryption context is NOT SECRET.
54 // For more information, see
55 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
56 let encryption_context = HashMap::from([
57 ("encryption".to_string(), "context".to_string()),
58 ("is not".to_string(), "secret".to_string()),
59 ("but adds".to_string(), "useful metadata".to_string()),
60 (
61 "that can help you".to_string(),
62 "be confident that".to_string(),
63 ),
64 (
65 "the data you are handling".to_string(),
66 "is what you think it is".to_string(),
67 ),
68 ]);
69
70 // 4. Generate `max_encrypted_data_keys` AES keyrings to use with your keyring.
71 // In practice, you should get this key from a secure key management system such as an HSM.
72 let mpl_config = MaterialProvidersConfig::builder().build()?;
73 let mpl = mpl_client::Client::from_conf(mpl_config)?;
74
75 let mut raw_aes_keyrings: Vec<KeyringRef> = vec![];
76
77 assert!(
78 max_encrypted_data_keys > 0,
79 "max_encrypted_data_keys MUST be greater than 0"
80 );
81
82 let mut i = 0;
83 while i < max_encrypted_data_keys {
84 let aes_key_bytes = generate_aes_key_bytes();
85
86 let raw_aes_keyring = mpl
87 .create_raw_aes_keyring()
88 .key_name(key_name)
89 .key_namespace(key_namespace)
90 .wrapping_key(aes_key_bytes)
91 .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
92 .send()
93 .await?;
94
95 raw_aes_keyrings.push(raw_aes_keyring);
96 i += 1;
97 }
98
99 // 5. Create a Multi Keyring with `max_encrypted_data_keys` AES Keyrings
100 let generator_keyring = raw_aes_keyrings.remove(0);
101
102 let multi_keyring = mpl
103 .create_multi_keyring()
104 .generator(generator_keyring)
105 .child_keyrings(raw_aes_keyrings)
106 .send()
107 .await?;
108
109 // 6. Encrypt the data with the encryption_context
110 let plaintext = example_data.as_bytes();
111
112 let encryption_response = esdk_client
113 .encrypt()
114 .plaintext(plaintext)
115 .keyring(multi_keyring.clone())
116 .encryption_context(encryption_context.clone())
117 .send()
118 .await?;
119
120 let ciphertext = encryption_response
121 .ciphertext
122 .expect("Unable to unwrap ciphertext from encryption response");
123
124 // 7. Demonstrate that the ciphertext and plaintext are different.
125 // (This is an example for demonstration; you do not need to do this in your own code.)
126 assert_ne!(
127 ciphertext,
128 aws_smithy_types::Blob::new(plaintext),
129 "Ciphertext and plaintext data are the same. Invalid encryption"
130 );
131
132 // 8. Decrypt your encrypted data using the same keyring you used on encrypt.
133 let decryption_response = esdk_client
134 .decrypt()
135 .ciphertext(ciphertext.clone())
136 .keyring(multi_keyring.clone())
137 // Provide the encryption context that was supplied to the encrypt method
138 .encryption_context(encryption_context.clone())
139 .send()
140 .await?;
141
142 let decrypted_plaintext = decryption_response
143 .plaintext
144 .expect("Unable to unwrap plaintext from decryption response");
145
146 // 9. Demonstrate that the decrypted plaintext is identical to the original plaintext.
147 // (This is an example for demonstration; you do not need to do this in your own code.)
148 assert_eq!(
149 decrypted_plaintext,
150 aws_smithy_types::Blob::new(plaintext),
151 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
152 );
153
154 // 10. Demonstrate that an EncryptionSDK with a lower MaxEncryptedDataKeys
155 // will fail to decrypt the encrypted message.
156 let esdk_config = AwsEncryptionSdkConfig::builder()
157 .max_encrypted_data_keys(max_encrypted_data_keys - 1)
158 .build()?;
159 let esdk_client_incorrect_max_encrypted_keys = esdk_client::Client::from_conf(esdk_config)?;
160
161 let decryption_response_incorrect_max_encrypted_keys = esdk_client_incorrect_max_encrypted_keys
162 .decrypt()
163 .ciphertext(ciphertext)
164 .keyring(multi_keyring)
165 // Provide the encryption context that was supplied to the encrypt method
166 .encryption_context(encryption_context)
167 .send()
168 .await;
169
170 match decryption_response_incorrect_max_encrypted_keys {
171 Ok(_) => panic!(
172 "Decrypt using discovery keyring with wrong AWS Account ID MUST \
173 raise AwsCryptographicMaterialProvidersError"
174 ),
175 Err(AwsEncryptionSdkException { message: m }) => assert_eq!(
176 m,
177 "Ciphertext encrypted data keys exceed maxEncryptedDataKeys"
178 ),
179 _ => panic!("Unexpected error type"),
180 }
181
182 println!("Limit Encrypted Data Keys Example Completed Successfully");
183
184 Ok(())
185}More examples
examples/keyring/multi_keyring_example.rs (line 126)
52pub async fn encrypt_and_decrypt_with_keyring(
53 example_data: &str,
54 kms_key_id: &str,
55) -> Result<(), crate::BoxError> {
56 // 1. Instantiate the encryption SDK client.
57 // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
58 // which enforces that this client only encrypts using committing algorithm suites and enforces
59 // that this client will only decrypt encrypted messages that were created with a committing
60 // algorithm suite.
61 let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
62 let esdk_client = esdk_client::Client::from_conf(esdk_config)?;
63
64 // 2. Create a KMS client.
65 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
66 let kms_client = aws_sdk_kms::Client::new(&sdk_config);
67
68 // 3. Create encryption context.
69 // Remember that your encryption context is NOT SECRET.
70 // For more information, see
71 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
72 let encryption_context = HashMap::from([
73 ("encryption".to_string(), "context".to_string()),
74 ("is not".to_string(), "secret".to_string()),
75 ("but adds".to_string(), "useful metadata".to_string()),
76 (
77 "that can help you".to_string(),
78 "be confident that".to_string(),
79 ),
80 (
81 "the data you are handling".to_string(),
82 "is what you think it is".to_string(),
83 ),
84 ]);
85
86 // 4. Create a KMS keyring
87 let mpl_config = MaterialProvidersConfig::builder().build()?;
88 let mpl = mpl_client::Client::from_conf(mpl_config)?;
89
90 let kms_keyring = mpl
91 .create_aws_kms_keyring()
92 .kms_key_id(kms_key_id)
93 .kms_client(kms_client)
94 .send()
95 .await?;
96
97 // 5. Create a raw AES keyring to additionally encrypt under as child_keyring
98
99 // The key namespace and key name are defined by you.
100 // and are used by the Raw AES keyring to determine
101 // whether it should attempt to decrypt an encrypted data key.
102 // For more information, see
103 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
104 let key_namespace: &str = "my-key-namespace";
105 let key_name: &str = "my-aes-key-name";
106
107 // Generate a 256-bit AES key to use with your raw AES keyring.
108 // In practice, you should get this key from a secure key management system such as an HSM.
109 let aes_key_bytes = generate_aes_key_bytes();
110
111 let raw_aes_keyring = mpl
112 .create_raw_aes_keyring()
113 .key_name(key_name)
114 .key_namespace(key_namespace)
115 .wrapping_key(aes_key_bytes)
116 .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
117 .send()
118 .await?;
119
120 // 6. Create a multi_keyring that consists of the previously created keyrings.
121 // When using this multi_keyring to encrypt data, either `kms_keyring` or
122 // `raw_aes_keyring` (or a multi_keyring containing either) may be used to decrypt the data.
123 let multi_keyring = mpl
124 .create_multi_keyring()
125 .generator(kms_keyring.clone())
126 .child_keyrings(vec![raw_aes_keyring.clone()])
127 .send()
128 .await?;
129
130 // 7. Encrypt the data with the encryption_context
131 let plaintext = example_data.as_bytes();
132
133 let encryption_response = esdk_client
134 .encrypt()
135 .plaintext(plaintext)
136 .keyring(multi_keyring.clone())
137 .encryption_context(encryption_context.clone())
138 .send()
139 .await?;
140
141 let ciphertext = encryption_response
142 .ciphertext
143 .expect("Unable to unwrap ciphertext from encryption response");
144
145 // 8. Demonstrate that the ciphertext and plaintext are different.
146 // (This is an example for demonstration; you do not need to do this in your own code.)
147 assert_ne!(
148 ciphertext,
149 aws_smithy_types::Blob::new(plaintext),
150 "Ciphertext and plaintext data are the same. Invalid encryption"
151 );
152
153 // 9a. Decrypt your encrypted data using the same multi_keyring you used on encrypt.
154 let decryption_response_multi_keyring = esdk_client
155 .decrypt()
156 .ciphertext(ciphertext.clone())
157 .keyring(multi_keyring)
158 // Provide the encryption context that was supplied to the encrypt method
159 .encryption_context(encryption_context.clone())
160 .send()
161 .await?;
162
163 let decrypted_plaintext_multi_keyring = decryption_response_multi_keyring
164 .plaintext
165 .expect("Unable to unwrap plaintext from decryption response");
166
167 // 9b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
168 // (This is an example for demonstration; you do not need to do this in your own code.)
169 assert_eq!(
170 decrypted_plaintext_multi_keyring,
171 aws_smithy_types::Blob::new(plaintext),
172 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
173 );
174
175 // Because you used a multi_keyring on Encrypt, you can use either the
176 // `kms_keyring` or `raw_aes_keyring` individually to decrypt the data.
177
178 // 10. Demonstrate that you can successfully decrypt data using just the `kms_keyring`
179 // directly.
180 // (This is an example for demonstration; you do not need to do this in your own code.)
181
182 // 10a. Decrypt your encrypted data using the kms_keyring.
183 let decryption_response_kms_keyring = esdk_client
184 .decrypt()
185 .ciphertext(ciphertext.clone())
186 .keyring(kms_keyring)
187 // Provide the encryption context that was supplied to the encrypt method
188 .encryption_context(encryption_context.clone())
189 .send()
190 .await?;
191
192 let decrypted_plaintext_kms_keyring = decryption_response_kms_keyring
193 .plaintext
194 .expect("Unable to unwrap plaintext from decryption response");
195
196 // 10b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
197 // (This is an example for demonstration; you do not need to do this in your own code.)
198 assert_eq!(
199 decrypted_plaintext_kms_keyring,
200 aws_smithy_types::Blob::new(plaintext),
201 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
202 );
203
204 // 11. Demonstrate that you can also successfully decrypt data using the `raw_aes_keyring`
205 // directly.
206 // (This is an example for demonstration; you do not need to do this in your own code.)
207
208 // 11a. Decrypt your encrypted data using the raw_aes_keyring.
209 let decryption_response_raw_aes_keyring = esdk_client
210 .decrypt()
211 .ciphertext(ciphertext)
212 .keyring(raw_aes_keyring)
213 // Provide the encryption context that was supplied to the encrypt method
214 .encryption_context(encryption_context)
215 .send()
216 .await?;
217
218 let decrypted_plaintext_raw_aes_keyring = decryption_response_raw_aes_keyring
219 .plaintext
220 .expect("Unable to unwrap plaintext from decryption response");
221
222 // 11b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
223 // (This is an example for demonstration; you do not need to do this in your own code.)
224 assert_eq!(
225 decrypted_plaintext_raw_aes_keyring,
226 aws_smithy_types::Blob::new(plaintext),
227 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
228 );
229
230 println!("Multi Keyring Example Completed Successfully");
231
232 Ok(())
233}Sourcepub fn set_child_keyrings(self, input: Option<Vec<KeyringRef>>) -> Self
pub fn set_child_keyrings(self, input: Option<Vec<KeyringRef>>) -> Self
A list of keyrings (other than the generator) responsible for wrapping and unwrapping the data key.
Sourcepub fn get_child_keyrings(&self) -> &Option<Vec<KeyringRef>>
pub fn get_child_keyrings(&self) -> &Option<Vec<KeyringRef>>
A list of keyrings (other than the generator) responsible for wrapping and unwrapping the data key.
Sourcepub fn generator(self, input: impl Into<KeyringRef>) -> Self
pub fn generator(self, input: impl Into<KeyringRef>) -> Self
A keyring responsible for wrapping and unwrapping the data key. This is the first keyring that will be used to wrap the data key, and may be responsible for additionally generating the data key.
Examples found in repository?
examples/limit_encrypted_data_keys_example.rs (line 104)
29pub async fn encrypt_and_decrypt_with_keyring(
30 example_data: &str,
31 max_encrypted_data_keys: u16,
32) -> Result<(), crate::BoxError> {
33 // 1. Instantiate the encryption SDK client.
34 // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
35 // which enforces that this client only encrypts using committing algorithm suites and enforces
36 // that this client will only decrypt encrypted messages that were created with a committing
37 // algorithm suite.
38 // Also, set the EncryptionSDK's max_encrypted_data_keys parameter here
39 let esdk_config = AwsEncryptionSdkConfig::builder()
40 .max_encrypted_data_keys(max_encrypted_data_keys)
41 .build()?;
42 let esdk_client = esdk_client::Client::from_conf(esdk_config)?;
43
44 // 2. The key namespace and key name are defined by you.
45 // and are used by the Raw AES keyring to determine
46 // whether it should attempt to decrypt an encrypted data key.
47 // For more information, see
48 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
49 let key_namespace: &str = "my-key-namespace";
50 let key_name: &str = "my-aes-key-name";
51
52 // 3. Create encryption context.
53 // Remember that your encryption context is NOT SECRET.
54 // For more information, see
55 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
56 let encryption_context = HashMap::from([
57 ("encryption".to_string(), "context".to_string()),
58 ("is not".to_string(), "secret".to_string()),
59 ("but adds".to_string(), "useful metadata".to_string()),
60 (
61 "that can help you".to_string(),
62 "be confident that".to_string(),
63 ),
64 (
65 "the data you are handling".to_string(),
66 "is what you think it is".to_string(),
67 ),
68 ]);
69
70 // 4. Generate `max_encrypted_data_keys` AES keyrings to use with your keyring.
71 // In practice, you should get this key from a secure key management system such as an HSM.
72 let mpl_config = MaterialProvidersConfig::builder().build()?;
73 let mpl = mpl_client::Client::from_conf(mpl_config)?;
74
75 let mut raw_aes_keyrings: Vec<KeyringRef> = vec![];
76
77 assert!(
78 max_encrypted_data_keys > 0,
79 "max_encrypted_data_keys MUST be greater than 0"
80 );
81
82 let mut i = 0;
83 while i < max_encrypted_data_keys {
84 let aes_key_bytes = generate_aes_key_bytes();
85
86 let raw_aes_keyring = mpl
87 .create_raw_aes_keyring()
88 .key_name(key_name)
89 .key_namespace(key_namespace)
90 .wrapping_key(aes_key_bytes)
91 .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
92 .send()
93 .await?;
94
95 raw_aes_keyrings.push(raw_aes_keyring);
96 i += 1;
97 }
98
99 // 5. Create a Multi Keyring with `max_encrypted_data_keys` AES Keyrings
100 let generator_keyring = raw_aes_keyrings.remove(0);
101
102 let multi_keyring = mpl
103 .create_multi_keyring()
104 .generator(generator_keyring)
105 .child_keyrings(raw_aes_keyrings)
106 .send()
107 .await?;
108
109 // 6. Encrypt the data with the encryption_context
110 let plaintext = example_data.as_bytes();
111
112 let encryption_response = esdk_client
113 .encrypt()
114 .plaintext(plaintext)
115 .keyring(multi_keyring.clone())
116 .encryption_context(encryption_context.clone())
117 .send()
118 .await?;
119
120 let ciphertext = encryption_response
121 .ciphertext
122 .expect("Unable to unwrap ciphertext from encryption response");
123
124 // 7. Demonstrate that the ciphertext and plaintext are different.
125 // (This is an example for demonstration; you do not need to do this in your own code.)
126 assert_ne!(
127 ciphertext,
128 aws_smithy_types::Blob::new(plaintext),
129 "Ciphertext and plaintext data are the same. Invalid encryption"
130 );
131
132 // 8. Decrypt your encrypted data using the same keyring you used on encrypt.
133 let decryption_response = esdk_client
134 .decrypt()
135 .ciphertext(ciphertext.clone())
136 .keyring(multi_keyring.clone())
137 // Provide the encryption context that was supplied to the encrypt method
138 .encryption_context(encryption_context.clone())
139 .send()
140 .await?;
141
142 let decrypted_plaintext = decryption_response
143 .plaintext
144 .expect("Unable to unwrap plaintext from decryption response");
145
146 // 9. Demonstrate that the decrypted plaintext is identical to the original plaintext.
147 // (This is an example for demonstration; you do not need to do this in your own code.)
148 assert_eq!(
149 decrypted_plaintext,
150 aws_smithy_types::Blob::new(plaintext),
151 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
152 );
153
154 // 10. Demonstrate that an EncryptionSDK with a lower MaxEncryptedDataKeys
155 // will fail to decrypt the encrypted message.
156 let esdk_config = AwsEncryptionSdkConfig::builder()
157 .max_encrypted_data_keys(max_encrypted_data_keys - 1)
158 .build()?;
159 let esdk_client_incorrect_max_encrypted_keys = esdk_client::Client::from_conf(esdk_config)?;
160
161 let decryption_response_incorrect_max_encrypted_keys = esdk_client_incorrect_max_encrypted_keys
162 .decrypt()
163 .ciphertext(ciphertext)
164 .keyring(multi_keyring)
165 // Provide the encryption context that was supplied to the encrypt method
166 .encryption_context(encryption_context)
167 .send()
168 .await;
169
170 match decryption_response_incorrect_max_encrypted_keys {
171 Ok(_) => panic!(
172 "Decrypt using discovery keyring with wrong AWS Account ID MUST \
173 raise AwsCryptographicMaterialProvidersError"
174 ),
175 Err(AwsEncryptionSdkException { message: m }) => assert_eq!(
176 m,
177 "Ciphertext encrypted data keys exceed maxEncryptedDataKeys"
178 ),
179 _ => panic!("Unexpected error type"),
180 }
181
182 println!("Limit Encrypted Data Keys Example Completed Successfully");
183
184 Ok(())
185}More examples
examples/keyring/multi_keyring_example.rs (line 125)
52pub async fn encrypt_and_decrypt_with_keyring(
53 example_data: &str,
54 kms_key_id: &str,
55) -> Result<(), crate::BoxError> {
56 // 1. Instantiate the encryption SDK client.
57 // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
58 // which enforces that this client only encrypts using committing algorithm suites and enforces
59 // that this client will only decrypt encrypted messages that were created with a committing
60 // algorithm suite.
61 let esdk_config = AwsEncryptionSdkConfig::builder().build()?;
62 let esdk_client = esdk_client::Client::from_conf(esdk_config)?;
63
64 // 2. Create a KMS client.
65 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
66 let kms_client = aws_sdk_kms::Client::new(&sdk_config);
67
68 // 3. Create encryption context.
69 // Remember that your encryption context is NOT SECRET.
70 // For more information, see
71 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
72 let encryption_context = HashMap::from([
73 ("encryption".to_string(), "context".to_string()),
74 ("is not".to_string(), "secret".to_string()),
75 ("but adds".to_string(), "useful metadata".to_string()),
76 (
77 "that can help you".to_string(),
78 "be confident that".to_string(),
79 ),
80 (
81 "the data you are handling".to_string(),
82 "is what you think it is".to_string(),
83 ),
84 ]);
85
86 // 4. Create a KMS keyring
87 let mpl_config = MaterialProvidersConfig::builder().build()?;
88 let mpl = mpl_client::Client::from_conf(mpl_config)?;
89
90 let kms_keyring = mpl
91 .create_aws_kms_keyring()
92 .kms_key_id(kms_key_id)
93 .kms_client(kms_client)
94 .send()
95 .await?;
96
97 // 5. Create a raw AES keyring to additionally encrypt under as child_keyring
98
99 // The key namespace and key name are defined by you.
100 // and are used by the Raw AES keyring to determine
101 // whether it should attempt to decrypt an encrypted data key.
102 // For more information, see
103 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
104 let key_namespace: &str = "my-key-namespace";
105 let key_name: &str = "my-aes-key-name";
106
107 // Generate a 256-bit AES key to use with your raw AES keyring.
108 // In practice, you should get this key from a secure key management system such as an HSM.
109 let aes_key_bytes = generate_aes_key_bytes();
110
111 let raw_aes_keyring = mpl
112 .create_raw_aes_keyring()
113 .key_name(key_name)
114 .key_namespace(key_namespace)
115 .wrapping_key(aes_key_bytes)
116 .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
117 .send()
118 .await?;
119
120 // 6. Create a multi_keyring that consists of the previously created keyrings.
121 // When using this multi_keyring to encrypt data, either `kms_keyring` or
122 // `raw_aes_keyring` (or a multi_keyring containing either) may be used to decrypt the data.
123 let multi_keyring = mpl
124 .create_multi_keyring()
125 .generator(kms_keyring.clone())
126 .child_keyrings(vec![raw_aes_keyring.clone()])
127 .send()
128 .await?;
129
130 // 7. Encrypt the data with the encryption_context
131 let plaintext = example_data.as_bytes();
132
133 let encryption_response = esdk_client
134 .encrypt()
135 .plaintext(plaintext)
136 .keyring(multi_keyring.clone())
137 .encryption_context(encryption_context.clone())
138 .send()
139 .await?;
140
141 let ciphertext = encryption_response
142 .ciphertext
143 .expect("Unable to unwrap ciphertext from encryption response");
144
145 // 8. Demonstrate that the ciphertext and plaintext are different.
146 // (This is an example for demonstration; you do not need to do this in your own code.)
147 assert_ne!(
148 ciphertext,
149 aws_smithy_types::Blob::new(plaintext),
150 "Ciphertext and plaintext data are the same. Invalid encryption"
151 );
152
153 // 9a. Decrypt your encrypted data using the same multi_keyring you used on encrypt.
154 let decryption_response_multi_keyring = esdk_client
155 .decrypt()
156 .ciphertext(ciphertext.clone())
157 .keyring(multi_keyring)
158 // Provide the encryption context that was supplied to the encrypt method
159 .encryption_context(encryption_context.clone())
160 .send()
161 .await?;
162
163 let decrypted_plaintext_multi_keyring = decryption_response_multi_keyring
164 .plaintext
165 .expect("Unable to unwrap plaintext from decryption response");
166
167 // 9b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
168 // (This is an example for demonstration; you do not need to do this in your own code.)
169 assert_eq!(
170 decrypted_plaintext_multi_keyring,
171 aws_smithy_types::Blob::new(plaintext),
172 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
173 );
174
175 // Because you used a multi_keyring on Encrypt, you can use either the
176 // `kms_keyring` or `raw_aes_keyring` individually to decrypt the data.
177
178 // 10. Demonstrate that you can successfully decrypt data using just the `kms_keyring`
179 // directly.
180 // (This is an example for demonstration; you do not need to do this in your own code.)
181
182 // 10a. Decrypt your encrypted data using the kms_keyring.
183 let decryption_response_kms_keyring = esdk_client
184 .decrypt()
185 .ciphertext(ciphertext.clone())
186 .keyring(kms_keyring)
187 // Provide the encryption context that was supplied to the encrypt method
188 .encryption_context(encryption_context.clone())
189 .send()
190 .await?;
191
192 let decrypted_plaintext_kms_keyring = decryption_response_kms_keyring
193 .plaintext
194 .expect("Unable to unwrap plaintext from decryption response");
195
196 // 10b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
197 // (This is an example for demonstration; you do not need to do this in your own code.)
198 assert_eq!(
199 decrypted_plaintext_kms_keyring,
200 aws_smithy_types::Blob::new(plaintext),
201 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
202 );
203
204 // 11. Demonstrate that you can also successfully decrypt data using the `raw_aes_keyring`
205 // directly.
206 // (This is an example for demonstration; you do not need to do this in your own code.)
207
208 // 11a. Decrypt your encrypted data using the raw_aes_keyring.
209 let decryption_response_raw_aes_keyring = esdk_client
210 .decrypt()
211 .ciphertext(ciphertext)
212 .keyring(raw_aes_keyring)
213 // Provide the encryption context that was supplied to the encrypt method
214 .encryption_context(encryption_context)
215 .send()
216 .await?;
217
218 let decrypted_plaintext_raw_aes_keyring = decryption_response_raw_aes_keyring
219 .plaintext
220 .expect("Unable to unwrap plaintext from decryption response");
221
222 // 11b. Demonstrate that the decrypted plaintext is identical to the original plaintext.
223 // (This is an example for demonstration; you do not need to do this in your own code.)
224 assert_eq!(
225 decrypted_plaintext_raw_aes_keyring,
226 aws_smithy_types::Blob::new(plaintext),
227 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
228 );
229
230 println!("Multi Keyring Example Completed Successfully");
231
232 Ok(())
233}Sourcepub fn set_generator(self, input: Option<KeyringRef>) -> Self
pub fn set_generator(self, input: Option<KeyringRef>) -> Self
A keyring responsible for wrapping and unwrapping the data key. This is the first keyring that will be used to wrap the data key, and may be responsible for additionally generating the data key.
Sourcepub fn get_generator(&self) -> &Option<KeyringRef>
pub fn get_generator(&self) -> &Option<KeyringRef>
A keyring responsible for wrapping and unwrapping the data key. This is the first keyring that will be used to wrap the data key, and may be responsible for additionally generating the data key.
Trait Implementations§
Source§impl Clone for CreateMultiKeyringFluentBuilder
impl Clone for CreateMultiKeyringFluentBuilder
Source§fn clone(&self) -> CreateMultiKeyringFluentBuilder
fn clone(&self) -> CreateMultiKeyringFluentBuilder
Returns a duplicate of the value. Read more
1.0.0 · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
Performs copy-assignment from
source. Read moreAuto Trait Implementations§
impl Freeze for CreateMultiKeyringFluentBuilder
impl !RefUnwindSafe for CreateMultiKeyringFluentBuilder
impl Send for CreateMultiKeyringFluentBuilder
impl Sync for CreateMultiKeyringFluentBuilder
impl Unpin for CreateMultiKeyringFluentBuilder
impl !UnwindSafe for CreateMultiKeyringFluentBuilder
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value. Read more
Source§impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> CloneToUninit for Twhere
T: Clone,
Source§impl<T> Instrument for T
impl<T> Instrument for T
Source§fn instrument(self, span: Span) -> Instrumented<Self>
fn instrument(self, span: Span) -> Instrumented<Self>
Source§fn in_current_span(self) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
Source§impl<T> IntoEither for T
impl<T> IntoEither for T
Source§fn into_either(self, into_left: bool) -> Either<Self, Self>
fn into_either(self, into_left: bool) -> Either<Self, Self>
Converts
self into a Left variant of Either<Self, Self>
if into_left is true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read moreSource§fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
Converts
self into a Left variant of Either<Self, Self>
if into_left(&self) returns true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read moreCreates a shared type from an unshared type.