This API enables you to encrypt a DEK using a specified CMK.
POST /v1.0/{project_id}/kms/encrypt-datakey
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| project_id | Yes | String | Project ID |

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| X-Auth-Token | Yes | String | User token. It can be obtained by calling the IAM API (value of X-Subject-Token in the response header). |
| Content-Type | Yes | String | application/json |

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| key_id | Yes | String | The value can be a key ID, alias (key_alias), or URN. |
| encryption_context | No | Object | Key-value pairs with a maximum length of 8192 characters. This parameter is used to record resource context information, excluding sensitive information, to ensure data integrity. If this parameter is specified during encryption, it is also required for decryption. Example: {"Key1":"Value1","Key2":"Value2"} |
| plain_text | Yes | String | Hexadecimal character string concatenated from plaintext of a DEK and the plaintext digest (32-byte character string generated using SHA256). For details, see Example. |
| datakey_plain_length | Yes | String | Number of bytes of a DEK in plaintext. The value range is 1 to 1024. |
| sequence | No | String | A 36-byte serial number of a request message. For example, 919c82d4-8046-4722-9094-35c3c6524cff |

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| key_id | Yes | String | CMK ID |
| cipher_text | Yes | String | The ciphertext of a DEK is expressed in hexadecimal format, and two characters indicate one byte. |
| datakey_length | Yes | String | Length of the DEK, in bytes |
In the following example, the 512-bit plaintext DEK (7549d9aea901767bf3c0b3e14b10722eaf6f59053bbd82045d04e075e809a0fe6ccab48f8e5efe74e4b18ff0512525e527b10331100f357bf42125d8d5ced94f) generated from the customer master key whose key ID is 0d0466b0-e727-4d9c-b35d-f84bb474a37f can be obtained through the API in Creating a DEK.
The digest of the plaintext DEK is fbc8ac72b0785ca7fe33eb6776ce3990b11e32b299d9c0a9ee0305fb9540f797. The method for calculating the digest is as follows:
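```java
import java.security.MessageDigest;

// Digest calculation
public static byte[] sha256(byte[] cmkData) {
    byte[] digest = new byte[0];
    try {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(cmkData);
        digest = md.digest();
    } catch (Exception e) {
        // On failure the method returns an empty array; callers should check the length.
        System.out.println("calculate digest failure, exception is " + e.toString());
    }
    return digest;
}

// Convert the obtained digest into a hexadecimal character string.
public static String bytesToHexString(byte[] digest) {
    StringBuilder sb = new StringBuilder(digest.length * 2);
    for (byte b : digest) {
        sb.append(String.format("%02x", b)); // two lowercase hex characters per byte
    }
    return sb.toString();
}
```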
The value of plain_text (a hexadecimal character string concatenated from plaintext of the DEK and the plaintext digest) is 7549d9aea901767bf3c0b3e14b10722eaf6f59053bbd82045d04e075e809a0fe6ccab48f8e5efe74e4b18ff0512525e527b10331100f357bf42125d8d5ced94ffbc8ac72b0785ca7fe33eb6776ce3990b11e32b299d9c0a9ee0305fb9540f797.

```json
{
  "key_id": "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
  "plain_text": "7549d9aea901767bf3c0b3e14b10722eaf6f59053bbd82045d04e075e809a0fe6ccab48f8e5efe74e4b18ff0512525e527b10331100f357bf42125d8d5ced94ffbc8ac72b0785ca7fe33eb6776ce3990b11e32b299d9c0a9ee0305fb9540f797",
  "datakey_plain_length": "64"
}
```

```json
{
  "key_id": "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
  "cipher_text": "020098005273E14E6E8E95F5463BECDC27E80AF820B9FC086CB47861899149F67CF07DAFF2810B7D27BDF19AB7632488E0926A48DB2FC85BEA905119411B46244C5E6B8036C60A0B0B4842FFE6994518E89C19B1C1D688D9043BCD6053EA7BA0652642CE59F2543C80669139F4F71ABB9BD9A24330643034363662302D653732372D346439632D623335642D66383462623437346133376600000000D34457984F9730D57F228C210FD22CA6017913964B21D4ECE45D81092BB9112E",
  "datakey_length": "64"
}
```

or

```json
{
  "error": {
    "error_code": "KMS.XXXX",
    "error_msg": "XXX"
  }
}
```
Table 5 lists the normal status code returned by the response.
| Status Code | Status | Description |
|---|---|---|
| 200 | OK | Request processed successfully. |
Exception status code. For details, see Status Codes.