com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers

Class DirectKmsMaterialProvider

java.lang.Object

com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.DirectKmsMaterialProvider

All Implemented Interfaces:

EncryptionMaterialsProvider

public class DirectKmsMaterialProvider
extends Object
implements EncryptionMaterialsProvider

Generates a unique data key for each record in DynamoDB and protects that key using AWSKMS. Currently, the HashKey, RangeKey, and TableName will be included in the KMS EncryptionContext for wrapping/unwrapping the key. This means that records cannot be copied/moved between tables without re-encryption.

See Also:

KMS Encryption Context

Constructor Summary

Constructors

Constructor and Description
DirectKmsMaterialProvider(com.amazonaws.services.kms.AWSKMS kms)
DirectKmsMaterialProvider(com.amazonaws.services.kms.AWSKMS kms, String encryptionKeyId)
DirectKmsMaterialProvider(com.amazonaws.services.kms.AWSKMS kms, String encryptionKeyId, Map<String,String> materialDescription)

Method Summary

Modifier and Type	Method and Description
DecryptionMaterials	getDecryptionMaterials(EncryptionContext context) Retrieves encryption materials matching the specified description from some source.
protected String	getEncryptionKeyId() Get encryption key id.
EncryptionMaterials	getEncryptionMaterials(EncryptionContext context) Returns EncryptionMaterials which the caller can use for encryption.
void	refresh() Forces this encryption materials provider to refresh its encryption material.
protected String	selectEncryptionKeyId(EncryptionContext context) Select encryption key id to be used to generate data key.
protected void	validateEncryptionKeyId(String encryptionKeyId, EncryptionContext context) Validate the encryption key id.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DirectKmsMaterialProvider

public DirectKmsMaterialProvider(com.amazonaws.services.kms.AWSKMS kms)

DirectKmsMaterialProvider

public DirectKmsMaterialProvider(com.amazonaws.services.kms.AWSKMS kms,
                                 String encryptionKeyId,
                                 Map<String,String> materialDescription)

DirectKmsMaterialProvider

public DirectKmsMaterialProvider(com.amazonaws.services.kms.AWSKMS kms,
                                 String encryptionKeyId)

Method Detail

getDecryptionMaterials

public DecryptionMaterials getDecryptionMaterials(EncryptionContext context)

Description copied from interface: EncryptionMaterialsProvider

Retrieves encryption materials matching the specified description from some source.

Specified by:

getDecryptionMaterials in interface EncryptionMaterialsProvider

Parameters:

context - Information to assist in selecting a the proper return value. The implementation is free to determine the minimum necessary for successful processing.

Returns:

The encryption materials that match the description, or null if no matching encryption materials found.

getEncryptionMaterials

public EncryptionMaterials getEncryptionMaterials(EncryptionContext context)

Description copied from interface: EncryptionMaterialsProvider

Returns EncryptionMaterials which the caller can use for encryption. Each implementation of EncryptionMaterialsProvider can choose its own strategy for loading encryption material. For example, an implementation might load encryption material from an existing key management system, or load new encryption material when keys are rotated.

Specified by:

getEncryptionMaterials in interface EncryptionMaterialsProvider

Parameters:

context - Information to assist in selecting a the proper return value. The implementation is free to determine the minimum necessary for successful processing.

Returns:

EncryptionMaterials which the caller can use to encrypt or decrypt data.

getEncryptionKeyId

protected String getEncryptionKeyId()

Get encryption key id.

Returns:

encryption key id.

selectEncryptionKeyId

protected String selectEncryptionKeyId(EncryptionContext context)
                                throws com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMappingException

Select encryption key id to be used to generate data key. The default implementation of this method returns encryptionKeyId.

Parameters:

context - encryption context.

Returns:

the encryptionKeyId.

Throws:

com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMappingException - when we fails to select a valid encryption key id.

validateEncryptionKeyId

protected void validateEncryptionKeyId(String encryptionKeyId,
                                       EncryptionContext context)
                                throws com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMappingException

Validate the encryption key id. The default implementation of this method does nothing.

Parameters:

encryptionKeyId - encryption key id from DecryptResult.

context - encryption context.

Throws:

com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMappingException - when encryptionKeyId is invalid.

refresh

public void refresh()

Description copied from interface: EncryptionMaterialsProvider

Forces this encryption materials provider to refresh its encryption material. For many implementations of encryption materials provider, this may simply be a no-op, such as any encryption materials provider implementation that vends static/non-changing encryption material. For other implementations that vend different encryption material throughout their lifetime, this method should force the encryption materials provider to refresh its encryption material.

Specified by:

refresh in interface EncryptionMaterialsProvider