Generate data keys - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Generate data keys

Data keys are symmetric keys you can use to encrypt data, including large amounts of data and other data encryption keys. Unlike symmetric KMS keys, which can't be downloaded, data keys are returned to you for use outside of Amazon KMS.

When Amazon KMS generates a data key, it returns an encrypted copy of the data key that you can safely store alongside the data, and (unless you ask for only the encrypted copy) a plaintext copy for immediate use. When you are ready to decrypt the data, you first ask Amazon KMS to decrypt the encrypted data key, which requires kms:Decrypt permission on the KMS key that protects it.

Amazon KMS generates, encrypts, and decrypts data keys. However, Amazon KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys. You must use and manage data keys outside of Amazon KMS. For help using the data keys securely, see the Amazon Encryption SDK.

Create a data key

To create a data key, call the GenerateDataKey operation. Amazon KMS generates the data key (use the KeySpec parameter, AES_256 or AES_128, or NumberOfBytes to choose its length). Then it encrypts a copy of the data key under a symmetric encryption KMS key that you specify. The operation returns a plaintext copy of the data key and the copy of the data key encrypted under the KMS key. The following image shows this operation.

Generate a data key

Amazon KMS also supports the GenerateDataKeyWithoutPlaintext operation, which returns only an encrypted data key. When you need to use the data key, ask Amazon KMS to decrypt it.

How cryptographic operations with data keys work

The following topics explain how data keys generated by a GenerateDataKey or GenerateDataKeyWithoutPlaintext operation work.

Encrypt data with a data key

Amazon KMS cannot use a data key to encrypt data. But you can use the data key outside of Amazon KMS, such as by using OpenSSL or a cryptographic library like the Amazon Encryption SDK.

After using the plaintext data key to encrypt data, remove it from memory as soon as possible. You can safely store the encrypted data key with the encrypted data so it is available to decrypt the data; on its own, the encrypted data key is useless to anyone who cannot call Decrypt on the KMS key that protects it.

Encrypt user data outside of Amazon KMS

Decrypt data with a data key

To decrypt your data, pass the encrypted data key to the Decrypt operation. Amazon KMS uses your KMS key to decrypt the data key and then returns the plaintext data key. For ciphertext encrypted under a symmetric encryption KMS key, the KeyId parameter is optional because the encrypted data key records which KMS key produced it, but specifying it is recommended so that decryption fails if the data key was not encrypted under the key you expect. Use the plaintext data key to decrypt your data and then remove the plaintext data key from memory as soon as possible.
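The whole procedure (generate a data key, encrypt outside KMS, store the encrypted data key with the ciphertext, decrypt the data key, decrypt the data) as one runnable example. This is added example code, not code from the Amazon KMS documentation or the Amazon Encryption SDK. It assumes a small KeyService interface that an application would satisfy with an adapter around the GenerateDataKey and Decrypt methods of the AWS SDK for Go v2 KMS client (the adapter is not shown); the FakeKMS type is a constructed in-process stand-in so that the example runs offline, and the envelope layout and the key alias alias/example-data-key are choices of this example, not a KMS format:

```go
package main

import (
	"context"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const nonceSize = 12 // standard AES-GCM nonce length

// KeyService is the subset of KMS calls envelope encryption needs. In production, satisfy it
// with a thin adapter around (*kms.Client).GenerateDataKey and (*kms.Client).Decrypt from
// aws-sdk-go-v2 (assumed, not shown). FakeKMS below stands in so the example runs offline.
type KeyService interface {
	// GenerateDataKey returns a fresh 256-bit data key in plaintext plus the same key
	// encrypted under the KMS key identified by keyID (GenerateDataKey with KeySpec AES_256).
	GenerateDataKey(ctx context.Context, keyID string) (plaintext, encrypted []byte, err error)
	// Decrypt returns the plaintext data key for an encrypted data key (KMS Decrypt).
	Decrypt(ctx context.Context, keyID string, encrypted []byte) ([]byte, error)
}

// zero overwrites a plaintext key once it is no longer needed. Go gives no guarantee that no
// other copies exist, so this is best effort, but it keeps the key out of the obvious places.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal does envelope encryption: one data key per message, AES-256-GCM for the payload, and
// an envelope that stores the encrypted data key next to the ciphertext. Layout (this
// example's own convention): uint32 big-endian length | encrypted data key | nonce | ciphertext+tag.
// The encrypted data key is also bound to the payload as GCM associated data, so swapping in
// a different key blob is rejected at Open time instead of decrypting to garbage.
func Seal(ctx context.Context, svc KeyService, keyID string, plaintext []byte) ([]byte, error) {
	dataKey, encKey, err := svc.GenerateDataKey(ctx, keyID)
	if err != nil {
		return nil, err
	}
	defer zero(dataKey) // remove the plaintext data key from memory as soon as we are done
	aead, err := gcm(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 4)
	binary.BigEndian.PutUint32(out, uint32(len(encKey)))
	out = append(out, encKey...)
	out = append(out, nonce...)
	return append(out, aead.Seal(nil, nonce, plaintext, encKey)...), nil
}

// Open parses the envelope, asks KMS to decrypt the stored data key, and uses the recovered
// key to decrypt and authenticate the payload. Any tampering makes aead.Open fail.
func Open(ctx context.Context, svc KeyService, keyID string, envelope []byte) ([]byte, error) {
	if len(envelope) < 4 {
		return nil, errors.New("envelope too short")
	}
	n := int(binary.BigEndian.Uint32(envelope[:4]))
	rest := envelope[4:]
	if n == 0 || len(rest) < n+nonceSize {
		return nil, errors.New("envelope truncated")
	}
	encKey, nonce, ct := rest[:n], rest[n:n+nonceSize], rest[n+nonceSize:]
	dataKey, err := svc.Decrypt(ctx, keyID, encKey)
	if err != nil {
		return nil, err
	}
	defer zero(dataKey)
	aead, err := gcm(dataKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, encKey)
}

// FakeKMS is a constructed stand-in for KMS: it wraps data keys with AES-GCM under an
// in-memory master key per key ID, using the key ID as associated data so a blob only
// decrypts under the key that made it. Demonstration only; never a substitute for KMS.
type FakeKMS struct{ masters map[string][]byte }

func NewFakeKMS(keyIDs ...string) *FakeKMS {
	f := &FakeKMS{masters: map[string][]byte{}}
	for _, id := range keyIDs {
		m := make([]byte, 32)
		rand.Read(m)
		f.masters[id] = m
	}
	return f
}

func (f *FakeKMS) GenerateDataKey(ctx context.Context, keyID string) ([]byte, []byte, error) {
	master, ok := f.masters[keyID]
	if !ok {
		return nil, nil, fmt.Errorf("NotFoundException: %s", keyID)
	}
	dataKey := make([]byte, 32) // AES_256 data key
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(append(dataKey[:0:32], nonce...)); err != nil { // fill both buffers
		return nil, nil, err
	}
	rand.Read(dataKey)
	aead, err := gcm(master)
	if err != nil {
		return nil, nil, err
	}
	return dataKey, aead.Seal(nonce, nonce, dataKey, []byte(keyID)), nil
}

func (f *FakeKMS) Decrypt(ctx context.Context, keyID string, encrypted []byte) ([]byte, error) {
	master, ok := f.masters[keyID]
	if !ok || len(encrypted) < nonceSize {
		return nil, errors.New("InvalidCiphertextException")
	}
	aead, err := gcm(master)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, encrypted[:nonceSize], encrypted[nonceSize:], []byte(keyID))
}

func main() {
	ctx := context.Background()
	svc := NewFakeKMS("alias/example-data-key") // hypothetical alias, stands in for a real KMS key
	env, err := Seal(ctx, svc, "alias/example-data-key", []byte("constructed sample record 42"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(ctx, svc, "alias/example-data-key", env)
	fmt.Printf("envelope %d bytes, recovered %q, err=%v\n", len(env), pt, err)
}
```

Two points the code makes that the prose only implies: the envelope is only as safe as the KMS key policy, since whoever can call Decrypt on that key can open every envelope it protects; and a fresh data key per message means a leaked plaintext data key exposes one record, not the whole store.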

The following diagram shows how to use the Decrypt operation to decrypt an encrypted data key.

Decrypting a data key