

# Generate data keys
<a name="data-keys"></a>

*Data keys* are symmetric keys you can use to encrypt data, including large amounts of data and other data encryption keys. Unlike symmetric KMS keys, which can't be downloaded, data keys are returned to you for use outside of Amazon KMS. 

When Amazon KMS generates a data key, it returns a plaintext copy of the data key for immediate use (you can ask for the encrypted copy alone; see below) and an encrypted copy of the data key that you can safely store with the data. When you are ready to decrypt the data, you first ask Amazon KMS to decrypt the encrypted data key, then use the returned plaintext data key to decrypt the data locally. 

Amazon KMS generates, encrypts, and decrypts data keys. It does not store, manage, or track your data keys, and it does not perform cryptographic operations with them: you must use and protect data keys outside of Amazon KMS, and a plaintext data key that leaks is not something Amazon KMS can revoke. For help using data keys securely, see the [Amazon Encryption SDK](https://docs.amazonaws.cn/encryption-sdk/latest/developer-guide/).

**Topics**
+ [Create a data key](#data-keys-create)
+ [How cryptographic operations with data keys work](#use-data-keys)
+ [How unusable KMS keys affect data keys](unusable-kms-keys.md)

## Create a data key
<a name="data-keys-create"></a>

To create a data key, call the [GenerateDataKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKey.html) operation, specifying a [symmetric encryption KMS key](symm-asymm-choose-key-spec.md#symmetric-cmks) and the length of the data key you want (`KeySpec` of `AES_128` or `AES_256`, or an explicit `NumberOfBytes`). Amazon KMS generates the data key, encrypts a copy of it under the KMS key, and returns both the plaintext data key and the copy encrypted under the KMS key. The following image shows this operation.

![\[Generate a data key\]](http://docs.amazonaws.cn/en_us/kms/latest/developerguide/images/generate-data-key.png)


Amazon KMS also supports the [GenerateDataKeyWithoutPlaintext](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html) operation, which returns only an encrypted data key. Use it when the component that creates the data key does not need to encrypt anything right away, for example when one component provisions keys that another component will use later; the plaintext then exists only in the component that actually needs it. When you need to use the data key, ask Amazon KMS to [decrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_Decrypt.html) it.

## How cryptographic operations with data keys work
<a name="use-data-keys"></a>

The following topics explain how data keys generated by a [GenerateDataKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKey.html) or [GenerateDataKeyWithoutPlaintext](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html) operation are used to encrypt and decrypt data.

### Encrypt data with a data key
<a name="data-keys-encrypt"></a>

Amazon KMS cannot use a data key to encrypt data. Instead, you use the data key outside of Amazon KMS, for example with OpenSSL or a cryptographic library such as the [Amazon Encryption SDK](https://docs.amazonaws.cn/encryption-sdk/latest/developer-guide/). Prefer an authenticated encryption mode (such as AES-GCM) so that modified ciphertext is rejected on decryption rather than decrypted to garbage.

After using the plaintext data key to encrypt data, remove it from memory as soon as possible (in a garbage-collected runtime this is best effort, which is one more reason to keep the key's lifetime short). You can safely store the encrypted data key with the encrypted data so it is available to decrypt the data: without a successful `Decrypt` call under the KMS key that encrypted it, the stored data key is only ciphertext, so it does not help an attacker who obtains the data.

![\[Encrypt user data outside of Amazon KMS\]](http://docs.amazonaws.cn/en_us/kms/latest/developerguide/images/encrypt-with-data-key.png)


### Decrypt data with a data key
<a name="data-keys-decrypt"></a>

To decrypt your data, pass the encrypted data key to the [Decrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_Decrypt.html) operation. Amazon KMS uses the KMS key that encrypted the data key to decrypt it and then returns the plaintext data key. For data keys encrypted under a symmetric encryption KMS key, the ciphertext carries metadata that identifies that KMS key, so `KeyId` is optional in `Decrypt`; specifying it anyway is good practice, because the call then fails instead of silently using a key you did not intend. If you supplied an encryption context when you generated the data key, you must supply the same context to `Decrypt`. Use the plaintext data key to decrypt your data and then remove the plaintext data key from memory as soon as possible.

The following diagram shows how to use the `Decrypt` operation to decrypt an encrypted data key.

![\[Decrypting a data key\]](http://docs.amazonaws.cn/en_us/kms/latest/developerguide/images/decrypt.png)
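The whole round trip described in the sections above (generate a data key, encrypt locally, store the encrypted data key with the ciphertext, unwrap it with `Decrypt`, decrypt locally) as an added Go example. This is not code from this page or from Amazon. Because it has to run offline, the two KMS calls go through a small `DataKeyService` interface that is served here by a constructed in-memory `fakeKMS`; the fake only imitates the API contract (it wraps data keys under a local AES-256-GCM key and binds the encryption context as additional authenticated data so that a mismatched context fails), it is not how Amazon KMS works internally. In a real deployment an adapter around the KMS client's `GenerateDataKey` and `Decrypt` would satisfy the same interface. The `alias/app-data` key ID, the envelope layout, the `tenant` encryption context and the sample record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const nonceSize = 12 // standard AES-GCM nonce length used by cipher.NewGCM

// DataKeyService is the slice of the KMS API envelope encryption needs; in production the KMS client satisfies it.
type DataKeyService interface {
	GenerateDataKey(keyID string, ctx map[string]string) (plaintextKey, encryptedKey []byte, err error)
	Decrypt(keyID string, encryptedKey []byte, ctx map[string]string) ([]byte, error)
}

// fakeKMS is a constructed offline stand-in: it wraps data keys under a local 256-bit "KMS key"
// with AES-GCM and binds the encryption context as AAD, so a mismatched context fails to
// decrypt as it does in KMS. It imitates the API contract, not the KMS implementation.
type fakeKMS struct{ kmsKey []byte }

func (f *fakeKMS) GenerateDataKey(keyID string, ctx map[string]string) ([]byte, []byte, error) {
	dk, nonce := randBytes(32), randBytes(nonceSize) // 32 bytes = KeySpec AES_256
	return dk, mustGCM(f.kmsKey).Seal(nonce, nonce, dk, aad(ctx)), nil
}

func (f *fakeKMS) Decrypt(keyID string, encryptedKey []byte, ctx map[string]string) ([]byte, error) {
	if len(encryptedKey) >= nonceSize {
		dk, err := mustGCM(f.kmsKey).Open(nil, encryptedKey[:nonceSize], encryptedKey[nonceSize:], aad(ctx))
		if err == nil {
			return dk, nil
		}
	}
	return nil, errors.New("InvalidCiphertextException") // wrong KMS key, wrong context, or tampered blob
}

func aad(ctx map[string]string) []byte { return []byte(fmt.Sprint(ctx)) } // deterministic: fmt sorts map keys

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a bad key length; every key here is 32 bytes
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return gcm
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG, no safe way to continue
	}
	return b
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// EncryptEnvelope: one GenerateDataKey call, then AES-GCM locally. Stored layout is
// uint16 len(encDK) | encDK | nonce | ciphertext+tag; encDK doubles as AAD so the ciphertext cannot be re-paired with another wrapped key.
func EncryptEnvelope(kms DataKeyService, keyID string, ctx map[string]string, plaintext []byte) ([]byte, error) {
	dk, encDK, err := kms.GenerateDataKey(keyID, ctx)
	if err != nil {
		return nil, err
	}
	defer zero(dk) // the plaintext data key leaves memory as soon as encryption is done
	nonce := randBytes(nonceSize)
	out := append([]byte{byte(len(encDK) >> 8), byte(len(encDK))}, encDK...)
	out = append(out, nonce...)
	return mustGCM(dk).Seal(out, nonce, plaintext, encDK), nil
}

// DecryptEnvelope: parse the stored blob, one Decrypt call to unwrap the data key, then AES-GCM locally.
func DecryptEnvelope(kms DataKeyService, keyID string, ctx map[string]string, env []byte) ([]byte, error) {
	if len(env) < 2 || len(env) < 2+int(binary.BigEndian.Uint16(env))+nonceSize {
		return nil, errors.New("envelope truncated")
	}
	n := 2 + int(binary.BigEndian.Uint16(env)) // end of the encrypted data key
	dk, err := kms.Decrypt(keyID, env[2:n], ctx) // the only KMS round trip on the read path
	if err != nil {
		return nil, err
	}
	defer zero(dk)
	return mustGCM(dk).Open(nil, env[n:n+nonceSize], env[n+nonceSize:], env[2:n])
}

func main() {
	kms, ctx := &fakeKMS{kmsKey: randBytes(32)}, map[string]string{"tenant": "acme"}
	env, _ := EncryptEnvelope(kms, "alias/app-data", ctx, []byte("constructed sample record"))
	pt, err := DecryptEnvelope(kms, "alias/app-data", ctx, env)
	fmt.Printf("decrypted %q (err=%v)\n", pt, err)
	_, err = DecryptEnvelope(kms, "alias/app-data", map[string]string{"tenant": "mallory"}, env)
	fmt.Println("wrong encryption context rejected:", err != nil)
}
```

Running `main` prints the decrypted record and then shows that the same envelope is rejected under a different encryption context; `DecryptEnvelope` likewise returns an error, not data, for a ciphertext that has been modified, for a truncated envelope, or when the unwrapping key is not the one that produced the encrypted data key. Two caveats carry over to the real service: zeroing the data key is best effort in a garbage-collected runtime, and the encrypted data key stored next to the data is only as safe as the key policy on the KMS key, since anyone allowed to call `Decrypt` on that key can unwrap it.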
