Amazon KMS examples using SDK for Java 2.x

The following code examples show you how to perform actions and implement common scenarios by using the Amazon SDK for Java 2.x with Amazon KMS.

Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios and cross-service examples.

Scenarios are code examples that show you how to accomplish a specific task by calling multiple functions within the same service.

Each example includes a link to GitHub, where you can find instructions on how to set up and run the code in context.

Actions

The following code example shows how to use CreateAlias.

SDK for Java 2.x
Note

There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.CreateAliasRequest;
import software.amazon.awssdk.services.kms.model.KmsException;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class CreateAlias {
    public static void main(String[] args) {
        final String usage = """

                Usage:
                    <targetKeyId> <aliasName>\s

                Where:
                    targetKeyId - The key ID or the Amazon Resource Name (ARN) of the customer master key (CMK).\s
                    aliasName - An alias name (for example, alias/myAlias).\s
                """;

        if (args.length != 2) {
            System.out.println(usage);
            System.exit(1);
        }

        String targetKeyId = args[0];
        String aliasName = args[1];
        Region region = Region.US_WEST_2;
        KmsClient kmsClient = KmsClient.builder()
                .region(region)
                .build();

        createCustomAlias(kmsClient, targetKeyId, aliasName);
        kmsClient.close();
    }

    public static void createCustomAlias(KmsClient kmsClient, String targetKeyId, String aliasName) {
        try {
            CreateAliasRequest aliasRequest = CreateAliasRequest.builder()
                    .aliasName(aliasName)
                    .targetKeyId(targetKeyId)
                    .build();

            kmsClient.createAlias(aliasRequest);

        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }
}
  • For API details, see CreateAlias in Amazon SDK for Java 2.x API Reference.

The following code example shows how to use CreateGrant.

SDK for Java 2.x

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.CreateGrantRequest;
import software.amazon.awssdk.services.kms.model.CreateGrantResponse;
import software.amazon.awssdk.services.kms.model.KmsException;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class CreateGrant {
    public static void main(String[] args) {
        final String usage = """

                Usage:
                    <keyId> <granteePrincipal> <operation>\s

                Where:
                    keyId - The unique identifier for the customer master key (CMK) that the grant applies to.\s
                    granteePrincipal - The principal that is given permission to perform the operations that the grant permits.\s
                    operation - An operation (for example, Encrypt).\s
                """;

        if (args.length != 3) {
            System.out.println(usage);
            System.exit(1);
        }

        String keyId = args[0];
        String granteePrincipal = args[1];
        String operation = args[2];
        Region region = Region.US_WEST_2;
        KmsClient kmsClient = KmsClient.builder()
                .region(region)
                .build();

        String grantId = createGrant(kmsClient, keyId, granteePrincipal, operation);
        System.out.printf("Successfully created a grant with ID %s%n", grantId);
        kmsClient.close();
    }

    public static String createGrant(KmsClient kmsClient, String keyId, String granteePrincipal, String operation) {
        try {
            CreateGrantRequest grantRequest = CreateGrantRequest.builder()
                    .keyId(keyId)
                    .granteePrincipal(granteePrincipal)
                    .operationsWithStrings(operation)
                    .build();

            CreateGrantResponse response = kmsClient.createGrant(grantRequest);
            return response.grantId();

        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
        return "";
    }
}
  • For API details, see CreateGrant in Amazon SDK for Java 2.x API Reference.
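
The grant created above lets the grantee run the chosen operation under any encryption context and names no retiring principal. The following added example (not part of the original page or the AWS examples repository) narrows the grant to Decrypt only, requires a specific encryption context, and sets a retiring principal. The class name, the grant name, and the sample context are assumptions made for illustration.

```java
import java.util.Map;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.CreateGrantRequest;
import software.amazon.awssdk.services.kms.model.CreateGrantResponse;
import software.amazon.awssdk.services.kms.model.GrantConstraints;
import software.amazon.awssdk.services.kms.model.GrantOperation;
import software.amazon.awssdk.services.kms.model.KmsException;

// Added example; CreateScopedGrant is a hypothetical class name.
public class CreateScopedGrant {
    public static void main(String[] args) {
        if (args.length != 3) {
            System.out.println("Usage: <keyId> <granteePrincipalArn> <retiringPrincipalArn>");
            System.exit(1);
        }
        // Constructed sample context. The grantee's requests must include these pairs.
        Map<String, String> requiredContext = Map.of("tenant", "example-tenant");

        try (KmsClient kmsClient = KmsClient.builder().region(Region.US_WEST_2).build()) {
            String grantId = createScopedGrant(kmsClient, args[0], args[1], args[2], requiredContext);
            System.out.printf("Created grant %s%n", grantId);
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }

    public static String createScopedGrant(KmsClient kmsClient, String keyId, String granteePrincipal,
            String retiringPrincipal, Map<String, String> requiredContext) {
        // The grant applies only when the request's encryption context
        // contains every pair in requiredContext (extra pairs are allowed).
        GrantConstraints constraints = GrantConstraints.builder()
                .encryptionContextSubset(requiredContext)
                .build();

        CreateGrantRequest request = CreateGrantRequest.builder()
                .keyId(keyId)
                .granteePrincipal(granteePrincipal)
                .retiringPrincipal(retiringPrincipal)   // principal allowed to retire the grant
                .operations(GrantOperation.DECRYPT)     // one operation instead of a free-form string
                .constraints(constraints)
                .name("example-decrypt-only")           // hypothetical name; makes identical retries idempotent
                .build();

        CreateGrantResponse response = kmsClient.createGrant(request);
        return response.grantId();
    }
}
```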

The following code example shows how to use CreateKey.

SDK for Java 2.x

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.CreateKeyRequest;
import software.amazon.awssdk.services.kms.model.CustomerMasterKeySpec;
import software.amazon.awssdk.services.kms.model.CreateKeyResponse;
import software.amazon.awssdk.services.kms.model.KmsException;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class CreateCustomerKey {
    public static void main(String[] args) {
        Region region = Region.US_WEST_2;
        KmsClient kmsClient = KmsClient.builder()
                .region(region)
                .build();

        String keyDesc = "Created by the AWS KMS API";
        System.out.println("The key id is " + createKey(kmsClient, keyDesc));
        kmsClient.close();
    }

    public static String createKey(KmsClient kmsClient, String keyDesc) {
        try {
            CreateKeyRequest keyRequest = CreateKeyRequest.builder()
                    .description(keyDesc)
                    .customerMasterKeySpec(CustomerMasterKeySpec.SYMMETRIC_DEFAULT)
                    .keyUsage("ENCRYPT_DECRYPT")
                    .build();

            CreateKeyResponse result = kmsClient.createKey(keyRequest);
            System.out.printf("Created a customer key with id \"%s\"%n", result.keyMetadata().arn());
            return result.keyMetadata().keyId();

        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
        return "";
    }
}
  • For API details, see CreateKey in Amazon SDK for Java 2.x API Reference.

The following code example shows how to use Decrypt.

SDK for Java 2.x

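import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.DecryptResponse;
import software.amazon.awssdk.services.kms.model.KmsException;

// Excerpt: this method belongs to the EncryptDataKey class shown in the Encrypt example.
public static void decryptData(KmsClient kmsClient, SdkBytes encryptedData, String keyId) {
    try {
        DecryptRequest decryptRequest = DecryptRequest.builder()
                .ciphertextBlob(encryptedData)
                .keyId(keyId)
                .build();

        DecryptResponse decryptResponse = kmsClient.decrypt(decryptRequest);
        // The decrypted bytes are returned by plaintext(); this excerpt does not use them.
        decryptResponse.plaintext();

    } catch (KmsException e) {
        System.err.println(e.getMessage());
        System.exit(1);
    }
}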
  • For API details, see Decrypt in Amazon SDK for Java 2.x API Reference.

The following code example shows how to use DescribeKey.

SDK for Java 2.x

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DescribeKeyRequest;
import software.amazon.awssdk.services.kms.model.DescribeKeyResponse;
import software.amazon.awssdk.services.kms.model.KmsException;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class DescribeKey {
    public static void main(String[] args) {
        final String usage = """

                Usage:
                    <keyId>\s

                Where:
                    keyId - A key id value to describe (for example, xxxxxbcd-12ab-34cd-56ef-1234567890ab).\s
                """;

        if (args.length != 1) {
            System.out.println(usage);
            System.exit(1);
        }

        String keyId = args[0];
        Region region = Region.US_WEST_2;
        KmsClient kmsClient = KmsClient.builder()
                .region(region)
                .build();

        describeSpecifcKey(kmsClient, keyId);
        kmsClient.close();
    }

    public static void describeSpecifcKey(KmsClient kmsClient, String keyId) {
        try {
            DescribeKeyRequest keyRequest = DescribeKeyRequest.builder()
                    .keyId(keyId)
                    .build();

            DescribeKeyResponse response = kmsClient.describeKey(keyRequest);
            System.out.println("The key description is " + response.keyMetadata().description());
            System.out.println("The key ARN is " + response.keyMetadata().arn());

        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }
}
  • For API details, see DescribeKey in Amazon SDK for Java 2.x API Reference.

The following code example shows how to use DisableKey.

SDK for Java 2.x

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DisableKeyRequest;
import software.amazon.awssdk.services.kms.model.KmsException;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class DisableCustomerKey {
    public static void main(String[] args) {
        final String usage = """

                Usage:
                    <keyId>\s

                Where:
                    keyId - A key id value to disable (for example, xxxxxbcd-12ab-34cd-56ef-1234567890ab).\s
                """;

        if (args.length != 1) {
            System.out.println(usage);
            System.exit(1);
        }

        String keyId = args[0];
        Region region = Region.US_WEST_2;
        KmsClient kmsClient = KmsClient.builder()
                .region(region)
                .build();

        disableKey(kmsClient, keyId);
        kmsClient.close();
    }

    public static void disableKey(KmsClient kmsClient, String keyId) {
        try {
            DisableKeyRequest keyRequest = DisableKeyRequest.builder()
                    .keyId(keyId)
                    .build();

            kmsClient.disableKey(keyRequest);

        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }
}
  • For API details, see DisableKey in Amazon SDK for Java 2.x API Reference.

The following code example shows how to use EnableKey.

SDK for Java 2.x

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.KmsException;
import software.amazon.awssdk.services.kms.model.EnableKeyRequest;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class EnableCustomerKey {
    public static void main(String[] args) {
        final String usage = """

                Usage:
                    <keyId>\s

                Where:
                    keyId - A key id value to enable (for example, xxxxxbcd-12ab-34cd-56ef-1234567890ab).\s
                """;

        if (args.length != 1) {
            System.out.println(usage);
            System.exit(1);
        }

        String keyId = args[0];
        Region region = Region.US_WEST_2;
        KmsClient kmsClient = KmsClient.builder()
                .region(region)
                .build();

        enableKey(kmsClient, keyId);
        kmsClient.close();
    }

    public static void enableKey(KmsClient kmsClient, String keyId) {
        try {
            EnableKeyRequest enableKeyRequest = EnableKeyRequest.builder()
                    .keyId(keyId)
                    .build();

            kmsClient.enableKey(enableKeyRequest);

        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }
}
  • For API details, see EnableKey in Amazon SDK for Java 2.x API Reference.

The following code example shows how to use Encrypt.

SDK for Java 2.x

import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.EncryptRequest;
import software.amazon.awssdk.services.kms.model.EncryptResponse;
import software.amazon.awssdk.services.kms.model.KmsException;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.DecryptResponse;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class EncryptDataKey {
    public static void main(String[] args) {
        final String usage = """

                Usage:
                    <keyId>\s

                Where:
                    keyId - A key id value to use to encrypt/decrypt the data (for example, xxxxxbcd-12ab-34cd-56ef-1234567890ab).\s
                """;

        if (args.length != 1) {
            System.out.println(usage);
            System.exit(1);
        }

        String keyId = args[0];
        Region region = Region.US_WEST_2;
        KmsClient kmsClient = KmsClient.builder()
                .region(region)
                .build();

        SdkBytes encryData = encryptData(kmsClient, keyId);
        decryptData(kmsClient, encryData, keyId);
        System.out.println("Done");
        kmsClient.close();
    }

    public static SdkBytes encryptData(KmsClient kmsClient, String keyId) {
        try {
            SdkBytes myBytes = SdkBytes.fromByteArray(new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 0 });
            EncryptRequest encryptRequest = EncryptRequest.builder()
                    .keyId(keyId)
                    .plaintext(myBytes)
                    .build();

            EncryptResponse response = kmsClient.encrypt(encryptRequest);
            String algorithm = response.encryptionAlgorithm().toString();
            System.out.println("The encryption algorithm is " + algorithm);

            // Get the encrypted data.
            SdkBytes encryptedData = response.ciphertextBlob();
            return encryptedData;

        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
        return null;
    }

    public static void decryptData(KmsClient kmsClient, SdkBytes encryptedData, String keyId) {
        try {
            DecryptRequest decryptRequest = DecryptRequest.builder()
                    .ciphertextBlob(encryptedData)
                    .keyId(keyId)
                    .build();

            DecryptResponse decryptResponse = kmsClient.decrypt(decryptRequest);
            decryptResponse.plaintext();

        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }
}
  • For API details, see Encrypt in Amazon SDK for Java 2.x API Reference.
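
The Encrypt and Decrypt examples above send no encryption context and discard the decrypted bytes. The following added example (not part of the original page or the AWS examples repository) binds the ciphertext to an encryption context, returns the plaintext, and shows that Decrypt rejects the same ciphertext when a different context is supplied. The class name and the sample context and plaintext are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Map;
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.EncryptRequest;
import software.amazon.awssdk.services.kms.model.InvalidCiphertextException;

// Added example; EncryptWithContext is a hypothetical class name.
public class EncryptWithContext {
    public static void main(String[] args) {
        if (args.length != 1) {
            System.out.println("Usage: <keyId>");
            System.exit(1);
        }
        String keyId = args[0];
        // Constructed sample values. The context is not secret, but it is
        // authenticated: Decrypt must present exactly the same pairs.
        Map<String, String> context = Map.of("tenant", "example-tenant", "purpose", "demo");
        byte[] secret = "constructed sample secret".getBytes(StandardCharsets.UTF_8);

        try (KmsClient kmsClient = KmsClient.builder().region(Region.US_WEST_2).build()) {
            SdkBytes ciphertext = encrypt(kmsClient, keyId, secret, context);
            byte[] roundTrip = decrypt(kmsClient, keyId, ciphertext, context);
            System.out.println("Round trip matches: " + Arrays.equals(secret, roundTrip));

            try {
                decrypt(kmsClient, keyId, ciphertext, Map.of("tenant", "other-tenant"));
                System.out.println("Unexpected: decrypt succeeded with a different context");
            } catch (InvalidCiphertextException e) {
                System.out.println("Decrypt with a different context was rejected");
            }
        }
    }

    public static SdkBytes encrypt(KmsClient kmsClient, String keyId, byte[] plaintext,
            Map<String, String> context) {
        EncryptRequest request = EncryptRequest.builder()
                .keyId(keyId)
                .plaintext(SdkBytes.fromByteArray(plaintext))
                .encryptionContext(context)
                .build();
        return kmsClient.encrypt(request).ciphertextBlob();
    }

    public static byte[] decrypt(KmsClient kmsClient, String keyId, SdkBytes ciphertext,
            Map<String, String> context) {
        DecryptRequest request = DecryptRequest.builder()
                .keyId(keyId)                 // pin the key instead of trusting the blob's metadata
                .ciphertextBlob(ciphertext)
                .encryptionContext(context)
                .build();
        return kmsClient.decrypt(request).plaintext().asByteArray();
    }
}
```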

The following code example shows how to use ListAliases.

SDK for Java 2.x

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.AliasListEntry;
import software.amazon.awssdk.services.kms.model.KmsException;
import software.amazon.awssdk.services.kms.model.ListAliasesRequest;
import software.amazon.awssdk.services.kms.model.ListAliasesResponse;
import java.util.List;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class ListAliases {
    public static void main(String[] args) {
        Region region = Region.US_WEST_2;
        KmsClient kmsClient = KmsClient.builder()
                .region(region)
                .build();

        listAllAliases(kmsClient);
        kmsClient.close();
    }

    public static void listAllAliases(KmsClient kmsClient) {
        try {
            ListAliasesRequest aliasesRequest = ListAliasesRequest.builder()
                    .limit(15)
                    .build();

            ListAliasesResponse aliasesResponse = kmsClient.listAliases(aliasesRequest);
            List<AliasListEntry> aliases = aliasesResponse.aliases();
            for (AliasListEntry alias : aliases) {
                System.out.println("The alias name is: " + alias.aliasName());
            }

        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }
}
  • For API details, see ListAliases in Amazon SDK for Java 2.x API Reference.

The following code example shows how to use ListGrants.

SDK for Java 2.x

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.GrantListEntry;
import software.amazon.awssdk.services.kms.model.KmsException;
import software.amazon.awssdk.services.kms.model.ListGrantsRequest;
import software.amazon.awssdk.services.kms.model.ListGrantsResponse;
import java.util.List;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class ListGrants {
    public static void main(String[] args) {
        final String usage = """

                Usage:
                    <keyId>\s

                Where:
                    keyId - a key id value to use (for example, xxxxxbcd-12ab-34cd-56ef-1234567890ab).\s
                """;

        if (args.length != 1) {
            System.out.println(usage);
            System.exit(1);
        }

        String keyId = args[0];
        Region region = Region.US_WEST_2;
        KmsClient kmsClient = KmsClient.builder()
                .region(region)
                .build();

        displayGrantIds(kmsClient, keyId);
        kmsClient.close();
    }

    public static void displayGrantIds(KmsClient kmsClient, String keyId) {
        try {
            ListGrantsRequest grantsRequest = ListGrantsRequest.builder()
                    .keyId(keyId)
                    .limit(15)
                    .build();

            ListGrantsResponse response = kmsClient.listGrants(grantsRequest);
            List<GrantListEntry> grants = response.grants();
            for (GrantListEntry grant : grants) {
                System.out.println("The grant Id is : " + grant.grantId());
            }

        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }
}
  • For API details, see ListGrants in Amazon SDK for Java 2.x API Reference.

The following code example shows how to use ListKeys.

SDK for Java 2.x

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.KeyListEntry;
import software.amazon.awssdk.services.kms.model.ListKeysRequest;
import software.amazon.awssdk.services.kms.model.ListKeysResponse;
import software.amazon.awssdk.services.kms.model.KmsException;
import java.util.List;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class ListKeys {
    public static void main(String[] args) {
        Region region = Region.US_WEST_2;
        KmsClient kmsClient = KmsClient.builder()
                .region(region)
                .build();

        listAllKeys(kmsClient);
        kmsClient.close();
    }

    public static void listAllKeys(KmsClient kmsClient) {
        try {
            ListKeysRequest listKeysRequest = ListKeysRequest.builder()
                    .limit(15)
                    .build();

            ListKeysResponse keysResponse = kmsClient.listKeys(listKeysRequest);
            List<KeyListEntry> keyListEntries = keysResponse.keys();
            for (KeyListEntry key : keyListEntries) {
                System.out.println("The key ARN is: " + key.keyArn());
                System.out.println("The key Id is: " + key.keyId());
            }

        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }
}
  • For API details, see ListKeys in Amazon SDK for Java 2.x API Reference.
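
The ListKeys and ListGrants examples above read a single page of at most 15 entries, so an inventory built on them misses anything beyond the first page. The following added example (not part of the original page or the AWS examples repository) uses the SDK paginators to walk every key and every grant in the Region and reports grants that carry no encryption context constraint. The class and method names are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.GrantConstraints;
import software.amazon.awssdk.services.kms.model.GrantListEntry;
import software.amazon.awssdk.services.kms.model.KeyListEntry;
import software.amazon.awssdk.services.kms.model.KmsException;
import software.amazon.awssdk.services.kms.model.ListGrantsRequest;
import software.amazon.awssdk.services.kms.model.ListKeysRequest;

// Added example; AuditGrants and its method names are hypothetical.
public class AuditGrants {
    public static void main(String[] args) {
        try (KmsClient kmsClient = KmsClient.builder().region(Region.US_WEST_2).build()) {
            List<String> findings = findUnconstrainedGrants(kmsClient);
            findings.forEach(System.out::println);
            System.out.printf("%d grant(s) without an encryption context constraint%n", findings.size());
        }
    }

    public static List<String> findUnconstrainedGrants(KmsClient kmsClient) {
        List<String> findings = new ArrayList<>();
        // The paginators request further pages until the listing is complete.
        for (KeyListEntry key : kmsClient.listKeysPaginator(ListKeysRequest.builder().build()).keys()) {
            ListGrantsRequest grantsRequest = ListGrantsRequest.builder()
                    .keyId(key.keyId())
                    .build();
            try {
                for (GrantListEntry grant : kmsClient.listGrantsPaginator(grantsRequest).grants()) {
                    if (!hasContextConstraint(grant.constraints())) {
                        findings.add(String.format("%s grant=%s grantee=%s operations=%s",
                                key.keyArn(), grant.grantId(), grant.granteePrincipal(),
                                grant.operationsAsStrings()));
                    }
                }
            } catch (KmsException e) {
                // For example, the caller may not be allowed to list grants on this key.
                // Record the gap and keep auditing the remaining keys.
                System.err.printf("Skipped %s: %s%n", key.keyId(), e.getMessage());
            }
        }
        return findings;
    }

    // True when the grant requires a matching encryption context (subset or exact).
    static boolean hasContextConstraint(GrantConstraints constraints) {
        if (constraints == null) {
            return false;
        }
        boolean subset = constraints.encryptionContextSubset() != null
                && !constraints.encryptionContextSubset().isEmpty();
        boolean exact = constraints.encryptionContextEquals() != null
                && !constraints.encryptionContextEquals().isEmpty();
        return subset || exact;
    }
}
```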