You are viewing documentation for version 2 of the AWS SDK for Ruby. Version 3 documentation can be found here.

Class: Aws::KMS::Types::GenerateDataKeyRequest

  • Object
show all
Defined in:



When passing GenerateDataKeyRequest as input to an Aws::Client method, you can use a vanilla Hash:

  key_id: "KeyIdType", # required
  encryption_context: {
    "EncryptionContextKey" => "EncryptionContextValue",
  number_of_bytes: 1,
  key_spec: "AES_256", # accepts AES_256, AES_128
  grant_tokens: ["GrantTokenType"],

Instance Attribute Summary collapse

Instance Attribute Details


Specifies the encryption context that will be used when encrypting the data key.

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric CMK, but it is highly recommended.

For more information, see Encryption Context in the AWS Key Management Service Developer Guide.


  • (Hash<String,String>)

    Specifies the encryption context that will be used when encrypting the data key.


A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.


  • (Array<String>)

    A list of grant tokens.


Identifies the symmetric CMK that encrypts the data key.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

  • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

  • Alias name: alias/ExampleAlias

  • Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.


  • (String)

    Identifies the symmetric CMK that encrypts the data key.


Specifies the length of the data key. Use AES_128 to generate a 128-bit symmetric key, or AES_256 to generate a 256-bit symmetric key.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.

Possible values:

  • AES_256
  • AES_128


  • (String)

    Specifies the length of the data key.


Specifies the length of the data key in bytes. For example, use the value 64 to generate a 512-bit data key (64 bytes is 512 bits). For 128-bit (16-byte) and 256-bit (32-byte) data keys, use the KeySpec parameter.

You must specify either the KeySpec or the NumberOfBytes parameter (but not both) in every GenerateDataKey request.


  • (Integer)

    Specifies the length of the data key in bytes.