aws_encryption_sdk.key_providers.base

Base class interface for Master Key Providers.

Classes

MasterKey
    Parent interface for Master Key classes.
MasterKeyConfig(key_id)
    Configuration object for MasterKey objects.
MasterKeyProvider
    Parent interface for Master Key Provider classes.
MasterKeyProviderConfig()
    Provides a common ancestor for MasterKeyProvider configuration objects and a stand-in point if common params are needed later.
class aws_encryption_sdk.key_providers.base.MasterKey

    Bases: aws_encryption_sdk.key_providers.base.MasterKeyProvider

    Parent interface for Master Key classes.

    New in version 1.5.0: Master key providers are deprecated. Use aws_encryption_sdk.keyrings.base.Keyring instead.

    Parameters:
        key_id (bytes) – Key ID for Master Key
        config (aws_encryption_sdk.key_providers.base.MasterKeyConfig) – Configuration object

    Performs universal prep work for all MasterKeys.

    decrypt_data_key(encrypted_data_key, algorithm, encryption_context)
        Decrypts an encrypted data key and returns the plaintext.
        Parameters:
            encrypted_data_key (aws_encryption_sdk.structures.EncryptedDataKey) – Encrypted data key
            algorithm (aws_encryption_sdk.identifiers.Algorithm) – Algorithm object which directs how this Master Key will encrypt the data key
            encryption_context (dict) – Encryption context to use in decryption
        Returns: Decrypted data key
        Return type:
        Raises: IncorrectMasterKeyError – if Data Key's key provider does not match this Master Key

    encrypt_data_key(data_key, algorithm, encryption_context)
        Encrypts a supplied data key.
        Parameters:
            data_key (aws_encryption_sdk.structures.RawDataKey or aws_encryption_sdk.structures.DataKey) – Unencrypted data key
            algorithm (aws_encryption_sdk.identifiers.Algorithm) – Algorithm object which directs how this Master Key will encrypt the data key
            encryption_context (dict) – Encryption context to use in encryption
        Returns: Data key containing encrypted data key
        Return type:
        Raises: IncorrectMasterKeyError – if Data Key's key provider does not match this Master Key

    generate_data_key(algorithm, encryption_context)
        Generates and returns a data key for use in encrypting a message.
        Parameters:
            algorithm (aws_encryption_sdk.identifiers.Algorithm) – Algorithm on which to base data key
            encryption_context (dict) – Encryption context to use in encryption
        Returns: Generated data key
        Return type:

    key_provider
        Provides the MasterKeyInfo object identifying this MasterKey.
        Returns: This MasterKey's Identifying Information
        Return type: aws_encryption_sdk.structures.MasterKeyInfo

    master_keys_for_encryption(encryption_context, plaintext_rostream, plaintext_length=None)
        Returns self and a list containing self, to match the format of output for a Master Key Provider.
        Warning: If plaintext_stream seek position is modified, it must be returned before leaving method.
        Parameters:
        Returns: Tuple containing self and a list of self
        Return type: tuple containing aws_encryption_sdk.key_providers.base.MasterKey and list of aws_encryption_sdk.key_providers.base.MasterKey

    owns_data_key(data_key)
        Determines if data_key object is owned by this MasterKey.
        Parameters: data_key (aws_encryption_sdk.structures.DataKey, aws_encryption_sdk.structures.RawDataKey, or aws_encryption_sdk.structures.EncryptedDataKey) – Data key to evaluate
        Returns: Boolean statement of ownership
        Return type: bool
class aws_encryption_sdk.key_providers.base.MasterKeyConfig(key_id)

    Bases: object

    Configuration object for MasterKey objects.

    Parameters: key_id (bytes) – Key ID for Master Key
class aws_encryption_sdk.key_providers.base.MasterKeyProvider

    Bases: object

    Parent interface for Master Key Provider classes.

    New in version 1.5.0: Master key providers are deprecated. Use aws_encryption_sdk.keyrings.base.Keyring instead.

    Parameters: config (aws_encryption_sdk.key_providers.base.MasterKeyProviderConfig) – Configuration object

    Sets the key index and member set for all new instances here to avoid requiring child classes to call super init.

    add_master_key(key_id)
        Adds a single Master Key to this provider.
        Parameters: key_id (bytes) – Key ID with which to create MasterKey

    add_master_key_provider(key_provider)
        Adds a single Master Key Provider to this provider.
        Parameters: key_provider (aws_encryption_sdk.key_providers.base.MasterKeyProvider) – Master Key Provider to add to this provider

    add_master_key_providers_from_list(key_providers)
        Adds multiple Master Key Providers to this provider.
        Parameters: key_providers (list of aws_encryption_sdk.key_providers.base.MasterKeyProvider) – List of Master Key Providers to add to this provider

    add_master_keys_from_list(key_ids)
        Adds multiple Master Keys to this provider.
        Parameters: key_ids (list) – List of Master Key IDs

    decrypt_data_key(encrypted_data_key, algorithm, encryption_context)
        Iterates through all currently added Master Keys and Master Key Providers to attempt to decrypt the data key.
        Parameters:
            encrypted_data_key (aws_encryption_sdk.structures.EncryptedDataKey) – Encrypted data key to decrypt
            algorithm (aws_encryption_sdk.identifiers.Algorithm) – Algorithm object which directs how this Master Key will encrypt the data key
            encryption_context (dict) – Encryption context to use in encryption
        Returns: Decrypted data key
        Return type:
        Raises: DecryptKeyError – if unable to decrypt encrypted data key

    decrypt_data_key_from_list(encrypted_data_keys, algorithm, encryption_context)
        Receives a list of encrypted data keys and returns the first one which this provider is able to decrypt.
        Parameters:
            encrypted_data_keys (list of aws_encryption_sdk.structures.EncryptedDataKey) – List of encrypted data keys
            algorithm (aws_encryption_sdk.identifiers.Algorithm) – Algorithm object which directs how this Master Key will encrypt the data key
            encryption_context (dict) – Encryption context to use in encryption
        Returns: Decrypted data key
        Return type:
        Raises: DecryptKeyError – if unable to decrypt any of the supplied encrypted data keys

    master_key(key_id)
        Returns a master key for encrypt based on the specified key_id, adding it to this provider if not already present.
        Parameters: key_id (bytes) – Key ID with which to find or create Master Key
        Returns: Master Key based on key_id
        Return type: aws_encryption_sdk.key_providers.base.MasterKey

    master_key_for_decrypt(key_info)
        Returns a master key for decrypt based on the specified key_info. This is only added to this master key provider for the decrypt path.
        Parameters: key_info (bytes) – Key info from encrypted data key
        Returns: Master Key based on key_info
        Return type: aws_encryption_sdk.key_providers.base.MasterKey

    master_key_for_encrypt(key_id)
        Returns a master key for encrypt based on the specified key_id, adding it to this provider if not already present.
        Parameters: key_id (bytes) – Key ID with which to find or create Master Key
        Returns: Master Key based on key_id
        Return type: aws_encryption_sdk.key_providers.base.MasterKey

    master_keys_for_data_key(data_key)
        Locates the correct master keys from children for the specified data key.
        Parameters: data_key (EncryptedDataKey, RawDataKey, or DataKey) – Data key for which to locate owning master keys
        Returns: Master keys that own the data key
        Return type: iterator of MasterKey
        Raises: UnknownIdentityError – if unable to locate the correct master key

    master_keys_for_encryption(encryption_context, plaintext_rostream, plaintext_length=None)
        Returns a set containing all Master Keys added to this Provider, or any member Providers, which should be used to encrypt data keys for the specified data.
        Note: This does not necessarily include all Master Keys accessible from this Provider.
        Note: The Primary Master Key is the first Master Key added to this Master Key Provider and is the Master Key which will be used to generate the data key.
        Warning: If plaintext_rostream seek position is modified, it must be returned before leaving method.
        Parameters:
        Returns: Tuple containing Primary Master Key and List of all Master Keys added to this Provider and any member Providers
        Return type: tuple containing aws_encryption_sdk.key_providers.base.MasterKey and list of aws_encryption_sdk.key_providers.base.MasterKey

    provider_id
        String defining provider ID.
        Note: Must be implemented by specific MasterKeyProvider implementations.
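As an added illustration (constructed here, not the SDK's own code), the toy below mirrors the provider contract this page describes: the first key added is the primary, ownership is matched on the key provider identity, a mismatched key raises IncorrectMasterKeyError, the provider tries every owning key and raises DecryptKeyError only after all fail, UnknownIdentityError is raised when no key matches, and decrypt_data_key_from_list returns the first encrypted data key the provider can open. The ToyMasterKey and ToyMasterKeyProvider names, the stdlib-only wrapping scheme (an HMAC-derived keystream plus a tag, both bound to the encryption context) and the omitted algorithm parameter are assumptions of the example, not the SDK's implementation.

```python
import hashlib, hmac
from dataclasses import dataclass

class IncorrectMasterKeyError(Exception): pass
class DecryptKeyError(Exception): pass
class UnknownIdentityError(Exception): pass
@dataclass(frozen=True)
class EncryptedDataKey:
    key_provider: tuple   # (provider_id, key_info), standing in for structures.MasterKeyInfo
    encrypted_data_key: bytes
class ToyMasterKey:
    """Stand-in for MasterKey: wraps a data key under one secret (toy scheme, not the SDK's)."""
    def __init__(self, key_id, secret):
        self.key_provider = ("toy", key_id)
        self._secret = secret
    def owns_data_key(self, edk): return edk.key_provider == self.key_provider
    def _stream(self, ctx):  # keystream bound to the encryption context
        return hashlib.sha256(self._secret + b"|" + repr(sorted(ctx.items())).encode()).digest()
    def _tag(self, ct, ctx):  # integrity tag, also bound to the encryption context
        return hmac.new(self._secret, ct + repr(sorted(ctx.items())).encode(), hashlib.sha256).digest()
    def encrypt_data_key(self, plaintext, ctx):
        ct = bytes(a ^ b for a, b in zip(plaintext, self._stream(ctx)))
        return EncryptedDataKey(self.key_provider, ct + self._tag(ct, ctx))
    def decrypt_data_key(self, edk, ctx):
        if not self.owns_data_key(edk):          # the page's IncorrectMasterKeyError case
            raise IncorrectMasterKeyError(edk.key_provider)
        ct, tag = edk.encrypted_data_key[:-32], edk.encrypted_data_key[-32:]
        if not hmac.compare_digest(tag, self._tag(ct, ctx)):
            raise DecryptKeyError("wrong wrapping key or encryption context")
        return bytes(a ^ b for a, b in zip(ct, self._stream(ctx)))

class ToyMasterKeyProvider:
    """Stand-in for MasterKeyProvider: the first key added is the primary."""
    def __init__(self): self._keys = []
    def add_master_key(self, key): self._keys.append(key)
    def master_keys_for_encryption(self): return self._keys[0], list(self._keys)
    def master_keys_for_data_key(self, edk):  # UnknownIdentityError if nothing matches
        owners = [k for k in self._keys if k.owns_data_key(edk)]
        if not owners: raise UnknownIdentityError(edk.key_provider)
        return owners
    def decrypt_data_key(self, edk, ctx):  # try every owning key before giving up
        for key in self.master_keys_for_data_key(edk):
            try: return key.decrypt_data_key(edk, ctx)
            except DecryptKeyError: continue
        raise DecryptKeyError("no owning master key could decrypt the data key")
    def decrypt_data_key_from_list(self, edks, ctx):  # first EDK this provider can open
        for edk in edks:
            try: return self.decrypt_data_key(edk, ctx)
            except (UnknownIdentityError, DecryptKeyError): continue
        raise DecryptKeyError("none of the supplied encrypted data keys could be decrypted")
```

A message encrypted under two master keys carries one EncryptedDataKey per key, so a decrypting provider holding only the second key still succeeds through decrypt_data_key_from_list, while a changed encryption context fails the tag check and is rejected.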