aws_encryption_sdk.keyrings.raw
Resources required for Raw Keyrings.
Classes
RawAESKeyring(key_namespace, key_name, …) | Generate an instance of Raw AES Keyring, which encrypts using the AES-GCM algorithm with a wrapping key provided as a byte array
RawRSAKeyring(key_namespace, key_name, …) | Generate an instance of Raw RSA Keyring, which performs asymmetric encryption and decryption using the public and private keys provided
class aws_encryption_sdk.keyrings.raw.RawAESKeyring(key_namespace, key_name, wrapping_key)
Bases: aws_encryption_sdk.keyrings.base.Keyring
Generate an instance of Raw AES Keyring, which encrypts using the AES-GCM algorithm with a wrapping key provided as a byte array.
New in version 2.0.0.
Parameters: key_namespace (str) – String defining the keyring.
Note: key_namespace MUST NOT equal “aws-kms”.
Parameters:
Note: Only one wrapping key can be specified in a Raw AES Keyring.
on_decrypt(decryption_materials, encrypted_data_keys)
Attempt to decrypt the encrypted data keys.
Parameters:
- decryption_materials (DecryptionMaterials) – Decryption materials for the keyring to modify
- encrypted_data_keys (List[EncryptedDataKey]) – List of encrypted data keys
Returns: Decryption materials that MAY include a plaintext data key
Return type:
on_encrypt(encryption_materials)
Generate a data key if not present and encrypt it using any available wrapping key.
Parameters: encryption_materials (EncryptionMaterials) – Encryption materials for the keyring to modify
Returns: Encryption materials containing data key and encrypted data key
Return type: EncryptionMaterials
class aws_encryption_sdk.keyrings.raw.RawRSAKeyring(key_namespace, key_name, wrapping_algorithm, private_wrapping_key=None, public_wrapping_key=None)
Bases: aws_encryption_sdk.keyrings.base.Keyring
Generate an instance of Raw RSA Keyring, which performs asymmetric encryption and decryption using the public and private keys provided.
New in version 2.0.0.
Parameters: key_namespace (str) – String defining the keyring ID
Note: key_namespace MUST NOT equal “aws-kms”.
Parameters:
- key_name (str) – Key ID
- private_wrapping_key (cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey) – Private encryption key with which to wrap plaintext data key (optional)
- public_wrapping_key (cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey) – Public encryption key with which to wrap plaintext data key (optional)
- wrapping_algorithm (WrappingAlgorithm) – Wrapping Algorithm with which to wrap plaintext data key
- key_provider (MasterKeyInfo) – Complete information about the key in the keyring
Note: At least one of public wrapping key or private wrapping key must be provided.
classmethod from_der_encoding(key_namespace, key_name, wrapping_algorithm, public_encoded_key=None, private_encoded_key=None, password=None)
Generate a raw RSA keyring using DER Encoded public and private keys
Parameters:
- key_namespace (str) – String defining the keyring ID
- key_name (bytes) – Key ID
- wrapping_algorithm (WrappingAlgorithm) – Wrapping Algorithm with which to wrap plaintext data key
- public_encoded_key (bytes) – DER encoded public key (optional)
- private_encoded_key (bytes) – DER encoded private key (optional)
- password (bytes) – Password to load private key (optional)
Returns: RawRSAKeyring constructed using required parameters
classmethod from_pem_encoding(key_namespace, key_name, wrapping_algorithm, public_encoded_key=None, private_encoded_key=None, password=None)
Generate a Raw RSA keyring using PEM Encoded public and private keys
Parameters:
- key_namespace (str) – String defining the keyring ID
- key_name (bytes) – Key ID
- wrapping_algorithm (WrappingAlgorithm) – Wrapping Algorithm with which to wrap plaintext data key
- public_encoded_key (bytes) – PEM encoded public key (optional)
- private_encoded_key (bytes) – PEM encoded private key (optional)
- password (bytes) – Password to load private key (optional)
Returns: RawRSAKeyring constructed using required parameters
on_decrypt(decryption_materials, encrypted_data_keys)
Attempt to decrypt the encrypted data keys.
Parameters:
- decryption_materials (DecryptionMaterials) – Decryption materials for keyring to modify.
- encrypted_data_keys (List[EncryptedDataKey]) – List of encrypted data keys.
Returns: Decryption materials that MAY include a plaintext data key
Return type:
on_encrypt(encryption_materials)
Generate a data key using generator keyring and encrypt it using any available wrapping key in any child keyring.
Parameters: encryption_materials (EncryptionMaterials) – Encryption materials for keyring to modify.
Returns: Encryption materials containing data key and encrypted data key
Return type: EncryptionMaterials