public final class KmsEnvelopeAead extends Object implements Aead
In envelope encryption, a user generates a data encryption key (DEK) locally, encrypts data with the DEK, sends the DEK to a KMS to be encrypted (with a key managed by KMS), and then stores the encrypted DEK with the encrypted data. At a later point, a user can retrieve the encrypted data and the encyrpted DEK, use the KMS to decrypt the DEK, and use the decrypted DEK to decrypt the data.
The ciphertext structure is as follows:
| Constructor and Description |
|---|
KmsEnvelopeAead(KeyTemplate dekTemplate,
Aead remote)
Deprecated.
Instead, call
KmsEnvelopeAead.create as explained above. |
| Modifier and Type | Method and Description |
|---|---|
static Aead |
create(AeadParameters dekParameters,
Aead remote)
Creates a new instance of Tink's KMS Envelope AEAD.
|
byte[] |
decrypt(byte[] ciphertext,
byte[] associatedData)
Decrypts
ciphertext with associatedData as associated authenticated data. |
byte[] |
encrypt(byte[] plaintext,
byte[] associatedData)
Encrypts
plaintext with associatedData as associated authenticated data. |
static boolean |
isSupportedDekKeyType(String dekKeyTypeUrl) |
@Deprecated public KmsEnvelopeAead(KeyTemplate dekTemplate, Aead remote) throws GeneralSecurityException
KmsEnvelopeAead.create as explained above.This function should be avoided. Instead, if you use this with one of the predefined key templates, call create with the corresponding parameters object.
For example, if you use:
Aead aead = new KmsEnvelopeAead(AeadKeyTemplates.AES128_GCM, remote) you should
replace this with:
Aead aead = KmsEnvelopeAead.create(PredefinedAeadParameters.AES128_GCM, remote)
GeneralSecurityExceptionpublic static boolean isSupportedDekKeyType(String dekKeyTypeUrl)
public static Aead create(AeadParameters dekParameters, Aead remote) throws GeneralSecurityException
dekParameters must be any of these Tink AEAD parameters (any other will be
rejected): AesGcmParameters, ChaCha20Poly1305Parameters, XChaCha20Poly1305Parameters, AesCtrHmacAeadParameters, AesGcmSivParameters, or
AesEaxParameters.
GeneralSecurityExceptionpublic byte[] encrypt(byte[] plaintext,
byte[] associatedData)
throws GeneralSecurityException
Aeadplaintext with associatedData as associated authenticated data.
The resulting ciphertext allows for checking authenticity and integrity of associated data
(associatedData), but does not guarantee its secrecy.encrypt in interface Aeadplaintext - the plaintext to be encrypted. It must be non-null, but can also
be an empty (zero-length) byte arrayassociatedData - associated data to be authenticated, but not encrypted. Associated data
is optional, so this parameter can be null. In this case the null value
is equivalent to an empty (zero-length) byte array.
For successful decryption the same associatedData must be provided
along with the ciphertext.GeneralSecurityExceptionpublic byte[] decrypt(byte[] ciphertext,
byte[] associatedData)
throws GeneralSecurityException
Aeadciphertext with associatedData as associated authenticated data. The
decryption verifies the authenticity and integrity of the associated data, but there are no
guarantees wrt. secrecy of that data.decrypt in interface Aeadciphertext - the plaintext to be decrypted. It must be non-null.associatedData - associated data to be authenticated. For successful decryption it must be
the same as associatedData used during encryption. Can be null, which is equivalent to an
empty (zero-length) byte array.GeneralSecurityException - if decryption fails. Decryption must fail if ciphertext is not correctly authenticated for the given associatedData.