Skip to content

/AWS1/CL_KMSGENERATEDATAKEYP01

GenerateDataKeyPairResponse

CONSTRUCTOR

IMPORTING

Optional arguments:

iv_privatekeyciphertextblob TYPE /AWS1/KMSCIPHERTEXTTYPE /AWS1/KMSCIPHERTEXTTYPE

The encrypted copy of the private key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

iv_privatekeyplaintext TYPE /AWS1/KMSPLAINTEXTTYPE /AWS1/KMSPLAINTEXTTYPE

The plaintext copy of the private key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

If the response includes the CiphertextForRecipient field, the PrivateKeyPlaintext field is null or empty.

iv_publickey TYPE /AWS1/KMSPUBLICKEYTYPE /AWS1/KMSPUBLICKEYTYPE

The public key (in plaintext). When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

iv_keyid TYPE /AWS1/KMSKEYIDTYPE /AWS1/KMSKEYIDTYPE

The Amazon Resource Name (key ARN) of the KMS key that encrypted the private key.

iv_keypairspec TYPE /AWS1/KMSDATAKEYPAIRSPEC /AWS1/KMSDATAKEYPAIRSPEC

The type of data key pair that was generated.

iv_ciphertextforrecipient TYPE /AWS1/KMSCIPHERTEXTTYPE /AWS1/KMSCIPHERTEXTTYPE

The plaintext private data key encrypted with the public key from the attestation document. This ciphertext can be decrypted only by using a private key from the attested environment.

This field is included in the response only when the Recipient parameter in the request includes a valid attestation document from an Amazon Web Services Nitro enclave or NitroTPM. For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see Cryptographic attestation support in KMS in the Key Management Service Developer Guide.

iv_keymaterialid TYPE /AWS1/KMSBACKINGKEYIDTYPE /AWS1/KMSBACKINGKEYIDTYPE

The identifier of the key material used to encrypt the private key.

Queryable Attributes

PrivateKeyCiphertextBlob

The encrypted copy of the private key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

Accessible with the following methods

Method Description
GET_PRIVATEKEYCIPHERTEXTBLOB() Getter for PRIVATEKEYCIPHERTEXTBLOB, with configurable defau
ASK_PRIVATEKEYCIPHERTEXTBLOB() Getter for PRIVATEKEYCIPHERTEXTBLOB w/ exceptions if field h
HAS_PRIVATEKEYCIPHERTEXTBLOB() Determine if PRIVATEKEYCIPHERTEXTBLOB has a value

PrivateKeyPlaintext

The plaintext copy of the private key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

If the response includes the CiphertextForRecipient field, the PrivateKeyPlaintext field is null or empty.

Accessible with the following methods

Method Description
GET_PRIVATEKEYPLAINTEXT() Getter for PRIVATEKEYPLAINTEXT, with configurable default
ASK_PRIVATEKEYPLAINTEXT() Getter for PRIVATEKEYPLAINTEXT w/ exceptions if field has no
HAS_PRIVATEKEYPLAINTEXT() Determine if PRIVATEKEYPLAINTEXT has a value

PublicKey

The public key (in plaintext). When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

Accessible with the following methods

Method Description
GET_PUBLICKEY() Getter for PUBLICKEY, with configurable default
ASK_PUBLICKEY() Getter for PUBLICKEY w/ exceptions if field has no value
HAS_PUBLICKEY() Determine if PUBLICKEY has a value

KeyId

The Amazon Resource Name (key ARN) of the KMS key that encrypted the private key.

Accessible with the following methods

Method Description
GET_KEYID() Getter for KEYID, with configurable default
ASK_KEYID() Getter for KEYID w/ exceptions if field has no value
HAS_KEYID() Determine if KEYID has a value

KeyPairSpec

The type of data key pair that was generated.

Accessible with the following methods

Method Description
GET_KEYPAIRSPEC() Getter for KEYPAIRSPEC, with configurable default
ASK_KEYPAIRSPEC() Getter for KEYPAIRSPEC w/ exceptions if field has no value
HAS_KEYPAIRSPEC() Determine if KEYPAIRSPEC has a value

CiphertextForRecipient

The plaintext private data key encrypted with the public key from the attestation document. This ciphertext can be decrypted only by using a private key from the attested environment.

This field is included in the response only when the Recipient parameter in the request includes a valid attestation document from an Amazon Web Services Nitro enclave or NitroTPM. For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see Cryptographic attestation support in KMS in the Key Management Service Developer Guide.

Accessible with the following methods

Method Description
GET_CIPHERTEXTFORRECIPIENT() Getter for CIPHERTEXTFORRECIPIENT, with configurable default
ASK_CIPHERTEXTFORRECIPIENT() Getter for CIPHERTEXTFORRECIPIENT w/ exceptions if field has
HAS_CIPHERTEXTFORRECIPIENT() Determine if CIPHERTEXTFORRECIPIENT has a value

KeyMaterialId

The identifier of the key material used to encrypt the private key.

Accessible with the following methods

Method Description
GET_KEYMATERIALID() Getter for KEYMATERIALID, with configurable default
ASK_KEYMATERIALID() Getter for KEYMATERIALID w/ exceptions if field has no value
HAS_KEYMATERIALID() Determine if KEYMATERIALID has a value