com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers

Class WrappedMaterialsProvider

java.lang.Object

com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.WrappedMaterialsProvider

All Implemented Interfaces:

EncryptionMaterialsProvider

Direct Known Subclasses:

AsymmetricStaticProvider

public class WrappedMaterialsProvider
extends java.lang.Object
implements EncryptionMaterialsProvider

This provider will use create a unique (random) symmetric key upon each call to getEncryptionMaterials(EncryptionContext). Practically, this means each record in DynamoDB will be encrypted under a unique record key. A wrapped/encrypted copy of this record key is stored in the MaterialsDescription field of that record and is unwrapped/decrypted upon reading that record.

This is generally a more secure way of encrypting data than with the SymmetricStaticProvider.

See Also:

WrappedRawMaterials

Constructor Summary

Constructors

Constructor and Description
WrappedMaterialsProvider(java.security.Key wrappingKey, java.security.Key unwrappingKey, java.security.KeyPair signingPair)
WrappedMaterialsProvider(java.security.Key wrappingKey, java.security.Key unwrappingKey, java.security.KeyPair signingPair, java.util.Map<java.lang.String,java.lang.String> description)
WrappedMaterialsProvider(java.security.Key wrappingKey, java.security.Key unwrappingKey, javax.crypto.SecretKey macKey)
WrappedMaterialsProvider(java.security.Key wrappingKey, java.security.Key unwrappingKey, javax.crypto.SecretKey macKey, java.util.Map<java.lang.String,java.lang.String> description)

Method Summary

Modifier and Type	Method and Description
DecryptionMaterials	getDecryptionMaterials(EncryptionContext context) Retrieves encryption materials matching the specified description from some source.
EncryptionMaterials	getEncryptionMaterials(EncryptionContext context) Returns EncryptionMaterials which the caller can use for encryption.
void	refresh() Forces this encryption materials provider to refresh its encryption material.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

WrappedMaterialsProvider

public WrappedMaterialsProvider(java.security.Key wrappingKey,
                                java.security.Key unwrappingKey,
                                java.security.KeyPair signingPair)

Parameters:

wrappingKey - The key used to wrap/encrypt the symmetric record key. (May be the same as the unwrappingKey.)

unwrappingKey - The key used to unwrap/decrypt the symmetric record key. (May be the same as the wrappingKey.) If null, then this provider may only be used for decryption, but not encryption.

signingPair - the keypair used to sign/verify the data stored in Dynamo. If only the public key is provided, then this provider may only be used for decryption, but not encryption.

WrappedMaterialsProvider

public WrappedMaterialsProvider(java.security.Key wrappingKey,
                                java.security.Key unwrappingKey,
                                java.security.KeyPair signingPair,
                                java.util.Map<java.lang.String,java.lang.String> description)

Parameters:

wrappingKey - The key used to wrap/encrypt the symmetric record key. (May be the same as the unwrappingKey.)

unwrappingKey - The key used to unwrap/decrypt the symmetric record key. (May be the same as the wrappingKey.) If null, then this provider may only be used for decryption, but not encryption.

signingPair - the keypair used to sign/verify the data stored in Dynamo. If only the public key is provided, then this provider may only be used for decryption, but not encryption.

description - description the value to be returned by CryptographicMaterials.getMaterialDescription() for any CryptographicMaterials returned by this object.

WrappedMaterialsProvider

public WrappedMaterialsProvider(java.security.Key wrappingKey,
                                java.security.Key unwrappingKey,
                                javax.crypto.SecretKey macKey)

Parameters:

wrappingKey - The key used to wrap/encrypt the symmetric record key. (May be the same as the unwrappingKey.)

unwrappingKey - The key used to unwrap/decrypt the symmetric record key. (May be the same as the wrappingKey.) If null, then this provider may only be used for decryption, but not encryption.

macKey - the key used to sign/verify the data stored in Dynamo.

WrappedMaterialsProvider

public WrappedMaterialsProvider(java.security.Key wrappingKey,
                                java.security.Key unwrappingKey,
                                javax.crypto.SecretKey macKey,
                                java.util.Map<java.lang.String,java.lang.String> description)

Parameters:

wrappingKey - The key used to wrap/encrypt the symmetric record key. (May be the same as the unwrappingKey.)

unwrappingKey - The key used to unwrap/decrypt the symmetric record key. (May be the same as the wrappingKey.) If null, then this provider may only be used for decryption, but not encryption.

macKey - the key used to sign/verify the data stored in Dynamo.

description - description the value to be returned by CryptographicMaterials.getMaterialDescription() for any CryptographicMaterials returned by this object.

Method Detail

getDecryptionMaterials

public DecryptionMaterials getDecryptionMaterials(EncryptionContext context)

Description copied from interface: EncryptionMaterialsProvider

Retrieves encryption materials matching the specified description from some source.

Specified by:

getDecryptionMaterials in interface EncryptionMaterialsProvider

Parameters:

context - Information to assist in selecting a the proper return value. The implementation is free to determine the minimum necessary for successful processing.

Returns:

The encryption materials that match the description, or null if no matching encryption materials found.

getEncryptionMaterials

public EncryptionMaterials getEncryptionMaterials(EncryptionContext context)

Description copied from interface: EncryptionMaterialsProvider

Returns EncryptionMaterials which the caller can use for encryption. Each implementation of EncryptionMaterialsProvider can choose its own strategy for loading encryption material. For example, an implementation might load encryption material from an existing key management system, or load new encryption material when keys are rotated.

Specified by:

getEncryptionMaterials in interface EncryptionMaterialsProvider

Parameters:

context - Information to assist in selecting a the proper return value. The implementation is free to determine the minimum necessary for successful processing.

Returns:

EncryptionMaterials which the caller can use to encrypt or decrypt data.

refresh

public void refresh()

Description copied from interface: EncryptionMaterialsProvider

Forces this encryption materials provider to refresh its encryption material. For many implementations of encryption materials provider, this may simply be a no-op, such as any encryption materials provider implementation that vends static/non-changing encryption material. For other implementations that vend different encryption material throughout their lifetime, this method should force the encryption materials provider to refresh its encryption material.

Specified by:

refresh in interface EncryptionMaterialsProvider