How can I be sure that authenticated encryption with associated data (AEAD) is used when I call the AWS Key Management Service (AWS KMS) Encrypt, Decrypt, and ReEncrypt APIs?

AWS KMS provides an Encryption Context that you can use to verify the authenticity of AWS KMS API calls and to be sure of the integrity of the ciphertext that is returned by the AWS KMS Decrypt API.

To be sure of the integrity of data encrypted with the AWS KMS APIs, you pass a set of name-value pairs as an Encryption Context during AWS KMS encryption and again when you call the Decrypt or ReEncrypt APIs. As long as the encryption context that you pass to the Decrypt API is identical to the encryption context that you passed to the Encrypt or ReEncrypt API, the integrity of the returned ciphertext is confirmed; if the contexts differ, the call fails. To learn more about using encryption context to protect the integrity of encrypted data, see Encryption Context and the post How to Protect the Integrity of Your Encrypted Data by Using AWS Key Management Service and EncryptionContext on the AWS Security Blog.
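The mechanism described above, shown as a self-contained Python model added here (it is not AWS code and not how KMS is implemented internally): the encryption context is canonicalized and fed in as AEAD associated data, so it is authenticated but not encrypted, and a decrypt call that supplies a different context fails the integrity check. The HMAC-based keystream and tag are a constructed stand-in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import json
import os


class IntegrityError(Exception):
    """Tag mismatch: wrong key, modified ciphertext, or a different encryption context."""


def canonical_context(ctx):
    # KMS treats the context as a set of name/value pairs, so pair order must not matter.
    return json.dumps(sorted(ctx.items()), separators=(",", ":")).encode()


def _derive(master_key, label):
    # Separate encryption and MAC keys from one master key (constructed, not KMS's KDF).
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # Counter-mode keystream built from HMAC so the example needs only the stdlib.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(master_key, plaintext, encryption_context):
    nonce = os.urandom(16)
    ks = _keystream(_derive(master_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    # The context enters only the tag: it is bound to the ciphertext, never hidden by it.
    aad = canonical_context(encryption_context)
    tag = hmac.new(_derive(master_key, b"mac"), aad + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key, blob, encryption_context):
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    aad = canonical_context(encryption_context)
    expected = hmac.new(_derive(master_key, b"mac"), aad + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        raise IntegrityError("encryption context or ciphertext does not match")
    ks = _keystream(_derive(master_key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def decrypts_cleanly(master_key, blob, encryption_context):
    # Convenience check: True only when the supplied context matches the one used to encrypt.
    try:
        decrypt(master_key, blob, encryption_context)
        return True
    except IntegrityError:
        return False
```

Because the context is authenticated rather than encrypted, it must never carry secrets; it is also written to CloudTrail for each call, which is what makes it useful for auditing who decrypted what under which context.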


Published: 2016-02-26

Updated: 2018-05-09