Static Materials Provider - AWS Database Encryption SDK
How to use itHow it works

Static Materials Provider

Note

Our client-side encryption library was renamed to AWS Database Encryption SDK. The following topic provides information on versions 1.x—2.x of the DynamoDB Encryption Client for Java and versions 1.x—3.x of the DynamoDB Encryption Client for Python. For more information, see AWS Database Encryption SDK for DynamoDB version support.

The Static Materials Provider (Static CMP) is a very simple cryptographic materials provider (CMP) that is intended for testing, proof-of-concept demonstrations, and legacy compatibility.

To use the Static CMP to encrypt a table item, you supply an Advanced Encryption Standard (AES) symmetric encryption key and a signing key or key pair. You must supply the same keys to decrypt the encrypted item. The Static CMP does not perform any cryptographic operations. Instead, it passes the encryption keys that you supply to the item encryptor unchanged. The item encryptor encrypts the items directly under the encryption key. Then, it uses the signing key directly to sign them.

Because the Static CMP does not generate any unique cryptographic materials, all table items that you process are encrypted with the same encryption key and signed by the same signing key. When you use the same key to encrypt the attributes values in numerous items or use the same key or key pair to sign all items, you risk exceeding the cryptographic limits of the keys.

Note

The Asymmetric Static Provider in the Java library is not a static provider. It just supplies alternate constructors for the Wrapped CMP. It's safe for production use, but you should use the Wrapped CMP directly whenever possible.

The Static CMP is one of several cryptographic materials providers (CMPs) that the DynamoDB Encryption Client supports. For information about the other CMPs, see Cryptographic materials provider.

For example code, see:

How to use it

To create a static provider, supply an encryption key or key pair and a signing key or key pair. You need to provide key material to encrypt and decrypt table items.

Java
// To encrypt
SecretKey cek = ...;        // Encryption key
SecretKey macKey =  ...;    // Signing key
EncryptionMaterialsProvider provider = new SymmetricStaticProvider(cek, macKey);

// To decrypt
SecretKey cek = ...;        // Encryption key
SecretKey macKey =  ...;    // Verification key
EncryptionMaterialsProvider provider = new SymmetricStaticProvider(cek, macKey);
Python
# You can provide encryption materials, decryption materials, or both
encrypt_keys = EncryptionMaterials(
    encryption_key = ...,
    signing_key = ...
)

decrypt_keys = DecryptionMaterials(
    decryption_key = ...,
    verification_key = ...
)

static_cmp = StaticCryptographicMaterialsProvider(
    encryption_materials=encrypt_keys
    decryption_materials=decrypt_keys
)

How it works

The Static Provider passes the encryption and signing keys that you supply to the item encryptor, where they are used directly to encrypt and sign your table items. Unless you supply different keys for each item, the same keys are used for every item.

The input, processing, and output of the Static Materials Provider in the DynamoDB Encryption Client

Get encryption materials

This section describes in detail the inputs, outputs, and processing of the Static Materials Provider (Static CMP) when it receives a request for encryption materials.

Input (from the application)

  • An encryption key – This must be a symmetric key, such as an Advanced Encryption Standard (AES) key.

  • A signing key – This can be a symmetric key or an asymmetric key pair.

Input (from the item encryptor)

Output (to the item encryptor)

  • The encryption key passed as input.

  • The signing key passed as input.

  • Actual material description: The requested material description, if any, unchanged.

Show moreShow less

Get decryption materials

This section describes in detail the inputs, outputs, and processing of the Static Materials Provider (Static CMP) when it receives a request for decryption materials.

Although it includes separate methods for getting encryption materials and getting decryption materials, the behavior is the same.

Input (from the application)

  • An encryption key – This must be a symmetric key, such as an Advanced Encryption Standard (AES) key.

  • A signing key – This can be a symmetric key or an asymmetric key pair.

Input (from the item encryptor)

Output (to the item encryptor)

  • The encryption key passed as input.

  • The signing key passed as input.

Show moreShow less