EncryptData - AWS Payment Cryptography Data Plane

EncryptData

Encrypts plaintext data to ciphertext using a symmetric (TDES, AES), asymmetric (RSA), or derived (DUKPT or EMV) encryption key scheme. For more information, see Encrypt data in the AWS Payment Cryptography User Guide.

You can generate an encryption key within AWS Payment Cryptography by calling CreateKey. You can import your own encryption key by calling ImportKey.

For this operation, the key must have KeyModesOfUse set to Encrypt. In asymmetric encryption, plaintext is encrypted using public component. You can import the public component of an asymmetric key pair created outside AWS Payment Cryptography by calling ImportKey.

This operation also supports dynamic keys, allowing you to pass a dynamic encryption key as a TR-31 WrappedKeyBlock. This can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into AWS Payment Cryptography. To encrypt using dynamic keys, the keyARN is the Key Encryption Key (KEK) of the TR-31 wrapped encryption key material. The incoming wrapped key shall have a key purpose of D0 with a mode of use of B or D. For more information, see Using Dynamic Keys in the AWS Payment Cryptography User Guide.

For symmetric and DUKPT encryption, AWS Payment Cryptography supports TDES and AES algorithms. For EMV encryption, AWS Payment Cryptography supports TDES algorithms.For asymmetric encryption, AWS Payment Cryptography supports RSA.

When you use TDES or TDES DUKPT, the plaintext data length must be a multiple of 8 bytes. For AES or AES DUKPT, the plaintext data length must be a multiple of 16 bytes. For RSA, it sould be equal to the key size unless padding is enabled.

To encrypt using DUKPT, you must already have a BDK (Base Derivation Key) key in your account with KeyModesOfUse set to DeriveKey, or you can generate a new DUKPT key by calling CreateKey. To encrypt using EMV, you must already have an IMK (Issuer Master Key) key in your account with KeyModesOfUse set to DeriveKey.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the AWS Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different AWS accounts.

Related operations:

Request Syntax

POST /keys/KeyIdentifier/encrypt HTTP/1.1 Content-type: application/json { "EncryptionAttributes": { ... }, "PlainText": "string", "WrappedKey": { "KeyCheckValueAlgorithm": "string", "WrappedKeyMaterial": { ... } } }

URI Request Parameters

The request uses the following URI parameters.

KeyIdentifier

The keyARN of the encryption key that AWS Payment Cryptography uses for plaintext encryption.

When a WrappedKeyBlock is provided, this value will be the identifier to the key wrapping key. Otherwise, it is the key identifier used to perform the operation.

Length Constraints: Minimum length of 7. Maximum length of 322.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:(key/[0-9a-zA-Z]{16,64}|alias/[a-zA-Z0-9/_-]+)$|^alias/[a-zA-Z0-9/_-]+

Required: Yes

Request Body

The request accepts the following data in JSON format.

EncryptionAttributes

The encryption key type and attributes for plaintext encryption.

Type: EncryptionDecryptionAttributes object

Note: This object is a Union. Only one member of this object can be specified or returned.

Required: Yes

PlainText

The plaintext to be encrypted.

Note

For encryption using asymmetric keys, plaintext data length is constrained by encryption key strength that you define in KeyAlgorithm and padding type that you define in AsymmetricEncryptionAttributes. For more information, see Encrypt data in the AWS Payment Cryptography User Guide.

Type: String

Length Constraints: Minimum length of 2. Maximum length of 4064.

Pattern: (?:[0-9a-fA-F][0-9a-fA-F])+

Required: Yes

WrappedKey

The WrappedKeyBlock containing the encryption key for plaintext encryption.

Type: WrappedKey object

Required: No

Response Syntax

HTTP/1.1 200 Content-type: application/json { "CipherText": "string", "KeyArn": "string", "KeyCheckValue": "string" }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

CipherText

The encrypted ciphertext.

Type: String

Length Constraints: Minimum length of 2. Maximum length of 4096.

Pattern: (?:[0-9a-fA-F][0-9a-fA-F])+

KeyArn

The keyARN of the encryption key that AWS Payment Cryptography uses for plaintext encryption.

Type: String

Length Constraints: Minimum length of 70. Maximum length of 150.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:key/[0-9a-zA-Z]{16,64}

KeyCheckValue

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

AWS Payment Cryptography computes the KCV according to the CMAC specification.

Type: String

Length Constraints: Minimum length of 4. Maximum length of 16.

Pattern: [0-9a-fA-F]+

Errors

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 403

InternalServerException

The request processing has failed because of an unknown error, exception, or failure.

HTTP Status Code: 500

ResourceNotFoundException

The request was denied due to an invalid resource error.

HTTP Status Code: 404

ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 429

ValidationException

The request was denied due to an invalid request error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: