# ReEncryptData
<a name="API_ReEncryptData"></a>

Re-encrypt ciphertext using DUKPT or Symmetric data encryption keys. 

You can either generate an encryption key within AWS Payment Cryptography by calling [CreateKey](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_CreateKey.html) or import your own encryption key by calling [ImportKey](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html). The `KeyArn` for use with this operation must be in a compatible key state with `KeyModesOfUse` set to `Encrypt`. 

This operation also supports dynamic keys, allowing you to pass a dynamic encryption key as a TR-31 WrappedKeyBlock. This can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into AWS Payment Cryptography. To re-encrypt using dynamic keys, the `keyARN` is the Key Encryption Key (KEK) of the TR-31 wrapped encryption key material. The incoming wrapped key shall have a key purpose of D0 with a mode of use of B or D. For more information, see [Using Dynamic Keys](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html) in the * AWS Payment Cryptography User Guide*.

For symmetric and DUKPT encryption, AWS Payment Cryptography supports `TDES` and `AES` algorithms. To encrypt using DUKPT, a DUKPT key must already exist within your account with `KeyModesOfUse` set to `DeriveKey` or a new DUKPT can be generated by calling [CreateKey](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_CreateKey.html).

For information about valid keys for this operation, see [Understanding key attributes](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html) and [Key types for specific data operations](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html) in the * AWS Payment Cryptography User Guide*. 

 **Cross-account use**: This operation can't be used across different AWS accounts.

 **Related operations:** 
+  [DecryptData](API_DecryptData.md) 
+  [EncryptData](API_EncryptData.md) 
+  [GetPublicCertificate](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html) 
+  [ImportKey](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html) 

## Request Syntax
<a name="API_ReEncryptData_RequestSyntax"></a>

```
POST /keys/IncomingKeyIdentifier/reencrypt HTTP/1.1
Content-type: application/json

{
   "CipherText": "string",
   "IncomingEncryptionAttributes": { ... },
   "IncomingWrappedKey": { 
      "KeyCheckValueAlgorithm": "string",
      "WrappedKeyMaterial": { ... }
   },
   "OutgoingEncryptionAttributes": { ... },
   "OutgoingKeyIdentifier": "string",
   "OutgoingWrappedKey": { 
      "KeyCheckValueAlgorithm": "string",
      "WrappedKeyMaterial": { ... }
   }
}
```

## URI Request Parameters
<a name="API_ReEncryptData_RequestParameters"></a>

The request uses the following URI parameters.

 ** [IncomingKeyIdentifier](#API_ReEncryptData_RequestSyntax) **   <a name="paymentcryptographydata-ReEncryptData-request-uri-IncomingKeyIdentifier"></a>
The `keyARN` of the encryption key of incoming ciphertext data.  
When a WrappedKeyBlock is provided, this value will be the identifier to the key wrapping key. Otherwise, it is the key identifier used to perform the operation.  
Length Constraints: Minimum length of 7. Maximum length of 322.  
Pattern: `arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:(key/[0-9a-zA-Z]{16,64}|alias/[a-zA-Z0-9/_-]+)$|^alias/[a-zA-Z0-9/_-]+`   
Required: Yes

## Request Body
<a name="API_ReEncryptData_RequestBody"></a>

The request accepts the following data in JSON format.

 ** [CipherText](#API_ReEncryptData_RequestSyntax) **   <a name="paymentcryptographydata-ReEncryptData-request-CipherText"></a>
Ciphertext to be encrypted. The minimum allowed length is 16 bytes and maximum allowed length is 4096 bytes.  
Type: String  
Length Constraints: Minimum length of 2. Maximum length of 4224.  
Pattern: `(?:[0-9a-fA-F][0-9a-fA-F])+`   
Required: Yes

 ** [IncomingEncryptionAttributes](#API_ReEncryptData_RequestSyntax) **   <a name="paymentcryptographydata-ReEncryptData-request-IncomingEncryptionAttributes"></a>
The attributes and values for incoming ciphertext.  
Type: [ReEncryptionAttributes](API_ReEncryptionAttributes.md) object  
 **Note: **This object is a Union. Only one member of this object can be specified or returned.  
Required: Yes

 ** [IncomingWrappedKey](#API_ReEncryptData_RequestSyntax) **   <a name="paymentcryptographydata-ReEncryptData-request-IncomingWrappedKey"></a>
The WrappedKeyBlock containing the encryption key of incoming ciphertext data.  
Type: [WrappedKey](API_WrappedKey.md) object  
Required: No

 ** [OutgoingEncryptionAttributes](#API_ReEncryptData_RequestSyntax) **   <a name="paymentcryptographydata-ReEncryptData-request-OutgoingEncryptionAttributes"></a>
The attributes and values for outgoing ciphertext data after encryption by AWS Payment Cryptography.  
Type: [ReEncryptionAttributes](API_ReEncryptionAttributes.md) object  
 **Note: **This object is a Union. Only one member of this object can be specified or returned.  
Required: Yes

 ** [OutgoingKeyIdentifier](#API_ReEncryptData_RequestSyntax) **   <a name="paymentcryptographydata-ReEncryptData-request-OutgoingKeyIdentifier"></a>
The `keyARN` of the encryption key of outgoing ciphertext data after encryption by AWS Payment Cryptography.  
Type: String  
Length Constraints: Minimum length of 7. Maximum length of 322.  
Pattern: `arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:(key/[0-9a-zA-Z]{16,64}|alias/[a-zA-Z0-9/_-]+)$|^alias/[a-zA-Z0-9/_-]+`   
Required: Yes

 ** [OutgoingWrappedKey](#API_ReEncryptData_RequestSyntax) **   <a name="paymentcryptographydata-ReEncryptData-request-OutgoingWrappedKey"></a>
The WrappedKeyBlock containing the encryption key of outgoing ciphertext data after encryption by AWS Payment Cryptography.  
Type: [WrappedKey](API_WrappedKey.md) object  
Required: No

## Response Syntax
<a name="API_ReEncryptData_ResponseSyntax"></a>

```
HTTP/1.1 200
Content-type: application/json

{
   "CipherText": "string",
   "KeyArn": "string",
   "KeyCheckValue": "string"
}
```

## Response Elements
<a name="API_ReEncryptData_ResponseElements"></a>

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [CipherText](#API_ReEncryptData_ResponseSyntax) **   <a name="paymentcryptographydata-ReEncryptData-response-CipherText"></a>
The encrypted ciphertext.  
Type: String  
Length Constraints: Minimum length of 2. Maximum length of 4224.  
Pattern: `(?:[0-9a-fA-F][0-9a-fA-F])+` 

 ** [KeyArn](#API_ReEncryptData_ResponseSyntax) **   <a name="paymentcryptographydata-ReEncryptData-response-KeyArn"></a>
The keyARN (Amazon Resource Name) of the encryption key that AWS Payment Cryptography uses for plaintext encryption.  
Type: String  
Length Constraints: Minimum length of 70. Maximum length of 150.  
Pattern: `arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:key/[0-9a-zA-Z]{16,64}` 

 ** [KeyCheckValue](#API_ReEncryptData_ResponseSyntax) **   <a name="paymentcryptographydata-ReEncryptData-response-KeyCheckValue"></a>
The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.  
 AWS Payment Cryptography computes the KCV according to the CMAC specification.  
Type: String  
Length Constraints: Minimum length of 4. Maximum length of 16.  
Pattern: `[0-9a-fA-F]+` 

## Errors
<a name="API_ReEncryptData_Errors"></a>

 ** AccessDeniedException **   
You do not have sufficient access to perform this action.  
HTTP Status Code: 403

 ** InternalServerException **   
The request processing has failed because of an unknown error, exception, or failure.  
HTTP Status Code: 500

 ** ResourceNotFoundException **   
The request was denied due to an invalid resource error.    
 ** ResourceId **   
The resource that is missing.
HTTP Status Code: 404

 ** ThrottlingException **   
The request was denied due to request throttling.  
HTTP Status Code: 429

 ** ValidationException **   
The request was denied due to an invalid request error.    
 ** fieldList **   
The request was denied due to an invalid request error.
HTTP Status Code: 400

## See Also
<a name="API_ReEncryptData_SeeAlso"></a>

For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/payment-cryptography-data-2022-02-03/ReEncryptData) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/payment-cryptography-data-2022-02-03/ReEncryptData) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/payment-cryptography-data-2022-02-03/ReEncryptData) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/payment-cryptography-data-2022-02-03/ReEncryptData) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/payment-cryptography-data-2022-02-03/ReEncryptData) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/payment-cryptography-data-2022-02-03/ReEncryptData) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/payment-cryptography-data-2022-02-03/ReEncryptData) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/payment-cryptography-data-2022-02-03/ReEncryptData) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/payment-cryptography-data-2022-02-03/ReEncryptData) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/payment-cryptography-data-2022-02-03/ReEncryptData)