KMS Encryption Context

  • Additional Authenticated Data (AAD):

    • Non-secret data that is supplied to both the encryption and the decryption operation so that the ciphertext carries an additional integrity and authenticity check: the AAD is authenticated together with the encrypted data but is not itself encrypted.

    • Decryption fails if the AAD supplied to the decrypt operation does not exactly match the AAD that was supplied when the data was encrypted; the ciphertext is rejected outright rather than decrypted to garbage.

  • All KMS cryptographic operations with symmetric CMKs accept an encryption context, an optional set of key-value pairs that can carry additional contextual information about the data (for example which application or tenant it belongs to). Because the context is not secret, KMS records it in plaintext in CloudTrail, so it must never contain sensitive data; the same pairs can also be matched in key policy and IAM policy conditions to restrict which contexts a caller may use.

  • KMS uses the encryption context as additional authenticated data (AAD) to support authenticated encryption.

  • You cannot specify an encryption context in a cryptographic operation with an asymmetric CMK.
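The behaviour described above, as an added example that is not part of these notes or of AWS's own code: a local AES-256-GCM model of an encryption context used as AAD. KMS's internal construction is not published, so the canonical encoding of the key-value pairs (sorted, length-prefixed) is an assumption chosen only to make "same pairs, any order" produce the same AAD bytes; the `ErrContextMismatch` error plays the role of KMS's `InvalidCiphertextException`. The example shows that a reordered context decrypts, while an altered or omitted context is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"sort"
	"strings"
)

// EncryptionContext is the set of non-secret key-value pairs bound to a ciphertext.
type EncryptionContext map[string]string

// canonical serialises the context so that the same pairs, in any order, always
// yield the same AAD bytes. Keys and values are length-prefixed so that
// {"a":"bc"} and {"ab":"c"} cannot collide. (Assumed encoding for this example.)
func (ec EncryptionContext) canonical() []byte {
	keys := make([]string, 0, len(ec))
	for k := range ec {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%d:%s=%d:%s;", len(k), k, len(ec[k]), ec[k])
	}
	return []byte(b.String())
}

// ErrContextMismatch stands in for KMS's InvalidCiphertextException: the
// caller learns only that decryption failed, not which part did not match.
var ErrContextMismatch = errors.New("decryption failed: ciphertext or encryption context does not match")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-GCM using the canonical context as AAD.
// The context is authenticated but neither encrypted nor stored in the blob,
// so the caller must present the same pairs again to decrypt.
func Encrypt(key, plaintext []byte, ec EncryptionContext) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || GCM tag
	return gcm.Seal(nonce, nonce, plaintext, ec.canonical()), nil
}

// Decrypt opens a blob produced by Encrypt; any mismatch in key, ciphertext
// or encryption context fails the tag check and returns ErrContextMismatch.
func Decrypt(key, blob []byte, ec EncryptionContext) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, ErrContextMismatch
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, ec.canonical())
	if err != nil {
		return nil, ErrContextMismatch
	}
	return pt, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	ctx := EncryptionContext{"department": "finance", "purpose": "payroll"}
	blob, err := Encrypt(key, []byte("account=1234"), ctx) // constructed sample data
	if err != nil {
		panic(err)
	}
	_, err = Decrypt(key, blob, EncryptionContext{"purpose": "payroll", "department": "finance"})
	fmt.Println("reordered context:", err) // <nil>: same pairs, order is irrelevant
	_, err = Decrypt(key, blob, EncryptionContext{"department": "marketing", "purpose": "payroll"})
	fmt.Println("altered context:  ", err) // ErrContextMismatch
	_, err = Decrypt(key, blob, nil)
	fmt.Println("missing context:  ", err) // ErrContextMismatch
}
```

Against real KMS the same idea is exercised through the `EncryptionContext` map parameter of Encrypt, Decrypt, GenerateDataKey and ReEncrypt; a Decrypt call whose context does not match the one used at encryption time fails with `InvalidCiphertextException`, exactly as the local model rejects the altered and missing contexts here.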
