|
| 1 | +# AWS Encryption SDK Examples |
| 2 | + |
| 3 | +This section features examples that show you |
| 4 | +how to use the AWS Encryption SDK. |
| 5 | +We demonstrate how to use the encryption and decryption APIs |
| 6 | +and how to set up some common configuration patterns. |
| 7 | + |
| 8 | +## APIs |
| 9 | + |
| 10 | +The AWS Encryption SDK provides two high-level APIs: |
| 11 | +one-step APIs that process the entire operation in memory |
| 12 | +and streaming APIs. |
| 13 | + |
| 14 | +You can find examples that demonstrate these APIs |
| 15 | +in the [`examples`](./java/com/amazonaws/crypto/examples) directory. |
| 16 | + |
| 17 | +## Configuration |
| 18 | + |
| 19 | +To use the encryption and decryption APIs, |
| 20 | +you need to describe how you want the library to protect your data keys. |
| 21 | +You can do this by configuring |
| 22 | +[keyrings](#keyrings) or [cryptographic materials managers](#cryptographic-materials-managers), |
| 23 | +or by configuring [master key providers](#master-key-providers). |
| 24 | +These examples will show you how to use the configuration tools that we include for you |
| 25 | +and how to create some of your own. |
| 26 | +We start with AWS KMS examples, then show how to use other wrapping keys. |
| 27 | + |
| 28 | +* Using AWS Key Management Service (AWS KMS) |
| 29 | + * How to use one AWS KMS CMK |
| 30 | + * [with keyrings](./java/com/amazonaws/crypto/examples/keyring/awskms/SingleCmk.java) |
| 31 | + * How to use multiple AWS KMS CMKs in different regions |
| 32 | + * [with keyrings](./java/com/amazonaws/crypto/examples/keyring/awskms/MultipleRegions.java) |
| 33 | + * How to decrypt when you don't know the CMK |
| 34 | + * [with keyrings](./java/com/amazonaws/crypto/examples/keyring/awskms/DiscoveryDecrypt.java) |
| 35 | + * How to decrypt within a region |
| 36 | + * [with keyrings](./java/com/amazonaws/crypto/examples/keyring/awskms/DiscoveryDecryptInRegionOnly.java) |
| 37 | + * How to decrypt with a preferred region but failover to others |
| 38 | + * [with keyrings](./java/com/amazonaws/crypto/examples/keyring/awskms/DiscoveryDecryptWithPreferredRegions.java) |
| 39 | +* Using raw wrapping keys |
| 40 | + * How to use a raw AES wrapping key |
| 41 | + * [with keyrings](./java/com/amazonaws/crypto/examples/keyring/rawaes/RawAes.java) |
| 42 | + * How to use a raw RSA wrapping key |
| 43 | + * [with keyrings](./java/com/amazonaws/crypto/examples/keyring/rawrsa/RawRsa.java) |
| 44 | + * How to encrypt with a raw RSA public key wrapping key without access to the private key |
| 45 | + * [with keyrings](./java/com/amazonaws/crypto/examples/keyring/rawrsa/PublicPrivateKeySeparate.java) |
| 46 | + * How to use a raw RSA wrapping key when the key is DER encoded |
| 47 | + * [with keyrings](./java/com/amazonaws/crypto/examples/keyring/rawrsa/RawRsaDerEncoded.java) |
| 48 | +* Combining wrapping keys |
| 49 | + * How to combine AWS KMS with an offline escrow key |
| 50 | + * [with keyrings](./java/com/amazonaws/crypto/examples/keyring/multi/AwsKmsWithEscrow.java) |
| 51 | + |
| 52 | +### Keyrings |
| 53 | + |
| 54 | +Keyrings are the most common way for you to configure the AWS Encryption SDK. |
| 55 | +They determine how the AWS Encryption SDK protects your data. |
| 56 | +You can find these examples in ['examples/keyring`](./java/com/amazonaws/crypto/examples/keyring). |
| 57 | + |
| 58 | +### Cryptographic Materials Managers |
| 59 | + |
| 60 | +Keyrings define how your data keys are protected, |
| 61 | +but there is more going on here than just protecting data keys. |
| 62 | + |
| 63 | +Cryptographic materials managers give you higher-level controls |
| 64 | +over how the AWS Encryption SDK protects your data. |
| 65 | +This can include things like |
| 66 | +enforcing the use of certain algorithm suites or encryption context settings, |
| 67 | +reusing data keys across messages, |
| 68 | +or changing how you interact with keyrings. |
| 69 | +You can find these examples in |
| 70 | +[`examples/crypto_materials_manager`](./java/com/amazonaws/crypto/examples/cryptomaterialsmanager). |
| 71 | + |
| 72 | +### Master Key Providers |
| 73 | + |
| 74 | +Before there were keyrings, there were master key providers. |
| 75 | +Master key providers were the original configuration structure |
| 76 | +that we provided for defining how you want to protect your data keys. |
| 77 | +Keyrings provide a simpler experience and often more powerful configuration options, |
| 78 | +but if you need to use master key providers, |
| 79 | +need help migrating from master key providers to keyrings, |
| 80 | +or simply want to see the difference between these configuration experiences, |
| 81 | +you can find these examples in [`examples/masterkeyprovider`](./java/com/amazonaws/crypto/examples/masterkeyprovider). |
| 82 | + |
| 83 | +## Legacy |
| 84 | + |
| 85 | +This section includes older examples, |
| 86 | +including examples of using master keys and master key providers. |
| 87 | +You can use them as a reference, |
| 88 | +but we recommend looking at the newer examples, which explain the preferred ways of using this library. |
| 89 | +You can find these examples in [`examples/legacy`](./java/com/amazonaws/crypto/examples/legacy). |
| 90 | + |
| 91 | +# Writing Examples |
| 92 | + |
| 93 | +If you want to contribute a new example, that's awesome! |
| 94 | +To make sure that your example is tested in our CI, |
| 95 | +please make sure that it meets the following requirements: |
| 96 | + |
| 97 | +1. The example MUST be a distinct class in the [`examples`](./java/com/amazonaws/crypto/examples) directory. |
| 98 | +1. Each example file MUST contain exactly one example. |
| 99 | +1. Each example file MUST contain a static method called `run` that runs the example. |
| 100 | +1. If your `run` method needs any of the following inputs, |
| 101 | + the parameters MUST have the following types: |
| 102 | + * `com.amazonaws.encryptionsdk.kms.AwsKmsCmkId` : A single AWS KMS CMK ARN. |
| 103 | + * NOTE: You can assume that automatically discovered credentials have |
| 104 | + `kms:GenerateDataKey`, `kms:Encrypt`, and `kms:Decrypt` permissions on this CMK. |
| 105 | + * `List<com.amazonaws.encryptionsdk.kms.AwsKmsCmkId>` : |
| 106 | + A list of AWS KMS CMK ARNs to use for encrypting and decrypting data keys. |
| 107 | + * NOTE: You can assume that automatically discovered credentials have |
| 108 | + `kms:Encrypt` and `kms:Decrypt` permissions on these CMKs. |
| 109 | + * `byte[]` : Plaintext data to encrypt. |
| 110 | + * `java.io.File` : A path to a file containing plaintext to encrypt. |
| 111 | + * NOTE: You can assume that you have write access to the parent directory |
| 112 | + and that anything you do in that directory will be cleaned up |
| 113 | + by our test runners. |
| 114 | +1. Any additional parameters MUST be optional and nullable and not of the same type as the above parameters. |
0 commit comments