|
| 1 | +# AWS Encryption SDK Examples |
| 2 | + |
| 3 | +This section features examples that show you |
| 4 | +how to use the AWS Encryption SDK. |
| 5 | +We demonstrate how to use the encryption and decryption APIs |
| 6 | +and how to set up some common configuration patterns. |
| 7 | + |
| 8 | +## APIs |
| 9 | + |
| 10 | +The AWS Encryption SDK provides two high-level APIs: |
| 11 | +one-step APIs that process the entire operation in memory |
| 12 | +and streaming APIs. |
| 13 | + |
| 14 | +You can find examples that demonstrate these APIs |
| 15 | +in the [`examples`](./java/com/amazonaws/crypto/examples) directory. |
| 16 | + |
| 17 | +## Configuration |
| 18 | + |
| 19 | +To use the library APIs, |
| 20 | +you need to describe how you want the library to protect your data keys. |
| 21 | +You can do this using |
| 22 | +[keyrings](#keyrings) or [cryptographic materials managers](#cryptographic-materials-managers), |
| 23 | +or using [master key providers](#master-key-providers). |
| 24 | +These examples will show you how. |
| 25 | + |
| 26 | +### Keyrings |
| 27 | + |
| 28 | +Keyrings are the most common way for you to configure the AWS Encryption SDK. |
| 29 | +They determine how the AWS Encryption SDK protects your data. |
| 30 | +You can find these examples in ['examples/keyring`](./java/com/amazonaws/crypto/examples/keyring). |
| 31 | + |
| 32 | +### Cryptographic Materials Managers |
| 33 | + |
| 34 | +Keyrings define how your data keys are protected, |
| 35 | +but there is more going on here than just protecting data keys. |
| 36 | + |
| 37 | +Cryptographic materials managers give you higher-level controls |
| 38 | +over how the AWS Encryption SDK protects your data. |
| 39 | +This can include things like |
| 40 | +enforcing the use of certain algorithm suites or encryption context settings, |
| 41 | +reusing data keys across messages, |
| 42 | +or changing how you interact with keyrings. |
| 43 | +You can find these examples in |
| 44 | +[`examples/crypto_materials_manager`](./java/com/amazonaws/crypto/examples/cryptomaterialsmanager). |
| 45 | + |
| 46 | +### Master Key Providers |
| 47 | + |
| 48 | +Before there were keyrings, there were master key providers. |
| 49 | +Master key providers were the original configuration structure |
| 50 | +that we provided for defining how you want to protect your data keys. |
| 51 | +Keyrings provide a simpler experience and often more powerful configuration options, |
| 52 | +but if you need to use master key providers, |
| 53 | +need help migrating from master key providers to keyrings, |
| 54 | +or simply want to see the difference between these configuration experiences, |
| 55 | +you can find these examples in [`examples/masterkeyprovider`](./java/com/amazonaws/crypto/examples/masterkeyprovider). |
| 56 | + |
| 57 | +## Legacy |
| 58 | + |
| 59 | +This section includes older examples, |
| 60 | +including examples of using master keys and master key providers. |
| 61 | +You can use them as a reference, |
| 62 | +but we recommend looking at the newer examples, which explain the preferred ways of using this library. |
| 63 | +You can find these examples in [`examples/legacy`](./java/com/amazonaws/crypto/examples/legacy). |
| 64 | + |
| 65 | +# Writing Examples |
| 66 | + |
| 67 | +If you want to contribute a new example, that's awesome! |
| 68 | +To make sure that your example is tested in our CI, |
| 69 | +please make sure that it meets the following requirements: |
| 70 | + |
| 71 | +1. The example MUST be a distinct class in the [`examples`](./java/com/amazonaws/crypto/examples) directory. |
| 72 | +1. Each example file MUST contain exactly one example. |
| 73 | +1. Each example file MUST contain a static method called `run` that runs the example. |
| 74 | +1. If your `run` method needs any of the following inputs, |
| 75 | + the parameters MUST have the following types: |
| 76 | + * `com.amazonaws.encryptionsdk.kms.AwsKmsCmkId` : A single AWS KMS CMK ARN. |
| 77 | + * NOTE: You can assume that automatically discovered credentials have |
| 78 | + `kms:GenerateDataKey`, `kms:Encrypt`, and `kms:Decrypt` permissions on this CMK. |
| 79 | + * `List<com.amazonaws.encryptionsdk.kms.AwsKmsCmkId>` : |
| 80 | + A list of AWS KMS CMK ARNs to use for encrypting and decrypting data keys. |
| 81 | + * NOTE: You can assume that automatically discovered credentials have |
| 82 | + `kms:Encrypt` and `kms:Decrypt` permissions on these CMKs. |
| 83 | + * `byte[]` : Plaintext data to encrypt. |
| 84 | + * `java.io.File` : A path to a file containing plaintext to encrypt. |
| 85 | + * NOTE: You can assume that you have write access to the parent directory |
| 86 | + and that anything you do in that directory will be cleaned up |
| 87 | + by our test runners. |
| 88 | +1. Any additional parameters MUST be optional and nullable and not of the same type as the above parameters. |
0 commit comments