0.1.0
Language | Confirmed Compatible with Spec Version | Minimum Version Confirmed | Implementation |
---|---|---|---|
C | 0.1.0 | 0.1.0 | session.c |
NodeJS | 0.1.0 | 0.1.0 | index.ts |
Browser JS | 0.1.0 | 0.1.0 | index.ts |
Python | 0.1.0 | 0.1.0 | __init__.py |
Java | 0.1.0 | 0.1.0 | AwsCrypto.java |
This document describes the client experience for the AWS Encryption SDK.
The top level client supports configuration settings that need to be coordinated between encrypt and decrypt. Coordinating static settings between encrypt and decrypt across hosts is complicated. It is important that all messages that could be sent to a host can be decrypted by that host. A top level client makes such settings hard to misuse because anything a client encrypts can be decrypted by the same client.
On client initialization, the caller MUST have the option to provide a:
If no commitment policy is provided the default MUST be REQUIRE_ENCRYPT_REQUIRE_DECRYPT. If no maximum number of encrypted data keys is provided the default MUST result in no limit on the number of encrypted data keys (aside from the limit imposed by the message format).
Once a commitment policy has been set it SHOULD be immutable.
Some algorithm suites provide a commitment that one and only one data key can be used to decrypt the plaintext. Commitment policies control which algorithm suites are enabled for encrypt and decrypt, as well as which algorithm suite is the default.
The AWS Encryption SDK MUST provide the following commitment policies:
- FORBID_ENCRYPT_ALLOW_DECRYPT
- REQUIRE_ENCRYPT_ALLOW_DECRYPT
- REQUIRE_ENCRYPT_REQUIRE_DECRYPT
An AWS Encryption SDK message can contain multiple encrypted data keys. The maximum number of encrypted data keys is the maximum number of encrypted data keys that the client will attempt to unwrap. Callers MUST have a way to disable this limit.
When the commitment policy FORBID_ENCRYPT_ALLOW_DECRYPT is configured:
- 03 78 MUST be the default algorithm suite
- encrypt MUST only support algorithm suites that have a Key Commitment value of False
- decrypt MUST support all algorithm suites
When the commitment policy REQUIRE_ENCRYPT_ALLOW_DECRYPT is configured:
- 05 78 MUST be the default algorithm suite
- encrypt MUST only support algorithm suites that have a Key Commitment value of True
- decrypt MUST support all algorithm suites
When the commitment policy REQUIRE_ENCRYPT_REQUIRE_DECRYPT is configured:
- 05 78 MUST be the default algorithm suite
- encrypt MUST only support algorithm suites that have a Key Commitment value of True
- decrypt MUST only support algorithm suites that have a Key Commitment value of True
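The three policy rules above and the client defaults, as a small Python model. This is an added example, not the AWS Encryption SDK's own code: `Client`, `CommitmentPolicy`, `PolicyError`, `commits`, `check_encrypt` and `check_decrypt` are hypothetical names, and suite IDs 01 78 and 04 78 are assumed additions from the SDK's algorithm suite list rather than values from this page.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Suite ID -> Key Commitment value. 03 78 and 05 78 appear on this page;
# 01 78 and 04 78 are assumed additions from the SDK's algorithm suite list.
KEY_COMMITMENT = {0x0178: False, 0x0378: False, 0x0478: True, 0x0578: True}


class PolicyError(Exception):
    """The suite is not enabled by the configured commitment policy."""


class CommitmentPolicy(Enum):
    # (default suite, Key Commitment value required on encrypt,
    #  whether decrypt is restricted to committing suites)
    FORBID_ENCRYPT_ALLOW_DECRYPT = (0x0378, False, False)
    REQUIRE_ENCRYPT_ALLOW_DECRYPT = (0x0578, True, False)
    REQUIRE_ENCRYPT_REQUIRE_DECRYPT = (0x0578, True, True)


def commits(suite_id: int) -> bool:
    """Look up the Key Commitment value; unknown suites are rejected."""
    if suite_id not in KEY_COMMITMENT:
        raise PolicyError(f"unknown algorithm suite {suite_id:#06x}")
    return KEY_COMMITMENT[suite_id]


@dataclass(frozen=True)  # frozen: settings cannot change after initialization
class Client:  # hypothetical stand-in for the top level client
    commitment_policy: CommitmentPolicy = CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
    max_encrypted_data_keys: Optional[int] = None  # None means no limit

    def check_encrypt(self, suite_id: Optional[int] = None) -> int:
        """Return the suite to encrypt with; the policy default if none is given."""
        default, required, _ = self.commitment_policy.value
        suite_id = default if suite_id is None else suite_id
        if commits(suite_id) != required:
            raise PolicyError(f"{suite_id:#06x} not enabled for encrypt")
        return suite_id

    def check_decrypt(self, suite_id: int) -> int:
        """Return the suite if the policy lets decrypt accept it."""
        _, _, committing_only = self.commitment_policy.value
        committed = commits(suite_id)
        if committing_only and not committed:
            raise PolicyError(f"{suite_id:#06x} not enabled for decrypt")
        return suite_id
```

Under REQUIRE_ENCRYPT_ALLOW_DECRYPT the model still accepts 03 78 on decrypt, so messages written under the older policy remain readable by a client that has stopped writing them.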
The AWS Encryption SDK Client MUST provide an encrypt function that adheres to encrypt.
The AWS Encryption SDK Client MUST provide a decrypt function that adheres to decrypt.