
Commit 8ee4cf1

committed
KMS keys must be symmetric encryption keys
1 parent e5c8677 commit 8ee4cf1


4 files changed

+4
-4
lines changed


doc_source/about-versions.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -62,7 +62,7 @@ There are no changes to constructors for AWS KMS keyrings\. Standard AWS KMS key
6262

6363
**Passing a key ID to AWS KMS Decrypt**
6464
Beginning in version 1\.7\.*x*, when decrypting encrypted data keys, the AWS Encryption SDK always specifies an AWS KMS key in its calls to the AWS KMS [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) operation\. The AWS Encryption SDK gets the key ID value for the AWS KMS key from the metadata in each encrypted data key\. This feature doesn't require any code changes\.
65-
Specifying the key ID of the AWS KMS key is not required to decrypt ciphertext that was encrypted under a symmetric AWS KMS key, but it is an [AWS KMS best practice](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html#KMS-Decrypt-request-KeyId)\. Like specifying wrapping keys in your key provider, this practice assures that AWS KMS only decrypts using the wrapping key you intend to use\.
65+
Specifying the key ID of the AWS KMS key is not required to decrypt ciphertext that was encrypted under a symmetric encryption KMS key, but it is an [AWS KMS best practice](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html#KMS-Decrypt-request-KeyId)\. Like specifying wrapping keys in your key provider, this practice assures that AWS KMS only decrypts using the wrapping key you intend to use\.
6666

6767
**Decrypt ciphertext with key commitment**
6868
Version 1\.7\.*x* can decrypt ciphertext that was encrypted with or without [key commitment](concepts.md#key-commitment)\. However, it cannot encrypt ciphertext with key commitment\. This property allows you to fully deploy applications that can decrypt ciphertext encrypted with key commitment before they ever encounter any such ciphertext\. Because this version decrypts messages that are encrypted without key commitment, you don't need to re\-encrypt any ciphertext\.
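Review bot: terminology on the rewritten line 65 is not aligned with the rest of this commit: here it reads "symmetric encryption KMS key", while configure.md in the same commit writes "symmetric encryption AWS KMS keys"; pick one form and use it in all four files. Since the requirement is now tied to a specific key type rather than just "symmetric", consider linking the term to the same symm-asymm-concepts anchor that introduction.md uses, so readers of the version notes can find the definition.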

doc_source/configure.md

+1-1
@@ -21,7 +21,7 @@ The AWS Encryption SDK is available in multiple [programming languages](programm
2121

2222
The AWS Encryption SDK generates a unique symmetric data key to encrypt each message\. Unless you are using [data key caching](data-key-caching.md), you don't need to configure, manage, or use the data keys\. The AWS Encryption SDK does it for you\.
2323

24-
However, you must select one or more wrapping keys to encrypt each data key\. The AWS Encryption SDK supports AES symmetric keys and RSA asymmetric keys in different sizes\. It also supports [AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/) \(AWS KMS\) symmetric AWS KMS keys\. You are responsible for the safety and durability of your wrapping keys, so we recommend that you use an encryption key in a hardware security module or a key infrastructure service, such as AWS KMS\.
24+
However, you must select one or more wrapping keys to encrypt each data key\. The AWS Encryption SDK supports AES symmetric keys and RSA asymmetric keys in different sizes\. It also supports [AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/) \(AWS KMS\) symmetric encryption AWS KMS keys\. You are responsible for the safety and durability of your wrapping keys, so we recommend that you use an encryption key in a hardware security module or a key infrastructure service, such as AWS KMS\.
2525

2626
To specify your wrapping keys for encryption and decryption, you use a keyring \(C and JavaScript\) or a master key provider \(Java, Python, AWS Encryption CLI\)\. You can specify one wrapping key or multiple wrapping keys of the same or different types\. If you use multiple wrapping keys to wrap a data key, each wrapping key will encrypt a copy of the same data key\. The encrypted data keys \(one per wrapping key\) are stored with the encrypted data in the encrypted message that the AWS Encryption SDK returns\. To decrypt the data, the AWS Encryption SDK must first use one of your wrapping keys to decrypt an encrypted data key\.
2727
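Review bot: style inconsistency on line 24: this file writes "symmetric encryption AWS KMS keys" whereas the other three files in this commit write "symmetric encryption KMS keys"; suggest "symmetric encryption KMS keys" here as well. This paragraph is also where the supported wrapping key types are enumerated, so it is the natural place to name the key spec the way use-kms-keyring.md does, e.g. "symmetric encryption KMS keys \(SYMMETRIC\_DEFAULT\)", so that a reader choosing a wrapping key sees the exact constraint up front.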

doc_source/introduction.md

+1-1
@@ -49,7 +49,7 @@ The AWS Encryption SDK cannot decrypt data encrypted by the [DynamoDB Encryption
4949
**AWS Key Management Service \(AWS KMS\)** <a name="ESDK-KMS"></a>
5050
The AWS Encryption SDK can use [AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys) and [data keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys) to protect your data\. For example, you can configure the AWS Encryption SDK to encrypt your data under one or more AWS KMS keys in your AWS account\. However, you must use the AWS Encryption SDK to decrypt that data\.
5151
The AWS Encryption SDK cannot decrypt the ciphertext that the AWS KMS [Encrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html) or [ReEncrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html) operations return\. Similarly, the AWS KMS [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) operation cannot decrypt the [encrypted message](concepts.md#message) the AWS Encryption SDK returns\.
52-
The AWS Encryption SDK supports only [symmetric AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks)\. You cannot use an [asymmetric AWS KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks) for encryption or signing in the AWS Encryption SDK\. The AWS Encryption SDK generates its own ECDSA signing keys for [algorithm suites](supported-algorithms.md) that sign messages\.
52+
The AWS Encryption SDK supports only [symmetric encryption KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks)\. You cannot use an [asymmetric KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks) for encryption or signing in the AWS Encryption SDK\. The AWS Encryption SDK generates its own ECDSA signing keys for [algorithm suites](supported-algorithms.md) that sign messages\.
5353

5454
For help deciding which library or service to use, see [How to Choose an Encryption Tool or Service](https://docs.aws.amazon.com/crypto/latest/userguide/awscryp-overview.html) in *AWS Cryptographic Services and Tools*\.
5555
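Review bot: line 52 narrows the supported set from "symmetric" to "symmetric encryption" KMS keys, but the sentence that follows still only rules out asymmetric keys, so the paragraph no longer says what the added word excludes. Suggest stating the key spec explicitly, consistent with use-kms-keyring.md: "The AWS Encryption SDK supports only symmetric encryption KMS keys \(SYMMETRIC\_DEFAULT\)\. You cannot use any other type of KMS key, including asymmetric KMS keys, for encryption or signing in the AWS Encryption SDK\."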

doc_source/use-kms-keyring.md

+1-1
@@ -46,7 +46,7 @@ If you specify an alias name or alias ARN for a KMS key in an encryption keyring
4646

4747
## Creating an AWS KMS keyring for encryption<a name="kms-keyring-encrypt"></a>
4848

49-
You can configure each AWS KMS keyring with a single symmetric AWS KMS key or multiple symmetric AWS KMS keys in the same or different AWS accounts and AWS Regions\. You can also use a symmetric [multi\-Region KMS key](configure.md#config-mrks)\. As with all keyrings, you can use one or more AWS KMS keyrings in a [multi\-keyring](use-multi-keyring.md)\.
49+
You can configure each AWS KMS keyring with a single AWS KMS key or multiple AWS KMS keys in the same or different AWS accounts and AWS Regions\. The AWS KMS keys must be symmetric encryption keys \(SYMMETRIC\_DEFAULT\)\. You can also use a symmetric encryption [multi\-Region KMS key](configure.md#config-mrks)\. As with all keyrings, you can use one or more AWS KMS keyrings in a [multi\-keyring](use-multi-keyring.md)\.
5050

5151
When you create an AWS KMS keyring to encrypt data, you must specify a *generator key*, which is an AWS KMS key that is used to generate a plaintext data key and encrypt it\. The data key is mathematically unrelated to the KMS key\. Then, if you choose, you can specify additional AWS KMS keys that encrypt the same plaintext data key\.
5252
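Review bot: the new requirement sentence on line 49 comes before the generator key is introduced on line 51, so it is not obvious that it applies to the generator key as well as to the additional keys; consider moving it after the generator-key paragraph or phrasing it as "The generator key and every additional AWS KMS key must be a symmetric encryption key \(SYMMETRIC\_DEFAULT\)\." This section heading is "for encryption"; please confirm the decryption keyring section states the same key-spec requirement, since that section is not visible in this hunk.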
