Domain name for API request: kms.tencentcloudapi.com.
This API generates a data key, which you can use to encrypt local data.
A maximum of 100 requests can be initiated per second for this API.
The following request parameter list only provides API request parameters and some common parameters. For the complete common parameter list, see Common Request Parameters.
Parameter Name | Required | Type | Description |
---|---|---|---|
Action | Yes | String | Common Params. The value used for this API: GenerateDataKey. |
Version | Yes | String | Common Params. The value used for this API: 2019-01-18. |
Region | No | String | Common Params. This parameter is not required for this API. |
KeyId | Yes | String | Globally unique CMK ID |
KeySpec | No | String | Specifies the encryption algorithm and size of the DataKey . Valid values: AES_128, AES_256. Either KeySpec or NumberOfBytes must be specified. |
NumberOfBytes | No | Integer | Length of the DataKey . If both NumberOfBytes and KeySpec are specified, NumberOfBytes will prevail. Minimum value: 1; maximum value: 1024. Either KeySpec or NumberOfBytes must be specified. |
EncryptionContext | No | String | JSON string of key-value pair. If this field is used, the same string should be entered when the returned DataKey is decrypted. |
EncryptionPublicKey | No | String | PEM-encoded public key (2048-bit RSA/SM2 key), which can be used to encrypt the Plaintext returned. If this field is left empty, the Plaintext will not be encrypted. |
EncryptionAlgorithm | No | String | Asymmetric encryption algorithm. Valid values: SM2 (C1C3C2 ciphertext is returned), SM2_C1C3C2_ASN1(C1C3C2 ASN1 ciphertext is returned), RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, and RSAES_OAEP_SHA_256. This field is used in combination with EncryptionPublicKey` for encryption. If it is left empty, an SM2 public key will be used by default. |
Parameter Name | Type | Description |
---|---|---|
KeyId | String | Globally unique CMK ID |
Plaintext | String | If EncryptionPublicKey is left empty, a Base64-encoded ciphertext will be returned. To get the plaintext, you need to decode the ciphertext first.If EncryptionPublicKey is specified, this field will return the Base64-encoded ciphertext encrypted with the specified public key. To get the plaintext, you need to decode the ciphertext and upload the corresponding private key. |
CiphertextBlob | String | Ciphertext of the data key, which should be kept by yourself. KMS does not host user data keys. You can call the Decrypt API to get the plaintext of the data key from CiphertextBlob . |
RequestId | String | The unique request ID, which is returned for each request. RequestId is required for locating a problem. |
This example shows you how to generate a DEK using the specified CMK.
https://kms.tencentcloudapi.com/?Action=GenerateDataKey
&KeyId=23e80852-1e38-11e9-b129-5cb9019b4b01
&KeySpec=AES_256
&<Common request parameters>
{
"Response": {
"RequestId": "fe11aa29-0cc2-4204-bfea-6ebb30cc00d7",
"KeyId": "23e80852-1e38-11e9-b129-5cb9019b4b01",
"Plaintext": "uW9wqntw+FAgnfsIrxOpOA==",
"CiphertextBlob": "g2F8eQk44QrTbfj09TL17AZyFPgs8BTtZe2j27Wuw1YzTBCxnd0T/gwFQSasmtzxZi6mmvD7DCjCE+LxJmdhXQ==-k-fKVP3WIlGpg8m9LMW4jEkQ==-k-h/nUfRbaTUY7/KWXwuSK1Py+ZFRTK5WQiUz6yQE5XBFUN3UwPOUbl8P3A3caow2rlqTjUw=="
}
}
TencentCloud API 3.0 integrates SDKs that support various programming languages to make it easier for you to call APIs.
The following only lists the error codes related to the API business logic. For other error codes, see Common Error Codes.
Error Code | Description |
---|---|
FailedOperation.EncryptionError | Encryption failed. |
InternalError | Internal error. |
InvalidParameter | Invalid parameter. |
InvalidParameterValue.InvalidKeyId | Invalid KeyId . |
ResourceUnavailable.CmkDisabled | The CMK has been disabled. |
ResourceUnavailable.CmkNotFound | The CMK does not exist. |
ResourceUnavailable.KeyPendingDelete | The key is not available as it’s pending deleted. |
UnauthorizedOperation | Unauthorized operation. |
Was this page helpful?