Re-encryption

Function

This API is used to decrypt the ciphertext using the source key and then encrypt the ciphertext using the specified new key.

The DEK ciphertext encrypted by CreateDatakey, ** CreateDatakeyWithoutPlainText**, or EncryptDatakey can be re-encrypted into a new DEK ciphertext.

The ciphertext encrypted by EncryptData can be re-encrypted into a new ciphertext.

Note:

A DEK can only be re-encrypted into a DEK.

Calling Method

For details, see Calling APIs.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
If you are using identity policy-based authorization, no identity policy-based permission required for calling this API.

URI

POST /v1.0/{project_id}/kms/re-encrypt

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Definition Project ID. For details, see Obtaining a Project ID. Constraints N/A Range The value returned by the IAM API is used, which contains 32 characters. Default Value N/A

Request Parameters

**Table 2** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	Definition User token. It can be obtained by calling the IAM API. The value of X-Subject-Token in the response header is the user token. Constraints N/A Range Obtain the value by calling the IAM API for obtaining the user token. Default Value N/A

**Table 3** Request body parameters
Parameter	Mandatory	Type	Description
source_key_id	No	String	Definition ID of the original key, which is used to decrypt the ciphertext. For asymmetric key encryption, source_key_id is mandatory. For symmetric key encryption, you are advised to set source_key_id. KMS uses the specified source_key_id for decryption. If this parameter is left blank, KMS attempts to obtain the key ID used for encryption from the ciphertext, and then use the key ID for decryption. Constraints N/A Range N/A Default Value N/A
source_additional_authenticated_data	No	String	Definition Additional information used during the encryption of the original ciphertext. If no AAD is specified during encryption, this parameter cannot be set. Otherwise, decryption fails. Constraints N/A Range N/A Default Value N/A
source_encryption_algorithm	No	String	Definition Encryption algorithm used during the encryption of the original ciphertext. Constraints Note: RSAES_OAEP_SHA_1 is no longer secure. Exercise caution. Range SYMMETRIC_DEFAULT RSAES_OAEP_SHA_1 RSAES_OAEP_SHA_256 SM2_ENCRYPT Default Value SYMMETRIC_DEFAULT
destination_key_id	Yes	String	Definition ID of the target key, which is used to encrypt the decrypted plaintext. Constraints The value must be a 36-byte ID. The value must match the regular expression ^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$. Range N/A Default Value N/A
destination_additional_authenticated_data	No	String	Definition If a value is specified, the value is used as AAD during re-encryption. Constraints N/A Range N/A Default Value N/A
destination_encryption_algorithm	No	String	Definition Encryption algorithm used during re-encryption of the new ciphertext Constraints Note: RSAES_OAEP_SHA_1 is no longer secure. Exercise caution. Range SYMMETRIC_DEFAULT RSAES_OAEP_SHA_1 RSAES_OAEP_SHA_256 SM2_ENCRYPT Default Value SYMMETRIC_DEFAULT
datakey_cipher_length	No	String	Definition If the ciphertext is a DEK encrypted in CBC mode, datakey_cipher_length must be specified. This parameter indicates the number of bytes in the plaintext key material. Constraints N/A Range N/A Default Value N/A
cipher_text	Yes	String	Definition Ciphertext to be re-encrypted Constraints N/A Range N/A Default Value N/A

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
key_id	String	Definition Key ID used during the re-encryption Range N/A
source_key_id	String	Definition Key ID used during the encryption of the original ciphertext Range N/A
source_encryption_algorithm	String	Definition Encryption algorithm used during the encryption of the original ciphertext Range N/A
destination_encryption_algorithm	String	Definition Encryption algorithm used during the re-encryption Range N/A
cipher_text	String	Definition Ciphertext after re-encryption Range N/A

Example Requests

https://kms.cn-north-4.myhuaweicloud.com/v1.0/d4e559b49b3b403da5279723299ed4a6/kms/re-encrypt

{
  "source_key_id" : "054faae3-ffc2-4b23-8d94-c05bfc8f596a",
  "source_additional_authenticated_data" : "",
  "source_encryption_algorithm" : "SYMMETRIC_DEFAULT",
  "destination_key_id" : "8ad47b5b-037e-4ff9-bf04-6900e3213c17",
  "destination_additional_authenticated_data" : "123",
  "destination_encryption_algorithm" : "SYMMETRIC_DEFAULT",
  "datakey_cipher_length" : "32",
  "cipher_text" : "020078000871efb21bfdc0712becf0dabfcc115a25eae06efb652aa9afa9689a4c4ec46b4bbeb3a902369b1a53eab67e9b8e730ced3879d1fb62c27cc314f2a44943687741a5d250403c861e4410936d422ef2d330353466616165332d666663322d346232332d386439342d63303562666338663539366100000000ed7fb70234ac273dedc19752900c6f7e4577fc2c1f1482539d0142ab0ff9fdda"
}

Example Responses

None

SDK Sample Code

The SDK sample code is as follows.

     package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.kms.v2.region.KmsRegion;
import com.huaweicloud.sdk.kms.v2.*;
import com.huaweicloud.sdk.kms.v2.model.*;


public class ReEncryptSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        KmsClient client = KmsClient.newBuilder()
                .withCredential(auth)
                .withRegion(KmsRegion.valueOf("<YOUR REGION>"))
                .build();
        ReEncryptRequest request = new ReEncryptRequest();
        ReEncryptRequestBody body = new ReEncryptRequestBody();
        body.withCipherText("020078000871efb21bfdc0712becf0dabfcc115a25eae06efb652aa9afa9689a4c4ec46b4bbeb3a902369b1a53eab67e9b8e730ced3879d1fb62c27cc314f2a44943687741a5d250403c861e4410936d422ef2d330353466616165332d666663322d346232332d386439342d63303562666338663539366100000000ed7fb70234ac273dedc19752900c6f7e4577fc2c1f1482539d0142ab0ff9fdda");
        body.withDatakeyCipherLength("32");
        body.withDestinationEncryptionAlgorithm("SYMMETRIC_DEFAULT");
        body.withDestinationAdditionalAuthenticatedData("123");
        body.withDestinationKeyId("8ad47b5b-037e-4ff9-bf04-6900e3213c17");
        body.withSourceEncryptionAlgorithm("SYMMETRIC_DEFAULT");
        body.withSourceAdditionalAuthenticatedData("");
        body.withSourceKeyId("054faae3-ffc2-4b23-8d94-c05bfc8f596a");
        request.withBody(body);
        try {
            ReEncryptResponse response = client.reEncrypt(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}
 
 
  

     # coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkkms.v2.region.kms_region import KmsRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkkms.v2 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = KmsClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(KmsRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ReEncryptRequest()
        request.body = ReEncryptRequestBody(
            cipher_text="020078000871efb21bfdc0712becf0dabfcc115a25eae06efb652aa9afa9689a4c4ec46b4bbeb3a902369b1a53eab67e9b8e730ced3879d1fb62c27cc314f2a44943687741a5d250403c861e4410936d422ef2d330353466616165332d666663322d346232332d386439342d63303562666338663539366100000000ed7fb70234ac273dedc19752900c6f7e4577fc2c1f1482539d0142ab0ff9fdda",
            datakey_cipher_length="32",
            destination_encryption_algorithm="SYMMETRIC_DEFAULT",
            destination_additional_authenticated_data="123",
            destination_key_id="8ad47b5b-037e-4ff9-bf04-6900e3213c17",
            source_encryption_algorithm="SYMMETRIC_DEFAULT",
            source_additional_authenticated_data="",
            source_key_id="054faae3-ffc2-4b23-8d94-c05bfc8f596a"
        )
        response = client.re_encrypt(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)
 
 
  

     package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    kms "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/kms/v2"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/kms/v2/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/kms/v2/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")
    projectId := "{project_id}"

    auth, err := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        WithProjectId(projectId).
        SafeBuild()

    if err != nil {
        fmt.Println(err)
        return
    }

    hcClient, err := kms.KmsClientBuilder().
         WithRegion(region.ValueOf("<YOUR REGION>")).
         WithCredential(auth).
         SafeBuild()


    if err != nil {
        fmt.Println(err)
        return
    }

    client := kms.NewKmsClient(hcClient)

    request := &model.ReEncryptRequest{}
	datakeyCipherLengthReEncryptRequestBody:= "32"
	destinationEncryptionAlgorithmReEncryptRequestBody:= "SYMMETRIC_DEFAULT"
	destinationAdditionalAuthenticatedDataReEncryptRequestBody:= "123"
	sourceEncryptionAlgorithmReEncryptRequestBody:= "SYMMETRIC_DEFAULT"
	sourceAdditionalAuthenticatedDataReEncryptRequestBody:= ""
	sourceKeyIdReEncryptRequestBody:= "054faae3-ffc2-4b23-8d94-c05bfc8f596a"
	request.Body = &model.ReEncryptRequestBody{
		CipherText: "020078000871efb21bfdc0712becf0dabfcc115a25eae06efb652aa9afa9689a4c4ec46b4bbeb3a902369b1a53eab67e9b8e730ced3879d1fb62c27cc314f2a44943687741a5d250403c861e4410936d422ef2d330353466616165332d666663322d346232332d386439342d63303562666338663539366100000000ed7fb70234ac273dedc19752900c6f7e4577fc2c1f1482539d0142ab0ff9fdda",
		DatakeyCipherLength: &datakeyCipherLengthReEncryptRequestBody,
		DestinationEncryptionAlgorithm: &destinationEncryptionAlgorithmReEncryptRequestBody,
		DestinationAdditionalAuthenticatedData: &destinationAdditionalAuthenticatedDataReEncryptRequestBody,
		DestinationKeyId: "8ad47b5b-037e-4ff9-bf04-6900e3213c17",
		SourceEncryptionAlgorithm: &sourceEncryptionAlgorithmReEncryptRequestBody,
		SourceAdditionalAuthenticatedData: &sourceAdditionalAuthenticatedDataReEncryptRequestBody,
		SourceKeyId: &sourceKeyIdReEncryptRequestBody,
	}
	response, err := client.ReEncrypt(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}
 
 
  