Updated on 2025-10-16 GMT+08:00

ReEncrypt

Function

This API is used to decrypt the ciphertext using the source key and then re-encrypt the resulting plaintext using the specified new key.

The data key ciphertext encrypted by CreateDatakey, CreateDatakeyWithoutPlainText, or EncryptDatakey can be re-encrypted into a new data key ciphertext.

The ciphertext encrypted by EncryptData can be re-encrypted into a new ciphertext.

Notes:

A data key can only be re-encrypted into a data key.

Calling Method

For details, see Calling APIs.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

  • If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
  • If you are using identity policy-based authorization, no identity policy-based permission is required for calling this API.

URI

POST /v1.0/{project_id}/kms/re-encrypt

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| project_id | Yes | String | - |

Request Parameters

Table 2 Request header parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| X-Auth-Token | Yes | String | User token, which can be obtained by calling the IAM API. (The token is the value of X-Subject-Token in the response header.) |

Table 3 Request body parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| source_key_id | No | String | ID of the original key, which is used to decrypt the ciphertext. For asymmetric key encryption, source_key_id is mandatory. For symmetric key encryption, you are advised to set source_key_id. KMS uses the specified source_key_id for decryption. If this parameter is left blank, KMS attempts to obtain the key ID used for encryption from the ciphertext and then uses that key ID for decryption. |
| source_additional_authenticated_data | No | String | AAD information used during encryption of the original ciphertext. If no AAD was specified during encryption, this parameter cannot be set; if it is set, decryption fails. |
| source_encryption_algorithm | No | String | Encryption algorithm used during encryption of the original ciphertext. The default value is SYMMETRIC_DEFAULT. The value can be: SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2_ENCRYPT. Note: RSAES_OAEP_SHA_1 is no longer secure. Exercise caution when using it. |
| destination_key_id | Yes | String | ID of the target key, which is used to encrypt the decrypted plaintext. |
| destination_additional_authenticated_data | No | String | If a value is specified, the value is used as AAD during re-encryption. |
| destination_encryption_algorithm | No | String | Encryption algorithm used during re-encryption of the new ciphertext. The default value is SYMMETRIC_DEFAULT. The value can be: SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2_ENCRYPT. Note: RSAES_OAEP_SHA_1 is no longer secure. Exercise caution when using it. |
| datakey_cipher_length | No | String | Number of bytes in the plaintext key material. If the ciphertext is a data key encrypted in CBC mode, datakey_cipher_length must be specified. |
| cipher_text | Yes | String | Ciphertext to be re-encrypted. |

Response Parameters

Status code: 200

Table 4 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| key_id | String | Key ID used during re-encryption. |
| source_key_id | String | Key ID used during the encryption of the original ciphertext. |
| source_encryption_algorithm | String | Encryption algorithm used during the encryption of the original ciphertext. |
| destination_encryption_algorithm | String | Encryption algorithm used during re-encryption. |
| cipher_text | String | Ciphertext after re-encryption. |

Example Requests

https://kms.cn-north-4.myhuaweicloud.com/v1.0/d4e559b49b3b403da5279723299ed4a6/kms/re-encrypt

{
  "source_key_id" : "054faae3-ffc2-4b23-8d94-c05bfc8f596a",
  "source_additional_authenticated_data" : "",
  "source_encryption_algorithm" : "SYMMETRIC_DEFAULT",
  "destination_key_id" : "8ad47b5b-037e-4ff9-bf04-6900e3213c17",
  "destination_additional_authenticated_data" : "123",
  "destination_encryption_algorithm" : "SYMMETRIC_DEFAULT",
  "datakey_cipher_length" : "32",
  "cipher_text" : "020078000871efb21bfdc0712becf0dabfcc115a25eae06efb652aa9afa9689a4c4ec46b4bbeb3a902369b1a53eab67e9b8e730ced3879d1fb62c27cc314f2a44943687741a5d250403c861e4410936d422ef2d330353466616165332d666663322d346232332d386439342d63303562666338663539366100000000ed7fb70234ac273dedc19752900c6f7e4577fc2c1f1482539d0142ab0ff9fdda"
}
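The following client-side sketch is an added example, not code from this page or from an official SDK. It builds the ReEncrypt request and enforces the Table 3 rules before anything is sent. The function names, the allow_sha1 policy switch, the Content-Type header, and the placeholder token and ciphertext are assumptions.

```python
import json
import urllib.request

ALGORITHMS = {"SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2_ENCRYPT"}
ASYMMETRIC = ALGORITHMS - {"SYMMETRIC_DEFAULT"}

def build_reencrypt_body(cipher_text, destination_key_id, source_key_id=None,
                         source_alg="SYMMETRIC_DEFAULT", dest_alg="SYMMETRIC_DEFAULT",
                         source_aad=None, dest_aad=None, datakey_cipher_length=None,
                         allow_sha1=False):
    """Build a ReEncrypt body, enforcing the parameter rules in Table 3."""
    if not cipher_text or not destination_key_id:
        raise ValueError("cipher_text and destination_key_id are mandatory")
    for alg in (source_alg, dest_alg):
        if alg not in ALGORITHMS:
            raise ValueError(f"unsupported algorithm: {alg}")
    # Local policy (assumption): SHA-1 OAEP is accepted as the source, so old
    # ciphertext can be migrated, but refused for new ciphertext unless opted in.
    if dest_alg == "RSAES_OAEP_SHA_1" and not allow_sha1:
        raise ValueError("RSAES_OAEP_SHA_1 is no longer secure")
    if source_alg in ASYMMETRIC and not source_key_id:
        raise ValueError("source_key_id is mandatory for asymmetric source keys")
    body = {"cipher_text": cipher_text, "destination_key_id": destination_key_id,
            "source_encryption_algorithm": source_alg,
            "destination_encryption_algorithm": dest_alg}
    # Unset optional fields are omitted rather than sent empty: a source AAD
    # that was not used at encryption time must not be set at all.
    optional = {"source_key_id": source_key_id,
                "source_additional_authenticated_data": source_aad,
                "destination_additional_authenticated_data": dest_aad,
                "datakey_cipher_length": datakey_cipher_length}
    body.update({k: str(v) for k, v in optional.items() if v not in (None, "")})
    return body

def build_request(endpoint, project_id, token, body):
    """Return an unsent POST request for /v1.0/{project_id}/kms/re-encrypt."""
    url = f"https://{endpoint}/v1.0/{project_id}/kms/re-encrypt"
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"X-Auth-Token": token, "Content-Type": "application/json"})

if __name__ == "__main__":
    # Key IDs, project ID and endpoint are the page's example values;
    # the ciphertext and token are constructed placeholders.
    body = build_reencrypt_body("<hex-ciphertext>", "8ad47b5b-037e-4ff9-bf04-6900e3213c17",
                                source_key_id="054faae3-ffc2-4b23-8d94-c05bfc8f596a",
                                dest_aad="123", datakey_cipher_length=32)
    req = build_request("kms.cn-north-4.myhuaweicloud.com",
                        "d4e559b49b3b403da5279723299ed4a6", "<token>", body)
    print(req.get_method(), req.full_url, json.dumps(body, indent=2))
```
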

Example Responses

None

Status Codes

| Status Code | Description |
| --- | --- |
| 200 | Request succeeded. |

Error Codes

See Error Codes.