AwsEncryptionSdk.Client (AWS Encryption SDK v0.7.0)
View SourceClient configuration for AWS Encryption SDK operations.
The Client holds configuration that controls encryption and decryption behavior, including the commitment policy and maximum number of encrypted data keys.
Commitment Policy
The commitment policy controls which algorithm suites can be used:
:forbid_encrypt_allow_decrypt- Legacy: encrypt with non-committed suites only:require_encrypt_allow_decrypt- Transitional: encrypt with committed suites, decrypt any:require_encrypt_require_decrypt- Strictest (default): encrypt and decrypt committed only
Example
# Create with default policy (strictest)
keyring = RawAes.new("namespace", "key", key_bytes, :aes_256_gcm)
cmm = Cmm.Default.new(keyring)
client = Client.new(cmm)
# Or specify policy explicitly
client = Client.new(cmm, commitment_policy: :require_encrypt_allow_decrypt)
# Limit encrypted data keys
client = Client.new(cmm, max_encrypted_data_keys: 3)For component selection guidance, see the Choosing Components guide. For security recommendations, see Security Best Practices.
Spec Reference
https://github.com/awslabs/aws-encryption-sdk-specification/blob/master/client-apis/client.md
Summary
Functions
Decrypts ciphertext using the client's CMM and commitment policy.
Decrypts ciphertext using a keyring directly.
Encrypts plaintext using the client's CMM and commitment policy.
Encrypts plaintext using a keyring directly.
Creates a new Client with the given CMM and options.
Types
@type commitment_policy() :: AwsEncryptionSdk.Cmm.Behaviour.commitment_policy()
Commitment policy for algorithm suite selection
@type encrypt_opts() :: [ encryption_context: %{required(String.t()) => String.t()}, algorithm_suite: AwsEncryptionSdk.AlgorithmSuite.t(), frame_length: pos_integer() ]
@type t() :: %AwsEncryptionSdk.Client{ cmm: AwsEncryptionSdk.Cmm.Behaviour.t(), commitment_policy: commitment_policy(), max_encrypted_data_keys: non_neg_integer() | nil }
Client configuration struct.
Fields
:cmm- Cryptographic Materials Manager for obtaining encryption/decryption materials:commitment_policy- Policy controlling algorithm suite usage (default::require_encrypt_require_decrypt):max_encrypted_data_keys- Maximum number of EDKs allowed (default:nilfor unlimited)
Functions
@spec decrypt(t(), binary(), decrypt_opts()) :: {:ok, AwsEncryptionSdk.Decrypt.decrypt_result()} | {:error, term()}
Decrypts ciphertext using the client's CMM and commitment policy.
This is the primary decryption API that enforces commitment policy and integrates with the CMM to obtain decryption materials.
Parameters
client- Client configuration with CMM and policyciphertext- Complete encrypted message (header + body + footer)opts- Options::encryption_context- Reproduced context to validate against (default:nil)
Returns
{:ok, result}- Decryption succeeded with%{plaintext: binary, encryption_context: map, algorithm_suite: AlgorithmSuite.t(), header: Header.t()}{:error, reason}- Decryption failed
Errors
:commitment_policy_requires_committed_suite- Non-committed suite with strict policy:too_many_encrypted_data_keys- EDK count exceeds limit:base64_encoded_message- Message appears to be Base64 encoded- Other errors from CMM, keyring, or decryption operations
Examples
# Decrypt with default strict policy
{:ok, result} = Client.decrypt(client, ciphertext)
# Decrypt with reproduced encryption context validation
{:ok, result} = Client.decrypt(client, ciphertext,
encryption_context: %{"purpose" => "example"}
)@spec decrypt_with_keyring( AwsEncryptionSdk.Cmm.Default.keyring(), binary(), decrypt_opts() ) :: {:ok, AwsEncryptionSdk.Decrypt.decrypt_result()} | {:error, term()}
Decrypts ciphertext using a keyring directly.
Convenience function that wraps the keyring in a Default CMM before decrypting.
Equivalent to creating a client with Cmm.Default.new(keyring).
Parameters
keyring- A keyring struct (RawAes, RawRsa, or Multi)ciphertext- Complete encrypted messageopts- Same options asdecrypt/3, plus::commitment_policy- Override default policy:max_encrypted_data_keys- Override default limit
Examples
keyring = RawAes.new("ns", "key", key_bytes, :aes_256_gcm)
{:ok, result} = Client.decrypt_with_keyring(keyring, ciphertext,
encryption_context: %{"purpose" => "test"},
commitment_policy: :require_encrypt_allow_decrypt
)@spec encrypt(t(), binary(), encrypt_opts()) :: {:ok, AwsEncryptionSdk.Encrypt.encrypt_result()} | {:error, term()}
Encrypts plaintext using the client's CMM and commitment policy.
This is the primary encryption API that enforces commitment policy and integrates with the CMM to obtain encryption materials.
Parameters
client- Client configuration with CMM and policyplaintext- Binary data to encryptopts- Options::encryption_context- Key-value pairs for AAD (default:%{}):algorithm_suite- Override default suite (validated against policy):frame_length- Frame size in bytes (default: 4096)
Returns
{:ok, result}- Encryption succeeded{:error, reason}- Encryption failed
Errors
:commitment_policy_requires_committed_suite- Non-committed suite with require policy:commitment_policy_forbids_committed_suite- Committed suite with forbid policy:max_encrypted_data_keys_exceeded- Too many EDKs generated- Other errors from CMM or encryption operations
Examples
# Encrypt with default committed suite
{:ok, result} = Client.encrypt(client, "secret data",
encryption_context: %{"purpose" => "example"}
)
# Encrypt with specific algorithm suite (must match policy)
suite = AlgorithmSuite.aes_256_gcm_hkdf_sha512_commit_key()
{:ok, result} = Client.encrypt(client, "data",
algorithm_suite: suite
)@spec encrypt_with_keyring( AwsEncryptionSdk.Cmm.Default.keyring(), binary(), encrypt_opts() ) :: {:ok, AwsEncryptionSdk.Encrypt.encrypt_result()} | {:error, term()}
Encrypts plaintext using a keyring directly.
Convenience function that wraps the keyring in a Default CMM before encrypting.
Equivalent to creating a client with Cmm.Default.new(keyring).
Parameters
keyring- A keyring struct (RawAes, RawRsa, or Multi)plaintext- Binary data to encryptopts- Same options asencrypt/3, plus::commitment_policy- Override default policy:max_encrypted_data_keys- Override default limit
Examples
keyring = RawAes.new("ns", "key", key_bytes, :aes_256_gcm)
{:ok, result} = Client.encrypt_with_keyring(keyring, "secret",
encryption_context: %{"purpose" => "test"},
commitment_policy: :require_encrypt_allow_decrypt
)@spec new( AwsEncryptionSdk.Cmm.Behaviour.t(), keyword() ) :: t()
Creates a new Client with the given CMM and options.
Parameters
cmm- A Cryptographic Materials Manager (required)opts- Options (optional)::commitment_policy- One of:forbid_encrypt_allow_decrypt,:require_encrypt_allow_decrypt,:require_encrypt_require_decrypt(default::require_encrypt_require_decrypt):max_encrypted_data_keys- Maximum number of EDKs allowed (default:nilfor unlimited)
Examples
iex> key = :crypto.strong_rand_bytes(32)
iex> {:ok, keyring} = AwsEncryptionSdk.Keyring.RawAes.new("test-ns", "test-key", key, :aes_256_gcm)
iex> cmm = AwsEncryptionSdk.Cmm.Default.new(keyring)
iex> client = AwsEncryptionSdk.Client.new(cmm)
iex> client.commitment_policy
:require_encrypt_require_decrypt
iex> key = :crypto.strong_rand_bytes(32)
iex> {:ok, keyring} = AwsEncryptionSdk.Keyring.RawAes.new("test-ns", "test-key", key, :aes_256_gcm)
iex> cmm = AwsEncryptionSdk.Cmm.Default.new(keyring)
iex> client = AwsEncryptionSdk.Client.new(cmm, commitment_policy: :forbid_encrypt_allow_decrypt)
iex> client.commitment_policy
:forbid_encrypt_allow_decrypt
iex> key = :crypto.strong_rand_bytes(32)
iex> {:ok, keyring} = AwsEncryptionSdk.Keyring.RawAes.new("test-ns", "test-key", key, :aes_256_gcm)
iex> cmm = AwsEncryptionSdk.Cmm.Default.new(keyring)
iex> client = AwsEncryptionSdk.Client.new(cmm, max_encrypted_data_keys: 5)
iex> client.max_encrypted_data_keys
5