AwsEncryptionSdk.Decrypt (AWS Encryption SDK v0.7.0)

Message decryption operations.

Decrypts AWS Encryption SDK messages using the provided decryption materials. This is a non-streaming implementation: the entire ciphertext must be held in memory, so it is intended for messages that fit comfortably in RAM.

Security

This module NEVER releases unauthenticated plaintext. All authentication checks (header auth tag, frame auth tags, key commitment, and, when the message carries a footer, the signature) must pass before any plaintext is returned; if any check fails, the call returns {:error, reason} and no partial plaintext.

Types

decrypt_result()

@type decrypt_result() :: %{
  plaintext: binary(),
  header: AwsEncryptionSdk.Format.Header.t(),
  encryption_context: map()
}

Functions

decrypt(ciphertext, materials)

@spec decrypt(binary(), AwsEncryptionSdk.Materials.DecryptionMaterials.t()) ::
  {:ok, decrypt_result()} | {:error, term()}

Decrypts an AWS Encryption SDK message.

Parameters

  • ciphertext - Complete encrypted message (header + body + optional footer)
  • materials - Decryption materials containing the plaintext data key

Returns

  • {:ok, result} - Decryption succeeded; result contains the plaintext, the parsed header, and the encryption context recovered from the (authenticated) header
  • {:error, reason} - Decryption failed; no plaintext is returned

Errors

  • :base64_encoded_message - Message appears to be Base64 encoded; decrypt/2 expects the raw message bytes, not their Base64 text form
  • :header_authentication_failed - Header auth tag verification failed
  • :commitment_mismatch - Key commitment verification failed
  • :body_authentication_failed - Frame auth tag verification failed
  • :signature_verification_failed - Footer signature verification failed
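The following is an added example of a caller-side wrapper around decrypt/2; it is not part of the AwsEncryptionSdk library. It shows the three things a practitioner usually wants on top of the bare call: handling the :base64_encoded_message error by decoding once and retrying, refusing to use the plaintext unless the (header-authenticated) encryption context carries the pairs the caller expects, and collapsing the four authentication errors into a single opaque result so an untrusted caller cannot learn which check failed. The module name MyApp.SafeDecrypt, the expected_context argument, and the atoms :message_rejected and :encryption_context_mismatch are this example's own choices; how the DecryptionMaterials value is obtained from a keyring or CMM is outside this page and is assumed to be done by the caller.

```elixir
# Added example (not the library's own code): a hardened wrapper around
# AwsEncryptionSdk.Decrypt.decrypt/2.
#
# Assumptions: `materials` is an AwsEncryptionSdk.Materials.DecryptionMaterials.t()
# already obtained by the application (construction not shown here);
# `expected_context` is a map chosen by the caller. The module name and the
# atoms :message_rejected / :encryption_context_mismatch are hypothetical.
defmodule MyApp.SafeDecrypt do
  alias AwsEncryptionSdk.Decrypt

  require Logger

  # Every error decrypt/2 documents as an authentication failure.
  @authentication_errors [
    :header_authentication_failed,
    :commitment_mismatch,
    :body_authentication_failed,
    :signature_verification_failed
  ]

  @doc """
  Decrypts `ciphertext` with `materials` and returns `{:ok, plaintext}` only if
  every authentication check inside `decrypt/2` passed *and* the message's
  encryption context contains all pairs in `expected_context`.
  """
  @spec decrypt(binary(), AwsEncryptionSdk.Materials.DecryptionMaterials.t(), map()) ::
          {:ok, binary()} | {:error, term()}
  def decrypt(ciphertext, materials, expected_context \\ %{}) do
    with {:ok, result} <- decrypt_raw_or_base64(ciphertext, materials),
         :ok <- check_context(result.encryption_context, expected_context) do
      {:ok, result.plaintext}
    else
      {:error, reason} when reason in @authentication_errors ->
        # Log the precise reason for operators, but do not expose which check
        # failed to the caller. decrypt/2 has already guaranteed that no
        # plaintext was released.
        Logger.warning("AWS Encryption SDK message rejected: #{inspect(reason)}")
        {:error, :message_rejected}

      {:error, reason} ->
        {:error, reason}
    end
  end

  # decrypt/2 expects raw message bytes. If it reports that the input looks
  # Base64 encoded, decode once and retry with the decoded bytes. No other
  # error is ever retried.
  defp decrypt_raw_or_base64(ciphertext, materials) do
    case Decrypt.decrypt(ciphertext, materials) do
      {:error, :base64_encoded_message} ->
        case Base.decode64(ciphertext) do
          {:ok, raw} -> Decrypt.decrypt(raw, materials)
          :error -> {:error, :base64_encoded_message}
        end

      other ->
        other
    end
  end

  # The encryption context lives in the message header, which is covered by
  # the header auth tag, so it is trustworthy once decrypt/2 has succeeded.
  # Requiring specific pairs binds the plaintext to the purpose the caller
  # expects (e.g. %{"purpose" => "session-token"}) and stops a ciphertext
  # produced for one purpose from being replayed into another.
  defp check_context(actual, expected) do
    missing = Enum.reject(expected, fn {k, v} -> Map.get(actual, k) == v end)

    if missing == [] do
      :ok
    else
      {:error, {:encryption_context_mismatch, Map.new(missing)}}
    end
  end
end
```

Usage: `MyApp.SafeDecrypt.decrypt(message, materials, %{"purpose" => "session-token"})` returns `{:ok, plaintext}` only when the message authenticated and its context carries `"purpose" => "session-token"`. The Base64 retry is deliberately limited to that one documented error so a malformed or tampered message can never trigger a second decryption attempt.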