Exemplo n.º 1
    def decrypt(self, bytes_to_decrypt):
        """
        Ask KMS to decrypt bytes that were encrypted under this master key.

        The ciphertext is base64 encoded, sent to ``self.kms_crypto_client``
        together with ``self.master_key_id``, and the CRC32 checksum returned
        with the response is checked against the returned plaintext.

        :param bytes bytes_to_decrypt: (required)
            The bytes to decrypt using this MasterKey.

        :return:
            The ``plaintext`` field of the KMS response, returned unchanged.
            NOTE(review): the checksum step base64-decodes this value, so it
            looks like base64 text rather than raw bytes -- confirm against
            the callers before relying on the declared ``bytes`` type.
        :rtype: bytes

        Security notes:
            * The return value is key material (the error message below calls
              it a data encryption key); keep it out of logs and exception
              text.
            * CRC32 catches accidental corruption only. It is not a
              cryptographic integrity check and gives no protection against
              deliberate modification of the response.
        """
        request_details = DecryptDataDetails()

        # The KMS API takes the ciphertext as base64 text, not raw bytes.
        encoded_ciphertext = base64.b64encode(bytes_to_decrypt)
        request_details.ciphertext = convert_to_str(encoded_ciphertext)
        request_details.key_id = self.master_key_id

        try:
            response = self.kms_crypto_client.decrypt(request_details)
            decrypted_data = response.data
        except ServiceError as service_error:
            # The message carries only the key and vault identifiers, never
            # the ciphertext or any plaintext.
            # NOTE(review): raise_runtime_error_from presumably always raises;
            # otherwise decrypted_data is unbound below -- confirm.
            template = "Failed to decrypt data encryption key using masterKeyId: {master_key_id} while targeting vault: {vault_id}."
            message = template.format(
                master_key_id=self.master_key_id, vault_id=self.vault_id
            )
            raise_runtime_error_from(message, service_error)

        # Verify the decoded plaintext against the checksum from the response
        # before handing the value back to the caller.
        decoded_plaintext = base64.b64decode(decrypted_data.plaintext)
        verify_crc32_checksum(decoded_plaintext, decrypted_data.plaintext_checksum)

        return decrypted_data.plaintext
Exemplo n.º 2
    def __init__(
        self, plaintext_key_bytes, encrypted_key_bytes, plaintext_key_checksum=None
    ):
        """
        Hold a data encryption key in both plaintext and encrypted form.

        :param bytes plaintext_key_bytes:
            The bytes of the data encryption key in plaintext

        :param bytes encrypted_key_bytes:
            The bytes of the data encryption key encrypted under a master key

        :param str plaintext_key_checksum:
            The crc32 checksum of the plaintext data encryption key. When a
            truthy value is given, it is verified against
            ``plaintext_key_bytes`` during construction.

        Security notes:
            * ``plaintext_key_bytes`` stays on the instance as raw key
              material; avoid logging or serialising this object.
            * The checksum test is a truthiness test, so ``None`` and any
              other falsy value (for example an empty string) skip
              verification without any error.
            * CRC32 detects accidental corruption only; it does not
              authenticate the key.
        """
        self.plaintext_key_bytes = plaintext_key_bytes
        self.encrypted_key_bytes = encrypted_key_bytes
        self.plaintext_key_checksum = plaintext_key_checksum

        # No usable checksum supplied: nothing to verify.
        if not self.plaintext_key_checksum:
            return

        verify_crc32_checksum(plaintext_key_bytes, plaintext_key_checksum)