Domain name for API request: kms.intl.tencentcloudapi.com.
This API generates a data key, which you can use to encrypt local data.
A maximum of 150 requests can be initiated per second for this API.
The following request parameter list only provides API request parameters and some common parameters. For the complete common parameter list, see Common Request Parameters.
| Parameter Name | Required | Type | Description |
|---|---|---|---|
| Action | Yes | String | Common Params. The value used for this API: GenerateDataKey. |
| Version | Yes | String | Common Params. The value used for this API: 2019-01-18. |
| Region | Yes | String | Common Params. For more information, please see the list of regions supported by the product. |
| KeyId | Yes | String | Globally unique CMK ID |
| KeySpec | No | String | Specifies the encryption algorithm and size of the DataKey. Valid values: AES_128, AES_256. Either KeySpec or NumberOfBytes must be specified. |
| NumberOfBytes | No | Integer | Length of the DataKey. If both NumberOfBytes and KeySpec are specified, NumberOfBytes will prevail. Minimum value: 1; maximum value: 1024. Either KeySpec or NumberOfBytes must be specified. |
| EncryptionContext | No | String | JSON string of key-value pairs. If this field is used, the same string should be entered when the returned DataKey is decrypted. |
| EncryptionPublicKey | No | String | PEM-encoded public key (2048-bit RSA/SM2 key), which can be used to encrypt the Plaintext returned. If this field is left empty, the Plaintext will not be encrypted. |
| EncryptionAlgorithm | No | String | Asymmetric encryption algorithm. Valid values: `SM2` (C1C3C2 ciphertext is returned), `SM2_C1C3C2_ASN1` (C1C3C2 ASN1 ciphertext is returned), `RSAES_PKCS1_V1_5`, `RSAES_OAEP_SHA_1`, and `RSAES_OAEP_SHA_256`. This field is used in combination with `EncryptionPublicKey` for encryption. If it is left empty, an SM2 public key will be used by default. |
| IsHostedByKms | No | Integer | Indicates whether the generated data key is managed by KMS. 1 means the key is managed and saved by KMS. 0 means the key is not managed by KMS. |
| DataKeyName | No | String | Name of the data key. Required when IsHostedByKms is 1. Optional when IsHostedByKms is 0, as KMS does not manage the key. |
| Description | No | String | Describes the data key. Maximum 100 bytes. |
| HsmClusterId | No | String | HSM cluster ID corresponding to the KMS exclusive edition. If HsmClusterId is specified, it indicates that the root key is in this cluster, and KMS verifies whether KeyId corresponds to HsmClusterId. |
| Tags.N | No | Array of Tag | Tag list. Valid only when IsHostedByKms is 1 and the data key is hosted by KMS. |
| Parameter Name | Type | Description |
|---|---|---|
| KeyId | String | Globally unique CMK ID |
| Plaintext | String | If EncryptionPublicKey is left empty, a Base64-encoded ciphertext will be returned. To get the plaintext, you need to decode the ciphertext first. If EncryptionPublicKey is specified, this field will return the Base64-encoded ciphertext encrypted with the specified public key. To get the plaintext, you need to decode the ciphertext and upload the corresponding private key. |
| CiphertextBlob | String | Ciphertext of the data key, which you must store yourself. KMS does not host user data keys. You can call the Decrypt API to get the plaintext of the data key from CiphertextBlob. |
| DataKeyId | String | Globally unique ID of the data key, returned when KMS hosting is enabled. |
| TagCode | Integer | Response code of the Tag operation. 0: success; 1: internal error; 2: business processing error. |
| TagMsg | String | Response of the Tag operation. |
| RequestId | String | The unique request ID, generated by the server, will be returned for every request (if the request fails to reach the server for other reasons, the request will not obtain a RequestId). RequestId is required for locating a problem. |
Use the specified CMK to generate a data key.
```
POST / HTTP/1.1
Host: kms.intl.tencentcloudapi.com
Content-Type: application/json
X-TC-Action: GenerateDataKey
<Common request parameters>

{
    "KeyId": "93866e69-9755-11ef-8e65-52540089bc41",
    "KeySpec": "AES_256",
    "NumberOfBytes": 32,
    "EncryptionContext": "{\"key1\":\"value1\"}",
    "EncryptionPublicKey": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoEcz****srLVydfJiHQuh2Jr9lMspgK58UVMJTvQCAU+Hztyhd6Aw==\n-----END PUBLIC KEY-----",
    "EncryptionAlgorithm": "SM2"
}
```

```
{
    "Response": {
        "CiphertextBlob": "GPJUsGlmPcSjHKIktXGyzn33yestz+7NteW36M6FuL8hPfJ1xVfdO6Akr8sF69x3yBXMwto4njumJMIsi9WKow==-k-XqqalxTyNKIC1rITRePFGQ==-k-xAL9z9eXIHV/p+WT1RsHP3dm6f43bkomXjwmvWdMXH+JQoFORTThfXgcRh1f9lPNLENK4+fCOiQVG1VvLdA0RvcuRvU=",
        "KeyId": "93866e69-9755-11ef-8e65-52540089bc41",
        "Plaintext": "q+EouJ/tGeiZIo9/tIl2baxQOBFxcN0PNn7F6EIEvpDR6kvQmHohD5PTbUCKPkct6K8jOiYpbuaWZthxco0phMRSE4+HpB17rX4jmlW8pw3eHWOZo8yRyq/c7RVVo0+DtZofszwhMirQyjcBTJWhLt7xywtE5zqhDjngeEktAEw=",
        "RequestId": "044e823a-7a0c-4603-b03c-e99be5df998d"
    }
}
```
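A client-side wrapper for the parameter rules and response fields documented above, as an added example that is not Tencent Cloud's own code. The function names, the placeholder CMK ID and the sample response are constructed. It assumes no EncryptionPublicKey was sent, so that Plaintext Base64-decodes directly to the data key, and that failures arrive as an `Error` object inside `Response`.

```python
import base64
import json

KEYSPEC_BYTES = {"AES_128": 16, "AES_256": 32}

def build_request(key_id, key_spec=None, number_of_bytes=None, context=None,
                  hosted=0, name=None, description=None):
    """Apply the documented parameter rules; return (payload, expected key length)."""
    if key_spec is None and number_of_bytes is None:
        raise ValueError("either KeySpec or NumberOfBytes must be specified")
    if key_spec is not None and key_spec not in KEYSPEC_BYTES:
        raise ValueError("KeySpec must be AES_128 or AES_256")
    if number_of_bytes is not None and not 1 <= number_of_bytes <= 1024:
        raise ValueError("NumberOfBytes must be between 1 and 1024")
    if hosted == 1 and not name:
        raise ValueError("DataKeyName is required when IsHostedByKms is 1")
    if description is not None and len(description.encode("utf-8")) > 100:
        raise ValueError("Description is limited to 100 bytes")
    optional = {"KeySpec": key_spec, "NumberOfBytes": number_of_bytes,
                "DataKeyName": name, "Description": description}
    payload = {"KeyId": key_id, "IsHostedByKms": hosted}
    payload.update({k: v for k, v in optional.items() if v is not None})
    if context is not None:
        # Serialize deterministically and keep this exact string with the
        # ciphertext: the same string has to be supplied at decryption time.
        payload["EncryptionContext"] = json.dumps(
            context, sort_keys=True, separators=(",", ":"))
    # NumberOfBytes prevails when both it and KeySpec are given.
    expected = number_of_bytes if number_of_bytes is not None else KEYSPEC_BYTES[key_spec]
    return payload, expected

def unpack_response(body, expected_len):
    """Return (data_key, ciphertext_blob). Persist only the blob."""
    resp = json.loads(body)["Response"]
    if "Error" in resp:  # assumed error shape, see the lead-in
        raise RuntimeError(f"{resp['Error'].get('Code')} (RequestId {resp.get('RequestId')})")
    key = bytearray(base64.b64decode(resp["Plaintext"], validate=True))
    if len(key) != expected_len:
        raise ValueError("data key length does not match the request")
    return key, resp["CiphertextBlob"]

# Constructed sample response (not real KMS output).
SAMPLE_RESPONSE = json.dumps({"Response": {
    "KeyId": "cmk-id-placeholder",
    "Plaintext": base64.b64encode(bytes(range(16))).decode(),
    "CiphertextBlob": "constructed-ciphertext-blob",
    "RequestId": "constructed-request-id"}})
```

The key is returned as a `bytearray` so the caller can overwrite it after use; only `CiphertextBlob` and the EncryptionContext string belong in storage.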
TencentCloud API 3.0 integrates SDKs that support various programming languages to make it easier for you to call APIs.
The following only lists the error codes related to the API business logic. For other error codes, see Common Error Codes.
| Error Code | Description |
|---|---|
| FailedOperation.EncryptionError | Encryption failed. |
| FailedOperation.TaggingError | Tagging error. |
| InternalError | Internal error. |
| InvalidParameter | Invalid parameter. |
| InvalidParameterValue.DataKeyNameAlreadyExists | The data key name already exists. |
| InvalidParameterValue.InvalidDataKeyName | Invalid data key name. |
| InvalidParameterValue.InvalidHsmClusterId | Invalid HSM cluster ID. |
| InvalidParameterValue.InvalidKeyId | Invalid KeyId. |
| InvalidParameterValue.InvalidKeyUsage | Incorrect KeyUsage parameter. |
| InvalidParameterValue.InvalidType | Incorrect Type parameter. |
| InvalidParameterValue.TagKeysDuplicated | Duplicate tag key. |
| InvalidParameterValue.TagsNotExisted | The tag key or tag value does not exist. |
| LimitExceeded.CmkLimitExceeded | The number of CMKs has reached the upper limit. |
| LimitExceeded.DataKeyLimitExceeded | DataKey exceeds the upper limit. |
| ResourceUnavailable.CmkDisabled | The CMK has been disabled. |
| ResourceUnavailable.CmkNotFound | The CMK does not exist. |
| ResourceUnavailable.KeyPendingDelete | The key is not available because it is pending deletion. |
| UnauthorizedOperation | Unauthorized operation. |