Skip to content
Branch: master
Clone or download
johnwalker Merge pull request #98 from johnwalker/java8
Update README to state that Java 8 or higher is required
Latest commit 0dbf1d5 Feb 9, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github Add pull request template. Aug 21, 2018
src Use the BouncyCastleProvider class directly (#84) Nov 29, 2018
.travis.yml Update Mockito and add CI for JDK9/10/11 (#87) Dec 3, 2018
pom.xml Merge pull request #94 from sullis/bouncycastle-1.60 Jan 18, 2019

AWS Encryption SDK for Java

The AWS Encryption SDK enables secure client-side encryption. It uses cryptography best practices to protect your data and the encryption keys used to protect that data. Each data object is protected with a unique data encryption key (DEK), and the DEK is protected with a key encryption key (KEK) called a master key. The encrypted DEK is combined with the encrypted data into a single encrypted message, so you don't need to keep track of the DEKs for your data. The SDK supports master keys in AWS Key Management Service (KMS), and it also provides APIs to define and use other master key providers. The SDK provides methods for encrypting and decrypting strings, byte arrays, and byte streams. For details, see the example code and the Javadoc.

For more details about the design and architecture of the SDK, see the official documentation.

Getting Started

Required Prerequisites

To use this SDK you must have:

  • A Java 8 development environment

    If you do not have one, go to Java SE Downloads on the Oracle website, then download and install the Java SE Development Kit (JDK). Java 8 or higher is required.

    Note: If you use the Oracle JDK, you must also download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.

  • Bouncy Castle

    Bouncy Castle provides a cryptography API for Java. If you do not have Bouncy Castle, go to, then download the provider file that corresponds to your JDK. Or, you can pick it up from Maven:


Optional Prerequisites

You don't need an Amazon Web Services (AWS) account to use this SDK, but some of the example code requires an AWS account, a customer master key (CMK) in AWS KMS, and the AWS SDK for Java.

  • To create an AWS account, go to Sign In or Create an AWS Account and then choose I am a new user. Follow the instructions to create an AWS account.

  • To create a CMK in AWS KMS, go to Creating Keys in the KMS documentation and then follow the instructions on that page.

  • To download and install the AWS SDK for Java, go to Installing the AWS SDK for Java in the AWS SDK for Java documentation and then follow the instructions on that page.


You can get the latest release from Maven:


Don't forget to enable the download of snapshot jars from Maven:


Get Started

The following code sample demonstrates how to get started:

  1. Instantiate the SDK.
  2. Define the master key provider.
  3. Encrypt and decrypt data.
// This sample code encrypts and then decrypts a string using a KMS CMK.
// You provide the KMS key ARN and plaintext string as arguments.
package com.amazonaws.crypto.examples;

import java.util.Collections;
import java.util.Map;

import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CryptoResult;
import com.amazonaws.encryptionsdk.kms.KmsMasterKey;
import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;

public class StringExample {
    private static String keyArn;
    private static String data;

    public static void main(final String[] args) {
        keyArn = args[0];
        data = args[1];

        // Instantiate the SDK
        final AwsCrypto crypto = new AwsCrypto();

        // Set up the master key provider
        final KmsMasterKeyProvider prov = new KmsMasterKeyProvider(keyArn);

        // Encrypt the data
        // NOTE: Encrypted data should have associated encryption context
        // to protect integrity. For this example, just use a placeholder
        // value. For more information about encryption context, see
        // (
        final Map<String, String> context = Collections.singletonMap("Example", "String");

        final String ciphertext = crypto.encryptString(prov, data, context).getResult();
        System.out.println("Ciphertext: " + ciphertext);

        // Decrypt the data
        final CryptoResult<String, KmsMasterKey> decryptResult = crypto.decryptString(prov, ciphertext);
        // Check the encryption context (and ideally the master key) to
        // ensure this is the expected ciphertext
        if (!decryptResult.getMasterKeyIds().get(0).equals(keyArn)) {
            throw new IllegalStateException("Wrong key id!");

        // The SDK may add information to the encryption context, so check to
        // ensure all of the values are present
        for (final Map.Entry<String, String> e : context.entrySet()) {
            if (!e.getValue().equals(decryptResult.getEncryptionContext().get(e.getKey()))) {
                throw new IllegalStateException("Wrong Encryption Context!");

        // The data is correct, so output it.
        System.out.println("Decrypted: " + decryptResult.getResult());

You can find more examples in the examples directory.


See the Frequently Asked Questions page in the official documentation.

You can’t perform that action at this time.