Create or identify a KMS symmetric key (key type SYMMETRIC_DEFAULT) and note its key ID or ARN
Call GenerateDataKey with the key ID and desired KeySpec (e.g., AES_256), optionally supplying an EncryptionContext map for additional authenticated data
Receive the plaintext DEK and the ciphertext blob; use the plaintext DEK in memory to encrypt your payload with an AEAD cipher such as AES-GCM (through a vetted crypto library), then discard the plaintext DEK
Store the ciphertext blob alongside the encrypted payload so the KEK identity is recorded but the plaintext key is never persisted
To decrypt, call KMS Decrypt with the stored ciphertext blob and the same EncryptionContext, receive the plaintext DEK, decrypt the payload, then discard the DEK again
Rotate the KMS key on a schedule (consult current docs for automatic rotation options) and rewrap stored ciphertext blobs as needed
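The GenerateDataKey / encrypt / store / Decrypt steps above as a worked Go example, added here and not taken from the original page or any AWS SDK: a constructed in-memory FakeKMS stands in for the service so it runs offline, keeping the GenerateDataKey and Decrypt call shapes, passing the EncryptionContext already serialised as AAD, and zeroing the plaintext DEK after each use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// AES-256-GCM; the 12-byte nonce is prepended, aad is authenticated but not encrypted.
func gcmSeal(key, plaintext, aad []byte) []byte {
	blk, _ := aes.NewCipher(key) // keys are always 32 bytes in this example
	g, _ := cipher.NewGCM(blk)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, aad)
}
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// FakeKMS is a constructed stand-in for the service: it holds the KEK and never returns it.
type FakeKMS struct{ kek []byte }
// GenerateDataKey returns a fresh 256-bit plaintext DEK plus the same DEK wrapped under
// the KEK (the "ciphertext blob"); ctx is the serialised EncryptionContext, bound as AAD.
func (k FakeKMS) GenerateDataKey(ctx []byte) ([]byte, []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return dek, gcmSeal(k.kek, dek, ctx)
}
// Decrypt unwraps a blob; a ctx that differs from the one given to GenerateDataKey fails.
func (k FakeKMS) Decrypt(blob, ctx []byte) ([]byte, error) { return gcmOpen(k.kek, blob, ctx) }

// EnvelopeEncrypt covers GenerateDataKey, encrypt, store: persist blob beside ciphertext.
func EnvelopeEncrypt(kms FakeKMS, ctx, payload []byte) (blob, ciphertext []byte) {
	dek, blob := kms.GenerateDataKey(ctx)
	defer clear(dek) // zero the plaintext DEK (Go 1.21 builtin) before returning
	return blob, gcmSeal(dek, payload, nil)
}

// EnvelopeDecrypt is the Decrypt step: the same ctx must be supplied or Decrypt fails.
func EnvelopeDecrypt(kms FakeKMS, ctx, blob, ciphertext []byte) ([]byte, error) {
	dek, err := kms.Decrypt(blob, ctx)
	if err != nil {
		return nil, err
	}
	defer clear(dek)
	return gcmOpen(dek, ciphertext, nil)
}
```

Against the real service, FakeKMS is replaced by the SDK's KMS client and ctx by the EncryptionContext map it serialises for you; the envelope functions stay the same.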
Known gotchas
The plaintext DEK must be held only in volatile memory and zeroed after use; leaking it to logs or storage defeats the envelope model
EncryptionContext values passed at GenerateDataKey must be supplied identically at Decrypt or the call will fail; treat the context as part of your data format
GenerateDataKey makes a network call to KMS; for high-throughput workloads consider GenerateDataKeyWithoutPlaintext plus a local cache pattern, but consult current docs for caching guidance