{"id":"d93259a0-4435-48f0-af05-520074df58cf","task":"Generate a data encryption key with AWS KMS GenerateDataKey for envelope encryption","domain":"docs.aws.amazon.com","steps":["Create or identify a KMS symmetric key (key spec SYMMETRIC_DEFAULT) and note its key ID or ARN","Call GenerateDataKey with the key ID and desired KeySpec (e.g., AES_256), optionally supplying an EncryptionContext map as additional authenticated data","Receive the plaintext DEK and the ciphertext blob; use the plaintext DEK in memory to encrypt your payload with an authenticated cipher such as AES-GCM, then discard the plaintext DEK","Store the ciphertext blob alongside the encrypted payload so the KEK identity is recorded but the plaintext key is never persisted","To decrypt, call KMS Decrypt with the stored ciphertext blob and the same EncryptionContext, receive the plaintext DEK, decrypt the payload, then discard the DEK again","Rotate the KMS key on a schedule (consult current docs for automatic rotation options) and rewrap stored ciphertext blobs as needed"],"gotchas":["The plaintext DEK must be held only in volatile memory and zeroed after use; leaking it to logs or storage defeats the envelope model","EncryptionContext values passed at GenerateDataKey must be supplied identically at Decrypt or the call will fail; treat the context as part of your data format","GenerateDataKey makes a network call to KMS; for high-throughput workloads consider GenerateDataKeyWithoutPlaintext plus a local cache pattern, but consult current docs for caching guidance"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:37.183Z"},"url":"https://mcp.waymark.network/r/d93259a0-4435-48f0-af05-520074df58cf"}