Flow: Decryption

The decryption node converts ciphertext into plain text using AWS Key Management Service (KMS).
The figure below shows the decryption node. The node-specific configuration is accessed by double-clicking the node.

Figure 1: Node

SETTINGS


The key values to be extracted / translated from the input data set and the corresponding output are configured using these settings.

Figure 2: Settings

The table below describes the configuration settings.

Field

Description

Decryption method

Specifies the decryption method, which is AWS Key Management Service.

Access key

User identity generated on the client side, which lets each client have its own Access key.
This can be done by creating a new Identity and Access Management (IAM) user identity for each client requiring encryption, with permission to manage their own password.

Secret key

Generated along with the Access key; a secret key is generated for each user account.

AWS Region

Users must set the region to the one where the master key is/was generated.

Ciphertext blob

Ciphertext to be decrypted.
The blob includes metadata. Type: Base64-encoded binary data object.
Length Constraints: Minimum length of 1. Maximum length of 6144.

Encryption context

If the following values were specified in the encrypt function, they must be specified here or the decryption operation will fail:

  • key
  • value

Grant tokens

Contains information about who the grant is for and who can use it. It is a list of grant tokens as name-value pairs (maximum of 10).
Length Constraints: Minimum length of 1. Maximum length of 8192.

  • Add token: Adds a grant to a key to specify who can use the key and under what conditions.

Store response

Response variables that hold the following values received in the response:

  • Plaintext
  • KeyId
  • x-amzn-RequestId

SESSION DATA


For information on session data, click here.

CUSTOM LOGS


For information on custom logs, click here.

NODE EVENTS


Node events list all outcomes of this node. You can add custom labels or terminate (end) an event by setting the termination reason.

Figure 3: Node Events

Configuration Settings.

Exit Events

Description

ondependencytimeout

The system timed out while trying to fulfill the request. The request can be retried.

onsuccess

Input data is successfully decrypted with the value stored in the set parameter.

onerror

The following errors may have occurred:

  • DisabledException: The request was rejected because the specified customer master key (CMK) is not enabled.
  • InvalidCiphertextException: The request was rejected because the specified cipher text has been corrupted or is otherwise invalid.
  • InvalidGrantTokenException: The request was rejected because the specified grant token is not valid.
  • KMSInternalException: The request was rejected because an internal exception occurred. The request can be retried.
  • KMSInvalidStateException: The request was rejected because the state of the specified resource is not valid for this request.
  • NotFoundException: The request was rejected because the specified entity or resource could not be found.

onkeyunavailable

The request was rejected because the specified CMK was not available. The request can be retried.
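
The following is an added example, not code from the product: a pre-flight check of the node settings against the limits in the settings table, a comparison of the encryption context used at encryption time with the one configured here, and a mapping of KMS error codes to the exit events above. All function names are hypothetical, and the error-code names for the timeout and key-unavailable events are assumptions, as is applying the 6144 limit to the decoded bytes.

```python
import base64
import binascii

# Limits quoted in the settings table above.
MAX_BLOB_LEN, MAX_GRANT_TOKENS, MAX_TOKEN_LEN = 6144, 10, 8192

# KMS error code -> (exit event, retryable), following the Node Events table.
# The first two error-code names are assumptions; the page names only the events.
EXIT_EVENTS = {
    "DependencyTimeoutException": ("ondependencytimeout", True),
    "KeyUnavailableException": ("onkeyunavailable", True),
    "KMSInternalException": ("onerror", True),
}

def validate_settings(ciphertext_b64, grant_tokens=()):
    """Return a list of problems; an empty list means the settings are well-formed."""
    problems = []
    try:
        blob = base64.b64decode(ciphertext_b64, validate=True)
        # Assumption: the 1..6144 limit applies to the decoded bytes.
        if not 1 <= len(blob) <= MAX_BLOB_LEN:
            problems.append(f"ciphertext blob is {len(blob)} bytes, allowed 1..{MAX_BLOB_LEN}")
    except (binascii.Error, ValueError):
        problems.append("ciphertext blob is not valid Base64")
    if len(grant_tokens) > MAX_GRANT_TOKENS:
        problems.append(f"{len(grant_tokens)} grant tokens, maximum is {MAX_GRANT_TOKENS}")
    for i, token in enumerate(grant_tokens):
        if not 1 <= len(token) <= MAX_TOKEN_LEN:
            problems.append(f"grant token {i} length {len(token)}, allowed 1..{MAX_TOKEN_LEN}")
    return problems

def context_mismatch(encrypt_context, decrypt_context):
    """Keys whose presence or value differs; comparison is exact and case-sensitive."""
    keys = set(encrypt_context) | set(decrypt_context)
    return sorted(k for k in keys if encrypt_context.get(k) != decrypt_context.get(k))

def route_error(error_code):
    """Map a KMS error code to (exit_event, retryable); codes not listed are not retried."""
    return EXIT_EVENTS.get(error_code, ("onerror", False))

if __name__ == "__main__":
    sample = base64.b64encode(b"\x01" * 64).decode()  # constructed sample, not real ciphertext
    print(validate_settings(sample, ["t"] * 11))
    print(context_mismatch({"dept": "hr"}, {"Dept": "hr"}))
    print(route_error("KMSInternalException"))
```

A non-empty result from `context_mismatch` means the decryption will fail even though the ciphertext and key are valid.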