aws / aws-encryption-sdk-c

AWS Encryption SDK for C
Apache License 2.0

KMS keyring generator key id #373

Open mattsb42-aws opened 5 years ago

mattsb42-aws commented 5 years ago

If I am reading this correctly, the KMS keyring builder requires that generator_key_id is set. This should not be required.

The core use case for this is that we need to allow the caller to explicitly control what keyring generates the data key. Requiring that the generator keyring is set removes this control.

david-koenig commented 5 years ago

The non-API-breaking way to make this change is to allow NULL to be passed in for the generator key ID. We could additionally allow an empty string to be passed in and treat it the same way.

mattsb42-aws commented 5 years ago

@david-koenig Agreed. This should have a similar pattern as creating a multikeyring with no generator.

robin-aws commented 4 years ago

See also #557