protected final SecuredCEK secureCEK( SecretKey toBeEncrypted, EncryptionMaterials materials, Provider cryptoProvider) { Key kek; if (materials.getKeyPair() != null) { // Do envelope encryption with public key from key pair kek = materials.getKeyPair().getPublic(); } else { // Do envelope encryption with symmetric key kek = materials.getSymmetricKey(); } S3KeyWrapScheme kwScheme = cryptoScheme.getKeyWrapScheme(); String keyWrapAlgo = kwScheme.getKeyWrapAlgorithm(kek); try { if (keyWrapAlgo != null) { Cipher cipher = cryptoProvider == null ? Cipher.getInstance(keyWrapAlgo) : Cipher.getInstance(keyWrapAlgo, cryptoProvider); cipher.init(Cipher.WRAP_MODE, kek, cryptoScheme.getSecureRandom()); return new SecuredCEK(cipher.wrap(toBeEncrypted), keyWrapAlgo); } // fall back to the Encryption Only (EO) key encrypting method Cipher cipher; byte[] toBeEncryptedBytes = toBeEncrypted.getEncoded(); String algo = kek.getAlgorithm(); if (cryptoProvider != null) { cipher = Cipher.getInstance(algo, cryptoProvider); } else { cipher = Cipher.getInstance(algo); // Use default JCE Provider } cipher.init(Cipher.ENCRYPT_MODE, kek); return new SecuredCEK(cipher.doFinal(toBeEncryptedBytes), null); } catch (Exception e) { throw new AmazonClientException("Unable to encrypt symmetric key: " + e.getMessage(), e); } }