package google.cloud.kms.v1
Get desktop application:
View/edit binary Protocol Buffers messages
Google Cloud Key Management Service Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects: * [KeyRing][google.cloud.kms.v1.KeyRing] * [CryptoKey][google.cloud.kms.v1.CryptoKey] * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] If you are using manual gRPC libraries, see [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc).
rpc ListKeyRings (, )
service.proto:51Lists [KeyRings][google.cloud.kms.v1.KeyRing].
message
service.proto:277Request message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
string parent = 1
Required. The resource name of the location associated with the [KeyRings][google.cloud.kms.v1.KeyRing], in the format `projects/*/locations/*`.
int32 page_size = 2
Optional limit on the number of [KeyRings][google.cloud.kms.v1.KeyRing] to include in the response. Further [KeyRings][google.cloud.kms.v1.KeyRing] can subsequently be obtained by including the [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.
string page_token = 3
Optional pagination token, returned earlier via [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token].
string filter = 4
Optional. Only include resources that match the filter in the response.
string order_by = 5
Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order.
message
service.proto:380Response message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
repeated key_rings = 1
The list of [KeyRings][google.cloud.kms.v1.KeyRing].
string next_page_token = 2
A token to retrieve next page of results. Pass this value in [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token] to retrieve the next page of results.
int32 total_size = 3
The total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched the query.
rpc ListCryptoKeys (, )
service.proto:58Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
message
service.proto:301Request message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
string parent = 1
Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format `projects/*/locations/*/keyRings/*`.
int32 page_size = 2
Optional limit on the number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in the response. Further [CryptoKeys][google.cloud.kms.v1.CryptoKey] can subsequently be obtained by including the [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.
string page_token = 3
Optional pagination token, returned earlier via [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token].
CryptoKeyVersion.CryptoKeyVersionView version_view = 4
The fields of the primary version to include in the response.
string filter = 5
Optional. Only include resources that match the filter in the response.
string order_by = 6
Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order.
message
service.proto:393Response message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
repeated crypto_keys = 1
The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
string next_page_token = 2
A token to retrieve next page of results. Pass this value in [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token] to retrieve the next page of results.
int32 total_size = 3
The total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that matched the query.
Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
message
service.proto:328Request message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
string parent = 1
Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
int32 page_size = 2
Optional limit on the number of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to include in the response. Further [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can subsequently be obtained by including the [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.
string page_token = 3
Optional pagination token, returned earlier via [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token].
CryptoKeyVersion.CryptoKeyVersionView view = 4
The fields to include in the response.
string filter = 5
Optional. Only include resources that match the filter in the response.
string order_by = 6
Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order.
message
service.proto:406Response message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
repeated crypto_key_versions = 1
The list of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
string next_page_token = 2
A token to retrieve next page of results. Pass this value in [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token] to retrieve the next page of results.
int32 total_size = 3
The total number of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched the query.
rpc ListImportJobs (, )
service.proto:72Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
message
service.proto:356Request message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
string parent = 1
Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format `projects/*/locations/*/keyRings/*`.
int32 page_size = 2
Optional limit on the number of [ImportJobs][google.cloud.kms.v1.ImportJob] to include in the response. Further [ImportJobs][google.cloud.kms.v1.ImportJob] can subsequently be obtained by including the [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.
string page_token = 3
Optional pagination token, returned earlier via [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token].
string filter = 4
Optional. Only include resources that match the filter in the response.
string order_by = 5
Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order.
message
service.proto:421Response message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
repeated import_jobs = 1
The list of [ImportJobs][google.cloud.kms.v1.ImportJob].
string next_page_token = 2
A token to retrieve next page of results. Pass this value in [ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImportJobsRequest.page_token] to retrieve the next page of results.
int32 total_size = 3
The total number of [ImportJobs][google.cloud.kms.v1.ImportJob] that matched the query.
rpc GetKeyRing (, )
service.proto:79Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing].
message
service.proto:434Request message for [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
string name = 1
The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] to get.
rpc GetCryptoKey (, )
service.proto:87Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey], as well as its [primary][google.cloud.kms.v1.CryptoKey.primary] [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
message
service.proto:440Request message for [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
string name = 1
The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
rpc GetCryptoKeyVersion (, )
service.proto:94Returns metadata for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
message
service.proto:446Request message for [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
string name = 1
The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.
rpc GetPublicKey (, )
service.proto:104Returns the public key for the given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN] or [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
message
service.proto:452Request message for [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
string name = 1
The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get.
message
resources.proto:380The public key for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
string pem = 1
The public key, encoded in PEM format. For more information, see the [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and [Textual Encoding of Subject Public Key Info] (https://tools.ietf.org/html/rfc7468#section-13).
CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2
The [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] associated with this key.
rpc GetImportJob (, )
service.proto:111Returns metadata for a given [ImportJob][google.cloud.kms.v1.ImportJob].
message
service.proto:459Request message for [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].
string name = 1
The [name][google.cloud.kms.v1.ImportJob.name] of the [ImportJob][google.cloud.kms.v1.ImportJob] to get.
rpc CreateKeyRing (, )
service.proto:118Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and Location.
message
service.proto:465Request message for [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
string parent = 1
Required. The resource name of the location associated with the [KeyRings][google.cloud.kms.v1.KeyRing], in the format `projects/*/locations/*`.
string key_ring_id = 2
Required. It must be unique within a location and match the regular expression `[a-zA-Z0-9_-]{1,63}`
optional key_ring = 3
A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field values.
rpc CreateCryptoKey (, )
service.proto:130Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a [KeyRing][google.cloud.kms.v1.KeyRing]. [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm] are required.
message
service.proto:479Request message for [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
string parent = 1
Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey].
string crypto_key_id = 2
Required. It must be unique within a KeyRing and match the regular expression `[a-zA-Z0-9_-]{1,63}`
optional crypto_key = 3
A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field values.
bool skip_initial_version_creation = 5
If set to true, the request will create a [CryptoKey][google.cloud.kms.v1.CryptoKey] without any [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. You must manually call [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion] before you can use this [CryptoKey][google.cloud.kms.v1.CryptoKey].
Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a [CryptoKey][google.cloud.kms.v1.CryptoKey]. The server will assign the next sequential id. If unset, [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
message
service.proto:500Request message for [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
string parent = 1
Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
optional crypto_key_version = 2
A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with initial field values.
Imports a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] into an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] using the wrapped key material provided in the request. The version ID will be assigned the next sequential id within the [CryptoKey][google.cloud.kms.v1.CryptoKey].
message
service.proto:510Request message for [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
string parent = 1
Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to be imported into.
CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2
Required. The [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] of the key being imported. This does not need to match the [version_template][google.cloud.kms.v1.CryptoKey.version_template] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] this version imports into.
string import_job = 4
Required. The [name][google.cloud.kms.v1.ImportJob.name] of the [ImportJob][google.cloud.kms.v1.ImportJob] that was used to wrap this key material.
oneof wrapped_key_material
Required. The incoming wrapped key material that is to be imported.
bytes rsa_aes_wrapped_key = 5
Wrapped key material produced with [RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256] or [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256]. This field contains the concatenation of two wrapped keys: <ol> <li>An ephemeral AES-256 wrapping key wrapped with the [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP with SHA-1, MGF1 with SHA-1, and an empty label. </li> <li>The key to be imported, wrapped with the ephemeral AES-256 key using AES-KWP (RFC 5649). </li> </ol> This format is the same as the format produced by PKCS#11 mechanism CKM_RSA_AES_KEY_WRAP.
rpc CreateImportJob (, )
service.proto:164Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a [KeyRing][google.cloud.kms.v1.KeyRing]. [ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method] is required.
message
service.proto:550Request message for [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].
string parent = 1
Required. The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] associated with the [ImportJobs][google.cloud.kms.v1.ImportJob].
string import_job_id = 2
Required. It must be unique within a KeyRing and match the regular expression `[a-zA-Z0-9_-]{1,63}`
optional import_job = 3
Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field values.
rpc UpdateCryptoKey (, )
service.proto:172Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
message
service.proto:564Request message for [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].
optional crypto_key = 1
[CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.
optional update_mask = 2
Required list of fields to be updated in this request.
Update a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s metadata. [state][google.cloud.kms.v1.CryptoKeyVersion.state] may be changed between [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] and [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] using this method. See [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion] and [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] to move between other states.
message
service.proto:573Request message for [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].
optional crypto_key_version = 1
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with updated values.
optional update_mask = 2
Required list of fields to be updated in this request.
rpc Encrypt (, )
service.proto:196Encrypts data, so that it can only be recovered by a call to [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
message
service.proto:582Request message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
string name = 1
Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] or [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for encryption. If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].
bytes plaintext = 2
Required. The data to encrypt. Must be no larger than 64KiB. The maximum size depends on the key version's [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the plaintext must be no larger than 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.
bytes additional_authenticated_data = 3
Optional data that, if specified, must also be provided during decryption through [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]. The maximum size depends on the key version's [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the AAD must be no larger than 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.
message
service.proto:656Response message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
string name = 1
The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in encryption.
bytes ciphertext = 2
The encrypted data.
rpc Decrypt (, )
service.proto:205Decrypts data that was protected by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
message
service.proto:613Request message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
string name = 1
Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The server will choose the appropriate version.
bytes ciphertext = 2
Required. The encrypted data originally returned in [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
bytes additional_authenticated_data = 3
Optional data that must match the data originally supplied in [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
message
service.proto:650Response message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
bytes plaintext = 1
The decrypted data originally supplied in [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
rpc AsymmetricSign (, )
service.proto:215Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
message
service.proto:628Request message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
string name = 1
Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for signing.
optional digest = 3
Required. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version's [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
message
service.proto:665Response message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
bytes signature = 1
The created signature.
rpc AsymmetricDecrypt (, )
service.proto:225Decrypts data that was encrypted with a public key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey] corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_DECRYPT.
message
service.proto:639Request message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
string name = 1
Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for decryption.
bytes ciphertext = 3
Required. The data encrypted with the named [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public key using OAEP.
message
service.proto:671Response message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
bytes plaintext = 1
The decrypted data originally encrypted with the matching public key.
Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. Returns an error if called on an asymmetric key.
message
service.proto:677Request message for [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
string name = 1
The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
string crypto_key_version_id = 2
The id of the child [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for destruction. Upon calling this method, [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be set to a time 24 hours in the future, at which point the [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be changed to [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], and the key material will be irrevocably destroyed. Before the [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is reached, [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] may be called to reverse the process.
message
service.proto:686Request message for [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
string name = 1
The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.
Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] state. Upon restoration of the CryptoKeyVersion, [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED], and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be cleared.
message
service.proto:692Request message for [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
string name = 1
The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.
message
resources.proto:47A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic operations. A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of one or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.
Used as response type in: KeyManagementService.CreateCryptoKey, KeyManagementService.GetCryptoKey, KeyManagementService.UpdateCryptoKey, KeyManagementService.UpdateCryptoKeyPrimaryVersion
Used as field type in: , ,
string name = 1
Output only. The resource name for this [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
optional primary = 2
Output only. A copy of the "primary" [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this [CryptoKey][google.cloud.kms.v1.CryptoKey] is given in [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name]. The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary version can be updated via [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]. All keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] have a primary. For other keys, this field will be omitted.
CryptoKey.CryptoKeyPurpose purpose = 3
The immutable purpose of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
optional create_time = 5
Output only. The time at which this [CryptoKey][google.cloud.kms.v1.CryptoKey] was created.
optional next_rotation_time = 7
At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time], the Key Management Service will automatically: 1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey]. 2. Mark the new version as primary. Key rotations performed manually via [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] and [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion] do not affect [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]. Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support automatic rotation. For other keys, this field must be omitted.
oneof rotation_schedule
Controls the rate of automatic rotation.
rotation_period = 8
[next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] will be advanced by this period when the service automatically rotates a key. Must be at least one day. If [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period] is set, [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] must also be set. Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support automatic rotation. For other keys, this field must be omitted.
optional version_template = 11
A template describing settings for new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances. The properties of new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances created by either [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or auto-rotation are controlled by this template.
map<string, string> labels = 10
Labels with user-defined metadata. For more information, see [Labeling Keys](/kms/docs/labeling-keys).
[CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] describes the cryptographic capabilities of a [CryptoKey][google.cloud.kms.v1.CryptoKey]. A given key can only be used for the operations allowed by its purpose. For more information, see [Key purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes).
Used in:
CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0
Not specified.
ENCRYPT_DECRYPT = 1
[CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] and [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
ASYMMETRIC_SIGN = 5
[CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with [AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign] and [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
ASYMMETRIC_DECRYPT = 6
[CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with [AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt] and [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
message
resources.proto:187A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the associated key material. An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.
Used as response type in: KeyManagementService.CreateCryptoKeyVersion, KeyManagementService.DestroyCryptoKeyVersion, KeyManagementService.GetCryptoKeyVersion, KeyManagementService.ImportCryptoKeyVersion, KeyManagementService.RestoreCryptoKeyVersion, KeyManagementService.UpdateCryptoKeyVersion
Used as field type in: , , ,
string name = 1
Output only. The resource name for this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
CryptoKeyVersion.CryptoKeyVersionState state = 3
The current state of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
ProtectionLevel protection_level = 7
Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] describing how crypto operations are performed with this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 10
Output only. The [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] supports.
optional attestation = 8
Output only. Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level] [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
optional create_time = 4
Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created.
optional generate_time = 11
Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was generated.
optional destroy_time = 5
Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material is scheduled for destruction. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED].
optional destroy_event_time = 6
Output only. The time this CryptoKeyVersion's key material was destroyed. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
string import_job = 14
Output only. The name of the [ImportJob][google.cloud.kms.v1.ImportJob] used to import this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only present if the underlying key material was imported.
optional import_time = 15
Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was imported.
string import_failure_reason = 16
Output only. The root cause of an import failure. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED].
The algorithm of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating what parameters must be used for each cryptographic operation. The [GOOGLE_SYMMETRIC_ENCRYPTION][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION] algorithm is usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. Algorithms beginning with "RSA_SIGN_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]. The fields in the name after "RSA_SIGN_" correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm. For PSS, the salt length used is equal to the length of digest algorithm. For example, [RSA_SIGN_PSS_2048_SHA256][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256] will use PSS with a salt length of 256 bits or 32 bytes. Algorithms beginning with "RSA_DECRYPT_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT]. The fields in the name after "RSA_DECRYPT_" correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm. Algorithms beginning with "EC_SIGN_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]. The fields in the name after "EC_SIGN_" correspond to the following parameters: elliptic curve, digest algorithm. For more information, see [Key purposes and algorithms] (https://cloud.google.com/kms/docs/algorithms).
Used in: , , ,
CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0
Not specified.
GOOGLE_SYMMETRIC_ENCRYPTION = 1
Creates symmetric encryption keys.
RSA_SIGN_PSS_2048_SHA256 = 2
RSASSA-PSS 2048 bit key with a SHA256 digest.
RSA_SIGN_PSS_3072_SHA256 = 3
RSASSA-PSS 3072 bit key with a SHA256 digest.
RSA_SIGN_PSS_4096_SHA256 = 4
RSASSA-PSS 4096 bit key with a SHA256 digest.
RSA_SIGN_PSS_4096_SHA512 = 15
RSASSA-PSS 4096 bit key with a SHA512 digest.
RSA_SIGN_PKCS1_2048_SHA256 = 5
RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
RSA_SIGN_PKCS1_3072_SHA256 = 6
RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
RSA_SIGN_PKCS1_4096_SHA256 = 7
RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
RSA_SIGN_PKCS1_4096_SHA512 = 16
RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
RSA_DECRYPT_OAEP_2048_SHA256 = 8
RSAES-OAEP 2048 bit key with a SHA256 digest.
RSA_DECRYPT_OAEP_3072_SHA256 = 9
RSAES-OAEP 3072 bit key with a SHA256 digest.
RSA_DECRYPT_OAEP_4096_SHA256 = 10
RSAES-OAEP 4096 bit key with a SHA256 digest.
RSA_DECRYPT_OAEP_4096_SHA512 = 17
RSAES-OAEP 4096 bit key with a SHA512 digest.
EC_SIGN_P256_SHA256 = 12
ECDSA on the NIST P-256 curve with a SHA256 digest.
EC_SIGN_P384_SHA384 = 13
ECDSA on the NIST P-384 curve with a SHA384 digest.
The state of a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating if it can be used.
Used in:
CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0
Not specified.
PENDING_GENERATION = 5
This version is still being generated. It may not be used, enabled, disabled, or destroyed yet. Cloud KMS will automatically mark this version [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] as soon as the version is ready.
ENABLED = 1
This version may be used for cryptographic operations.
DISABLED = 2
This version may not be used, but the key material is still available, and the version can be placed back into the [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] state.
DESTROYED = 3
This version is destroyed, and the key material is no longer stored. A version may not leave this state once entered.
DESTROY_SCHEDULED = 4
This version is scheduled for destruction, and will be destroyed soon. Call [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] to put it back into the [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] state.
PENDING_IMPORT = 6
This version is still being imported. It may not be used, enabled, disabled, or destroyed yet. Cloud KMS will automatically mark this version [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] as soon as the version is ready.
IMPORT_FAILED = 7
This version was not imported successfully. It may not be used, enabled, disabled, or destroyed. The submitted key material has been discarded. Additional details can be found in [CryptoKeyVersion.import_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.import_failure_reason].
A view for [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]s. Controls the level of detail returned for [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] in [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions] and [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
Used in: ,
CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0
Default view for each [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Does not include the [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation] field.
FULL = 1
Provides all fields in each [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], including the [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation].
message
resources.proto:137A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate] specifies the properties to use when creating a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either manually with [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or automatically as a result of auto-rotation.
Used in:
ProtectionLevel protection_level = 1
[ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this template. Immutable. Defaults to [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 3
Required. [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] to use when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
message
service.proto:698A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message digest.
Used in:
oneof digest
Required. The message digest.
bytes sha256 = 1
A message digest produced with the SHA-256 algorithm.
bytes sha384 = 2
A message digest produced with the SHA-384 algorithm.
bytes sha512 = 3
A message digest produced with the SHA-512 algorithm.
message
resources.proto:434An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material, generated outside of Cloud KMS. When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a "wrapping key", which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The fetched public key can then be used to wrap your pre-existing key material. Once the key material is wrapped, it can be imported into a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key. An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the [ImportJob][google.cloud.kms.v1.ImportJob]'s public key. For more information, see [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
Used as response type in: KeyManagementService.CreateImportJob, KeyManagementService.GetImportJob
Used as field type in: ,
string name = 1
Output only. The resource name for this [ImportJob][google.cloud.kms.v1.ImportJob] in the format `projects/*/locations/*/keyRings/*/importJobs/*`.
ImportJob.ImportMethod import_method = 2
Required and immutable. The wrapping method to be used for incoming key material.
ProtectionLevel protection_level = 9
Required and immutable. The protection level of the [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] of the [version_template][google.cloud.kms.v1.CryptoKey.version_template] on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you attempt to import into.
optional create_time = 3
Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] was created.
optional generate_time = 4
Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]'s key material was generated.
optional expire_time = 5
Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for expiration and can no longer be used to import key material.
optional expire_event_time = 10
Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob] expired. Only present if [state][google.cloud.kms.v1.ImportJob.state] is [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED].
ImportJob.ImportJobState state = 6
Output only. The current state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used.
optional public_key = 7
Output only. The public key with which to wrap key material prior to import. Only returned if [state][google.cloud.kms.v1.ImportJob.state] is [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE].
optional attestation = 8
Output only. Statement that was generated and signed by the key creator (for example, an HSM) at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only present if the chosen [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] is one with a protection level of [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
The state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used.
Used in:
IMPORT_JOB_STATE_UNSPECIFIED = 0
Not specified.
PENDING_GENERATION = 1
The wrapping key for this job is still being generated. It may not be used. Cloud KMS will automatically mark this job as [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] as soon as the wrapping key is generated.
ACTIVE = 2
This job may be used in [CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey] and [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] requests.
EXPIRED = 3
This job can no longer be used and may not leave this state once entered.
[ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] describes the key wrapping method chosen for this [ImportJob][google.cloud.kms.v1.ImportJob].
Used in:
IMPORT_METHOD_UNSPECIFIED = 0
Not specified.
RSA_OAEP_3072_SHA1_AES_256 = 1
This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping scheme defined in the PKCS #11 standard. In summary, this involves wrapping the raw key with an ephemeral AES key, and wrapping the ephemeral AES key with a 3072 bit RSA key. For more details, see [RSA AES key wrap mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
RSA_OAEP_4096_SHA1_AES_256 = 2
This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping scheme defined in the PKCS #11 standard. In summary, this involves wrapping the raw key with an ephemeral AES key, and wrapping the ephemeral AES key with a 4096 bit RSA key. For more details, see [RSA AES key wrap mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
message
resources.proto:437The public key component of the wrapping key. For details of the type of key this public key corresponds to, see the [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod].
Used in:
string pem = 1
The public key, encoded in PEM format. For more information, see the [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and [Textual Encoding of Subject Public Key Info] (https://tools.ietf.org/html/rfc7468#section-13).
message
resources.proto:154Contains an HSM-generated attestation about a key operation. For more information, see [Verifying attestations] (https://cloud.google.com/kms/docs/attest-key).
Used in: ,
KeyOperationAttestation.AttestationFormat format = 4
Output only. The format of the attestation data.
bytes content = 5
Output only. The attestation data provided by the HSM when the key operation was performed.
Attestation formats provided by the HSM.
Used in:
ATTESTATION_FORMAT_UNSPECIFIED = 0
Not specified.
CAVIUM_V1_COMPRESSED = 3
Cavium HSM attestation compressed with gzip. Note that this format is defined by Cavium and subject to change at any time.
CAVIUM_V2_COMPRESSED = 4
Cavium HSM attestation V2 compressed with gzip. This is a new format introduced in Cavium's version 3.2-08.
message
resources.proto:33A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
Used as response type in: KeyManagementService.CreateKeyRing, KeyManagementService.GetKeyRing
Used as field type in: ,
string name = 1
Output only. The resource name for the [KeyRing][google.cloud.kms.v1.KeyRing] in the format `projects/*/locations/*/keyRings/*`.
optional create_time = 2
Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing] was created.
message
service.proto:713Cloud KMS metadata for the given [google.cloud.location.Location][google.cloud.location.Location].
bool hsm_available = 1
Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this location.
[ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] specifies how cryptographic operations are performed. For more information, see [Protection levels] (https://cloud.google.com/kms/docs/algorithms#protection_levels).
Used in: , ,
PROTECTION_LEVEL_UNSPECIFIED = 0
Not specified.
SOFTWARE = 1
Crypto operations are performed in software.
HSM = 2
Crypto operations are performed in a Hardware Security Module.