package google.cloud.kms.v1
Get desktop application:
View/edit binary Protocol Buffers messages
Google Cloud Key Management Service Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects: * [KeyRing][google.cloud.kms.v1.KeyRing] * [CryptoKey][google.cloud.kms.v1.CryptoKey] * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] If you are using manual gRPC libraries, see [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc).
rpc AsymmetricDecrypt (, )
service.proto:186Decrypts data that was encrypted with a public key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey] corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_DECRYPT.
message
service.proto:475Request message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
string name = 1
Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for decryption.
bytes ciphertext = 3
Required. The data encrypted with the named [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public key using OAEP.
message
service.proto:507Response message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
bytes plaintext = 1
The decrypted data originally encrypted with the matching public key.
rpc AsymmetricSign (, )
service.proto:176Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
message
service.proto:464Request message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
string name = 1
Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for signing.
optional digest = 3
Required. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version's [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
message
service.proto:501Response message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
bytes signature = 1
The created signature.
rpc CreateCryptoKey (, )
service.proto:113Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a [KeyRing][google.cloud.kms.v1.KeyRing]. [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm] are required.
message
service.proto:376Request message for [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
string parent = 1
Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey].
string crypto_key_id = 2
Required. It must be unique within a KeyRing and match the regular expression `[a-zA-Z0-9_-]{1,63}`
optional crypto_key = 3
A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field values.
Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a [CryptoKey][google.cloud.kms.v1.CryptoKey]. The server will assign the next sequential id. If unset, [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
message
service.proto:390Request message for [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
string parent = 1
Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
optional crypto_key_version = 2
A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with initial field values.
rpc CreateKeyRing (, )
service.proto:101Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and Location.
message
service.proto:362Request message for [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
string parent = 1
Required. The resource name of the location associated with the [KeyRings][google.cloud.kms.v1.KeyRing], in the format `projects/*/locations/*`.
string key_ring_id = 2
Required. It must be unique within a location and match the regular expression `[a-zA-Z0-9_-]{1,63}`
optional key_ring = 3
A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field values.
rpc Decrypt (, )
service.proto:166Decrypts data that was protected by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
message
service.proto:449Request message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
string name = 1
Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The server will choose the appropriate version.
bytes ciphertext = 2
Required. The encrypted data originally returned in [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
bytes additional_authenticated_data = 3
Optional data that must match the data originally supplied in [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
message
service.proto:486Response message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
bytes plaintext = 1
The decrypted data originally supplied in [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for destruction. Upon calling this method, [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be set to a time 24 hours in the future, at which point the [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be changed to [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], and the key material will be irrevocably destroyed. Before the [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is reached, [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] may be called to reverse the process.
message
service.proto:522Request message for [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
string name = 1
The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.
rpc Encrypt (, )
service.proto:157Encrypts data, so that it can only be recovered by a call to [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
message
service.proto:418Request message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
string name = 1
Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] or [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for encryption. If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].
bytes plaintext = 2
Required. The data to encrypt. Must be no larger than 64KiB. The maximum size depends on the key version's [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the plaintext must be no larger than 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.
bytes additional_authenticated_data = 3
Optional data that, if specified, must also be provided during decryption through [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]. The maximum size depends on the key version's [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the AAD must be no larger than 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.
message
service.proto:492Response message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
string name = 1
The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in encryption.
bytes ciphertext = 2
The encrypted data.
rpc GetCryptoKey (, )
service.proto:77Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey], as well as its [primary][google.cloud.kms.v1.CryptoKey.primary] [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
message
service.proto:343Request message for [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
string name = 1
The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
rpc GetCryptoKeyVersion (, )
service.proto:84Returns metadata for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
message
service.proto:349Request message for [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
string name = 1
The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.
rpc GetKeyRing (, )
service.proto:69Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing].
message
service.proto:337Request message for [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
string name = 1
The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] to get.
rpc GetPublicKey (, )
service.proto:94Returns the public key for the given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN] or [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
message
service.proto:355Request message for [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
string name = 1
The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get.
message
resources.proto:336The public key for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
string pem = 1
The public key, encoded in PEM format. For more information, see the [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and [Textual Encoding of Subject Public Key Info] (https://tools.ietf.org/html/rfc7468#section-13).
CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2
The [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] associated with this key.
Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
message
service.proto:275Request message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
string parent = 1
Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
int32 page_size = 2
Optional limit on the number of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to include in the response. Further [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can subsequently be obtained by including the [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.
string page_token = 3
Optional pagination token, returned earlier via [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token].
CryptoKeyVersion.CryptoKeyVersionView view = 4
The fields to include in the response.
message
service.proto:322Response message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
repeated crypto_key_versions = 1
The list of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
string next_page_token = 2
A token to retrieve next page of results. Pass this value in [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token] to retrieve the next page of results.
int32 total_size = 3
The total number of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched the query.
rpc ListCryptoKeys (, )
service.proto:55Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
message
service.proto:255Request message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
string parent = 1
Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format `projects/*/locations/*/keyRings/*`.
int32 page_size = 2
Optional limit on the number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in the response. Further [CryptoKeys][google.cloud.kms.v1.CryptoKey] can subsequently be obtained by including the [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.
string page_token = 3
Optional pagination token, returned earlier via [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token].
CryptoKeyVersion.CryptoKeyVersionView version_view = 4
The fields of the primary version to include in the response.
message
service.proto:309Response message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
repeated crypto_keys = 1
The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
string next_page_token = 2
A token to retrieve next page of results. Pass this value in [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token] to retrieve the next page of results.
int32 total_size = 3
The total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that matched the query.
rpc ListKeyRings (, )
service.proto:48Lists [KeyRings][google.cloud.kms.v1.KeyRing].
message
service.proto:238Request message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
string parent = 1
Required. The resource name of the location associated with the [KeyRings][google.cloud.kms.v1.KeyRing], in the format `projects/*/locations/*`.
int32 page_size = 2
Optional limit on the number of [KeyRings][google.cloud.kms.v1.KeyRing] to include in the response. Further [KeyRings][google.cloud.kms.v1.KeyRing] can subsequently be obtained by including the [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token] in a subsequent request. If unspecified, the server will pick an appropriate default.
string page_token = 3
Optional pagination token, returned earlier via [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token].
message
service.proto:296Response message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
repeated key_rings = 1
The list of [KeyRings][google.cloud.kms.v1.KeyRing].
string next_page_token = 2
A token to retrieve next page of results. Pass this value in [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token] to retrieve the next page of results.
int32 total_size = 3
The total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched the query.
Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] state. Upon restoration of the CryptoKeyVersion, [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED], and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be cleared.
message
service.proto:528Request message for [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
string name = 1
The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.
rpc UpdateCryptoKey (, )
service.proto:133Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
message
service.proto:400Request message for [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].
optional crypto_key = 1
[CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.
optional update_mask = 2
Required list of fields to be updated in this request.
Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. Returns an error if called on an asymmetric key.
message
service.proto:513Request message for [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
string name = 1
The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
string crypto_key_version_id = 2
The id of the child [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
Update a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s metadata. [state][google.cloud.kms.v1.CryptoKeyVersion.state] may be changed between [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] and [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] using this method. See [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion] and [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] to move between other states.
message
service.proto:409Request message for [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].
optional crypto_key_version = 1
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with updated values.
optional update_mask = 2
Required list of fields to be updated in this request.
message
resources.proto:48A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic operations. A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of one or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.
Used as response type in: KeyManagementService.CreateCryptoKey, KeyManagementService.GetCryptoKey, KeyManagementService.UpdateCryptoKey, KeyManagementService.UpdateCryptoKeyPrimaryVersion
Used as field type in: , ,
string name = 1
Output only. The resource name for this [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
optional primary = 2
Output only. A copy of the "primary" [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this [CryptoKey][google.cloud.kms.v1.CryptoKey] is given in [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name]. The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary version can be updated via [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]. All keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] have a primary. For other keys, this field will be omitted.
CryptoKey.CryptoKeyPurpose purpose = 3
The immutable purpose of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
optional create_time = 5
Output only. The time at which this [CryptoKey][google.cloud.kms.v1.CryptoKey] was created.
optional next_rotation_time = 7
At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time], the Key Management Service will automatically: 1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey]. 2. Mark the new version as primary. Key rotations performed manually via [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] and [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion] do not affect [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]. Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support automatic rotation. For other keys, this field must be omitted.
oneof rotation_schedule
Controls the rate of automatic rotation.
rotation_period = 8
[next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] will be advanced by this period when the service automatically rotates a key. Must be at least one day. If [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period] is set, [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] must also be set. Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support automatic rotation. For other keys, this field must be omitted.
optional version_template = 11
A template describing settings for new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances. The properties of new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances created by either [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or auto-rotation are controlled by this template.
map<string, string> labels = 10
Labels with user-defined metadata. For more information, see [Labeling Keys](/kms/docs/labeling-keys).
[CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] describes the cryptographic capabilities of a [CryptoKey][google.cloud.kms.v1.CryptoKey]. A given key can only be used for the operations allowed by its purpose.
Used in:
CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0
Not specified.
ENCRYPT_DECRYPT = 1
[CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] and [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
ASYMMETRIC_SIGN = 5
[CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with [AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign] and [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
ASYMMETRIC_DECRYPT = 6
[CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with [AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt] and [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
message
resources.proto:180A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the associated key material. An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.
Used as response type in: KeyManagementService.CreateCryptoKeyVersion, KeyManagementService.DestroyCryptoKeyVersion, KeyManagementService.GetCryptoKeyVersion, KeyManagementService.RestoreCryptoKeyVersion, KeyManagementService.UpdateCryptoKeyVersion
Used as field type in: , , ,
string name = 1
Output only. The resource name for this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
CryptoKeyVersion.CryptoKeyVersionState state = 3
The current state of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
ProtectionLevel protection_level = 7
Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] describing how crypto operations are performed with this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 10
Output only. The [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] supports.
optional attestation = 8
Output only. Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level] [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
optional create_time = 4
Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created.
optional generate_time = 11
Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was generated.
optional destroy_time = 5
Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material is scheduled for destruction. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED].
optional destroy_event_time = 6
Output only. The time this CryptoKeyVersion's key material was destroyed. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
The algorithm of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating what parameters must be used for each cryptographic operation. The [GOOGLE_SYMMETRIC_ENCRYPTION][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION] algorithm is usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. Algorithms beginning with "RSA_SIGN_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]. The fields in the name after "RSA_SIGN_" correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm. For PSS, the salt length used is equal to the length of digest algorithm. For example, [RSA_SIGN_PSS_2048_SHA256][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256] will use PSS with a salt length of 256 bits or 32 bytes. Algorithms beginning with "RSA_DECRYPT_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT]. The fields in the name after "RSA_DECRYPT_" correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm. Algorithms beginning with "EC_SIGN_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]. The fields in the name after "EC_SIGN_" correspond to the following parameters: elliptic curve, digest algorithm.
Used in: , ,
CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0
Not specified.
GOOGLE_SYMMETRIC_ENCRYPTION = 1
Creates symmetric encryption keys.
RSA_SIGN_PSS_2048_SHA256 = 2
RSASSA-PSS 2048 bit key with a SHA256 digest.
RSA_SIGN_PSS_3072_SHA256 = 3
RSASSA-PSS 3072 bit key with a SHA256 digest.
RSA_SIGN_PSS_4096_SHA256 = 4
RSASSA-PSS 4096 bit key with a SHA256 digest.
RSA_SIGN_PKCS1_2048_SHA256 = 5
RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
RSA_SIGN_PKCS1_3072_SHA256 = 6
RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
RSA_SIGN_PKCS1_4096_SHA256 = 7
RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
RSA_DECRYPT_OAEP_2048_SHA256 = 8
RSAES-OAEP 2048 bit key with a SHA256 digest.
RSA_DECRYPT_OAEP_3072_SHA256 = 9
RSAES-OAEP 3072 bit key with a SHA256 digest.
RSA_DECRYPT_OAEP_4096_SHA256 = 10
RSAES-OAEP 4096 bit key with a SHA256 digest.
EC_SIGN_P256_SHA256 = 12
ECDSA on the NIST P-256 curve with a SHA256 digest.
EC_SIGN_P384_SHA384 = 13
ECDSA on the NIST P-384 curve with a SHA384 digest.
The state of a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating if it can be used.
Used in:
CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0
Not specified.
PENDING_GENERATION = 5
This version is still being generated. It may not be used, enabled, disabled, or destroyed yet. Cloud KMS will automatically mark this version [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] as soon as the version is ready.
ENABLED = 1
This version may be used for cryptographic operations.
DISABLED = 2
This version may not be used, but the key material is still available, and the version can be placed back into the [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] state.
DESTROYED = 3
This version is destroyed, and the key material is no longer stored. A version may not leave this state once entered.
DESTROY_SCHEDULED = 4
This version is scheduled for destruction, and will be destroyed soon. Call [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] to put it back into the [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] state.
A view for [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]s. Controls the level of detail returned for [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] in [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions] and [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
Used in: ,
CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0
Default view for each [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Does not include the [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation] field.
FULL = 1
Provides all fields in each [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], including the [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation].
message
resources.proto:137A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate] specifies the properties to use when creating a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either manually with [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or automatically as a result of auto-rotation.
Used in:
ProtectionLevel protection_level = 1
[ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this template. Immutable. Defaults to [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 3
Required. [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] to use when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
message
service.proto:534A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message digest.
Used in:
oneof digest
Required. The message digest.
bytes sha256 = 1
A message digest produced with the SHA-256 algorithm.
bytes sha384 = 2
A message digest produced with the SHA-384 algorithm.
bytes sha512 = 3
A message digest produced with the SHA-512 algorithm.
message
resources.proto:152Contains an HSM-generated attestation about a key operation.
Used in:
KeyOperationAttestation.AttestationFormat format = 4
Output only. The format of the attestation data.
bytes content = 5
Output only. The attestation data provided by the HSM when the key operation was performed.
Attestion formats provided by the HSM.
Used in:
ATTESTATION_FORMAT_UNSPECIFIED = 0
CAVIUM_V1_COMPRESSED = 3
Cavium HSM attestation compressed with gzip. Note that this format is defined by Cavium and subject to change at any time.
message
resources.proto:34A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
Used as response type in: KeyManagementService.CreateKeyRing, KeyManagementService.GetKeyRing
Used as field type in: ,
string name = 1
Output only. The resource name for the [KeyRing][google.cloud.kms.v1.KeyRing] in the format `projects/*/locations/*/keyRings/*`.
optional create_time = 2
Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing] was created.
message
service.proto:549Cloud KMS metadata for the given [google.cloud.location.Location][google.cloud.location.Location].
bool hsm_available = 1
Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this location.
[ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] specifies how cryptographic operations are performed.
Used in: ,
PROTECTION_LEVEL_UNSPECIFIED = 0
Not specified.
SOFTWARE = 1
Crypto operations are performed in software.
HSM = 2
Crypto operations are performed in a Hardware Security Module.