Google Cloud Key Management Service v1 API - Namespace Google.Cloud.Kms.V1 (3.2.0)

Classes

AsymmetricDecryptRequest

Request message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].

AsymmetricDecryptResponse

Response message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].

AsymmetricSignRequest

Request message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].

AsymmetricSignResponse

Response message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].

Certificate

A [Certificate][google.cloud.kms.v1.Certificate] represents an X.509 certificate used to authenticate HTTPS connections to EKM replicas.

CreateCryptoKeyRequest

Request message for [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].

CreateCryptoKeyVersionRequest

Request message for [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].

CreateEkmConnectionRequest

Request message for [EkmService.CreateEkmConnection][google.cloud.kms.v1.EkmService.CreateEkmConnection].

CreateImportJobRequest

Request message for [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].

CreateKeyRingRequest

Request message for [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].

CryptoKey

A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic operations.

A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual key material used in cryptographic operations.

CryptoKey.Types

Container for nested types declared in the CryptoKey message type.

CryptoKeyName

Resource name for the CryptoKey resource.

CryptoKeyVersion

A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the associated key material.

An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

CryptoKeyVersion.Types

Container for nested types declared in the CryptoKeyVersion message type.

CryptoKeyVersionName

Resource name for the CryptoKeyVersion resource.

CryptoKeyVersionTemplate

A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate] specifies the properties to use when creating a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either manually with [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or automatically as a result of auto-rotation.

DecryptRequest

Request message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].

DecryptResponse

Response message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].

DestroyCryptoKeyVersionRequest

Request message for [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].

Digest

A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message digest.

EkmConnection

An [EkmConnection][google.cloud.kms.v1.EkmConnection] represents an individual EKM connection. It can be used for creating [CryptoKeys][google.cloud.kms.v1.CryptoKey] and [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] with a [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of [EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], as well as performing cryptographic operations using keys created within the [EkmConnection][google.cloud.kms.v1.EkmConnection].

EkmConnection.Types

Container for nested types declared in the EkmConnection message type.

EkmConnection.Types.ServiceResolver

A [ServiceResolver][google.cloud.kms.v1.EkmConnection.ServiceResolver] represents an EKM replica that can be reached within an [EkmConnection][google.cloud.kms.v1.EkmConnection].

EkmConnectionName

Resource name for the EkmConnection resource.

EkmService

Google Cloud Key Management EKM Service

Manages external cryptographic keys and operations using those keys. Implements a REST model with the following objects:

  • [EkmConnection][google.cloud.kms.v1.EkmConnection]

EkmService.EkmServiceBase

Base class for server-side implementations of EkmService

EkmService.EkmServiceClient

Client for EkmService

EkmServiceClient

EkmService client wrapper, for convenient use.

EkmServiceClientBuilder

Builder class for EkmServiceClient to provide simple configuration of credentials, endpoint etc.

EkmServiceClientImpl

EkmService client wrapper implementation, for convenient use.

EkmServiceSettings

Settings for EkmServiceClient instances.

EncryptRequest

Request message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].

EncryptResponse

Response message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].

ExternalProtectionLevelOptions

ExternalProtectionLevelOptions stores a group of additional fields for configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that are specific to the [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level and [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] protection levels.

GenerateRandomBytesRequest

Request message for [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].

GenerateRandomBytesResponse

Response message for [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].

GetCryptoKeyRequest

Request message for [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].

GetCryptoKeyVersionRequest

Request message for [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].

GetEkmConnectionRequest

Request message for [EkmService.GetEkmConnection][google.cloud.kms.v1.EkmService.GetEkmConnection].

GetImportJobRequest

Request message for [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].

GetKeyRingRequest

Request message for [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].

GetPublicKeyRequest

Request message for [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].

ImportCryptoKeyVersionRequest

Request message for [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].

ImportJob

An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material, generated outside of Cloud KMS.

When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a "wrapping key", which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The fetched public key can then be used to wrap your pre-existing key material.

Once the key material is wrapped, it can be imported into a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key.

An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the [ImportJob][google.cloud.kms.v1.ImportJob]'s public key.

For more information, see Importing a key.

ImportJob.Types

Container for nested types declared in the ImportJob message type.

ImportJob.Types.WrappingPublicKey

The public key component of the wrapping key. For details of the type of key this public key corresponds to, see the [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod].

ImportJobName

Resource name for the ImportJob resource.

KeyManagementService

Google Cloud Key Management Service

Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects:

  • [KeyRing][google.cloud.kms.v1.KeyRing]
  • [CryptoKey][google.cloud.kms.v1.CryptoKey]
  • [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  • [ImportJob][google.cloud.kms.v1.ImportJob]

If you are using manual gRPC libraries, see Using gRPC with Cloud KMS.

KeyManagementService.KeyManagementServiceBase

Base class for server-side implementations of KeyManagementService

KeyManagementService.KeyManagementServiceClient

Client for KeyManagementService

KeyManagementServiceClient

KeyManagementService client wrapper, for convenient use.

KeyManagementServiceClientBuilder

Builder class for KeyManagementServiceClient to provide simple configuration of credentials, endpoint etc.

KeyManagementServiceClientImpl

KeyManagementService client wrapper implementation, for convenient use.

KeyManagementServiceSettings

Settings for KeyManagementServiceClient instances.

KeyOperationAttestation

Contains an HSM-generated attestation about a key operation. For more information, see Verifying attestations.

KeyOperationAttestation.Types

Container for nested types declared in the KeyOperationAttestation message type.

KeyOperationAttestation.Types.CertificateChains

Certificate chains needed to verify the attestation. Certificates in chains are PEM-encoded and are ordered based on https://tools.ietf.org/html/rfc5246#section-7.4.2.

KeyRing

A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].

KeyRingName

Resource name for the KeyRing resource.

ListCryptoKeysRequest

Request message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].

ListCryptoKeysResponse

Response message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].

ListCryptoKeyVersionsRequest

Request message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].

ListCryptoKeyVersionsResponse

Response message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].

ListEkmConnectionsRequest

Request message for [EkmService.ListEkmConnections][google.cloud.kms.v1.EkmService.ListEkmConnections].

ListEkmConnectionsResponse

Response message for [EkmService.ListEkmConnections][google.cloud.kms.v1.EkmService.ListEkmConnections].

ListImportJobsRequest

Request message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].

ListImportJobsResponse

Response message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].

ListKeyRingsRequest

Request message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].

ListKeyRingsResponse

Response message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].

LocationMetadata

Cloud KMS metadata for the given [google.cloud.location.Location][google.cloud.location.Location].

MacSignRequest

Request message for [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].

MacSignResponse

Response message for [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].

MacVerifyRequest

Request message for [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].

MacVerifyResponse

Response message for [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].

PublicKey

The public key for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].

PublicKeyName

Resource name for the PublicKey resource.

RestoreCryptoKeyVersionRequest

Request message for [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].

ServiceName

Resource name for the Service resource.

UpdateCryptoKeyPrimaryVersionRequest

Request message for [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].

UpdateCryptoKeyRequest

Request message for [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].

UpdateCryptoKeyVersionRequest

Request message for [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].

UpdateEkmConnectionRequest

Request message for [EkmService.UpdateEkmConnection][google.cloud.kms.v1.EkmService.UpdateEkmConnection].

Enums

CryptoKey.RotationScheduleOneofCase

Enum of possible cases for the "rotation_schedule" oneof.

CryptoKey.Types.CryptoKeyPurpose

[CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] describes the cryptographic capabilities of a [CryptoKey][google.cloud.kms.v1.CryptoKey]. A given key can only be used for the operations allowed by its purpose. For more information, see Key purposes.

CryptoKeyName.ResourceNameType

The possible contents of CryptoKeyName.

CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm

The algorithm of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating what parameters must be used for each cryptographic operation.

The [GOOGLE_SYMMETRIC_ENCRYPTION][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION] algorithm is usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].

Algorithms beginning with "RSA_SIGN_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].

The fields in the name after "RSA_SIGN_" correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm.

For PSS, the salt length used is equal to the length of digest algorithm. For example, [RSA_SIGN_PSS_2048_SHA256][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256] will use PSS with a salt length of 256 bits or 32 bytes.

Algorithms beginning with "RSA_DECRYPT_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].

The fields in the name after "RSA_DECRYPT_" correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm.

Algorithms beginning with "EC_SIGN_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].

The fields in the name after "EC_SIGN_" correspond to the following parameters: elliptic curve, digest algorithm.

Algorithms beginning with "HMAC_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] [MAC][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.MAC].

The suffix following "HMAC_" corresponds to the hash algorithm being used (eg. SHA256).

For more information, see Key purposes and algorithms.

CryptoKeyVersion.Types.CryptoKeyVersionState

The state of a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating if it can be used.

CryptoKeyVersion.Types.CryptoKeyVersionView

A view for [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]s. Controls the level of detail returned for [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] in [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions] and [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].

CryptoKeyVersionName.ResourceNameType

The possible contents of CryptoKeyVersionName.

Digest.DigestOneofCase

Enum of possible cases for the "digest" oneof.

EkmConnectionName.ResourceNameType

The possible contents of EkmConnectionName.

ImportCryptoKeyVersionRequest.WrappedKeyMaterialOneofCase

Enum of possible cases for the "wrapped_key_material" oneof.

ImportJob.Types.ImportJobState

The state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used.

ImportJob.Types.ImportMethod

[ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] describes the key wrapping method chosen for this [ImportJob][google.cloud.kms.v1.ImportJob].

ImportJobName.ResourceNameType

The possible contents of ImportJobName.

KeyOperationAttestation.Types.AttestationFormat

Attestation formats provided by the HSM.

KeyRingName.ResourceNameType

The possible contents of KeyRingName.

ProtectionLevel

[ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] specifies how cryptographic operations are performed. For more information, see Protection levels.

PublicKeyName.ResourceNameType

The possible contents of PublicKeyName.

ServiceName.ResourceNameType

The possible contents of ServiceName.