Reference documentation and code samples for the Google Cloud Key Management Service v1 API enum EkmConnection.Types.KeyManagementMode.
[KeyManagementMode][google.cloud.kms.v1.EkmConnection.KeyManagementMode]
describes who can perform control plane cryptographic operations using this
[EkmConnection][google.cloud.kms.v1.EkmConnection].
All [CryptoKeys][google.cloud.kms.v1.CryptoKey] created with this
[EkmConnection][google.cloud.kms.v1.EkmConnection] use EKM-side key
management operations initiated from Cloud KMS. This means that:
When a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
associated with this [EkmConnection][google.cloud.kms.v1.EkmConnection]
is
created, the EKM automatically generates new key material and a new
key path. The caller cannot supply the key path of pre-existing
external key material.
Destruction of external key material associated with this
[EkmConnection][google.cloud.kms.v1.EkmConnection] can be requested by
calling [DestroyCryptoKeyVersion][EkmService.DestroyCryptoKeyVersion].
Automatic rotation of key material is supported.
Manual
EKM-side key management operations on
[CryptoKeys][google.cloud.kms.v1.CryptoKey] created with this
[EkmConnection][google.cloud.kms.v1.EkmConnection] must be initiated from
the EKM directly and cannot be performed from Cloud KMS. This means that:
When creating a
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] associated with
this
[EkmConnection][google.cloud.kms.v1.EkmConnection], the caller must
supply the key path of pre-existing external key material that will be
linked to the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
Destruction of external key material cannot be requested via the
Cloud KMS API and must be performed directly in the EKM.
Automatic rotation of key material is not supported.
