销毁和恢复密钥版本

密钥版本具有状态,用于确定其密钥材料是否存在。

使用 DestroyCryptoKeyVersion、映射到 DestroyCryptoKeyVersion 的客户端库方法、gcloud kms keys versions destroy 命令或 Google Cloud Platform Console,已启用或已停用的密钥版本可以更改为已安排销毁状态。使用 RestoreCryptoKeyVersion、映射到 RestoreCryptoKeyVersion 的客户端库方法、gcloud kms keys versions restore 命令以及 Google Cloud Platform Console,处于已安排销毁状态的密钥版本可以更改为已停用状态。

如需修改密钥版本的状态,用户需要相应的 Cloud Identity and Access Management 角色或权限。

  • 预定义角色 roles/cloudkms.adminroles/owner 可以安排销毁密钥版本,并可以恢复处于已安排销毁状态的密钥版本。

  • 包含 cloudkms.cryptoKeyVersions.destroy 权限的自定义角色可以安排销毁密钥版本。

  • 包含 cloudkms.cryptoKeyVersions.restore 权限的自定义角色可以恢复处于已安排销毁状态的密钥版本。

安排销毁密钥版本(销毁密钥版本)

只有处于已启用或已停用状态的密钥版本可以安排进行销毁。

为了防止发生意外和不怀好意的个人造成的损害,使用 DestroyCryptoKeyVersion 时,密钥材料不会立即被销毁。相反,密钥版本将更改为已安排销毁状态并保持 24 小时,之后会被自动销毁。这一安全备用方案不可替换。

销毁是指删除密钥材料,但版本的记录仍然存在(例如,版本号无法重复使用)。这一过程不可逆:使用此版本加密的任何数据都不可恢复。

控制台

  1. 转到 GCP Console 中的加密密钥页面。
    转到“加密密钥”页面

  2. 点击密钥环的名称,该密钥环包含您要安排销毁其密钥版本的密钥。

  3. 点击您要安排销毁其密钥版本的密钥。

  4. 点击您要安排销毁的密钥版本。

  5. 点击销毁

  6. 当系统提示您确认安排销毁密钥版本时,输入相应密钥名称,然后点击安排销毁

命令行

销毁 global 位置的密钥环 answers 中密钥 answer 的版本 42

gcloud kms keys versions destroy 42 --location global \
  --keyring answers --key answer

C#

      public static void DestroyCryptoKeyVersion(string projectId, string locationId, string keyRingId, string cryptoKeyId, string versionId)
      {
          KeyManagementServiceClient client = KeyManagementServiceClient.Create();

          // The CryptoKeyVersion to destroy.
          CryptoKeyVersionName versionName =
              new CryptoKeyVersionName(projectId, locationId, keyRingId, cryptoKeyId, versionId);

          CryptoKeyVersion result = client.DestroyCryptoKeyVersion(versionName);

          Console.Write($"Destroyed Crypto Key Version: {result.Name}");
      }

Go

import (
	"context"
	"fmt"
	"io"

	cloudkms "cloud.google.com/go/kms/apiv1"
	kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1"
)

// destroyCryptoKeyVersion marks a specified key version for deletion.
// The key can be restored if requested within 24 hours.
func destroyCryptoKeyVersion(w io.Writer, name string) error {
	// name := "projects/PROJECT_ID/locations/global/keyRings/RING_ID/cryptoKeys/KEY_ID/cryptoKeyVersions/1"
	ctx := context.Background()
	client, err := cloudkms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("cloudkms.NewKeyManagementClient: %v", err)
	}
	// Build the request.
	req := &kmspb.DestroyCryptoKeyVersionRequest{
		Name: name,
	}
	// Call the API.
	result, err := client.DestroyCryptoKeyVersion(ctx, req)
	if err != nil {
		return fmt.Errorf("DestroyCryptoKeyVersion: %v", err)
	}
	fmt.Fprintf(w, "Destroyed crypto key version: %s", result)
	return nil
}

Java


/**
 * Marks the given version of a crypto key to be destroyed at a scheduled future point.
 */
public static CryptoKeyVersion destroyCryptoKeyVersion(
    String projectId, String locationId, String keyRingId, String cryptoKeyId, String version)
    throws IOException {

  // Create the Cloud KMS client.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {

    // The resource name of the cryptoKey version
    String versionName = CryptoKeyVersionName.format(
        projectId, locationId, keyRingId, cryptoKeyId, version);

    // Destroy the cryptoKey version
    CryptoKeyVersion destroyed = client.destroyCryptoKeyVersion(versionName);

    return destroyed;
  }
}

Node.js

async function destroyCryptoKeyVersion(
  projectId = 'your-project-id', // Your GCP projectId
  keyRingId = 'my-key-ring', // Name of the crypto key version's key ring
  cryptoKeyId = 'my-key', // Name of the version's crypto key
  version = 1234 // The version's id
) {
  // Import the library and create a client
  const kms = require('@google-cloud/kms');
  const client = new kms.KeyManagementServiceClient();

  // The location of the crypto key versions's key ring, e.g. "global"
  const locationId = 'global';

  // Get the full path to the crypto key version
  const name = client.cryptoKeyVersionPath(
    projectId,
    locationId,
    keyRingId,
    cryptoKeyId,
    version
  );

  // destroys a crypto key version
  const [result] = await client.destroyCryptoKeyVersion({name});
  console.log(`Crypto key version ${result.name} destroyed.`);
}

PHP

use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/** Uncomment and populate these variables in your code */
// $projectId = 'The Google project ID';
// $locationId = 'The location ID of the crypto key. Can be "global", "us-west1", etc.';
// $keyRingId = 'The KMS key ring ID';
// $cryptoKeyId = 'The KMS key ID';
// $version = 'The KMS key version number';

$kms = new KeyManagementServiceClient();

// The resource name of the Crypto Key version.
$cryptoKeyVersionName = $kms->cryptoKeyVersionName($projectId, $locationId, $keyRingId, $cryptoKeyId, $version);

// Get the CryptoKey.
$cryptoKeyVersion = $kms->destroyCryptoKeyVersion($cryptoKeyVersionName);

printf('Destroyed version %s for cryptoKey %s in keyRing %s' . PHP_EOL, $version, $cryptoKeyId, $keyRingId);

Python

def destroy_crypto_key_version(
        project_id, location_id, key_ring_id, crypto_key_id, version_id):
    """Schedules a CryptoKeyVersion associated with a given CryptoKey and
    KeyRing for destruction 24 hours in the future."""

    from google.cloud import kms_v1

    # Creates an API client for the KMS API.
    client = kms_v1.KeyManagementServiceClient()

    # Construct the resource name of the CryptoKeyVersion.
    name = client.crypto_key_version_path(project_id, location_id, key_ring_id,
                                          crypto_key_id, version_id)

    # Use the KMS API to mark the CryptoKeyVersion for destruction.
    response = client.destroy_crypto_key_version(name)

    # Print results
    print('CryptoKeyVersion {}\'s state has been set to {}.'.format(
        name, response.state))

Ruby

# project_id    = "Your Google Cloud project ID"
# location_id   = "The location of the key ring"
# key_ring_id   = "The ID of the key ring"
# crypto_key_id = "The ID of the crypto key"
# version_id    = "Version of the crypto key"

require "google/cloud/kms/v1"
CloudKMS = Google::Cloud::Kms::V1

# Initialize the client
client = CloudKMS::KeyManagementServiceClient.new

# The crypto key version to destroy
version = CloudKMS::KeyManagementServiceClient.crypto_key_version_path(
  project_id, location_id, key_ring_id, crypto_key_id, version_id
)

# Destroy the crypto key version
destroyed = client.destroy_crypto_key_version version

puts "Destroyed version #{version_id} of #{crypto_key_id}"

如需查看安排销毁密钥版本后如何接收提醒的示例,请参阅将 Stackdriver Monitoring 与 Cloud KMS 搭配使用

恢复密钥版本

您可以恢复处于计划销毁状态的密钥版本,如此系统便不会自动将其销毁。这将使密钥版本的状态从已安排销毁更改为已停用。

控制台

  1. 转到 GCP Console 中的加密密钥页面。
    转到“加密密钥”页面

  2. 点击密钥环的名称,该密钥环包含您要恢复其密钥版本的密钥。

  3. 点击您要恢复其密钥版本的密钥。

  4. 点击您要恢复的密钥版本。

  5. 点击恢复

  6. 系统提示您确认恢复密钥版本时,点击恢复

命令行

恢复 global 位置的密钥环 answers 中密钥 answer 的版本 42

gcloud kms keys versions restore 42 --location global \
  --keyring answers --key answer

C#

      public static void RestoreCryptoKeyVersion(string projectId, string locationId, string keyRingId, string cryptoKeyId, string versionId)
      {
          KeyManagementServiceClient client = KeyManagementServiceClient.Create();

          // The CryptoKeyVersion to restore.
          CryptoKeyVersionName versionName =
              new CryptoKeyVersionName(projectId, locationId, keyRingId, cryptoKeyId, versionId);

          CryptoKeyVersion result = client.RestoreCryptoKeyVersion(versionName);

          Console.Write($"Restored Crypto Key Version: {result.Name}");
      }

Go

import (
	"context"
	"fmt"
	"io"

	cloudkms "cloud.google.com/go/kms/apiv1"
	kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1"
)

// restoreCryptoKeyVersion attempts to recover a key that has been marked for destruction within the last 24 hours.
func restoreCryptoKeyVersion(w io.Writer, keyVersionName string) error {
	// keyVersionName := "projects/PROJECT_ID/locations/global/keyRings/RING_ID/cryptoKeys/KEY_ID/cryptoKeyVersions/1"
	ctx := context.Background()
	client, err := cloudkms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("cloudkms.NewKeyManagementClient: %v", err)
	}
	// Build the request.
	req := &kmspb.RestoreCryptoKeyVersionRequest{
		Name: keyVersionName,
	}
	// Call the API.
	result, err := client.RestoreCryptoKeyVersion(ctx, req)
	if err != nil {
		return fmt.Errorf("RestoreCryptoKeyVersion: %v", err)
	}
	fmt.Fprintf(w, "Restored crypto key version: %s", result)
	return nil
}

Java


/**
 * Restores the given version of a crypto key that is currently scheduled for destruction.
 */
public static CryptoKeyVersion restoreCryptoKeyVersion(
    String projectId, String locationId, String keyRingId, String cryptoKeyId, String version)
    throws IOException {

  // Create the Cloud KMS client.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {

    // The resource name of the cryptoKey version
    String versionName = CryptoKeyVersionName.format(
        projectId, locationId, keyRingId, cryptoKeyId, version);

    CryptoKeyVersion restored = client.restoreCryptoKeyVersion(versionName);

    return restored;
  }
}

Node.js

async function restoreCryptoKeyVersion(
  projectId = 'your-project-id', // Your GCP projectId
  keyRingId = 'my-key-ring', // Name of the crypto key version's key ring
  cryptoKeyId = 'my-key', // Name of the version's crypto key
  version = 1234 // The version's id
) {
  // Import the library and create a client
  const kms = require('@google-cloud/kms');
  const client = new kms.KeyManagementServiceClient();

  // The location of the crypto key versions's key ring, e.g. "global"
  const locationId = 'global';

  // Get the full path to the crypto key version
  const name = client.cryptoKeyVersionPath(
    projectId,
    locationId,
    keyRingId,
    cryptoKeyId,
    version
  );

  // restores a crypto key version
  const [result] = await client.restoreCryptoKeyVersion({name});
  console.log(`Crypto key version ${result.name} restored.`);
}

PHP

use Google\Cloud\Kms\V1\KeyManagementServiceClient;

/** Uncomment and populate these variables in your code */
// $projectId = 'The Google project ID';
// $locationId = 'The location ID of the crypto key. Can be "global", "us-west1", etc.';
// $keyRingId = 'The KMS key ring ID';
// $cryptoKeyId = 'The KMS key ID';
// $version = 'The KMS key version number';

$kms = new KeyManagementServiceClient();

// The resource name of the Crypto Key version.
$cryptoKeyVersionName = $kms->cryptoKeyVersionName($projectId, $locationId, $keyRingId, $cryptoKeyId, $version);

// Get the CryptoKey.
$cryptoKeyVersion = $kms->restoreCryptoKeyVersion($cryptoKeyVersionName);

printf('Restored version %s for cryptoKey %s in keyRing %s' . PHP_EOL, $version, $cryptoKeyId, $keyRingId);

Python

def restore_crypto_key_version(
        project_id, location_id, key_ring_id, crypto_key_id, version_id):
    """Restores a CryptoKeyVersion that is scheduled for destruction."""

    from google.cloud import kms_v1

    # Creates an API client for the KMS API.
    client = kms_v1.KeyManagementServiceClient()

    # Construct the resource name of the CryptoKeyVersion.
    name = client.crypto_key_version_path(project_id, location_id, key_ring_id,
                                          crypto_key_id, version_id)

    # Use the KMS API to restore the CryptoKeyVersion.
    response = client.restore_crypto_key_version(name)

    # Print results
    print('CryptoKeyVersion {}\'s state has been set to {}.'.format(
        name, response.state))

Ruby

# project_id    = "Your Google Cloud project ID"
# location_id   = "The location of the key ring"
# key_ring_id   = "The ID of the key ring"
# crypto_key_id = "The ID of the crypto key"
# version_id    = "Version of the crypto key"

require "google/cloud/kms/v1"
CloudKMS = Google::Cloud::Kms::V1

# Initialize the client
client = CloudKMS::KeyManagementServiceClient.new

# The crypto key version to restore
version = CloudKMS::KeyManagementServiceClient.crypto_key_version_path(
  project_id, location_id, key_ring_id, crypto_key_id, version_id
)

# Restore the crypto key version
restored = client.restore_crypto_key_version version

puts "Restored version #{version_id} of #{crypto_key_id}"