销毁和恢复密钥版本

本页面介绍如何安排 Cloud Key Management Service 密钥版本永久销毁。销毁密钥版本后，系统会删除密钥材料，但不会删除密钥名称和版本号等其他详细信息。密钥销毁后，使用该密钥加密的数据无法解密。

当您提交销毁密钥版本的请求时，系统会默认在 24 小时后销毁密钥。您可以通过恢复密钥版本来取消销毁请求。

该密钥会在已安排销毁状态保留 24 小时。您可以在创建密钥时更改此默认时长。

您还可以使用 Identity and Access Management (IAM) 管理对密钥的访问权限。IAM 操作会在数秒内达成一致。如需了解详情，请参阅使用 IAM。

您还可以暂时停用密钥版本。

在本主题的其余部分，将安排销毁密钥的操作称为销毁密钥，即使销毁不会立即销毁。

销毁密钥版本

您可以销毁已启用或已停用的密钥版本。

控制台

在 Google Cloud 控制台中，转到密钥管理页面。

前往 Key Management
选中要安排销毁的密钥版本旁边的复选框。
点击标头中的销毁。
在确认提示中输入密钥名称，然后点击安排销毁。

gcloud

如需在命令行上使用 Cloud KMS，请先安装或升级到最新版本的 Google Cloud CLI。

gcloud kms keys versions destroy KEY_VERSION \
    --key KEY_NAME \
    --keyring KEY_RING \
    --location LOCATION

请替换以下内容：

KEY_VERSION：要销毁的密钥版本的版本号。
KEY_NAME：您要销毁其密钥版本的密钥的名称。
KEY_RING：包含密钥的密钥环的名称。
LOCATION：密钥环的 Cloud KMS 位置。

如需了解所有标志和可能值，请使用 --help 标志运行命令。

C#

要运行此代码，请先设置 C# 开发环境并安装 Cloud KMS C# SDK。

在 GitHub 上查看反馈


using Google.Cloud.Kms.V1;

public class DestroyKeyVersionSample
{
    public CryptoKeyVersion DestroyKeyVersion(
      string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring", string keyId = "my-key", string keyVersionId = "123")
    {
        // Create the client.
        KeyManagementServiceClient client = KeyManagementServiceClient.Create();

        // Build the key version name.
        CryptoKeyVersionName keyVersionName = new CryptoKeyVersionName(projectId, locationId, keyRingId, keyId, keyVersionId);

        // Call the API.
        CryptoKeyVersion result = client.DestroyCryptoKeyVersion(keyVersionName);

        // Return the result.
        return result;
    }
}

Go

要运行此代码，请先设置 Go 开发环境并安装 Cloud KMS Go SDK。

在 GitHub 上查看反馈

import (
	"context"
	"fmt"
	"io"

	kms "cloud.google.com/go/kms/apiv1"
	"cloud.google.com/go/kms/apiv1/kmspb"
)

// destroyKeyVersion marks a specified key version for deletion. The key can be
// restored if requested within 24 hours.
func destroyKeyVersion(w io.Writer, name string) error {
	// name := "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key/cryptoKeyVersions/123"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	}
	defer client.Close()

	// Build the request.
	req := &kmspb.DestroyCryptoKeyVersionRequest{
		Name: name,
	}

	// Call the API.
	result, err := client.DestroyCryptoKeyVersion(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to destroy key version: %w", err)
	}
	fmt.Fprintf(w, "Destroyed key version: %s\n", result)
	return nil
}

Java

要运行此代码，请先设置 Java 开发环境并安装 Cloud KMS Java SDK。

在 GitHub 上查看反馈

import com.google.cloud.kms.v1.CryptoKeyVersion;
import com.google.cloud.kms.v1.CryptoKeyVersionName;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import java.io.IOException;

public class DestroyKeyVersion {

  public void destroyKeyVersion() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String keyRingId = "my-key-ring";
    String keyId = "my-key";
    String keyVersionId = "123";
    destroyKeyVersion(projectId, locationId, keyRingId, keyId, keyVersionId);
  }

  // Schedule destruction of the given key version.
  public void destroyKeyVersion(
      String projectId, String locationId, String keyRingId, String keyId, String keyVersionId)
      throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the key version name from the project, location, key ring, key,
      // and key version.
      CryptoKeyVersionName keyVersionName =
          CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);

      // Destroy the key version.
      CryptoKeyVersion response = client.destroyCryptoKeyVersion(keyVersionName);
      System.out.printf("Destroyed key version: %s%n", response.getName());
    }
  }
}

Node.js

要运行此代码，请先设置 Node.js 开发环境并安装 Cloud KMS Node.js SDK。

在 GitHub 上查看反馈

//
// TODO(developer): Uncomment these variables before running the sample.
//
// const projectId = 'my-project';
// const locationId = 'us-east1';
// const keyRingId = 'my-key-ring';
// const keyId = 'my-key';
// const versionId = '123';

// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');

// Instantiates a client
const client = new KeyManagementServiceClient();

// Build the key version name
const versionName = client.cryptoKeyVersionPath(
  projectId,
  locationId,
  keyRingId,
  keyId,
  versionId
);

async function destroyKeyVersion() {
  const [version] = await client.destroyCryptoKeyVersion({
    name: versionName,
  });

  console.log(`Destroyed key version: ${version.name}`);
  return version;
}

return destroyKeyVersion();

PHP

要运行此代码，请先了解如何在 Google Cloud 上使用 PHP 并安装 Cloud KMS PHP SDK。

在 GitHub 上查看反馈

use Google\Cloud\Kms\V1\KeyManagementServiceClient;

function destroy_key_version(
    string $projectId = 'my-project',
    string $locationId = 'us-east1',
    string $keyRingId = 'my-key-ring',
    string $keyId = 'my-key',
    string $versionId = '123'
) {
    // Create the Cloud KMS client.
    $client = new KeyManagementServiceClient();

    // Build the key version name.
    $keyVersionName = $client->cryptoKeyVersionName($projectId, $locationId, $keyRingId, $keyId, $versionId);

    // Call the API.
    $destroyedVersion = $client->destroyCryptoKeyVersion($keyVersionName);
    printf('Destroyed key version: %s' . PHP_EOL, $destroyedVersion->getName());

    return $destroyedVersion;
}

Python

要运行此代码，请先设置 Python 开发环境并安装 Cloud KMS Python SDK。

在 GitHub 上查看反馈

from google.cloud import kms

def destroy_key_version(
    project_id: str, location_id: str, key_ring_id: str, key_id: str, version_id: str
) -> kms.CryptoKeyVersion:
    """
    Schedule destruction of the given key version.

    Args:
        project_id (string): Google Cloud project ID (e.g. 'my-project').
        location_id (string): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
        key_id (string): ID of the key to use (e.g. 'my-key').
        version_id (string): ID of the key version to destroy (e.g. '1').

    Returns:
        CryptoKeyVersion: The version.

    """

    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key version name.
    key_version_name = client.crypto_key_version_path(
        project_id, location_id, key_ring_id, key_id, version_id
    )

    # Call the API.
    destroyed_version = client.destroy_crypto_key_version(
        request={"name": key_version_name}
    )
    print(f"Destroyed key version: {destroyed_version.name}")
    return destroyed_version

Ruby

要运行此代码，请先设置 Ruby 开发环境并安装 Cloud KMS Ruby SDK。

在 GitHub 上查看反馈

# TODO(developer): uncomment these values before running the sample.
# project_id  = "my-project"
# location_id = "us-east1"
# key_ring_id = "my-key-ring"
# key_id      = "my-key"
# version_id  = "123"

# Require the library.
require "google/cloud/kms"

# Create the client.
client = Google::Cloud::Kms.key_management_service

# Build the key version name.
key_version_name = client.crypto_key_version_path project:            project_id,
                                                  location:           location_id,
                                                  key_ring:           key_ring_id,
                                                  crypto_key:         key_id,
                                                  crypto_key_version: version_id

# Call the API.
destroyed_version = client.destroy_crypto_key_version name: key_version_name
puts "Destroyed key version: #{destroyed_version.name}"

API

这些示例使用 curl 作为 HTTP 客户端来演示如何使用 API。如需详细了解访问权限控制，请参阅访问 Cloud KMS API。

通过调用 CryptoKeys.destroy 方法销毁密钥版本。

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME/cryptoKeyVersions/KEY_VERSION:destroy" \
    --request "POST" \
    --header "authorization: Bearer TOKEN"

当您提交销毁请求时，密钥版本的状态将变为已安排销毁。密钥的已配置销毁销毁时长过后，密钥版本的状态会变为已销毁，这意味着从活跃系统中删除密钥材料的操作已开始，客户无法恢复相应密钥材料。密钥材料在安排的销毁时间后最长可能会在 Google 系统中保留 45 天。

如需在密钥版本安排销毁后接收提醒，请参阅将 Cloud Monitoring 与 Cloud KMS 搭配使用。

已销毁的密钥版本不是计费资源。

销毁外部密钥

如需永久移除 Cloud EKM 密钥和外部密钥之间的关联，您可以销毁密钥版本。安排的“销毁”期结束后，密钥将销毁。密钥版本被销毁后，您无法再加密或使用 Cloud EKM 密钥版本加密的数据。

销毁 Cloud KMS 中的手动管理的密钥版本不会修改外部密钥管理器中的密钥。我们建议您先销毁 Google Cloud 中的密钥或密钥版本。销毁 Cloud EKM 密钥版本后，您可以在外部密钥管理器中销毁密钥材料。

销毁 Cloud KMS 中的协调外部密钥版本会先销毁 Google Cloud 中的密钥版本，然后向 EKM 发送销毁请求以销毁外部密钥材料。

恢复密钥版本

在密钥版本的状态为“已安排销毁”期间，您可以通过提交恢复请求来恢复密钥版本。

控制台

转到 Google Cloud 控制台中的密钥管理页面。

前往“密钥管理”页面
点击您将恢复其密钥版本的密钥所在密钥环的名称。
点击您要恢复其密钥版本的密钥。
选中要恢复的密钥版本旁边的复选框。
点击标头中的恢复。
在确认提示中，点击恢复。

gcloud

如需在命令行上使用 Cloud KMS，请先安装或升级到最新版本的 Google Cloud CLI。

gcloud kms keys versions restore key-version \
    --key key \
    --keyring key-ring \
    --location location

将 key-version 替换为要恢复的密钥的版本。将 key 替换为密钥的名称。将 key-ring 替换为密钥所在的密钥环的名称。将 location 替换为密钥环的 Cloud KMS 位置。

如需了解所有标志和可能值，请使用 --help 标志运行命令。

C#

要运行此代码，请先设置 C# 开发环境并安装 Cloud KMS C# SDK。

在 GitHub 上查看反馈


using Google.Cloud.Kms.V1;

public class RestoreKeyVersionSample
{
    public CryptoKeyVersion RestoreKeyVersion(string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring", string keyId = "my-key", string keyVersionId = "123")
    {
        // Create the client.
        KeyManagementServiceClient client = KeyManagementServiceClient.Create();

        // Build the key version name.
        CryptoKeyVersionName cryptoKeyVersionName = new CryptoKeyVersionName(projectId, locationId, keyRingId, keyId, keyVersionId);

        // Call the API.
        CryptoKeyVersion result = client.RestoreCryptoKeyVersion(cryptoKeyVersionName);

        // Return the result.
        return result;
    }
}

Go

要运行此代码，请先设置 Go 开发环境并安装 Cloud KMS Go SDK。

在 GitHub 上查看反馈

import (
	"context"
	"fmt"
	"io"

	kms "cloud.google.com/go/kms/apiv1"
	"cloud.google.com/go/kms/apiv1/kmspb"
)

// restoreKeyVersion attempts to recover a key that has been marked for
// destruction in the past 24h.
func restoreKeyVersion(w io.Writer, name string) error {
	// name := "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key/cryptoKeyVersions/123"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	}
	defer client.Close()

	// Build the request.
	req := &kmspb.RestoreCryptoKeyVersionRequest{
		Name: name,
	}

	// Call the API.
	result, err := client.RestoreCryptoKeyVersion(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to restore key version: %w", err)
	}
	fmt.Fprintf(w, "Restored key version: %s\n", result)
	return nil
}

Java

要运行此代码，请先设置 Java 开发环境并安装 Cloud KMS Java SDK。

在 GitHub 上查看反馈

import com.google.cloud.kms.v1.CryptoKeyVersion;
import com.google.cloud.kms.v1.CryptoKeyVersionName;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import java.io.IOException;

public class RestoreKeyVersion {

  public void restoreKeyVersion() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String keyRingId = "my-key-ring";
    String keyId = "my-key";
    String keyVersionId = "123";
    restoreKeyVersion(projectId, locationId, keyRingId, keyId, keyVersionId);
  }

  // Schedule destruction of the given key version.
  public void restoreKeyVersion(
      String projectId, String locationId, String keyRingId, String keyId, String keyVersionId)
      throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the key version name from the project, location, key ring, key,
      // and key version.
      CryptoKeyVersionName keyVersionName =
          CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);

      // Restore the key version.
      CryptoKeyVersion response = client.restoreCryptoKeyVersion(keyVersionName);
      System.out.printf("Restored key version: %s%n", response.getName());
    }
  }
}

Node.js

要运行此代码，请先设置 Node.js 开发环境并安装 Cloud KMS Node.js SDK。

在 GitHub 上查看反馈

//
// TODO(developer): Uncomment these variables before running the sample.
//
// const projectId = 'my-project';
// const locationId = 'us-east1';
// const keyRingId = 'my-key-ring';
// const keyId = 'my-key';
// const versionId = '123';

// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');

// Instantiates a client
const client = new KeyManagementServiceClient();

// Build the key version name
const versionName = client.cryptoKeyVersionPath(
  projectId,
  locationId,
  keyRingId,
  keyId,
  versionId
);

async function restoreKeyVersion() {
  const [version] = await client.restoreCryptoKeyVersion({
    name: versionName,
  });

  console.log(`Restored key version: ${version.name}`);
  return version;
}

return restoreKeyVersion();

PHP

要运行此代码，请先了解如何在 Google Cloud 上使用 PHP 并安装 Cloud KMS PHP SDK。

在 GitHub 上查看反馈

use Google\Cloud\Kms\V1\KeyManagementServiceClient;

function restore_key_version(
    string $projectId = 'my-project',
    string $locationId = 'us-east1',
    string $keyRingId = 'my-key-ring',
    string $keyId = 'my-key',
    string $versionId = '123'
) {
    // Create the Cloud KMS client.
    $client = new KeyManagementServiceClient();

    // Build the key version name.
    $keyVersionName = $client->cryptoKeyVersionName($projectId, $locationId, $keyRingId, $keyId, $versionId);

    // Call the API.
    $restoredVersion = $client->restoreCryptoKeyVersion($keyVersionName);
    printf('Restored key version: %s' . PHP_EOL, $restoredVersion->getName());

    return $restoredVersion;
}

Python

要运行此代码，请先设置 Python 开发环境并安装 Cloud KMS Python SDK。

在 GitHub 上查看反馈

from google.cloud import kms

def restore_key_version(
    project_id: str, location_id: str, key_ring_id: str, key_id: str, version_id: str
) -> kms.CryptoKeyVersion:
    """
    Restore a key version scheduled for destruction.

    Args:
        project_id (string): Google Cloud project ID (e.g. 'my-project').
        location_id (string): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
        key_id (string): ID of the key to use (e.g. 'my-key').
        version_id (string): ID of the version to use (e.g. '1').

    Returns:
        CryptoKeyVersion: Restored Cloud KMS key version.

    """

    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key version name.
    key_version_name = client.crypto_key_version_path(
        project_id, location_id, key_ring_id, key_id, version_id
    )

    # Call the API.
    restored_version = client.restore_crypto_key_version(
        request={"name": key_version_name}
    )
    print(f"Restored key version: {restored_version.name}")
    return restored_version

Ruby

要运行此代码，请先设置 Ruby 开发环境并安装 Cloud KMS Ruby SDK。

在 GitHub 上查看反馈

# TODO(developer): uncomment these values before running the sample.
# project_id  = "my-project"
# location_id = "us-east1"
# key_ring_id = "my-key-ring"
# key_id      = "my-key"
# version_id  = "123"

# Require the library.
require "google/cloud/kms"

# Create the client.
client = Google::Cloud::Kms.key_management_service

# Build the key version name.
key_version_name = client.crypto_key_version_path project:            project_id,
                                                  location:           location_id,
                                                  key_ring:           key_ring_id,
                                                  crypto_key:         key_id,
                                                  crypto_key_version: version_id

# Call the API.
restored_version = client.restore_crypto_key_version name: key_version_name
puts "Restored key version: #{restored_version.name}"

API

这些示例使用 curl 作为 HTTP 客户端来演示如何使用 API。如需详细了解访问权限控制，请参阅访问 Cloud KMS API。

通过调用 CryptoKeys.restore 方法恢复密钥版本。

curl "https://cloudkms.googleapis.com/v1/projects/project-id/locations/location-id/keyRings/key-ring-id/cryptoKeys/crypto-key-id/cryptoKeyVersions/version-id:restore" \
    --request "POST" \
    --header "authorization: Bearer token"

恢复请求完成后，密钥版本的状态将变为“已停用”。您必须先启用密钥，然后才能使用它。

必需的 IAM 权限

要销毁密钥版本，调用方需要对密钥、密钥环或项目、文件夹或组织拥有 cloudkms.cryptoKeyVersions.destroy IAM 权限。

要恢复密钥版本，调用者需要 cloudkms.cryptoKeyVersions.restore 权限。

这两种权限都授予了 Cloud KMS Admin 角色 (roles/cloudkms.admin)。

删除时间轴

Cloud KMS 承诺在安排的销毁时间后的 45 天内从所有 Google 基础架构中删除客户密钥材料。这包括从活跃系统和数据中心备份中移除数据。其他客户数据则遵循 180 天的标准 Google Cloud 删除时间表。