A key version has a state which determines if it can be used for encryption and decryption.
To enable or disable a key version, a user needs the appropriate Cloud Identity and Access Management role or permission.
- The pre-defined roles roles/cloudkms.admin, roles/owner, or roles/editor can enable or disable a key version.
- A custom role that contains the cloudkms.cryptoKeyVersions.update permission can enable or disable a key version.
Disable an enabled key version
Only a key version which is enabled can be disabled. This is done with the method UpdateCryptoKeyVersion using the state field, client library methods that map to UpdateCryptoKeyVersion, gcloud kms keys versions disable, or the Google Cloud Platform Console.
Console
- Go to the Cryptographic keys page in the GCP Console.
- Click the name of the key ring that contains the key whose key version you will disable.
- Click the key whose key version you want to disable.
- Click the key version that you want to disable.
- Click Disable.
- When prompted to confirm the disabling of the key version, click Disable.
Command-line
To disable version "42" of key "answer" in key ring "answers":

    gcloud kms keys versions disable 42 --location global --keyring answers --key answer
C#, Go, Java, Node.js, PHP, Python, Ruby
For more on installing and creating a Cloud KMS client, refer to Cloud KMS Client Libraries.
Enable a disabled key version
Only a key version which is disabled can be enabled. This is done with the method UpdateCryptoKeyVersion using the state field, client library methods that map to UpdateCryptoKeyVersion, gcloud kms keys versions enable, or the Google Cloud Platform Console.
Console
- Go to the Cryptographic keys page in the GCP Console.
- Click the name of the key ring that contains the key whose key version you will enable.
- Click the key whose key version you want to enable.
- Click the key version that you want to enable.
- Click Enable.
- When prompted to confirm the enabling of the key version, click Enable.
Command-line
To enable version "42" of key "answer" in key ring "answers":

    gcloud kms keys versions enable 42 --location global --keyring answers --key answer
C#, Go, Java, Node.js, PHP, Python, Ruby
For more on installing and creating a Cloud KMS client, refer to Cloud KMS Client Libraries.
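The two rules above (only an enabled version can be disabled, only a disabled version can be enabled) can be enforced in a wrapper around the gcloud commands. The following is an added example, not code from the original page: the function name kms_set_version_state and its argument order are hypothetical, and it assumes gcloud kms keys versions describe with --format='value(state)' to read the current state.

```shell
# Added example (not from the original page). Function name and argument
# order are hypothetical. It checks the version's state before the change
# and re-reads it afterwards.
# Usage: kms_set_version_state enable|disable VERSION LOCATION KEYRING KEY
kms_set_version_state() {
  local action version location keyring key required target current
  action="$1"; version="$2"; location="$3"; keyring="$4"; key="$5"

  case "$action" in
    disable) required=ENABLED;  target=DISABLED ;;
    enable)  required=DISABLED; target=ENABLED ;;
    *) echo "usage: kms_set_version_state enable|disable VERSION LOCATION KEYRING KEY" >&2
       return 2 ;;
  esac

  # Read the current state before attempting the transition.
  current="$(gcloud kms keys versions describe "$version" \
    --location "$location" --keyring "$keyring" --key "$key" \
    --format='value(state)')" || return 1

  if [ "$current" = "$target" ]; then
    echo "version $version is already $target; nothing to do"
    return 0
  fi
  # Only ENABLED -> DISABLED and DISABLED -> ENABLED are accepted; a version
  # in any other state is left untouched.
  if [ "$current" != "$required" ]; then
    echo "refusing to $action version $version: state is $current, expected $required" >&2
    return 3
  fi

  gcloud kms keys versions "$action" "$version" \
    --location "$location" --keyring "$keyring" --key "$key" >/dev/null || return 1

  # Re-read the state so the caller knows the change took effect.
  current="$(gcloud kms keys versions describe "$version" \
    --location "$location" --keyring "$keyring" --key "$key" \
    --format='value(state)')" || return 1
  if [ "$current" != "$target" ]; then
    echo "version $version is $current after $action, expected $target" >&2
    return 4
  fi
  echo "version $version of key $key: $required -> $target"
}
```

For the page's example, the call is kms_set_version_state disable 42 global answers answer; the caller still needs one of the roles or the cloudkms.cryptoKeyVersions.update permission listed at the top of the page.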