Key version state
A key version has a state:
Disabled (DISABLED): This version may not be used, but the key material is still available, and the version can be placed back into the enabled state.
Scheduled for destruction (DESTROY_SCHEDULED): This version is scheduled for destruction, and will be destroyed soon. It can be placed back into the disabled state.
Destroyed (DESTROYED): This version is destroyed, and the key material is no longer stored in Cloud Key Management Service. Any ciphertext encrypted with this version is not recoverable. A version may not leave this state once entered.
Changing states of a key version
The following describes how a key version can change states:
A key version can move from enabled to disabled and from disabled to enabled using UpdateCryptoKeyVersion, client library methods that map to it, gcloud kms keys versions disable and gcloud kms keys versions enable, or the Google Cloud Platform Console.
A key version which is enabled or disabled can move to scheduled for destruction using DestroyCryptoKeyVersion, client library methods that map to it, gcloud kms keys versions destroy, or the Google Cloud Platform Console.
A key version which is scheduled for destruction can move to disabled using RestoreCryptoKeyVersion, client library methods that map to it, gcloud kms keys versions restore, or the Google Cloud Platform Console.
To learn how to enable or disable a key version, see Enabling and disabling key versions. To learn how to schedule a key version for destruction, or restore a key version that is scheduled for destruction, see Destroying and restoring key versions.
Primary key version
Each key has a designated primary version which is used at that point in time to encrypt data.
When a key is used to encrypt plaintext, its primary key version is used to encrypt that data. The information as to which version was used to encrypt data is stored in the ciphertext of the data. Only one version of a key can be primary at any given point in time.
If the primary key version is disabled, the key cannot be used to encrypt data. Note that an enabled primary key version can be disabled, scheduled for destruction or destroyed, and a version which is not enabled can be made the primary version.
Which key version is primary does not impact the ability to decrypt data. A key version can be used to decrypt data as long as it is enabled.
Keys and key version states
Keys do not have states; only key versions have states.
In order for a key to be available for use to encrypt data, it needs to have a primary key version which is enabled.
In order for a key to be available for use to decrypt data, the key version which was originally used to encrypt the data must be enabled. That key version need not be the primary version at decrypt time.
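The state changes and the encrypt/decrypt availability rules described above, as an added example that models them locally; it is not Cloud KMS code and calls no API. The Key class, the operation names and the "expire" step (scheduled destruction completing) are assumptions made for illustration.

```python
from enum import Enum

class State(Enum):
    ENABLED = "ENABLED"
    DISABLED = "DISABLED"
    DESTROY_SCHEDULED = "DESTROY_SCHEDULED"
    DESTROYED = "DESTROYED"

# (operation, current state) -> next state, following the transitions on this page.
TRANSITIONS = {
    ("disable", State.ENABLED): State.DISABLED,            # UpdateCryptoKeyVersion
    ("enable", State.DISABLED): State.ENABLED,             # UpdateCryptoKeyVersion
    ("destroy", State.ENABLED): State.DESTROY_SCHEDULED,   # DestroyCryptoKeyVersion
    ("destroy", State.DISABLED): State.DESTROY_SCHEDULED,  # DestroyCryptoKeyVersion
    ("restore", State.DESTROY_SCHEDULED): State.DISABLED,  # RestoreCryptoKeyVersion
    ("expire", State.DESTROY_SCHEDULED): State.DESTROYED,  # hypothetical name
}

class Key:
    """Hypothetical in-memory key: version id -> State, plus the primary id."""
    def __init__(self, versions, primary):
        self.versions = dict(versions)
        self.primary = primary

    def apply(self, version, op):
        current = self.versions[version]
        nxt = TRANSITIONS.get((op, current))
        if nxt is None:  # covers every operation on a DESTROYED version
            raise ValueError(f"{op} not allowed from {current.value}")
        self.versions[version] = nxt
        return nxt

    def can_encrypt(self):
        # Encryption always uses the primary version, which must be enabled.
        return self.versions.get(self.primary) is State.ENABLED

    def can_decrypt(self, version):
        # Only the encrypting version's state matters, not which one is primary.
        return self.versions.get(version) is State.ENABLED

def demo():
    key = Key({1: State.ENABLED, 2: State.ENABLED}, primary=2)  # constructed sample
    key.apply(2, "disable")                      # primary disabled
    results = [key.can_encrypt(), key.can_decrypt(1)]
    key.apply(1, "destroy")
    key.apply(1, "restore")                      # lands in DISABLED, not ENABLED
    results.append(key.can_decrypt(1))
    key.apply(1, "enable")
    results.append(key.can_decrypt(1))
    return results
```

A restored version comes back disabled, so ciphertext encrypted with it stays undecryptable until the version is explicitly enabled again.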