Key states

Key version state

A key version has a state:

  • Enabled (ENABLED): This version may be used in cryptoKeys.encrypt and cryptoKeys.decrypt requests, client library encrypt and decrypt methods, gcloud kms encrypt, and gcloud kms decrypt.

  • Disabled (DISABLED): This version may not be used, but the key material is still available, and the version can be placed back into the enabled state.

  • Scheduled for destruction (DESTROY_SCHEDULED): This version is scheduled for destruction, and will be destroyed soon. It can be placed back into the disabled state.

  • Destroyed (DESTROYED): This version is destroyed, and the key material is no longer stored in Google Cloud Key Management Service. Any ciphertext encrypted with this version is not recoverable. A version may not leave this state once entered.

Changing states of a key version

The following describes how a key version can change states:

To learn how to enable or disable a key version, see Enabling and disabling key versions. To learn how to schedule a key version for destruction, or restore a key version that is scheduled for destruction, see Destroying and restoring key versions.

Primary key version

Each key has a designated primary version, which is the version used to encrypt data at that point in time.

When a key is used to encrypt plaintext, its primary key version performs the encryption. Which version was used is recorded in the resulting ciphertext, so it can be identified at decrypt time. Only one version of a key can be primary at any given point in time.

If the primary key version is disabled, the key cannot be used to encrypt data. Note that an enabled primary key version can be disabled, scheduled for destruction, or destroyed, and that a version which is not enabled can still be made the primary version.

Which key version is primary does not impact the ability to decrypt data. A key version can be used to decrypt data as long as it is enabled.

Keys and key version states

Keys do not have states, only key versions have states.

In order for a key to be available for use to encrypt data, it needs to have a primary key version which is enabled.

In order for a key to be available for use to decrypt data, the key version which was originally used to encrypt the data must be enabled. That key version need not be the primary version at decrypt time.
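The rules above (the four version states and their transitions, the primary version, and the enabled check at encrypt and decrypt time) as a small runnable model. This is an added illustration, not Cloud KMS client library code; the Key class, version ids such as "v1", and the byte-flip stand-in for the real cipher are assumptions made for the example.

```python
from enum import Enum


class State(Enum):
    ENABLED = "ENABLED"
    DISABLED = "DISABLED"
    DESTROY_SCHEDULED = "DESTROY_SCHEDULED"
    DESTROYED = "DESTROYED"


# Transitions permitted by the state descriptions: enabled and disabled can
# swap, either can be scheduled for destruction, a scheduled version can be
# restored to disabled or destroyed, and DESTROYED is terminal.
TRANSITIONS = {
    State.ENABLED: {State.DISABLED, State.DESTROY_SCHEDULED},
    State.DISABLED: {State.ENABLED, State.DESTROY_SCHEDULED},
    State.DESTROY_SCHEDULED: {State.DISABLED, State.DESTROYED},
    State.DESTROYED: set(),
}


class Key:
    """Hypothetical model of a key: only its versions carry state."""

    def __init__(self):
        self.versions = {}   # version id -> State
        self.primary = None  # at most one primary version at a time

    def add_version(self, vid, state=State.ENABLED):
        self.versions[vid] = state

    def set_state(self, vid, new):
        cur = self.versions[vid]
        if new not in TRANSITIONS[cur]:
            raise ValueError(f"{vid}: {cur.value} -> {new.value} not allowed")
        self.versions[vid] = new

    def set_primary(self, vid):
        # A non-enabled version may become primary; the key then cannot encrypt.
        self.primary = vid

    def encrypt(self, plaintext):
        if self.versions.get(self.primary) is not State.ENABLED:
            raise PermissionError("key has no enabled primary version")
        # Stand-in for the real cipher: a byte flip. The version id is stored
        # with the ciphertext, as the page says Cloud KMS does.
        return (self.primary, bytes(b ^ 0xFF for b in plaintext))

    def decrypt(self, ciphertext):
        vid, data = ciphertext
        # Decryption depends on the recorded version being ENABLED, not primary.
        if self.versions.get(vid) is not State.ENABLED:
            raise PermissionError(f"version {vid} is not enabled")
        return bytes(b ^ 0xFF for b in data)
```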
