Key states

CryptoKeyVersion state

A CryptoKeyVersion has a state:

  • Enabled (ENABLED): This version may be used in cryptoKeys.encrypt and cryptoKeys.decrypt requests.

  • Disabled (DISABLED): This version may not be used, but the key material is still available, and the version can be placed back into the ENABLED state.

  • Scheduled for destruction (DESTROY_SCHEDULED): This version is scheduled for destruction, and will be destroyed soon. Call cryptoKeyVersions.restore to put it back into the DISABLED state.

  • Destroyed (DESTROYED): This version is destroyed, and the key material is no longer stored in Cloud KMS. Any ciphertext encrypted with this version is not recoverable. A version may not leave this state once entered.


A CryptoKeyVersion can move from Enabled to Disabled and from Disabled to Enabled using UpdateCryptoKeyVersion. A CryptoKeyVersion which is Enabled or Disabled can move to Scheduled for destruction using DestroyCryptoKeyVersion, and it can be moved from Scheduled for destruction to Disabled using RestoreCryptoKeyVersion.

Primary CryptoKeyVersion

Each CryptoKey has a designated primary version which is used at that point in time to encrypt data.

When a CryptoKey is used to Encrypt plaintext, its primary CryptoKeyVersion is used to encrypt that data. The information as to which version was used to encrypt data is stored in the ciphertext of the data. Only one version of a CryptoKey can be primary at any given point in time.

If the primary CryptoKeyVersion is disabled, the CryptoKey cannot be used to encrypt data. Note that an enabled primary CryptoKeyVersion can be disabled, scheduled for destruction or destroyed, and a version which is not enabled can be made the primary version.

Which CryptoKeyVersion is primary does not impact the ability to decrypt data. A CryptoKeyVersion can be used to decrypt data as long as it is enabled.

CryptoKey and CryptoKeyVersion states

CryptoKeys do not have states, only CryptoKeyVersions have states.

In order for a CryptoKey to be available for use to encrypt data, it needs to be have a primary CryptoKeyVersion which is enabled.

In order for a CryptoKey to be available for use to decrypt data, the CryptoKeyVersion which was originally used to encrypt the data must be enabled. That CryptoKeyVersion need not be the primary version at decrypt time.

Monitor your resources on the go

Get the Google Cloud Console app to help you manage your projects.

Send feedback about...

Cloud KMS Documentation