REST Resource: projects.locations.keyRings.cryptoKeys.cryptoKeyVersions

Resource: CryptoKeyVersion
Methods

Resource: CryptoKeyVersion

A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.

An ENABLED version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

JSON representation

JSON representation
{ "name": string, "state": enum (`CryptoKeyVersionState`), "protectionLevel": enum (`ProtectionLevel`), "algorithm": enum (`CryptoKeyVersionAlgorithm`), "attestation": { object (`KeyOperationAttestation`) }, "createTime": string, "generateTime": string, "destroyTime": string, "destroyEventTime": string, "importJob": string, "importTime": string, "importFailureReason": string, "generationFailureReason": string, "externalDestructionFailureReason": string, "externalProtectionLevelOptions": { object (`ExternalProtectionLevelOptions`) }, "reimportEligible": boolean }

{
  "name": string,
  "state": enum (CryptoKeyVersionState),
  "protectionLevel": enum (ProtectionLevel),
  "algorithm": enum (CryptoKeyVersionAlgorithm),
  "attestation": {
    object (KeyOperationAttestation)
  },
  "createTime": string,
  "generateTime": string,
  "destroyTime": string,
  "destroyEventTime": string,
  "importJob": string,
  "importTime": string,
  "importFailureReason": string,
  "generationFailureReason": string,
  "externalDestructionFailureReason": string,
  "externalProtectionLevelOptions": {
    object (ExternalProtectionLevelOptions)
  },
  "reimportEligible": boolean
}

Fields
`name`	`string` Output only. The resource name for this `CryptoKeyVersion` in the format `projects//locations//keyRings//cryptoKeys//cryptoKeyVersions/*`.
`state`	`enum (CryptoKeyVersionState)` The current state of the `CryptoKeyVersion`.
`protectionLevel`	`enum (ProtectionLevel)` Output only. The `ProtectionLevel` describing how crypto operations are performed with this `CryptoKeyVersion`.
`algorithm`	`enum (CryptoKeyVersionAlgorithm)` Output only. The `CryptoKeyVersionAlgorithm` that this `CryptoKeyVersion` supports.
`attestation`	`object (KeyOperationAttestation)` Output only. Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with `protectionLevel` `HSM`.
`createTime`	`string (Timestamp format)` Output only. The time at which this `CryptoKeyVersion` was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`generateTime`	`string (Timestamp format)` Output only. The time this `CryptoKeyVersion`'s key material was generated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`destroyTime`	`string (Timestamp format)` Output only. The time this `CryptoKeyVersion`'s key material is scheduled for destruction. Only present if `state` is `DESTROY_SCHEDULED`. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`destroyEventTime`	`string (Timestamp format)` Output only. The time this CryptoKeyVersion's key material was destroyed. Only present if `state` is `DESTROYED`. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`importJob`	`string` Output only. The name of the `ImportJob` used in the most recent import of this `CryptoKeyVersion`. Only present if the underlying key material was imported.
`importTime`	`string (Timestamp format)` Output only. The time at which this `CryptoKeyVersion`'s key material was most recently imported. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`importFailureReason`	`string` Output only. The root cause of the most recent import failure. Only present if `state` is `IMPORT_FAILED`.
`generationFailureReason`	`string` Output only. The root cause of the most recent generation failure. Only present if `state` is `GENERATION_FAILED`.
`externalDestructionFailureReason`	`string` Output only. The root cause of the most recent external destruction failure. Only present if `state` is `EXTERNAL_DESTRUCTION_FAILED`.
`externalProtectionLevelOptions`	`object (ExternalProtectionLevelOptions)` ExternalProtectionLevelOptions stores a group of additional fields for configuring a `CryptoKeyVersion` that are specific to the `EXTERNAL` protection level and `EXTERNAL_VPC` protection levels.
`reimportEligible`	`boolean` Output only. Whether or not this key version is eligible for reimport, by being specified as a target in `ImportCryptoKeyVersionRequest.crypto_key_version`.

CryptoKeyVersionState

The state of a CryptoKeyVersion, indicating if it can be used.

Enums
`CRYPTO_KEY_VERSION_STATE_UNSPECIFIED`	Not specified.
`PENDING_GENERATION`	This version is still being generated. It may not be used, enabled, disabled, or destroyed yet. Cloud KMS will automatically mark this version `ENABLED` as soon as the version is ready.
`ENABLED`	This version may be used for cryptographic operations.
`DISABLED`	This version may not be used, but the key material is still available, and the version can be placed back into the `ENABLED` state.
`DESTROYED`	This version is destroyed, and the key material is no longer stored. This version may only become `ENABLED` again if this version is `reimportEligible` and the original key material is reimported with a call to `KeyManagementService.ImportCryptoKeyVersion`.
`DESTROY_SCHEDULED`	This version is scheduled for destruction, and will be destroyed soon. Call `cryptoKeyVersions.restore` to put it back into the `DISABLED` state.
`PENDING_IMPORT`	This version is still being imported. It may not be used, enabled, disabled, or destroyed yet. Cloud KMS will automatically mark this version `ENABLED` as soon as the version is ready.
`IMPORT_FAILED`	This version was not imported successfully. It may not be used, enabled, disabled, or destroyed. The submitted key material has been discarded. Additional details can be found in `CryptoKeyVersion.import_failure_reason`.
`GENERATION_FAILED`	This version was not generated successfully. It may not be used, enabled, disabled, or destroyed. Additional details can be found in `CryptoKeyVersion.generation_failure_reason`.
`PENDING_EXTERNAL_DESTRUCTION`	This version was destroyed, and it may not be used or enabled again. Cloud KMS is waiting for the corresponding key material residing in an external key manager to be destroyed.
`EXTERNAL_DESTRUCTION_FAILED`	This version was destroyed, and it may not be used or enabled again. However, Cloud KMS could not confirm that the corresponding key material residing in an external key manager was destroyed. Additional details can be found in `CryptoKeyVersion.external_destruction_failure_reason`.

ExternalProtectionLevelOptions

ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.

JSON representation
{ "externalKeyUri": string, "ekmConnectionKeyPath": string }

Fields

Fields
`externalKeyUri`	`string` The URI for an external resource that this `CryptoKeyVersion` represents.
`ekmConnectionKeyPath`	`string` The path to the external key material on the EKM when using `EkmConnection` e.g., "v0/my/key". Set this field instead of externalKeyUri when using an `EkmConnection`.

externalKeyUri

string

The URI for an external resource that this CryptoKeyVersion represents.

ekmConnectionKeyPath

string

The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.

Methods
`asymmetricDecrypt`	Decrypts data that was encrypted with a public key retrieved from `GetPublicKey` corresponding to a `CryptoKeyVersion` with `CryptoKey.purpose` ASYMMETRIC_DECRYPT.
`asymmetricSign`	Signs data using a `CryptoKeyVersion` with `CryptoKey.purpose` ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved from `GetPublicKey`.
`create`	Create a new `CryptoKeyVersion` in a `CryptoKey`.
`destroy`	Schedule a `CryptoKeyVersion` for destruction.
`get`	Returns metadata for a given `CryptoKeyVersion`.
`getPublicKey`	Returns the public key for the given `CryptoKeyVersion`.
`import`	Import wrapped key material into a `CryptoKeyVersion`.
`list`	Lists `CryptoKeyVersions`.
`macSign`	Signs data using a `CryptoKeyVersion` with `CryptoKey.purpose` MAC, producing a tag that can be verified by another source with the same key.
`macVerify`	Verifies MAC tag using a `CryptoKeyVersion` with `CryptoKey.purpose` MAC, and returns a response that indicates whether or not the verification was successful.
`patch`	Update a `CryptoKeyVersion`'s metadata.
`rawDecrypt`	Decrypts data that was originally encrypted using a raw cryptographic mechanism.
`rawEncrypt`	Encrypts data using portable cryptographic primitives.
`restore`	Restore a `CryptoKeyVersion` in the `DESTROY_SCHEDULED` state.

REST Resource: projects.locations.keyRings.cryptoKeys.cryptoKeyVersions

Resource: CryptoKeyVersion

CryptoKeyVersionState

ExternalProtectionLevelOptions

Methods

`asymmetricDecrypt`

`asymmetricSign`

`create`

`destroy`

`get`

`getPublicKey`

`import`

`list`

`macSign`

`macVerify`

`patch`

`rawDecrypt`

`rawEncrypt`

`restore`