This topic discusses each type of resource in Cloud KMS. You can learn more about the hierarchy of resources.
You can allow and deny access to keys using Identity and Access Management (IAM) permissions and roles. It's not possible to manage access to a key version.
Disabling or destroying a key also disables or destroys each key version.
The following sections discuss the properties of a key.
Depending on the context, a key's properties are shown in a different format.
- When using the Google Cloud CLI or the Cloud Key Management Service API, the property is shown as
a string of capital letters, like
- When using the Google Cloud console, the property is shown as a string with initial capitalization, like Software.
In the sections below, each format is shown where it is appropriate.
A key's type determines whether the key is used for symmetric or asymmetric cryptographic operations.
In symmetric encryption, the entire key is required to encrypt or decrypt data. Symmetric keys cannot be used for signing.
In asymmetric encryption or signing, the key consists of a public and private key.
- The private key is considered sensitive data, and is required to decrypt data or for signing, depending on the key's configured purpose.
The public key is not considered sensitive, and is required to encrypt data or to verify a signature, depending on the key's configured purpose.
A key's type can't be changed after the key is created.
A key's type is one component of its purpose.
A key's purpose determines whether the key can be used for encryption or for signing. You choose the purpose when creating the key, and all versions have the same purpose.
The purpose of a symmetric key is always Symmetric encrypt/decrypt.
The purpose of an asymmetric key is either Asymmetric encrypt/decrypt or Asymmetric signing.
A key's purpose can't be changed after the key is created.
A key has multiple versions, but a symmetric key can have at most one primary key version. The primary key version is used to encrypt data if you do not specify a key version.
Asymmetric keys do not have primary versions; you must specify the version when using the key.
For both symmetric and asymmetric keys, you can use any enabled key version to encrypt or decrypt data, whether it is the primary version or not.
Each version of a key contains key material used for encryption or signing. A
key's version is represented by an integer, starting at
1. To decrypt data or
verify a signature, you must use the same key version that was used to encrypt
or sign the data. To find and reference a key version's resource ID, see
Retrieving a key's resource ID.
You can disable or destroy a key version without affecting other versions. Rotating a key creates a new version. You can learn more about rotating keys.
Disabling or destroying a key also disables or destroys all versions of that key. You can selectively disable a key version without affecting other key versions.
It's not possible to manage access to a key version. Granting access to a key also grants access to all of its enabled versions.
For security reasons, no Google Cloud principal can view or export the raw cryptographic key material represented by a key version. Instead, Cloud KMS accesses the key material on your behalf.
The following sections discuss the properties of a key version.
A key version's state is always one of the following:
- Scheduled for destruction
A key version can only be used when it is enabled. Key versions in any state other than destroyed incur costs.
A key version's protection level determines the key's storage environment at rest. The protection level is one of the following:
- Software (
SOFTWAREin the Google Cloud CLI and Cloud Key Management Service API)
- External (
EXTERNALin the Google Cloud CLI and Cloud Key Management Service API)
- External_VPC (
EXTERNAL_VPCin the Google Cloud CLI and Cloud Key Management Service API)
Although the protection level is a property of a key version, it cannot be changed after the key is created.
A key version's algorithm determines how the key material is created and the parameters required for cryptographic operations. Symmetric and asymmetric keys support different algorithms.
If you do not specify an algorithm when creating a new key version, the algorithm from the previous version is used.
Regardless of the algorithm, Cloud KMS uses probabilistic encryption, so that the same plaintext encrypted with the same key version twice does not encrypt to the same ciphertext.
A key ring organizes keys in a specific Google Cloud location and allows you to manage access control on groups of keys. A key ring's name does not need to be unique across a Google Cloud project, but must be unique within a given location. After creation, a key ring cannot be deleted. Key rings do not incur storage costs.
An EKM connection is a Cloud KMS resource that organizes VPC connections to your on-premises EKMs in a specific Google Cloud location. An EKM connection allows you to connect to and use keys from an external key manager over a VPC network. After creation, an EKM connection cannot be deleted. EKM connections do not incur storage costs.
Retrieving a resource's ID
Some API calls and gcloud CLI might require you to refer to a key ring,
key, or key version by its resource ID, which is a string representing
name. Resource IDs are hierarchical, similar to a filesystem path. A key's
resource ID also contains information about the key ring and location.
|Object||Resource Id format|
To learn more, see Getting a Cloud KMS resource ID.
When you are planning how to organize the resources in your Google Cloud project, consider your business rules and how you plan to manage access. You can grant access to a single key, all keys on a keyring, or all keys in a project. The following organization patterns are common:
- By environment, such as
- By work area, such as
- By data sensitivity or characteristics, such as
Resource life cycles
Key rings, keys, and key versions cannot be deleted. This ensures that a key version's resource identifier is unique and always points to the original key material for that key version unless it has been destroyed. You can store an unlimited number of key rings, enabled or disabled keys, and enabled, disabled, or destroyed key versions. For more information, see Pricing and Quotas.
To learn how to destroy or restore a key version, see Destroying and restoring key versions.
If you schedule the shutdown of a Google Cloud project, you will not be able to access the project's resources, including Cloud KMS resources, unless you recover the project by following the steps to restore a project.