设置一个空密钥来导入您自己的加密密钥。
Go
如需了解如何安装和使用 Cloud KMS 客户端库,请参阅 Cloud KMS 客户端库。
如需向 Cloud KMS 进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证。
import (
"context"
"fmt"
"io"
kms "cloud.google.com/go/kms/apiv1"
"cloud.google.com/go/kms/apiv1/kmspb"
)
// createKeyForImport creates an import-only asymmetric signing CryptoKey
// in Cloud HSM. No version is created: the key is an empty container whose
// versions must all be supplied through key import. The created key's
// resource name is written to w.
func createKeyForImport(w io.Writer, parent, id string) error {
	// parent := "projects/my-project/locations/us-east1/keyRings/my-key-ring"
	// id := "my-imported-key"

	ctx := context.Background()

	// Create the client.
	kmsClient, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	}
	defer kmsClient.Close()

	// Template applied to versions later added to this key: HSM-protected
	// P-256 ECDSA signing.
	template := &kmspb.CryptoKeyVersionTemplate{
		ProtectionLevel: kmspb.ProtectionLevel_HSM,
		Algorithm:       kmspb.CryptoKeyVersion_EC_SIGN_P256_SHA256,
	}
	key := &kmspb.CryptoKey{
		Purpose:         kmspb.CryptoKey_ASYMMETRIC_SIGN,
		VersionTemplate: template,
		// Only imported versions may be added to this key.
		ImportOnly: true,
	}

	// Call the API. SkipInitialVersionCreation leaves the key empty so that
	// its first version comes from an import rather than from KMS.
	created, err := kmsClient.CreateCryptoKey(ctx, &kmspb.CreateCryptoKeyRequest{
		Parent:                     parent,
		CryptoKeyId:                id,
		CryptoKey:                  key,
		SkipInitialVersionCreation: true,
	})
	if err != nil {
		return fmt.Errorf("failed to create key: %w", err)
	}

	fmt.Fprintf(w, "Created key: %s\n", created.Name)
	return nil
}
Java
如需了解如何安装和使用 Cloud KMS 客户端库,请参阅 Cloud KMS 客户端库。
如需向 Cloud KMS 进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证。
import com.google.cloud.kms.v1.CreateCryptoKeyRequest;
import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose;
import com.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm;
import com.google.cloud.kms.v1.CryptoKeyVersionTemplate;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRingName;
import com.google.cloud.kms.v1.ProtectionLevel;
import java.io.IOException;
public class CreateKeyForImport {

  public void createKeyForImport() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String keyRingId = "my-key-ring";
    String id = "my-import-key";
    createKeyForImport(projectId, locationId, keyRingId, id);
  }

  /**
   * Creates an import-only, HSM-protected asymmetric signing CryptoKey with no
   * versions. Every version of this key must later be supplied by key import.
   *
   * @param projectId Google Cloud project ID.
   * @param locationId Cloud KMS location of the key ring.
   * @param keyRingId ID of the key ring that will hold the key.
   * @param id ID to assign to the new crypto key.
   * @throws IOException if the KMS client cannot be created.
   */
  public void createKeyForImport(String projectId, String locationId, String keyRingId, String id)
      throws IOException {
    String parent = KeyRingName.of(projectId, locationId, keyRingId).toString();
    CreateCryptoKeyRequest request = buildRequest(parent, id);

    // The client owns background resources; try-with-resources closes it once
    // the request has completed. One client can serve many requests.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      CryptoKey createdKey = client.createCryptoKey(request);
      System.out.printf("Created crypto key %s%n", createdKey.getName());
    }
  }

  // Builds the CreateCryptoKey request for an empty, import-only signing key.
  private static CreateCryptoKeyRequest buildRequest(String parent, String id) {
    CryptoKeyVersionTemplate template =
        CryptoKeyVersionTemplate.newBuilder()
            .setProtectionLevel(ProtectionLevel.HSM)
            .setAlgorithm(CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256)
            .build();
    CryptoKey key =
        CryptoKey.newBuilder()
            .setPurpose(CryptoKeyPurpose.ASYMMETRIC_SIGN)
            .setVersionTemplate(template)
            // Only imported versions may be added to this key.
            .setImportOnly(true)
            .build();
    return CreateCryptoKeyRequest.newBuilder()
        .setParent(parent)
        .setCryptoKeyId(id)
        .setCryptoKey(key)
        // Leave the key empty so that its first version comes from an import.
        .setSkipInitialVersionCreation(true)
        .build();
  }
}
Node.js
如需了解如何安装和使用 Cloud KMS 客户端库,请参阅 Cloud KMS 客户端库。
如需向 Cloud KMS 进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证。
//
// TODO(developer): Uncomment these variables before running the sample.
//
// const projectId = 'my-project';
// const locationId = 'us-east1';
// const keyRingId = 'my-key-ring';
// const id = 'my-imported-key';

// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');

// Instantiates a client
const client = new KeyManagementServiceClient();

// Build the parent key ring name
const keyRingName = client.keyRingPath(projectId, locationId, keyRingId);

// Creates an empty, import-only HSM encryption key and resolves with the
// created CryptoKey resource.
async function createKeyForImport() {
  // Every version later added to this key is an HSM-protected symmetric
  // encryption key, and must come from an import.
  const cryptoKey = {
    purpose: 'ENCRYPT_DECRYPT',
    versionTemplate: {
      algorithm: 'GOOGLE_SYMMETRIC_ENCRYPTION',
      protectionLevel: 'HSM',
    },
    // Optional: ensure that only imported versions may be added to this
    // key.
    importOnly: true,
  };

  const request = {
    parent: keyRingName,
    cryptoKeyId: id,
    cryptoKey,
    // Do not allow KMS to generate an initial version of this key.
    skipInitialVersionCreation: true,
  };

  const [key] = await client.createCryptoKey(request);
  console.log(`Created key for import: ${key.name}`);
  return key;
}

return createKeyForImport();
Python
如需了解如何安装和使用 Cloud KMS 客户端库,请参阅 Cloud KMS 客户端库。
如需向 Cloud KMS 进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证。
from google.cloud import kms
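def create_key_for_import(
    project_id: str, location_id: str, key_ring_id: str, crypto_key_id: str
) -> None:
    """
    Sets up an empty CryptoKey within a KeyRing for import.

    The key is created import-only and without an initial version, so its
    first (and every later) version must be supplied through key import.
    Without these two settings KMS would generate an initial version itself,
    and the key would not be "empty" as this sample intends.

    Args:
        project_id (string): Google Cloud project ID (e.g. 'my-project').
        location_id (string): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
        crypto_key_id (string): ID of the key to import (e.g. 'my-asymmetric-signing-key').
    """

    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key. For more information regarding allowed values of these fields, see:
    # https://googleapis.dev/python/cloudkms/latest/_modules/google/cloud/kms_v1/types/resources.html
    purpose = kms.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN
    algorithm = kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    protection_level = kms.ProtectionLevel.HSM
    key = {
        "purpose": purpose,
        "version_template": {
            "algorithm": algorithm,
            "protection_level": protection_level,
        },
        # Ensure that only imported versions may be added to this key.
        "import_only": True,
    }

    # Build the parent key ring name.
    key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)

    # Call the API. Skipping initial version creation leaves the key empty so
    # that its first version comes from an import rather than from KMS.
    created_key = client.create_crypto_key(
        request={
            "parent": key_ring_name,
            "crypto_key_id": crypto_key_id,
            "crypto_key": key,
            "skip_initial_version_creation": True,
        }
    )
    print(f"Created hsm key: {created_key.name}")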