在指定密钥环和位置上创建 Cloud HSM 密钥。
深入探索
如需查看包含此代码示例的详细文档,请参阅以下内容:
代码示例
C#
如需了解如何安装和使用 Cloud KMS 客户端库,请参阅 Cloud KMS 客户端库。
如需向 Cloud KMS 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
using Google.Cloud.Kms.V1;
using Google.Protobuf.WellKnownTypes;
public class CreateKeyHsmSample
{
public CryptoKey CreateKeyHsm(
string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
string id = "my-hsm-encryption-key")
{
// Create the client.
KeyManagementServiceClient client = KeyManagementServiceClient.Create();
// Build the parent key ring name.
KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);
// Build the key.
CryptoKey key = new CryptoKey
{
Purpose = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
VersionTemplate = new CryptoKeyVersionTemplate
{
ProtectionLevel = ProtectionLevel.Hsm,
Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.GoogleSymmetricEncryption,
},
// Optional: customize how long key versions should be kept before destroying.
DestroyScheduledDuration = new Duration
{
Seconds = 24 * 60 * 60,
}
};
// Call the API.
CryptoKey result = client.CreateCryptoKey(keyRingName, id, key);
// Return the result.
return result;
}
}
Go
如需了解如何安装和使用 Cloud KMS 客户端库,请参阅 Cloud KMS 客户端库。
如需向 Cloud KMS 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
import (
"context"
"fmt"
"io"
"time"
kms "cloud.google.com/go/kms/apiv1"
"cloud.google.com/go/kms/apiv1/kmspb"
"google.golang.org/protobuf/types/known/durationpb"
)
// createKeyHSM creates a new symmetric encrypt/decrypt key on Cloud KMS.
func createKeyHSM(w io.Writer, parent, id string) error {
// parent := "projects/my-project/locations/us-east1/keyRings/my-key-ring"
// id := "my-hsm-encryption-key"
// Create the client.
ctx := context.Background()
client, err := kms.NewKeyManagementClient(ctx)
if err != nil {
return fmt.Errorf("failed to create kms client: %w", err)
}
defer client.Close()
// Build the request.
req := &kmspb.CreateCryptoKeyRequest{
Parent: parent,
CryptoKeyId: id,
CryptoKey: &kmspb.CryptoKey{
Purpose: kmspb.CryptoKey_ENCRYPT_DECRYPT,
VersionTemplate: &kmspb.CryptoKeyVersionTemplate{
ProtectionLevel: kmspb.ProtectionLevel_HSM,
Algorithm: kmspb.CryptoKeyVersion_GOOGLE_SYMMETRIC_ENCRYPTION,
},
// Optional: customize how long key versions should be kept before destroying.
DestroyScheduledDuration: durationpb.New(24 * time.Hour),
},
}
// Call the API.
result, err := client.CreateCryptoKey(ctx, req)
if err != nil {
return fmt.Errorf("failed to create key: %w", err)
}
fmt.Fprintf(w, "Created key: %s\n", result.Name)
return nil
}
Java
如需了解如何安装和使用 Cloud KMS 客户端库,请参阅 Cloud KMS 客户端库。
如需向 Cloud KMS 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose;
import com.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm;
import com.google.cloud.kms.v1.CryptoKeyVersionTemplate;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRingName;
import com.google.cloud.kms.v1.ProtectionLevel;
import com.google.protobuf.Duration;
import java.io.IOException;
public class CreateKeyHsm {
public void createKeyHsm() throws IOException {
// TODO(developer): Replace these variables before running the sample.
String projectId = "your-project-id";
String locationId = "us-east1";
String keyRingId = "my-key-ring";
String id = "my-hsm-key";
createKeyHsm(projectId, locationId, keyRingId, id);
}
// Create a new key that is stored in an HSM.
public void createKeyHsm(String projectId, String locationId, String keyRingId, String id)
throws IOException {
// Initialize client that will be used to send requests. This client only
// needs to be created once, and can be reused for multiple requests. After
// completing all of your requests, call the "close" method on the client to
// safely clean up any remaining background resources.
try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
// Build the parent name from the project, location, and key ring.
KeyRingName keyRingName = KeyRingName.of(projectId, locationId, keyRingId);
// Build the hsm key to create.
CryptoKey key =
CryptoKey.newBuilder()
.setPurpose(CryptoKeyPurpose.ENCRYPT_DECRYPT)
.setVersionTemplate(
CryptoKeyVersionTemplate.newBuilder()
.setProtectionLevel(ProtectionLevel.HSM)
.setAlgorithm(CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION))
// Optional: customize how long key versions should be kept before destroying.
.setDestroyScheduledDuration(Duration.newBuilder().setSeconds(24 * 60 * 60))
.build();
// Create the key.
CryptoKey createdKey = client.createCryptoKey(keyRingName, id, key);
System.out.printf("Created hsm key %s%n", createdKey.getName());
}
}
}
Node.js
如需了解如何安装和使用 Cloud KMS 客户端库,请参阅 Cloud KMS 客户端库。
如需向 Cloud KMS 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
//
// TODO(developer): Uncomment these variables before running the sample.
//
// const projectId = 'my-project';
// const locationId = 'us-east1';
// const keyRingId = 'my-key-ring';
// const id = 'my-hsm-encryption-key';
// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');
// Instantiates a client
const client = new KeyManagementServiceClient();
// Build the parent key ring name
const keyRingName = client.keyRingPath(projectId, locationId, keyRingId);
async function createKeyHsm() {
const [key] = await client.createCryptoKey({
parent: keyRingName,
cryptoKeyId: id,
cryptoKey: {
purpose: 'ENCRYPT_DECRYPT',
versionTemplate: {
algorithm: 'GOOGLE_SYMMETRIC_ENCRYPTION',
protectionLevel: 'HSM',
},
// Optional: customize how long key versions should be kept before
// destroying.
destroyScheduledDuration: {seconds: 60 * 60 * 24},
},
});
console.log(`Created hsm key: ${key.name}`);
return key;
}
return createKeyHsm();
PHP
如需了解如何安装和使用 Cloud KMS 客户端库,请参阅 Cloud KMS 客户端库。
如需向 Cloud KMS 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\CreateCryptoKeyRequest;
use Google\Cloud\Kms\V1\CryptoKey;
use Google\Cloud\Kms\V1\CryptoKey\CryptoKeyPurpose;
use Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionAlgorithm;
use Google\Cloud\Kms\V1\CryptoKeyVersionTemplate;
use Google\Cloud\Kms\V1\ProtectionLevel;
use Google\Protobuf\Duration;
function create_key_hsm(
string $projectId = 'my-project',
string $locationId = 'us-east1',
string $keyRingId = 'my-key-ring',
string $id = 'my-hsm-key'
): CryptoKey {
// Create the Cloud KMS client.
$client = new KeyManagementServiceClient();
// Build the parent key ring name.
$keyRingName = $client->keyRingName($projectId, $locationId, $keyRingId);
// Build the key.
$key = (new CryptoKey())
->setPurpose(CryptoKeyPurpose::ENCRYPT_DECRYPT)
->setVersionTemplate((new CryptoKeyVersionTemplate())
->setAlgorithm(CryptoKeyVersionAlgorithm::GOOGLE_SYMMETRIC_ENCRYPTION)
->setProtectionLevel(ProtectionLevel::HSM)
)
// Optional: customize how long key versions should be kept before destroying.
->setDestroyScheduledDuration((new Duration())
->setSeconds(24 * 60 * 60)
);
// Call the API.
$createCryptoKeyRequest = (new CreateCryptoKeyRequest())
->setParent($keyRingName)
->setCryptoKeyId($id)
->setCryptoKey($key);
$createdKey = $client->createCryptoKey($createCryptoKeyRequest);
printf('Created hsm key: %s' . PHP_EOL, $createdKey->getName());
return $createdKey;
}
Python
如需了解如何安装和使用 Cloud KMS 客户端库,请参阅 Cloud KMS 客户端库。
如需向 Cloud KMS 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
import datetime
from google.cloud import kms
from google.protobuf import duration_pb2 # type: ignore
def create_key_hsm(
project_id: str, location_id: str, key_ring_id: str, key_id: str
) -> kms.CryptoKey:
"""
Creates a new key in Cloud KMS backed by Cloud HSM.
Args:
project_id (string): Google Cloud project ID (e.g. 'my-project').
location_id (string): Cloud KMS location (e.g. 'us-east1').
key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
key_id (string): ID of the key to create (e.g. 'my-hsm-key').
Returns:
CryptoKey: Cloud KMS key.
"""
# Create the client.
client = kms.KeyManagementServiceClient()
# Build the parent key ring name.
key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)
# Build the key.
purpose = kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
algorithm = (
kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
)
protection_level = kms.ProtectionLevel.HSM
key = {
"purpose": purpose,
"version_template": {
"algorithm": algorithm,
"protection_level": protection_level,
},
# Optional: customize how long key versions should be kept before
# destroying.
"destroy_scheduled_duration": duration_pb2.Duration().FromTimedelta(
datetime.timedelta(days=1)
),
}
# Call the API.
created_key = client.create_crypto_key(
request={"parent": key_ring_name, "crypto_key_id": key_id, "crypto_key": key}
)
print(f"Created hsm key: {created_key.name}")
return created_key
Ruby
如需了解如何安装和使用 Cloud KMS 客户端库,请参阅 Cloud KMS 客户端库。
如需向 Cloud KMS 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
# TODO(developer): uncomment these values before running the sample.
# project_id = "my-project"
# location_id = "us-east1"
# key_ring_id = "my-key-ring"
# id = "my-hsm-key"
# Require the library.
require "google/cloud/kms"
# Create the client.
client = Google::Cloud::Kms.key_management_service
# Build the parent key ring name.
key_ring_name = client.key_ring_path project: project_id, location: location_id, key_ring: key_ring_id
# Build the key.
key = {
purpose: :ENCRYPT_DECRYPT,
version_template: {
algorithm: :GOOGLE_SYMMETRIC_ENCRYPTION,
protection_level: :HSM
},
# Optional: customize how long key versions should be kept before destroying.
destroy_scheduled_duration: {
seconds: 24 * 60 * 60
}
}
# Call the API.
created_key = client.create_crypto_key parent: key_ring_name, crypto_key_id: id, crypto_key: key
puts "Created hsm key: #{created_key.name}"
后续步骤
如需搜索和过滤其他 Google Cloud 产品的代码示例,请参阅 Google Cloud 示例浏览器。