Class KeyManagementMode (2.20.0)

KeyManagementMode(value)

KeyManagementMode describes who can perform control plane cryptographic operations using this EkmConnection.

Values: KEY_MANAGEMENT_MODE_UNSPECIFIED (0): Not specified. MANUAL (1): EKM-side key management operations on CryptoKeys created with this EkmConnection must be initiated from the EKM directly and cannot be performed from Cloud KMS. This means that:

    -  When creating a
       <xref uid="google.cloud.kms.v1.CryptoKeyVersion">CryptoKeyVersion</xref>
       associated with this
       <xref uid="google.cloud.kms.v1.EkmConnection">EkmConnection</xref>, the
       caller must supply the key path of pre-existing external
       key material that will be linked to the
       <xref uid="google.cloud.kms.v1.CryptoKeyVersion">CryptoKeyVersion</xref>.
    -  Destruction of external key material cannot be requested
       via the Cloud KMS API and must be performed directly in
       the EKM.
    -  Automatic rotation of key material is not supported.
CLOUD_KMS (2):
    All <xref uid="google.cloud.kms.v1.CryptoKey">CryptoKeys</xref> created with
    this <xref uid="google.cloud.kms.v1.EkmConnection">EkmConnection</xref> use
    EKM-side key management operations initiated from Cloud KMS.
    This means that:

    -  When a
       <xref uid="google.cloud.kms.v1.CryptoKeyVersion">CryptoKeyVersion</xref>
       associated with this
       <xref uid="google.cloud.kms.v1.EkmConnection">EkmConnection</xref> is
       created, the EKM automatically generates new key material
       and a new key path. The caller cannot supply the key path
       of pre-existing external key material.
    -  Destruction of external key material associated with this
       <xref uid="google.cloud.kms.v1.EkmConnection">EkmConnection</xref> can be
       requested by calling
       `DestroyCryptoKeyVersion][EkmService.DestroyCryptoKeyVersion]`.
    -  Automatic rotation of key material is supported.