Class KeyManagementMode (3.6.0)

KeyManagementMode(value)

KeyManagementMode describes who can perform control plane cryptographic operations using this EkmConnection.

Enums

KEY_MANAGEMENT_MODE_UNSPECIFIED:
    Not specified.
MANUAL:
    EKM-side key management operations on CryptoKeys created with
    this EkmConnection must be initiated from the EKM directly and
    cannot be performed from Cloud KMS. This means that:

    - When creating a CryptoKeyVersion associated with this
      EkmConnection, the caller must supply the key path of
      pre-existing external key material that will be linked to
      the CryptoKeyVersion.
    - Destruction of external key material cannot be requested
      via the Cloud KMS API and must be performed directly in
      the EKM.
    - Automatic rotation of key material is not supported.
CLOUD_KMS (2):
    All CryptoKeys created with this EkmConnection use EKM-side
    key management operations initiated from Cloud KMS.
    This means that:

    - When a CryptoKeyVersion associated with this EkmConnection
      is created, the EKM automatically generates new key material
      and a new key path. The caller cannot supply the key path
      of pre-existing external key material.
    - Destruction of external key material associated with this
      EkmConnection can be requested by calling
      DestroyCryptoKeyVersion.
    - Automatic rotation of key material is supported.
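
The rules for the MANUAL and CLOUD_KMS modes can be checked before a key is provisioned. The following is an added example, not code from the client library: `preflight` and `destruction_route` are hypothetical helpers, the inputs are plain dicts in the REST/JSON shape of the resources (`keyManagementMode`, `externalProtectionLevelOptions.ekmConnectionKeyPath`, `rotationPeriod`, `nextRotationTime`), and all sample values are constructed.

```python
# Added example (not from the client library): check a planned key setup
# against the KeyManagementMode rules. Inputs are dicts in REST/JSON shape.

def preflight(connection, crypto_key, new_version):
    """Return findings; an empty list means the plan fits the mode."""
    mode = connection.get("keyManagementMode", "KEY_MANAGEMENT_MODE_UNSPECIFIED")
    opts = new_version.get("externalProtectionLevelOptions") or {}
    key_path = opts.get("ekmConnectionKeyPath", "")
    rotates = bool(crypto_key.get("rotationPeriod") or crypto_key.get("nextRotationTime"))
    findings = []
    if mode == "MANUAL":
        if not key_path:
            findings.append("MANUAL: supply the key path of pre-existing external key material")
        if rotates:
            findings.append("MANUAL: automatic rotation is not supported")
    elif mode == "CLOUD_KMS":
        if key_path:
            findings.append("CLOUD_KMS: key path cannot be supplied; the EKM generates it")
    else:
        # Assumption of this example: refuse to guess for an unset or unknown mode.
        findings.append(f"{mode}: mode not set, cannot validate the plan")
    return findings


def destruction_route(connection):
    """Where destruction of the external key material has to be requested."""
    mode = connection.get("keyManagementMode")
    if mode == "MANUAL":
        return "EKM"  # not reachable through the Cloud KMS API
    if mode == "CLOUD_KMS":
        return "DestroyCryptoKeyVersion"
    raise ValueError(f"no destruction route defined for mode {mode!r}")


# Constructed sample resources (names and key path are placeholders).
MANUAL_CONN = {"name": "projects/example/locations/us/ekmConnections/manual",
               "keyManagementMode": "MANUAL"}
COORD_CONN = {"name": "projects/example/locations/us/ekmConnections/coordinated",
              "keyManagementMode": "CLOUD_KMS"}
ROTATING_KEY = {"rotationPeriod": "7776000s"}
LINKED_VERSION = {"externalProtectionLevelOptions": {"ekmConnectionKeyPath": "v0/example-key"}}

if __name__ == "__main__":
    for conn in (MANUAL_CONN, COORD_CONN):
        print(conn["keyManagementMode"],
              preflight(conn, ROTATING_KEY, LINKED_VERSION),
              destruction_route(conn))
```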