Properties

static

AttestationFormat  number

Attestation formats provided by the HSM.

Properties

Name Type Optional Description

ATTESTATION_FORMAT_UNSPECIFIED

 

 

Not specified.

CAVIUM_V1_COMPRESSED

 

 

Cavium HSM attestation compressed with gzip. Note that this format is defined by Cavium and subject to change at any time.

CAVIUM_V2_COMPRESSED

 

 

Cavium HSM attestation V2 compressed with gzip. This is a new format introduced in Cavium's version 3.2-08.

static

CryptoKeyPurpose  number

CryptoKeyPurpose describes the cryptographic capabilities of a CryptoKey. A given key can only be used for the operations allowed by its purpose. For more information, see Key purposes.

Properties

Name Type Optional Description

CRYPTO_KEY_PURPOSE_UNSPECIFIED

 

 

Not specified.

ENCRYPT_DECRYPT

 

 

CryptoKeys with this purpose may be used with Encrypt and Decrypt.

ASYMMETRIC_SIGN

 

 

CryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.

ASYMMETRIC_DECRYPT

 

 

CryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.

static

CryptoKeyVersionAlgorithm  number

The algorithm of the CryptoKeyVersion, indicating what parameters must be used for each cryptographic operation.

The GOOGLE_SYMMETRIC_ENCRYPTION algorithm is usable with CryptoKey.purpose ENCRYPT_DECRYPT.

Algorithms beginning with "RSA_SIGN_" are usable with CryptoKey.purpose ASYMMETRIC_SIGN.

The fields in the name after "RSA_SIGN_" correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm.

For PSS, the salt length used is equal to the output length of the digest algorithm. For example, RSA_SIGN_PSS_2048_SHA256 will use PSS with a salt length of 256 bits or 32 bytes.

Algorithms beginning with "RSA_DECRYPT_" are usable with CryptoKey.purpose ASYMMETRIC_DECRYPT.

The fields in the name after "RSA_DECRYPT_" correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm.

Algorithms beginning with "EC_SIGN_" are usable with CryptoKey.purpose ASYMMETRIC_SIGN.

The fields in the name after "EC_SIGN_" correspond to the following parameters: elliptic curve, digest algorithm.

For more information, see [Key purposes and algorithms](https://cloud.google.com/kms/docs/algorithms).

Properties

Name Type Optional Description

CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED

 

 

Not specified.

GOOGLE_SYMMETRIC_ENCRYPTION

 

 

Creates symmetric encryption keys.

RSA_SIGN_PSS_2048_SHA256

 

 

RSASSA-PSS 2048 bit key with a SHA256 digest.

RSA_SIGN_PSS_3072_SHA256

 

 

RSASSA-PSS 3072 bit key with a SHA256 digest.

RSA_SIGN_PSS_4096_SHA256

 

 

RSASSA-PSS 4096 bit key with a SHA256 digest.

RSA_SIGN_PSS_4096_SHA512

 

 

RSASSA-PSS 4096 bit key with a SHA512 digest.

RSA_SIGN_PKCS1_2048_SHA256

 

 

RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.

RSA_SIGN_PKCS1_3072_SHA256

 

 

RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.

RSA_SIGN_PKCS1_4096_SHA256

 

 

RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.

RSA_SIGN_PKCS1_4096_SHA512

 

 

RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.

RSA_DECRYPT_OAEP_2048_SHA256

 

 

RSAES-OAEP 2048 bit key with a SHA256 digest.

RSA_DECRYPT_OAEP_3072_SHA256

 

 

RSAES-OAEP 3072 bit key with a SHA256 digest.

RSA_DECRYPT_OAEP_4096_SHA256

 

 

RSAES-OAEP 4096 bit key with a SHA256 digest.

RSA_DECRYPT_OAEP_4096_SHA512

 

 

RSAES-OAEP 4096 bit key with a SHA512 digest.

EC_SIGN_P256_SHA256

 

 

ECDSA on the NIST P-256 curve with a SHA256 digest.

EC_SIGN_P384_SHA384

 

 

ECDSA on the NIST P-384 curve with a SHA384 digest.

static

CryptoKeyVersionState  number

The state of a CryptoKeyVersion, indicating if it can be used.

Properties

Name Type Optional Description

CRYPTO_KEY_VERSION_STATE_UNSPECIFIED

 

 

Not specified.

PENDING_GENERATION

 

 

This version is still being generated. It may not be used, enabled, disabled, or destroyed yet. Cloud KMS will automatically mark this version ENABLED as soon as the version is ready.

ENABLED

 

 

This version may be used for cryptographic operations.

DISABLED

 

 

This version may not be used, but the key material is still available, and the version can be placed back into the ENABLED state.

DESTROYED

 

 

This version is destroyed, and the key material is no longer stored. A version may not leave this state once entered.

DESTROY_SCHEDULED

 

 

This version is scheduled for destruction, and will be destroyed soon. Call RestoreCryptoKeyVersion to put it back into the DISABLED state.

PENDING_IMPORT

 

 

This version is still being imported. It may not be used, enabled, disabled, or destroyed yet. Cloud KMS will automatically mark this version ENABLED as soon as the version is ready.

IMPORT_FAILED

 

 

This version was not imported successfully. It may not be used, enabled, disabled, or destroyed. The submitted key material has been discarded. Additional details can be found in CryptoKeyVersion.import_failure_reason.

static

CryptoKeyVersionView  number

A view for CryptoKeyVersions. Controls the level of detail returned for CryptoKeyVersions in KeyManagementService.ListCryptoKeyVersions and KeyManagementService.ListCryptoKeys.

Properties

Name Type Optional Description

CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED

 

 

Default view for each CryptoKeyVersion. Does not include the attestation field.

FULL

 

 

Provides all fields in each CryptoKeyVersion, including the attestation.

static

ImportJobState  number

The state of the ImportJob, indicating if it can be used.

Properties

Name Type Optional Description

IMPORT_JOB_STATE_UNSPECIFIED

 

 

Not specified.

PENDING_GENERATION

 

 

The wrapping key for this job is still being generated. It may not be used. Cloud KMS will automatically mark this job as ACTIVE as soon as the wrapping key is generated.

ACTIVE

 

 

This job may be used in CreateCryptoKey and CreateCryptoKeyVersion requests.

EXPIRED

 

 

This job can no longer be used and may not leave this state once entered.

static

ImportMethod  number

ImportMethod describes the key wrapping method chosen for this ImportJob.

Properties

Name Type Optional Description

IMPORT_METHOD_UNSPECIFIED

 

 

Not specified.

RSA_OAEP_3072_SHA1_AES_256

 

 

This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping scheme defined in the PKCS #11 standard. In summary, this involves wrapping the raw key with an ephemeral AES key, and wrapping the ephemeral AES key with a 3072 bit RSA key. For more details, see RSA AES key wrap mechanism.

RSA_OAEP_4096_SHA1_AES_256

 

 

This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping scheme defined in the PKCS #11 standard. In summary, this involves wrapping the raw key with an ephemeral AES key, and wrapping the ephemeral AES key with a 4096 bit RSA key. For more details, see RSA AES key wrap mechanism.

constant static

ProtectionLevel  number

ProtectionLevel specifies how cryptographic operations are performed. For more information, see [Protection levels](https://cloud.google.com/kms/docs/algorithms#protection_levels).

Properties

Name Type Optional Description

PROTECTION_LEVEL_UNSPECIFIED

 

 

Not specified.

SOFTWARE

 

 

Crypto operations are performed in software.

HSM

 

 

Crypto operations are performed in a Hardware Security Module.

Abstract types

static

AsymmetricDecryptRequest

Request message for KeyManagementService.AsymmetricDecrypt.

Properties

Name Type Optional Description

name

string

 

Required. The resource name of the CryptoKeyVersion to use for decryption.

ciphertext

Buffer

 

Required. The data encrypted with the named CryptoKeyVersion's public key using OAEP.

See also

google.cloud.kms.v1.AsymmetricDecryptRequest definition in proto format

static

AsymmetricDecryptResponse

Response message for KeyManagementService.AsymmetricDecrypt.

Property

Name Type Optional Description

plaintext

Buffer

 

The decrypted data originally encrypted with the matching public key.

See also

google.cloud.kms.v1.AsymmetricDecryptResponse definition in proto format

static

AsymmetricSignRequest

Request message for KeyManagementService.AsymmetricSign.

Properties

Name Type Optional Description

name

string

 

Required. The resource name of the CryptoKeyVersion to use for signing.

digest

Object

 

Required. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version's algorithm.

This object should have the same structure as Digest

See also

google.cloud.kms.v1.AsymmetricSignRequest definition in proto format

static

AsymmetricSignResponse

Response message for KeyManagementService.AsymmetricSign.

Property

Name Type Optional Description

signature

Buffer

 

The created signature.

See also

google.cloud.kms.v1.AsymmetricSignResponse definition in proto format

static

CreateCryptoKeyRequest

Request message for KeyManagementService.CreateCryptoKey.

Properties

Name Type Optional Description

parent

string

 

Required. The name of the KeyRing associated with the CryptoKeys.

cryptoKeyId

string

 

Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

cryptoKey

Object

 

A CryptoKey with initial field values.

This object should have the same structure as CryptoKey

skipInitialVersionCreation

boolean

 

If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.

See also

google.cloud.kms.v1.CreateCryptoKeyRequest definition in proto format

static

CreateCryptoKeyVersionRequest

Request message for KeyManagementService.CreateCryptoKeyVersion.

Properties

Name Type Optional Description

parent

string

 

Required. The name of the CryptoKey associated with the CryptoKeyVersions.

cryptoKeyVersion

Object

 

A CryptoKeyVersion with initial field values.

This object should have the same structure as CryptoKeyVersion

See also

google.cloud.kms.v1.CreateCryptoKeyVersionRequest definition in proto format

static

CreateImportJobRequest

Request message for KeyManagementService.CreateImportJob.

Properties

Name Type Optional Description

parent

string

 

Required. The name of the KeyRing associated with the ImportJobs.

importJobId

string

 

Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

importJob

Object

 

Required. An ImportJob with initial field values.

This object should have the same structure as ImportJob

See also

google.cloud.kms.v1.CreateImportJobRequest definition in proto format

static

CreateKeyRingRequest

Request message for KeyManagementService.CreateKeyRing.

Properties

Name Type Optional Description

parent

string

 

Required. The resource name of the location associated with the KeyRings, in the format projects/*/locations/*.

keyRingId

string

 

Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}

keyRing

Object

 

A KeyRing with initial field values.

This object should have the same structure as KeyRing

See also

google.cloud.kms.v1.CreateKeyRingRequest definition in proto format

static

CryptoKey

A CryptoKey represents a logical key that can be used for cryptographic operations.

A CryptoKey is made up of one or more versions, which represent the actual key material used in cryptographic operations.

Properties

Name Type Optional Description

name

string

 

Output only. The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.

primary

Object

 

Output only. A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name.

The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion.

All keys with purpose ENCRYPT_DECRYPT have a primary. For other keys, this field will be omitted.

This object should have the same structure as CryptoKeyVersion

purpose

number

 

The immutable purpose of this CryptoKey.

The number should be among the values of CryptoKeyPurpose

createTime

Object

 

Output only. The time at which this CryptoKey was created.

This object should have the same structure as Timestamp

nextRotationTime

Object

 

At next_rotation_time, the Key Management Service will automatically:

  1. Create a new version of this CryptoKey.
  2. Mark the new version as primary.

Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time.

Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.

This object should have the same structure as Timestamp

rotationPeriod

Object

 

next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least one day.

If rotation_period is set, next_rotation_time must also be set.

Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.

This object should have the same structure as Duration

versionTemplate

Object

 

A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.

This object should have the same structure as CryptoKeyVersionTemplate

labels

Object with string properties

 

Labels with user-defined metadata. For more information, see Labeling Keys.

See also

google.cloud.kms.v1.CryptoKey definition in proto format

static

CryptoKeyVersion

A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.

An ENABLED version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

Properties

Name Type Optional Description

name

string

 

Output only. The resource name for this CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

state

number

 

The current state of the CryptoKeyVersion.

The number should be among the values of CryptoKeyVersionState

protectionLevel

number

 

Output only. The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.

The number should be among the values of ProtectionLevel

algorithm

number

 

Output only. The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.

The number should be among the values of CryptoKeyVersionAlgorithm

attestation

Object

 

Output only. Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.

This object should have the same structure as KeyOperationAttestation

createTime

Object

 

Output only. The time at which this CryptoKeyVersion was created.

This object should have the same structure as Timestamp

generateTime

Object

 

Output only. The time this CryptoKeyVersion's key material was generated.

This object should have the same structure as Timestamp

destroyTime

Object

 

Output only. The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.

This object should have the same structure as Timestamp

destroyEventTime

Object

 

Output only. The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.

This object should have the same structure as Timestamp

importJob

string

 

Output only. The name of the ImportJob used to import this CryptoKeyVersion. Only present if the underlying key material was imported.

importTime

Object

 

Output only. The time at which this CryptoKeyVersion's key material was imported.

This object should have the same structure as Timestamp

importFailureReason

string

 

Output only. The root cause of an import failure. Only present if state is IMPORT_FAILED.

See also

google.cloud.kms.v1.CryptoKeyVersion definition in proto format

static

CryptoKeyVersionTemplate

A CryptoKeyVersionTemplate specifies the properties to use when creating a new CryptoKeyVersion, either manually with CreateCryptoKeyVersion or automatically as a result of auto-rotation.

Properties

Name Type Optional Description

protectionLevel

number

 

ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.

The number should be among the values of ProtectionLevel

algorithm

number

 

Required. Algorithm to use when creating a CryptoKeyVersion based on this template.

For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.

The number should be among the values of CryptoKeyVersionAlgorithm

See also

google.cloud.kms.v1.CryptoKeyVersionTemplate definition in proto format

static

DecryptRequest

Request message for KeyManagementService.Decrypt.

Properties

Name Type Optional Description

name

string

 

Required. The resource name of the CryptoKey to use for decryption. The server will choose the appropriate version.

ciphertext

Buffer

 

Required. The encrypted data originally returned in EncryptResponse.ciphertext.

additionalAuthenticatedData

Buffer

 

Optional data that must match the data originally supplied in EncryptRequest.additional_authenticated_data.

See also

google.cloud.kms.v1.DecryptRequest definition in proto format

static

DecryptResponse

Response message for KeyManagementService.Decrypt.

Property

Name Type Optional Description

plaintext

Buffer

 

The decrypted data originally supplied in EncryptRequest.plaintext.

See also

google.cloud.kms.v1.DecryptResponse definition in proto format

static

DestroyCryptoKeyVersionRequest

Request message for KeyManagementService.DestroyCryptoKeyVersion.

Property

Name Type Optional Description

name

string

 

The resource name of the CryptoKeyVersion to destroy.

See also

google.cloud.kms.v1.DestroyCryptoKeyVersionRequest definition in proto format

static

Digest

A Digest holds a cryptographic message digest.

Properties

Name Type Optional Description

sha256

Buffer

 

A message digest produced with the SHA-256 algorithm.

sha384

Buffer

 

A message digest produced with the SHA-384 algorithm.

sha512

Buffer

 

A message digest produced with the SHA-512 algorithm.

See also

google.cloud.kms.v1.Digest definition in proto format

static

EncryptRequest

Request message for KeyManagementService.Encrypt.

Properties

Name Type Optional Description

name

string

 

Required. The resource name of the CryptoKey or CryptoKeyVersion to use for encryption.

If a CryptoKey is specified, the server will use its primary version.

plaintext

Buffer

 

Required. The data to encrypt. Must be no larger than 64KiB.

The maximum size depends on the key version's protection_level. For SOFTWARE keys, the plaintext must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.

additionalAuthenticatedData

Buffer

 

Optional data that, if specified, must also be provided during decryption through DecryptRequest.additional_authenticated_data.

The maximum size depends on the key version's protection_level. For SOFTWARE keys, the AAD must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.

See also

google.cloud.kms.v1.EncryptRequest definition in proto format

static

EncryptResponse

Response message for KeyManagementService.Encrypt.

Properties

Name Type Optional Description

name

string

 

The resource name of the CryptoKeyVersion used in encryption.

ciphertext

Buffer

 

The encrypted data.

See also

google.cloud.kms.v1.EncryptResponse definition in proto format

static

GetCryptoKeyRequest

Request message for KeyManagementService.GetCryptoKey.

Property

Name Type Optional Description

name

string

 

The name of the CryptoKey to get.

See also

google.cloud.kms.v1.GetCryptoKeyRequest definition in proto format

static

GetCryptoKeyVersionRequest

Request message for KeyManagementService.GetCryptoKeyVersion.

Property

Name Type Optional Description

name

string

 

The name of the CryptoKeyVersion to get.

See also

google.cloud.kms.v1.GetCryptoKeyVersionRequest definition in proto format

static

GetImportJobRequest

Request message for KeyManagementService.GetImportJob.

Property

Name Type Optional Description

name

string

 

The name of the ImportJob to get.

See also

google.cloud.kms.v1.GetImportJobRequest definition in proto format

static

GetKeyRingRequest

Request message for KeyManagementService.GetKeyRing.

Property

Name Type Optional Description

name

string

 

The name of the KeyRing to get.

See also

google.cloud.kms.v1.GetKeyRingRequest definition in proto format

static

GetPublicKeyRequest

Request message for KeyManagementService.GetPublicKey.

Property

Name Type Optional Description

name

string

 

The name of the CryptoKeyVersion public key to get.

See also

google.cloud.kms.v1.GetPublicKeyRequest definition in proto format

static

ImportCryptoKeyVersionRequest

Request message for KeyManagementService.ImportCryptoKeyVersion.

Properties

Name Type Optional Description

parent

string

 

Required. The name of the CryptoKey to be imported into.

algorithm

number

 

Required. The algorithm of the key being imported. This does not need to match the version_template of the CryptoKey this version imports into.

The number should be among the values of CryptoKeyVersionAlgorithm

importJob

string

 

Required. The name of the ImportJob that was used to wrap this key material.

rsaAesWrappedKey

Buffer

 

Wrapped key material produced with RSA_OAEP_3072_SHA1_AES_256 or RSA_OAEP_4096_SHA1_AES_256.

This field contains the concatenation of two wrapped keys:

  1. An ephemeral AES-256 wrapping key wrapped with the public_key using RSAES-OAEP with SHA-1, MGF1 with SHA-1, and an empty label.
  2. The key to be imported, wrapped with the ephemeral AES-256 key using AES-KWP (RFC 5649).

This format is the same as the format produced by PKCS#11 mechanism CKM_RSA_AES_KEY_WRAP.

See also

google.cloud.kms.v1.ImportCryptoKeyVersionRequest definition in proto format

static

ImportJob

An ImportJob can be used to create CryptoKeys and CryptoKeyVersions using pre-existing key material, generated outside of Cloud KMS.

When an ImportJob is created, Cloud KMS will generate a "wrapping key", which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of import_method. When the wrapping key generation is complete, the state will be set to ACTIVE and the public_key can be fetched. The fetched public key can then be used to wrap your pre-existing key material.

Once the key material is wrapped, it can be imported into a new CryptoKeyVersion in an existing CryptoKey by calling ImportCryptoKeyVersion. Multiple CryptoKeyVersions can be imported with a single ImportJob. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key.

An ImportJob expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the ImportJob's public key.

For more information, see Importing a key.

Properties

Name Type Optional Description

name

string

 

Output only. The resource name for this ImportJob in the format projects/*/locations/*/keyRings/*/importJobs/*.

importMethod

number

 

Required and immutable. The wrapping method to be used for incoming key material.

The number should be among the values of ImportMethod

protectionLevel

number

 

Required and immutable. The protection level of the ImportJob. This must match the protection_level of the version_template on the CryptoKey you attempt to import into.

The number should be among the values of ProtectionLevel

createTime

Object

 

Output only. The time at which this ImportJob was created.

This object should have the same structure as Timestamp

generateTime

Object

 

Output only. The time this ImportJob's key material was generated.

This object should have the same structure as Timestamp

expireTime

Object

 

Output only. The time at which this ImportJob is scheduled for expiration and can no longer be used to import key material.

This object should have the same structure as Timestamp

expireEventTime

Object

 

Output only. The time this ImportJob expired. Only present if state is EXPIRED.

This object should have the same structure as Timestamp

state

number

 

Output only. The current state of the ImportJob, indicating if it can be used.

The number should be among the values of ImportJobState

publicKey

Object

 

Output only. The public key with which to wrap key material prior to import. Only returned if state is ACTIVE.

This object should have the same structure as WrappingPublicKey

attestation

Object

 

Output only. Statement that was generated and signed by the key creator (for example, an HSM) at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only present if the chosen ImportMethod is one with a protection level of HSM.

This object should have the same structure as KeyOperationAttestation

See also

google.cloud.kms.v1.ImportJob definition in proto format

static

KeyOperationAttestation

Contains an HSM-generated attestation about a key operation. For more information, see [Verifying attestations](https://cloud.google.com/kms/docs/attest-key).

Properties

Name Type Optional Description

format

number

 

Output only. The format of the attestation data.

The number should be among the values of AttestationFormat

content

Buffer

 

Output only. The attestation data provided by the HSM when the key operation was performed.

See also

google.cloud.kms.v1.KeyOperationAttestation definition in proto format

static

KeyRing

A KeyRing is a top-level logical grouping of CryptoKeys.

Properties

Name Type Optional Description

name

string

 

Output only. The resource name for the KeyRing in the format projects/*/locations/*/keyRings/*.

createTime

Object

 

Output only. The time at which this KeyRing was created.

This object should have the same structure as Timestamp

See also

google.cloud.kms.v1.KeyRing definition in proto format

static

ListCryptoKeysRequest

Request message for KeyManagementService.ListCryptoKeys.

Properties

Name Type Optional Description

parent

string

 

Required. The resource name of the KeyRing to list, in the format projects/*/locations/*/keyRings/*.

pageSize

number

 

Optional limit on the number of CryptoKeys to include in the response. Further CryptoKeys can subsequently be obtained by including the ListCryptoKeysResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

pageToken

string

 

Optional pagination token, returned earlier via ListCryptoKeysResponse.next_page_token.

versionView

number

 

The fields of the primary version to include in the response.

The number should be among the values of CryptoKeyVersionView

filter

string

 

Optional. Only include resources that match the filter in the response.

orderBy

string

 

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order.

See also

google.cloud.kms.v1.ListCryptoKeysRequest definition in proto format

static

ListCryptoKeysResponse

Response message for KeyManagementService.ListCryptoKeys.

Properties

Name Type Optional Description

cryptoKeys

Array of Object

 

The list of CryptoKeys.

This object should have the same structure as CryptoKey

nextPageToken

string

 

A token to retrieve the next page of results. Pass this value in ListCryptoKeysRequest.page_token to retrieve the next page of results.

totalSize

number

 

The total number of CryptoKeys that matched the query.

See also

google.cloud.kms.v1.ListCryptoKeysResponse definition in proto format

static

ListCryptoKeyVersionsRequest

Request message for KeyManagementService.ListCryptoKeyVersions.

Properties

Name Type Optional Description

parent

string

 

Required. The resource name of the CryptoKey to list, in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.

pageSize

number

 

Optional limit on the number of CryptoKeyVersions to include in the response. Further CryptoKeyVersions can subsequently be obtained by including the ListCryptoKeyVersionsResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

pageToken

string

 

Optional pagination token, returned earlier via ListCryptoKeyVersionsResponse.next_page_token.

view

number

 

The fields to include in the response.

The number should be among the values of CryptoKeyVersionView

filter

string

 

Optional. Only include resources that match the filter in the response.

orderBy

string

 

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order.

See also

google.cloud.kms.v1.ListCryptoKeyVersionsRequest definition in proto format

static

ListCryptoKeyVersionsResponse

Response message for KeyManagementService.ListCryptoKeyVersions.

Properties

Name Type Optional Description

cryptoKeyVersions

Array of Object

 

The list of CryptoKeyVersions.

This object should have the same structure as CryptoKeyVersion

nextPageToken

string

 

A token to retrieve the next page of results. Pass this value in ListCryptoKeyVersionsRequest.page_token to retrieve the next page of results.

totalSize

number

 

The total number of CryptoKeyVersions that matched the query.

See also

google.cloud.kms.v1.ListCryptoKeyVersionsResponse definition in proto format

static

ListImportJobsRequest

Request message for KeyManagementService.ListImportJobs.

Properties

Name Type Optional Description

parent

string

 

Required. The resource name of the KeyRing to list, in the format projects/*/locations/*/keyRings/*.

pageSize

number

 

Optional limit on the number of ImportJobs to include in the response. Further ImportJobs can subsequently be obtained by including the ListImportJobsResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

pageToken

string

 

Optional pagination token, returned earlier via ListImportJobsResponse.next_page_token.

filter

string

 

Optional. Only include resources that match the filter in the response.

orderBy

string

 

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order.

See also

google.cloud.kms.v1.ListImportJobsRequest definition in proto format

static

ListImportJobsResponse

Response message for KeyManagementService.ListImportJobs.

Properties

Name Type Optional Description

importJobs

Array of Object

 

The list of ImportJobs.

This object should have the same structure as ImportJob

nextPageToken

string

 

A token to retrieve the next page of results. Pass this value in ListImportJobsRequest.page_token to retrieve the next page of results.

totalSize

number

 

The total number of ImportJobs that matched the query.

See also

google.cloud.kms.v1.ListImportJobsResponse definition in proto format

static

ListKeyRingsRequest

Request message for KeyManagementService.ListKeyRings.

Properties

Name Type Optional Description

parent

string

 

Required. The resource name of the location associated with the KeyRings, in the format projects/*/locations/*.

pageSize

number

 

Optional limit on the number of KeyRings to include in the response. Further KeyRings can subsequently be obtained by including the ListKeyRingsResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

pageToken

string

 

Optional pagination token, returned earlier via ListKeyRingsResponse.next_page_token.

filter

string

 

Optional. Only include resources that match the filter in the response.

orderBy

string

 

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order.

See also

google.cloud.kms.v1.ListKeyRingsRequest definition in proto format

static

ListKeyRingsResponse

Response message for KeyManagementService.ListKeyRings.

Properties

Name Type Optional Description

keyRings

Array of Object

 

The list of KeyRings.

This object should have the same structure as KeyRing

nextPageToken

string

 

A token to retrieve the next page of results. Pass this value in ListKeyRingsRequest.page_token to retrieve the next page of results.

totalSize

number

 

The total number of KeyRings that matched the query.

See also

google.cloud.kms.v1.ListKeyRingsResponse definition in proto format

static

LocationMetadata

Cloud KMS metadata for the given google.cloud.location.Location.

Property

Name Type Optional Description

hsmAvailable

boolean

 

Indicates whether CryptoKeys with protection_level HSM can be created in this location.

See also

google.cloud.kms.v1.LocationMetadata definition in proto format

static

PublicKey

The public key for a given CryptoKeyVersion. Obtained via GetPublicKey.

Properties

Name Type Optional Description

pem

string

 

The public key, encoded in PEM format. For more information, see the RFC 7468 sections for General Considerations and Textual Encoding of Subject Public Key Info (https://tools.ietf.org/html/rfc7468#section-13).

algorithm

number

 

The Algorithm associated with this key.

The number should be among the values of CryptoKeyVersionAlgorithm

See also

google.cloud.kms.v1.PublicKey definition in proto format

static

RestoreCryptoKeyVersionRequest

Request message for KeyManagementService.RestoreCryptoKeyVersion.

Property

Name Type Optional Description

name

string

 

The resource name of the CryptoKeyVersion to restore.

See also

google.cloud.kms.v1.RestoreCryptoKeyVersionRequest definition in proto format

static

UpdateCryptoKeyPrimaryVersionRequest

Request message for KeyManagementService.UpdateCryptoKeyPrimaryVersion.

Properties

Name Type Optional Description

name

string

 

The resource name of the CryptoKey to update.

cryptoKeyVersionId

string

 

The id of the child CryptoKeyVersion to use as primary.

See also

google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest definition in proto format

static

UpdateCryptoKeyRequest

Request message for KeyManagementService.UpdateCryptoKey.

Properties

Name Type Optional Description

cryptoKey

Object

 

CryptoKey with updated values.

This object should have the same structure as CryptoKey

updateMask

Object

 

Required list of fields to be updated in this request.

This object should have the same structure as FieldMask

See also

google.cloud.kms.v1.UpdateCryptoKeyRequest definition in proto format

static

UpdateCryptoKeyVersionRequest

Request message for KeyManagementService.UpdateCryptoKeyVersion.

Properties

Name Type Optional Description

cryptoKeyVersion

Object

 

CryptoKeyVersion with updated values.

This object should have the same structure as CryptoKeyVersion

updateMask

Object

 

Required list of fields to be updated in this request.

This object should have the same structure as FieldMask

See also

google.cloud.kms.v1.UpdateCryptoKeyVersionRequest definition in proto format

static

WrappingPublicKey

The public key component of the wrapping key. For details of the type of key this public key corresponds to, see the ImportMethod.

Property

Name Type Optional Description

pem

string

 

The public key, encoded in PEM format. For more information, see the RFC 7468 sections for General Considerations and Textual Encoding of Subject Public Key Info (https://tools.ietf.org/html/rfc7468#section-13).

See also

google.cloud.kms.v1.ImportJob.WrappingPublicKey definition in proto format