v1

Not specified.

Cavium HSM attestation compressed with gzip. Note that this format is defined by Cavium and subject to change at any time.

Cavium HSM attestation V2 compressed with gzip. This is a new format introduced in Cavium's version 3.2-08.

Not specified.

CryptoKeys with this purpose may be used with Encrypt and Decrypt.

CryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.

CryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.

Not specified.

Creates symmetric encryption keys.

RSASSA-PSS 2048 bit key with a SHA256 digest.

RSASSA-PSS 3072 bit key with a SHA256 digest.

RSASSA-PSS 4096 bit key with a SHA256 digest.

RSASSA-PSS 4096 bit key with a SHA512 digest.

RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.

RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.

RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.

RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.

RSAES-OAEP 2048 bit key with a SHA256 digest.

RSAES-OAEP 3072 bit key with a SHA256 digest.

RSAES-OAEP 4096 bit key with a SHA256 digest.

RSAES-OAEP 4096 bit key with a SHA512 digest.

ECDSA on the NIST P-256 curve with a SHA256 digest.

ECDSA on the NIST P-384 curve with a SHA384 digest.

Not specified.

This version is still being generated. It may not be used, enabled, disabled, or destroyed yet. Cloud KMS will automatically mark this version ENABLED as soon as the version is ready.

This version may be used for cryptographic operations.

This version may not be used, but the key material is still available, and the version can be placed back into the ENABLED state.

This version is destroyed, and the key material is no longer stored. A version may not leave this state once entered.

This version is scheduled for destruction, and will be destroyed soon. Call RestoreCryptoKeyVersion to put it back into the DISABLED state.

This version is still being imported. It may not be used, enabled, disabled, or destroyed yet. Cloud KMS will automatically mark this version ENABLED as soon as the version is ready.

This version was not imported successfully. It may not be used, enabled, disabled, or destroyed. The submitted key material has been discarded. Additional details can be found in CryptoKeyVersion.import_failure_reason.

Default view for each CryptoKeyVersion. Does not include the attestation field.

Provides all fields in each CryptoKeyVersion, including the attestation.

Not specified.

The wrapping key for this job is still being generated. It may not be used. Cloud KMS will automatically mark this job as ACTIVE as soon as the wrapping key is generated.

This job may be used in CreateCryptoKey and CreateCryptoKeyVersion requests.

This job can no longer be used and may not leave this state once entered.

Not specified.

This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping scheme defined in the PKCS #11 standard. In summary, this involves wrapping the raw key with an ephemeral AES key, and wrapping the ephemeral AES key with a 3072 bit RSA key. For more details, see RSA AES key wrap mechanism.

This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping scheme defined in the PKCS #11 standard. In summary, this involves wrapping the raw key with an ephemeral AES key, and wrapping the ephemeral AES key with a 4096 bit RSA key. For more details, see RSA AES key wrap mechanism.

Not specified.

Crypto operations are performed in software.

Crypto operations are performed in a Hardware Security Module.

Crypto operations are performed by an external key manager.

Required. The resource name of the CryptoKeyVersion to use for decryption.

Required. The data encrypted with the named CryptoKeyVersion's public key using OAEP.

The decrypted data originally encrypted with the matching public key.

Required. The resource name of the CryptoKeyVersion to use for signing.

Required. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version's algorithm.

This object should have the same structure as Digest

The created signature.

Required. The name of the KeyRing associated with the CryptoKeys.

Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

Required. A CryptoKey with initial field values.

This object should have the same structure as CryptoKey

If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.

Required. The name of the CryptoKey associated with the CryptoKeyVersions.

Required. A CryptoKeyVersion with initial field values.

This object should have the same structure as CryptoKeyVersion

Required. The name of the KeyRing associated with the ImportJobs.

Required. It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

Required. An ImportJob with initial field values.

This object should have the same structure as ImportJob

Required. The resource name of the location associated with the KeyRings, in the format projects/* /locations/*.

Required. It must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}

Required. A KeyRing with initial field values.

This object should have the same structure as KeyRing

Output only. The resource name for this CryptoKey in the format projects/* /locations/* /keyRings/* /cryptoKeys/*.

Output only. A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name.

The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion.

Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.

This object should have the same structure as CryptoKeyVersion

Immutable. The immutable purpose of this CryptoKey.

The number should be among the values of CryptoKeyPurpose

Output only. The time at which this CryptoKey was created.

This object should have the same structure as Timestamp

At next_rotation_time, the Key Management Service will automatically:

1. Create a new version of this CryptoKey.
2. Mark the new version as primary.

Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time.

Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.

This object should have the same structure as Timestamp

next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours.

If rotation_period is set, next_rotation_time must also be set.

Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.

This object should have the same structure as Duration

A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.

This object should have the same structure as CryptoKeyVersionTemplate

Labels with user-defined metadata. For more information, see Labeling Keys.

Output only. The resource name for this CryptoKeyVersion in the format projects/* /locations/* /keyRings/* /cryptoKeys/* /cryptoKeyVersions/*.

The current state of the CryptoKeyVersion.

The number should be among the values of CryptoKeyVersionState

Output only. The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.

The number should be among the values of ProtectionLevel

Output only. The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.

The number should be among the values of CryptoKeyVersionAlgorithm

Output only. Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.

This object should have the same structure as KeyOperationAttestation

Output only. The time at which this CryptoKeyVersion was created.

This object should have the same structure as Timestamp

Output only. The time this CryptoKeyVersion's key material was generated.

This object should have the same structure as Timestamp

Output only. The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.

This object should have the same structure as Timestamp

Output only. The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.

This object should have the same structure as Timestamp

Output only. The name of the ImportJob used to import this CryptoKeyVersion. Only present if the underlying key material was imported.

Output only. The time at which this CryptoKeyVersion's key material was imported.

This object should have the same structure as Timestamp

Output only. The root cause of an import failure. Only present if state is IMPORT_FAILED.

ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.

The number should be among the values of ProtectionLevel

Required. Algorithm to use when creating a CryptoKeyVersion based on this template.

For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.

The number should be among the values of CryptoKeyVersionAlgorithm

Required. The resource name of the CryptoKey to use for decryption. The server will choose the appropriate version.

Required. The encrypted data originally returned in EncryptResponse.ciphertext.

Optional. Optional data that must match the data originally supplied in EncryptRequest.additional_authenticated_data.

The decrypted data originally supplied in EncryptRequest.plaintext.

Required. The resource name of the CryptoKeyVersion to destroy.

A message digest produced with the SHA-256 algorithm.

A message digest produced with the SHA-384 algorithm.

A message digest produced with the SHA-512 algorithm.

Required. The resource name of the CryptoKey or CryptoKeyVersion to use for encryption.

If a CryptoKey is specified, the server will use its primary version.

Required. The data to encrypt. Must be no larger than 64KiB.

The maximum size depends on the key version's protection_level. For SOFTWARE keys, the plaintext must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.

Optional. Optional data that, if specified, must also be provided during decryption through DecryptRequest.additional_authenticated_data.

The maximum size depends on the key version's protection_level. For SOFTWARE keys, the AAD must be no larger than 64KiB. For HSM keys, the combined length of the plaintext and additional_authenticated_data fields must be no larger than 8KiB.

The resource name of the CryptoKeyVersion used in encryption. Check this field to verify that the intended resource was used for encryption.

The encrypted data.

Required. The name of the CryptoKey to get.

Required. The name of the CryptoKeyVersion to get.

Required. The name of the ImportJob to get.

Required. The name of the KeyRing to get.

Required. The name of the CryptoKeyVersion public key to get.

Required. The name of the CryptoKey to be imported into.

Required. The algorithm of the key being imported. This does not need to match the version_template of the CryptoKey this version imports into.

The number should be among the values of CryptoKeyVersionAlgorithm

Required. The name of the ImportJob that was used to wrap this key material.

Wrapped key material produced with RSA_OAEP_3072_SHA1_AES_256 or RSA_OAEP_4096_SHA1_AES_256.

This field contains the concatenation of two wrapped keys:

1. An ephemeral AES-256 wrapping key wrapped with the public_key using RSAES-OAEP with SHA-1, MGF1 with SHA-1, and an empty label.
2. The key to be imported, wrapped with the ephemeral AES-256 key using AES-KWP (RFC 5649).

If importing symmetric key material, it is expected that the unwrapped key contains plain bytes. If importing asymmetric key material, it is expected that the unwrapped key is in PKCS#8-encoded DER format (the PrivateKeyInfo structure from RFC 5208).

This format is the same as the format produced by PKCS#11 mechanism CKM_RSA_AES_KEY_WRAP.

Output only. The resource name for this ImportJob in the format projects/* /locations/* /keyRings/* /importJobs/*.

Required. Immutable. The wrapping method to be used for incoming key material.

The number should be among the values of ImportMethod

Required. Immutable. The protection level of the ImportJob. This must match the protection_level of the version_template on the CryptoKey you attempt to import into.

The number should be among the values of ProtectionLevel

Output only. The time at which this ImportJob was created.

This object should have the same structure as Timestamp

Output only. The time this ImportJob's key material was generated.

This object should have the same structure as Timestamp

Output only. The time at which this ImportJob is scheduled for expiration and can no longer be used to import key material.

This object should have the same structure as Timestamp

Output only. The time this ImportJob expired. Only present if state is EXPIRED.

This object should have the same structure as Timestamp

Output only. The current state of the ImportJob, indicating if it can be used.

The number should be among the values of ImportJobState

Output only. The public key with which to wrap key material prior to import. Only returned if state is ACTIVE.

This object should have the same structure as WrappingPublicKey

Output only. Statement that was generated and signed by the key creator (for example, an HSM) at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only present if the chosen ImportMethod is one with a protection level of HSM.

This object should have the same structure as KeyOperationAttestation

Output only. The format of the attestation data.

The number should be among the values of AttestationFormat

Output only. The attestation data provided by the HSM when the key operation was performed.

Output only. The resource name for the KeyRing in the format projects/* /locations/* /keyRings/*.

Output only. The time at which this KeyRing was created.

This object should have the same structure as Timestamp

Required. The resource name of the KeyRing to list, in the format projects/* /locations/* /keyRings/*.

Optional. Optional limit on the number of CryptoKeys to include in the response. Further CryptoKeys can subsequently be obtained by including the ListCryptoKeysResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

Optional. Optional pagination token, returned earlier via ListCryptoKeysResponse.next_page_token.

The fields of the primary version to include in the response.

The number should be among the values of CryptoKeyVersionView

Optional. Only include resources that match the filter in the response. For more information, see Sorting and filtering list results.

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, see Sorting and filtering list results.

The list of CryptoKeys.

This object should have the same structure as CryptoKey

A token to retrieve next page of results. Pass this value in ListCryptoKeysRequest.page_token to retrieve the next page of results.

The total number of CryptoKeys that matched the query.

Required. The resource name of the CryptoKey to list, in the format projects/* /locations/* /keyRings/* /cryptoKeys/*.

Optional. Optional limit on the number of CryptoKeyVersions to include in the response. Further CryptoKeyVersions can subsequently be obtained by including the ListCryptoKeyVersionsResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

Optional. Optional pagination token, returned earlier via ListCryptoKeyVersionsResponse.next_page_token.

The fields to include in the response.

The number should be among the values of CryptoKeyVersionView

Optional. Only include resources that match the filter in the response. For more information, see Sorting and filtering list results.

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, see Sorting and filtering list results.

The list of CryptoKeyVersions.

This object should have the same structure as CryptoKeyVersion

A token to retrieve next page of results. Pass this value in ListCryptoKeyVersionsRequest.page_token to retrieve the next page of results.

The total number of CryptoKeyVersions that matched the query.

Required. The resource name of the KeyRing to list, in the format projects/* /locations/* /keyRings/*.

Optional. Optional limit on the number of ImportJobs to include in the response. Further ImportJobs can subsequently be obtained by including the ListImportJobsResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

Optional. Optional pagination token, returned earlier via ListImportJobsResponse.next_page_token.

Optional. Only include resources that match the filter in the response. For more information, see Sorting and filtering list results.

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, see Sorting and filtering list results.

The list of ImportJobs.

This object should have the same structure as ImportJob

A token to retrieve next page of results. Pass this value in ListImportJobsRequest.page_token to retrieve the next page of results.

The total number of ImportJobs that matched the query.

Required. The resource name of the location associated with the KeyRings, in the format projects/* /locations/*.

Optional. Optional limit on the number of KeyRings to include in the response. Further KeyRings can subsequently be obtained by including the ListKeyRingsResponse.next_page_token in a subsequent request. If unspecified, the server will pick an appropriate default.

Optional. Optional pagination token, returned earlier via ListKeyRingsResponse.next_page_token.

Optional. Only include resources that match the filter in the response. For more information, see Sorting and filtering list results.

Optional. Specify how the results should be sorted. If not specified, the results will be sorted in the default order. For more information, see Sorting and filtering list results.

The list of KeyRings.

This object should have the same structure as KeyRing

A token to retrieve next page of results. Pass this value in ListKeyRingsRequest.page_token to retrieve the next page of results.

The total number of KeyRings that matched the query.

Indicates whether CryptoKeys with protection_level HSM can be created in this location.

The public key, encoded in PEM format. For more information, see the RFC 7468 sections for General Considerations and [Textual Encoding of Subject Public Key Info] (https://tools.ietf.org/html/rfc7468#section-13).

The Algorithm associated with this key.

The number should be among the values of CryptoKeyVersionAlgorithm

Required. The resource name of the CryptoKeyVersion to restore.

Required. The resource name of the CryptoKey to update.

Required. The id of the child CryptoKeyVersion to use as primary.

Required. CryptoKey with updated values.

This object should have the same structure as CryptoKey

Required. List of fields to be updated in this request.

This object should have the same structure as FieldMask

Required. CryptoKeyVersion with updated values.

This object should have the same structure as CryptoKeyVersion

Required. List of fields to be updated in this request.

This object should have the same structure as FieldMask

The public key, encoded in PEM format. For more information, see the RFC 7468 sections for General Considerations and [Textual Encoding of Subject Public Key Info] (https://tools.ietf.org/html/rfc7468#section-13).