Console
    Contact Us Start free

    REST Resource: projects.locations.keyRings.cryptoKeys

    Resource: CryptoKey

    A CryptoKey represents a logical key that can be used for cryptographic operations.

    A CryptoKey is made up of zero or more versions , which represent the actual key material used in cryptographic operations.

    JSON representation 
     { 
 "name" 
 : 
 string 
 , 
 "primary" 
 : 
 { 
 object (  CryptoKeyVersion 
 
) 
 } 
 , 
 "purpose" 
 : 
 enum (  CryptoKeyPurpose 
 
) 
 , 
 "createTime" 
 : 
 string 
 , 
 "nextRotationTime" 
 : 
 string 
 , 
 "versionTemplate" 
 : 
 { 
 object (  CryptoKeyVersionTemplate 
 
) 
 } 
 , 
 "labels" 
 : 
 { 
 string 
 : 
 string 
 , 
 ... 
 } 
 , 
 "importOnly" 
 : 
 boolean 
 , 
 "destroyScheduledDuration" 
 : 
 string 
 , 
 "cryptoKeyBackend" 
 : 
 string 
 , 
 "keyAccessJustificationsPolicy" 
 : 
 { 
 object (  KeyAccessJustificationsPolicy 
 
) 
 } 
 , 
 // Union field rotation_schedule 
can be only one of the following: 
 "rotationPeriod" 
 : 
 string 
 // End of list of possible types for union field rotation_schedule 
. 
 }
    Fields
    name

    string

    Output only. The resource name for this CryptoKey in the format projects/*/locations/*/keyRings/*/cryptoKeys/* .

    primary

    object ( CryptoKeyVersion )

    Output only. A copy of the "primary" CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name .

    The CryptoKey 's primary version can be updated via cryptoKeys.updatePrimaryVersion .

    Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.

    purpose

    enum ( CryptoKeyPurpose )

    Immutable. The immutable purpose of this CryptoKey .

    createTime

    string ( Timestamp format)

    Output only. The time at which this CryptoKey was created.

    Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z" , "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30" .

    nextRotationTime

    string ( Timestamp format)

    At nextRotationTime , the Key Management Service will automatically:

    1. Create a new version of this CryptoKey .
    2. Mark the new version as primary.

    Key rotations performed manually via cryptoKeyVersions.create and cryptoKeys.updatePrimaryVersion do not affect nextRotationTime .

    Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.

    Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z" , "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30" .

    versionTemplate

    object ( CryptoKeyVersionTemplate )

    A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either cryptoKeyVersions.create or auto-rotation are controlled by this template.

    labels

    map (key: string, value: string)

    Labels with user-defined metadata. For more information, see Labeling Keys .

    importOnly

    boolean

    Immutable. Whether this key may contain imported versions only.

    destroyScheduledDuration

    string ( Duration format)

    Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED . If not specified at creation time, the default duration is 30 days.

    A duration in seconds with up to nine fractional digits, ending with ' s '. Example: "3.5s" .

    cryptoKeyBackend

    string

    Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC , with the resource name in the format projects/*/locations/*/ekmConnections/* . Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future.

    keyAccessJustificationsPolicy

    object ( KeyAccessJustificationsPolicy )

    Optional. The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed.

    Union field rotation_schedule . Controls the rate of automatic rotation. rotation_schedule can be only one of the following:
    rotationPeriod

    string ( Duration format)

    nextRotationTime will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours.

    If rotationPeriod is set, nextRotationTime must also be set.

    Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.

    A duration in seconds with up to nine fractional digits, ending with ' s '. Example: "3.5s" .

    CryptoKeyPurpose

    CryptoKeyPurpose describes the cryptographic capabilities of a CryptoKey . A given key can only be used for the operations allowed by its purpose. For more information, see Key purposes .

    Enums
    CRYPTO_KEY_PURPOSE_UNSPECIFIED Not specified.
    ENCRYPT_DECRYPT CryptoKeys with this purpose may be used with cryptoKeys.encrypt and cryptoKeys.decrypt .
    ASYMMETRIC_SIGN CryptoKeys with this purpose may be used with cryptoKeyVersions.asymmetricSign and cryptoKeyVersions.getPublicKey .
    ASYMMETRIC_DECRYPT CryptoKeys with this purpose may be used with cryptoKeyVersions.asymmetricDecrypt and cryptoKeyVersions.getPublicKey .
    RAW_ENCRYPT_DECRYPT CryptoKeys with this purpose may be used with cryptoKeyVersions.rawEncrypt and cryptoKeyVersions.rawDecrypt . This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
    MAC CryptoKeys with this purpose may be used with cryptoKeyVersions.macSign .

    CryptoKeyVersionTemplate

    A CryptoKeyVersionTemplate specifies the properties to use when creating a new CryptoKeyVersion , either manually with cryptoKeyVersions.create or automatically as a result of auto-rotation.

    JSON representation 
     { 
 "protectionLevel" 
 : 
 enum (  ProtectionLevel 
 
) 
 , 
 "algorithm" 
 : 
 enum (  CryptoKeyVersionAlgorithm 
 
) 
 }
    Fields
    protectionLevel

    enum ( ProtectionLevel )

    ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE .
    algorithm

    enum ( CryptoKeyVersionAlgorithm )

    Required. Algorithm to use when creating a CryptoKeyVersion based on this template.

    For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT .

    KeyAccessJustificationsPolicy

    A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for encrypt, decrypt, and sign operations on a CryptoKey .

    JSON representation 
     { 
 "allowedAccessReasons" 
 : 
 [ 
 enum (  AccessReason 
 
) 
 ] 
 }
    Fields
    allowedAccessReasons[]

    enum ( AccessReason )

    The list of allowed reasons for access to a CryptoKey . Zero allowed access reasons means all encrypt, decrypt, and sign operations for the CryptoKey associated with this policy will fail.

    AccessReason

    Describes the reason for a data access. Please refer to https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes for the detailed semantic meaning of justification reason codes.

    Enums
    REASON_UNSPECIFIED
    Unspecified access reason.
    CUSTOMER_INITIATED_SUPPORT
    Customer-initiated support.
    GOOGLE_INITIATED_SERVICE
    Google-initiated access for system management and troubleshooting.
    THIRD_PARTY_DATA_REQUEST
    Google-initiated access in response to a legal request or legal process.
    GOOGLE_INITIATED_REVIEW
    Google-initiated access for security, fraud, abuse, or compliance purposes.
    CUSTOMER_INITIATED_ACCESS
    Customer uses their account to perform any access to their own data which their IAM policy authorizes.
    GOOGLE_INITIATED_SYSTEM_OPERATION
    Google systems access customer data to help optimize the structure of the data or quality for future uses by the customer.
    REASON_NOT_EXPECTED
    No reason is expected for this key request.
    MODIFIED_CUSTOMER_INITIATED_ACCESS

    Customer uses their account to perform any access to their own data which their IAM policy authorizes, and one of the following is true:

    • A Google administrator has reset the root-access account associated with the user's organization within the past 7 days.
    • A Google-initiated emergency access operation has interacted with a resource in the same project or folder as the currently accessed resource within the past 7 days.
    MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION

    Google systems access customer data to help optimize the structure of the data or quality for future uses by the customer, and one of the following is true:

    • A Google administrator has reset the root-access account associated with the user's organization within the past 7 days.
    • A Google-initiated emergency access operation has interacted with a resource in the same project or folder as the currently accessed resource within the past 7 days.
    GOOGLE_RESPONSE_TO_PRODUCTION_ALERT
    Google-initiated access to maintain system reliability.
    CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING

    One of the following operations is being executed while simultaneously encountering an internal technical issue which prevented a more precise justification code from being generated:

    • Your account has been used to perform any access to your own data which your IAM policy authorizes.
    • An automated Google system operates on encrypted customer data which your IAM policy authorizes.
    • Customer-initiated Google support access.
    • Google-initiated support access to protect system reliability.

    Methods

    create

    		Create a new CryptoKey within a KeyRing .

    decrypt

    		Decrypts data that was protected by Encrypt .

    encrypt

    		Encrypts data, so that it can only be recovered by a call to Decrypt .

    get

    		Returns metadata for a given CryptoKey , as well as its primary CryptoKeyVersion .

    getIamPolicy

    		Gets the access control policy for a resource.

    list

    		Lists CryptoKeys .

    patch

    		Update a CryptoKey .

    setIamPolicy

    		Sets the access control policy on the specified resource.

    testIamPermissions

    		Returns permissions that a caller has on the specified resource.

    updatePrimaryVersion

    		Update the version of a CryptoKey that will be used in Encrypt .
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: