Resource key hash
The resource key hash is a mechanism allowing Google to verify the integrity of
the wrapped encryption keys without having access to the keys.
Generating the resource key hash requires access to the unwrapped key, including
the DEK, the resource_name and the perimeter_id specified during the key
wrapping operation.
We use the cryptographic function HMAC-SHA256 with unwrapped_dek as the key and
the concatenation of metadata as the data: ("ResourceKeyDigest:", resource_name, ":", perimeter_id).
The resource_name and perimeter_id should be UTF-8 encoded strings.
For example, when resource_name = "my_resource", perimeter_id = "my_perimeter" and unwrapped_dek = 0xf00d, the resource key
hash is: