- Resource: CryptoKey
- CryptoKeyPurpose
- CryptoKeyVersionTemplate
- KeyAccessJustificationsPolicy
- AccessReason
- Methods
Resource: CryptoKey
A CryptoKey represents a logical key that can be used for cryptographic operations.
A CryptoKey is made up of zero or more versions, which represent the actual key material used in cryptographic operations.
JSON representation |
---|
{ "name": string, "primary": { object ( |
Fields | |
---|---|
name | Output only. The resource name for this
primary | Output only. A copy of the "primary" The Keys with
purpose | Immutable. The immutable purpose of this
create | Output only. The time at which this A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples:
next | At Key rotations performed manually via Keys with A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples:
version | A template describing settings for new
labels | Labels with user-defined metadata. For more information, see Labeling Keys.
import | Immutable. Whether this key may contain imported versions only.
destroy | Immutable. The period of time that versions of this key spend in the A duration in seconds with up to nine fractional digits, ending with '
crypto | Immutable. The resource name of the backend environment where the key material for all
key | Optional. The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed.
Union field rotation_schedule. Controls the rate of automatic rotation. rotation_schedule can be only one of the following: |
rotation | If Keys with A duration in seconds with up to nine fractional digits, ending with '
CryptoKeyPurpose
CryptoKeyPurpose describes the cryptographic capabilities of a CryptoKey. A given key can only be used for the operations allowed by its purpose. For more information, see Key purposes.
Enums | |
---|---|
CRYPTO_KEY_PURPOSE_UNSPECIFIED | Not specified.
ENCRYPT_DECRYPT | CryptoKeys with this purpose may be used with cryptoKeys.encrypt and cryptoKeys.decrypt.
ASYMMETRIC_SIGN | CryptoKeys with this purpose may be used with cryptoKeyVersions.asymmetricSign and cryptoKeyVersions.getPublicKey.
ASYMMETRIC_DECRYPT | CryptoKeys with this purpose may be used with cryptoKeyVersions.asymmetricDecrypt and cryptoKeyVersions.getPublicKey.
RAW_ENCRYPT_DECRYPT | CryptoKeys with this purpose may be used with cryptoKeyVersions.rawEncrypt and cryptoKeyVersions.rawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
MAC | CryptoKeys with this purpose may be used with cryptoKeyVersions.macSign.
CryptoKeyVersionTemplate
A CryptoKeyVersionTemplate specifies the properties to use when creating a new CryptoKeyVersion, either manually with cryptoKeyVersions.create or automatically as a result of auto-rotation.
JSON representation |
---|
{ "protectionLevel": enum ( |
Fields | |
---|---|
protectionLevel |
algorithm | Required. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and
KeyAccessJustificationsPolicy
A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for encrypt, decrypt, and sign operations on a CryptoKey.
JSON representation |
---|
{
"allowedAccessReasons": [
enum ( |
Fields | |
---|---|
allowedAccessReasons | The list of allowed reasons for access to a
AccessReason
Describes the reason for a data access. Please refer to https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes for the detailed semantic meaning of justification reason codes.
Enums | |
---|---|
REASON_UNSPECIFIED | Unspecified access reason.
CUSTOMER_INITIATED_SUPPORT | Customer-initiated support.
GOOGLE_INITIATED_SERVICE | Google-initiated access for system management and troubleshooting.
THIRD_PARTY_DATA_REQUEST | Google-initiated access in response to a legal request or legal process.
GOOGLE_INITIATED_REVIEW | Google-initiated access for security, fraud, abuse, or compliance purposes.
CUSTOMER_INITIATED_ACCESS | Customer uses their account to perform any access to their own data which their IAM policy authorizes.
GOOGLE_INITIATED_SYSTEM_OPERATION | Google systems access customer data to help optimize the structure of the data or quality for future uses by the customer.
REASON_NOT_EXPECTED | No reason is expected for this key request.
MODIFIED_CUSTOMER_INITIATED_ACCESS | Customer uses their account to perform any access to their own data which their IAM policy authorizes, and one of the following is true:
MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION | Google systems access customer data to help optimize the structure of the data or quality for future uses by the customer, and one of the following is true:
GOOGLE_RESPONSE_TO_PRODUCTION_ALERT | Google-initiated access to maintain system reliability.
CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING | One of the following operations is being executed while simultaneously encountering an internal technical issue which prevented a more precise justification code from being generated:
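The following is an added example, not part of the original reference or of Google's code: it models how the policy described above gates encrypt, decrypt, and sign requests, and audits CryptoKey resources for configurations a reviewer would want to see. The JSON field names `keyAccessJustificationsPolicy` and `rotationPeriod` are taken from the Cloud KMS API because the field table above truncates them; the `enrolled` parameter, the sample keys, and the reading that a present policy with zero codes allows nothing are assumptions.

```python
# Added example: models the policy semantics described in this reference.
# `enrolled` is an assumed input; the page says the policy applies only to enrolled keys.
ACCESS_REASONS = {
    "REASON_UNSPECIFIED", "CUSTOMER_INITIATED_SUPPORT", "GOOGLE_INITIATED_SERVICE",
    "THIRD_PARTY_DATA_REQUEST", "GOOGLE_INITIATED_REVIEW", "CUSTOMER_INITIATED_ACCESS",
    "GOOGLE_INITIATED_SYSTEM_OPERATION", "REASON_NOT_EXPECTED",
    "MODIFIED_CUSTOMER_INITIATED_ACCESS", "MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION",
    "GOOGLE_RESPONSE_TO_PRODUCTION_ALERT", "CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING",
}

def is_allowed(key, reason, enrolled=True):
    """True if an encrypt/decrypt/sign request carrying `reason` passes the key's policy."""
    policy = key.get("keyAccessJustificationsPolicy")
    if policy is None or not enrolled:
        return True  # field absent (the default) or key not enrolled: nothing is evaluated
    return reason in policy.get("allowedAccessReasons", [])

def audit(key):
    """Return a list of findings for one CryptoKey resource (dict parsed from JSON)."""
    findings = []
    policy = key.get("keyAccessJustificationsPolicy")
    if policy is None:
        findings.append("no KAJ policy: all justification codes are allowed")
    else:
        reasons = policy.get("allowedAccessReasons", [])
        if not reasons:
            findings.append("empty allow-list: every evaluated operation is rejected")
        for r in reasons:
            if r not in ACCESS_REASONS:
                findings.append(f"unknown AccessReason: {r}")
    if key.get("purpose") == "RAW_ENCRYPT_DECRYPT" and "rotationPeriod" in key:
        findings.append("rotationPeriod set on RAW_ENCRYPT_DECRYPT (no automatic rotation)")
    return findings

# Constructed sample resources (placeholder names, not real keys).
KEYS = [
    {"name": "projects/p/locations/l/keyRings/r/cryptoKeys/a", "purpose": "ENCRYPT_DECRYPT"},
    {"name": "projects/p/locations/l/keyRings/r/cryptoKeys/b", "purpose": "ASYMMETRIC_SIGN",
     "keyAccessJustificationsPolicy": {"allowedAccessReasons": ["CUSTOMER_INITIATED_ACCESS"]}},
    {"name": "projects/p/locations/l/keyRings/r/cryptoKeys/c", "purpose": "RAW_ENCRYPT_DECRYPT",
     "rotationPeriod": "7776000s", "keyAccessJustificationsPolicy": {"allowedAccessReasons": []}},
]

if __name__ == "__main__":
    for k in KEYS:
        print(k["name"], audit(k) or "ok")
```
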
Methods | |
---|---|
 | Create a new CryptoKey within a KeyRing.
 | Decrypts data that was protected by Encrypt.
 | Encrypts data, so that it can only be recovered by a call to Decrypt.
 | Returns metadata for a given CryptoKey, as well as its primary CryptoKeyVersion.
 | Gets the access control policy for a resource.
 | Lists CryptoKeys.
 | Update a CryptoKey.
 | Sets the access control policy on the specified resource.
 | Returns permissions that a caller has on the specified resource.
 | Update the version of a CryptoKey that will be used in Encrypt.