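// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Resource definitions for the Cloud KMS v1 API: key rings, keys, key
// versions, public keys, import jobs and protection levels.
//
// This file is a published wire contract: field numbers and enum values are
// fixed and must not be renumbered. Several numbers are skipped (for example
// CryptoKeyVersionAlgorithm 11 and 14, CryptoKey 4, 6 and 9); they are
// presumably retired values and should not be reused without checking the
// service's history.

syntax = "proto3";

package google.cloud.kms.v1;

// NOTE(review): annotations.proto is not referenced by any definition in this
// file (no service is declared here); it is kept so the import set of the
// published file is unchanged.
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Kms.V1";
option go_package = "google.golang.org/genproto/googleapis/cloud/kms/v1;kms";
option java_multiple_files = true;
option java_outer_classname = "KmsResourcesProto";
option java_package = "com.google.cloud.kms.v1";
option php_namespace = "Google\\Cloud\\Kms\\V1";

// A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of
// [CryptoKeys][google.cloud.kms.v1.CryptoKey].
//
// Both fields are server-assigned; a KeyRing carries no client-settable
// configuration of its own.
message KeyRing {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/KeyRing"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}"
  };

  // Output only. The resource name for the [KeyRing][google.cloud.kms.v1.KeyRing]
  // in the format `projects/*/locations/*/keyRings/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing]
  // was created.
  google.protobuf.Timestamp create_time = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that
// can be used for cryptographic operations.
//
// A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of one or more
// [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual
// key material used in cryptographic operations. The key itself holds the
// policy (purpose, rotation schedule, template for new versions); the
// versions hold the material and its lifecycle state.
message CryptoKey {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/CryptoKey"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}"
  };

  // [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose]
  // describes the cryptographic capabilities of a
  // [CryptoKey][google.cloud.kms.v1.CryptoKey]. A given key can only be used
  // for the operations allowed by its purpose, and the purpose is immutable
  // once the key is created (see [purpose][google.cloud.kms.v1.CryptoKey.purpose]),
  // so a key can never be repurposed from signing to decryption or vice versa.
  // For more information, see
  // [Key purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes).
  enum CryptoKeyPurpose {
    // Not specified.
    CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be
    // used with [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]
    // and [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
    ENCRYPT_DECRYPT = 1;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be
    // used with
    // [AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign]
    // and [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
    ASYMMETRIC_SIGN = 5;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be
    // used with
    // [AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt]
    // and [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
    ASYMMETRIC_DECRYPT = 6;
  }

  // Output only. The resource name for this
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A copy of the "primary"
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used
  // by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] is given in
  // [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name].
  //
  // The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary version can be
  // updated via
  // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
  //
  // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
  // may have a primary. For other keys, this field will be omitted.
  //
  // NOTE(review): changing the primary redirects new Encrypt calls only; it
  // does not change any version's [state][google.cloud.kms.v1.CryptoKeyVersion.state],
  // so earlier versions presumably remain usable for Decrypt while they are
  // ENABLED — confirm against the service documentation before relying on
  // rotation alone to retire old ciphertext.
  CryptoKeyVersion primary = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Immutable. The immutable purpose of this
  // [CryptoKey][google.cloud.kms.v1.CryptoKey].
  CryptoKeyPurpose purpose = 3 [(google.api.field_behavior) = IMMUTABLE];

  // Output only. The time at which this
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] was created.
  google.protobuf.Timestamp create_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time],
  // the Key Management Service will automatically:
  //
  // 1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
  // 2. Mark the new version as primary.
  //
  // Key rotations performed manually via
  // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
  // and
  // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]
  // do not affect
  // [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time].
  //
  // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
  // support automatic rotation. For other keys, this field must be omitted.
  //
  // Automatic rotation only changes which version new encryptions use; it does
  // not re-encrypt existing ciphertext. Re-wrapping data under the new version
  // is the caller's responsibility.
  google.protobuf.Timestamp next_rotation_time = 7;

  // Controls the rate of automatic rotation.
  oneof rotation_schedule {
    // [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]
    // will be advanced by this period when the service automatically rotates
    // a key. Must be at least 24 hours and at most 876,000 hours.
    //
    // If [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period] is
    // set, [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]
    // must also be set.
    //
    // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
    // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
    // support automatic rotation. For other keys, this field must be omitted.
    google.protobuf.Duration rotation_period = 8;
  }

  // A template describing settings for new
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances.
  // The properties of new
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances created
  // by either
  // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
  // or auto-rotation are controlled by this template.
  CryptoKeyVersionTemplate version_template = 11;

  // Labels with user-defined metadata. For more information, see
  // [Labeling Keys](/kms/docs/labeling-keys).
  //
  // Labels are metadata only: they play no part in authorization or in any
  // cryptographic operation, so do not place secrets in them.
  //
  // NOTE(review): the map type parameters were missing from the extracted
  // source (`map labels = 10;` is not valid protobuf); they are restored here
  // as the standard string-to-string label shape.
  map<string, string> labels = 10;
}

// A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate]
// specifies the properties to use when creating a new
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either manually
// with
// [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
// or automatically as a result of auto-rotation.
message CryptoKeyVersionTemplate {
  // [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when
  // creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based
  // on this template. Immutable. Defaults to
  // [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
  //
  // Because the default is SOFTWARE and the field is immutable, a key that
  // must be HSM-backed has to request
  // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] explicitly at creation;
  // it cannot be upgraded afterwards.
  ProtectionLevel protection_level = 1;

  // Required.
  // [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  // to use when creating a
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this
  // template.
  //
  // For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if
  // both this field is omitted and
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 3 [(google.api.field_behavior) = REQUIRED];
}

// Contains an HSM-generated attestation about a key operation. For more
// information, see [Verifying attestations]
// (https://cloud.google.com/kms/docs/attest-key).
//
// The attestation is the evidence that lets a caller check key attributes
// against the HSM's own signed statement rather than trusting the API
// response alone. The formats below are vendor-defined and opaque to this
// schema; verification (decompression, parsing and checking the signature
// chain) is described in the linked documentation.
message KeyOperationAttestation {
  // Attestation formats provided by the HSM.
  enum AttestationFormat {
    // Not specified.
    ATTESTATION_FORMAT_UNSPECIFIED = 0;

    // Cavium HSM attestation compressed with gzip. Note that this format is
    // defined by Cavium and subject to change at any time.
    CAVIUM_V1_COMPRESSED = 3;

    // Cavium HSM attestation V2 compressed with gzip. This is a new format
    // introduced in Cavium's version 3.2-08.
    CAVIUM_V2_COMPRESSED = 4;
  }

  // Output only. The format of the attestation data. Parsers must dispatch on
  // this value rather than sniffing
  // [content][google.cloud.kms.v1.KeyOperationAttestation.content].
  AttestationFormat format = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The attestation data provided by the HSM when the key
  // operation was performed. Opaque bytes in the format named by
  // [format][google.cloud.kms.v1.KeyOperationAttestation.format].
  bytes content = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an
// individual cryptographic key, and the associated key material.
//
// An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
// version can be used for cryptographic operations.
//
// For security reasons, the raw cryptographic key material represented by a
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed
// or exported. It can only be used to encrypt, decrypt, or sign data when an
// authorized user or application invokes Cloud KMS.
//
// Almost every field here is server-assigned; the exception is
// [state][google.cloud.kms.v1.CryptoKeyVersion.state], which is the only
// field not marked OUTPUT_ONLY.
message CryptoKeyVersion {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/CryptoKeyVersion"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}"
  };

  // The algorithm of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating what
  // parameters must be used for each cryptographic operation.
  //
  // The
  // [GOOGLE_SYMMETRIC_ENCRYPTION][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION]
  // algorithm is usable with
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  //
  // Algorithms beginning with "RSA_SIGN_" are usable with
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].
  //
  // The fields in the name after "RSA_SIGN_" correspond to the following
  // parameters: padding algorithm, modulus bit length, and digest algorithm.
  //
  // For PSS, the salt length used is equal to the length of digest
  // algorithm. For example,
  // [RSA_SIGN_PSS_2048_SHA256][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256]
  // will use PSS with a salt length of 256 bits or 32 bytes. Verifiers must
  // be configured with the same salt length, or signatures will not verify.
  //
  // Algorithms beginning with "RSA_DECRYPT_" are usable with
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
  //
  // The fields in the name after "RSA_DECRYPT_" correspond to the following
  // parameters: padding algorithm, modulus bit length, and digest algorithm.
  //
  // Algorithms beginning with "EC_SIGN_" are usable with
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].
  //
  // The fields in the name after "EC_SIGN_" correspond to the following
  // parameters: elliptic curve, digest algorithm.
  //
  // NOTE(review): for new signing keys prefer the RSA_SIGN_PSS_* or EC_SIGN_*
  // variants; the RSA_SIGN_PKCS1_* (RSASSA-PKCS1-v1_5) variants are best kept
  // for interoperability with verifiers that cannot do PSS.
  //
  // For more information, see [Key purposes and algorithms]
  // (https://cloud.google.com/kms/docs/algorithms).
  enum CryptoKeyVersionAlgorithm {
    // Not specified.
    CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0;

    // Creates symmetric encryption keys.
    GOOGLE_SYMMETRIC_ENCRYPTION = 1;

    // RSASSA-PSS 2048 bit key with a SHA256 digest.
    RSA_SIGN_PSS_2048_SHA256 = 2;

    // RSASSA-PSS 3072 bit key with a SHA256 digest.
    RSA_SIGN_PSS_3072_SHA256 = 3;

    // RSASSA-PSS 4096 bit key with a SHA256 digest.
    RSA_SIGN_PSS_4096_SHA256 = 4;

    // RSASSA-PSS 4096 bit key with a SHA512 digest.
    RSA_SIGN_PSS_4096_SHA512 = 15;

    // RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    RSA_SIGN_PKCS1_2048_SHA256 = 5;

    // RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    RSA_SIGN_PKCS1_3072_SHA256 = 6;

    // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    RSA_SIGN_PKCS1_4096_SHA256 = 7;

    // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    RSA_SIGN_PKCS1_4096_SHA512 = 16;

    // RSAES-OAEP 2048 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP_2048_SHA256 = 8;

    // RSAES-OAEP 3072 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP_3072_SHA256 = 9;

    // RSAES-OAEP 4096 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP_4096_SHA256 = 10;

    // RSAES-OAEP 4096 bit key with a SHA512 digest.
    RSA_DECRYPT_OAEP_4096_SHA512 = 17;

    // ECDSA on the NIST P-256 curve with a SHA256 digest.
    EC_SIGN_P256_SHA256 = 12;

    // ECDSA on the NIST P-384 curve with a SHA384 digest.
    EC_SIGN_P384_SHA384 = 13;

    // Algorithm representing symmetric encryption by an external key manager.
    // The key material lives outside Cloud KMS (see
    // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL]); the cipher
    // actually applied is determined by that external manager, not by this
    // schema.
    EXTERNAL_SYMMETRIC_ENCRYPTION = 18;
  }

  // The state of a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion],
  // indicating if it can be used.
  //
  // Lifecycle as documented on the values: PENDING_GENERATION / PENDING_IMPORT
  // become ENABLED automatically; ENABLED and DISABLED can move to each other;
  // DESTROY_SCHEDULED can be restored to DISABLED; DESTROYED is terminal and
  // the material is gone, so anything encrypted under that version is
  // unrecoverable. IMPORT_FAILED is terminal and the submitted material has
  // been discarded.
  enum CryptoKeyVersionState {
    // Not specified.
    CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0;

    // This version is still being generated. It may not be used, enabled,
    // disabled, or destroyed yet. Cloud KMS will automatically mark this
    // version
    // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
    // as soon as the version is ready.
    PENDING_GENERATION = 5;

    // This version may be used for cryptographic operations.
    ENABLED = 1;

    // This version may not be used, but the key material is still available,
    // and the version can be placed back into the
    // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
    // state.
    DISABLED = 2;

    // This version is destroyed, and the key material is no longer stored.
    // A version may not leave this state once entered.
    DESTROYED = 3;

    // This version is scheduled for destruction, and will be destroyed soon.
    // Call
    // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
    // to put it back into the
    // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED]
    // state. The scheduled time is reported in
    // [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time].
    DESTROY_SCHEDULED = 4;

    // This version is still being imported. It may not be used, enabled,
    // disabled, or destroyed yet. Cloud KMS will automatically mark this
    // version
    // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
    // as soon as the version is ready.
    PENDING_IMPORT = 6;

    // This version was not imported successfully. It may not be used, enabled,
    // disabled, or destroyed. The submitted key material has been discarded.
    // Additional details can be found in
    // [CryptoKeyVersion.import_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.import_failure_reason].
    IMPORT_FAILED = 7;
  }

  // A view for [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]s.
  // Controls the level of detail returned for
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] in
  // [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions]
  // and
  // [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
  enum CryptoKeyVersionView {
    // Default view for each
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Does not
    // include the
    // [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation] field,
    // so an absent attestation in a list response does not by itself mean the
    // version is not HSM-backed; request FULL to check.
    CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0;

    // Provides all fields in each
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], including the
    // [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation].
    FULL = 1;
  }

  // Output only. The resource name for this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The current state of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  //
  // NOTE(review): this is the only field on the version without OUTPUT_ONLY,
  // so it is presumably the field a client sets to move a version between
  // ENABLED and DISABLED via an update — confirm against the service
  // definition; the other transitions have dedicated RPCs.
  CryptoKeyVersionState state = 3;

  // Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel]
  // describing how crypto operations are performed with this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  ProtectionLevel protection_level = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The
  // [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  // that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // supports.
  CryptoKeyVersionAlgorithm algorithm = 10 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Statement that was generated and signed by the HSM at key
  // creation time. Use this statement to verify attributes of the key as
  // stored on the HSM, independently of Google. Only provided for key
  // versions with
  // [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level]
  // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
  //
  // An attestation is only as strong as the signature check performed on it;
  // treat it as untrusted bytes until the chain described in
  // https://cloud.google.com/kms/docs/attest-key has been verified.
  KeyOperationAttestation attestation = 8 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created.
  google.protobuf.Timestamp create_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material
  // was generated. May differ from
  // [create_time][google.cloud.kms.v1.CryptoKeyVersion.create_time] because
  // generation is asynchronous (see PENDING_GENERATION).
  google.protobuf.Timestamp generate_time = 11 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material
  // is scheduled for destruction. Only present if
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED].
  google.protobuf.Timestamp destroy_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this CryptoKeyVersion's key material was
  // destroyed. Only present if
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
  google.protobuf.Timestamp destroy_event_time = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The name of the [ImportJob][google.cloud.kms.v1.ImportJob]
  // used to import this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only present if
  // the underlying key material was imported. Useful for audit: a non-empty
  // value means the material originated outside Cloud KMS.
  string import_job = 14 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material
  // was imported.
  google.protobuf.Timestamp import_time = 15 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The root cause of an import failure. Only present if
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED].
  // Free-form text; its exact contents are not specified by this schema.
  string import_failure_reason = 16 [(google.api.field_behavior) = OUTPUT_ONLY];

  // ExternalProtectionLevelOptions stores a group of additional fields for
  // configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // that are specific to the
  // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level.
  ExternalProtectionLevelOptions external_protection_level_options = 17;
}

// The public key for a given
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via
// [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
//
// Neither field is marked OUTPUT_ONLY in this schema, but both describe the
// server-held key; clients should treat them as read-only.
message PublicKey {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/PublicKey"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}/publicKey"
  };

  // The public key, encoded in PEM format. For more information, see the
  // [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for
  // [General Considerations](https://tools.ietf.org/html/rfc7468#section-2)
  // and [Textual Encoding of Subject Public Key Info]
  // (https://tools.ietf.org/html/rfc7468#section-13).
  string pem = 1;

  // The
  // [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  // associated with this key.
  //
  // Verifiers and encryptors should check this value against the algorithm
  // they expect before using
  // [pem][google.cloud.kms.v1.PublicKey.pem], rather than inferring the
  // scheme (padding, digest, salt length) from the key type alone.
  CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2;
}

// An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create
// [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
// [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing
// key material, generated outside of Cloud KMS.
//
// When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS
// will generate a "wrapping key", which is a public/private key pair. You use
// the wrapping key to encrypt (also known as wrap) the pre-existing key
// material to protect it during the import process. The nature of the
// wrapping key depends on the choice of
// [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the
// wrapping key generation is complete, the
// [state][google.cloud.kms.v1.ImportJob.state] will be set to
// [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the
// [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The
// fetched public key can then be used to wrap your pre-existing key material.
//
// Once the key material is wrapped, it can be imported into a new
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing
// [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling
// [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
// Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be
// imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS
// uses the private key portion of the wrapping key to unwrap the key material.
// Only Cloud KMS has access to the private key.
//
// An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is
// created. Once expired, Cloud KMS will no longer be able to import or unwrap
// any key material that was wrapped with the
// [ImportJob][google.cloud.kms.v1.ImportJob]'s public key.
//
// Practitioner notes: the wrapped blob is only as confidential as the wrapping
// public key is authentic, so fetch
// [public_key][google.cloud.kms.v1.ImportJob.public_key] from the API (and,
// for HSM jobs, check [attestation][google.cloud.kms.v1.ImportJob.attestation])
// rather than accepting it out of band; and because the plaintext material
// exists outside Cloud KMS before import, the "never exported" guarantee on
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] applies only to
// the copy held by Cloud KMS.
//
// For more information, see
// [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
message ImportJob {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/ImportJob"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}"
  };

  // The public key component of the wrapping key. For details of the type of
  // key this public key corresponds to, see the
  // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod].
  message WrappingPublicKey {
    // The public key, encoded in PEM format. For more information, see the
    // [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for
    // [General Considerations](https://tools.ietf.org/html/rfc7468#section-2)
    // and [Textual Encoding of Subject Public Key Info]
    // (https://tools.ietf.org/html/rfc7468#section-13).
    string pem = 1;
  }

  // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] describes the
  // key wrapping method chosen for this
  // [ImportJob][google.cloud.kms.v1.ImportJob].
  //
  // Both methods are CKM_RSA_AES_KEY_WRAP and differ only in the RSA modulus
  // size. The "SHA1" in each name is the OAEP hash parameter the client's
  // wrapping tool must be configured with; it is not a signature digest.
  // A wrap produced with different OAEP parameters presumably fails at
  // unwrap time — confirm with the linked import documentation.
  enum ImportMethod {
    // Not specified.
    IMPORT_METHOD_UNSPECIFIED = 0;

    // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
    // scheme defined in the PKCS #11 standard. In summary, this involves
    // wrapping the raw key with an ephemeral AES key, and wrapping the
    // ephemeral AES key with a 3072 bit RSA key. For more details, see
    // [RSA AES key wrap
    // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
    RSA_OAEP_3072_SHA1_AES_256 = 1;

    // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
    // scheme defined in the PKCS #11 standard. In summary, this involves
    // wrapping the raw key with an ephemeral AES key, and wrapping the
    // ephemeral AES key with a 4096 bit RSA key. For more details, see
    // [RSA AES key wrap
    // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
    RSA_OAEP_4096_SHA1_AES_256 = 2;
  }

  // The state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating
  // if it can be used.
  enum ImportJobState {
    // Not specified.
    IMPORT_JOB_STATE_UNSPECIFIED = 0;

    // The wrapping key for this job is still being generated. It may not be
    // used. Cloud KMS will automatically mark this job as
    // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] as soon
    // as the wrapping key is generated.
    PENDING_GENERATION = 1;

    // This job may be used in
    // [CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey]
    // and
    // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
    // requests.
    ACTIVE = 2;

    // This job can no longer be used and may not leave this state once
    // entered. Material wrapped under an expired job must be re-wrapped under
    // a fresh job to be imported.
    EXPIRED = 3;
  }

  // Output only. The resource name for this
  // [ImportJob][google.cloud.kms.v1.ImportJob] in the format
  // `projects/*/locations/*/keyRings/*/importJobs/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Required. Immutable. The wrapping method to be used for incoming key
  // material.
  ImportMethod import_method = 2 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Required. Immutable. The protection level of the
  // [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the
  // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
  // of the [version_template][google.cloud.kms.v1.CryptoKey.version_template]
  // on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you attempt to import
  // into.
  ProtectionLevel protection_level = 9 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. The time at which this
  // [ImportJob][google.cloud.kms.v1.ImportJob] was created.
  google.protobuf.Timestamp create_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]'s
  // key material was generated.
  google.protobuf.Timestamp generate_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this
  // [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for expiration
  // and can no longer be used to import key material.
  google.protobuf.Timestamp expire_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]
  // expired. Only present if [state][google.cloud.kms.v1.ImportJob.state] is
  // [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED].
  google.protobuf.Timestamp expire_event_time = 10 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The current state of the
  // [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used.
  ImportJobState state = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The public key with which to wrap key material prior to
  // import. Only returned if [state][google.cloud.kms.v1.ImportJob.state] is
  // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE].
  WrappingPublicKey public_key = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Statement that was generated and signed by the key creator
  // (for example, an HSM) at key creation time. Use this statement to verify
  // attributes of the key as stored on the HSM, independently of Google.
  // Only present if the chosen
  // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] is one with a
  // protection level of [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
  //
  // For HSM jobs this is how a client can check that the wrapping private key
  // really is HSM-resident before sending wrapped material.
  KeyOperationAttestation attestation = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] specifies how
// cryptographic operations are performed.
// For more information, see [Protection levels]
// (https://cloud.google.com/kms/docs/algorithms#protection_levels).
//
// The protection level is fixed per version at creation (see
// [CryptoKeyVersionTemplate.protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]);
// leaving it UNSPECIFIED there yields SOFTWARE.
enum ProtectionLevel {
  // Not specified.
  PROTECTION_LEVEL_UNSPECIFIED = 0;

  // Crypto operations are performed in software.
  SOFTWARE = 1;

  // Crypto operations are performed in a Hardware Security Module. Versions
  // at this level carry a
  // [KeyOperationAttestation][google.cloud.kms.v1.KeyOperationAttestation].
  HSM = 2;

  // Crypto operations are performed by an external key manager. Cloud KMS
  // does not hold the key material; see
  // [ExternalProtectionLevelOptions][google.cloud.kms.v1.ExternalProtectionLevelOptions].
  EXTERNAL = 3;
}

// ExternalProtectionLevelOptions stores a group of additional fields for
// configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that
// are specific to the
// [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level.
message ExternalProtectionLevelOptions {
  // The URI for an external resource that this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents.
  //
  // No format or validation constraints are declared in this schema; the
  // service presumably validates the URI against the configured external key
  // manager — confirm before treating it as a trusted reference. Because it
  // selects which external key is used, changes to it should be audited like
  // any other key-material change.
  string external_key_uri = 1;
}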