Google Cloud Native is in preview. Google Cloud Classic is fully supported.
google-native.cloudkms/v1.CryptoKey
Explore with Pulumi AI
Google Cloud Native is in preview. Google Cloud Classic is fully supported.
Create a new CryptoKey within a KeyRing. CryptoKey.purpose and CryptoKey.version_template.algorithm are required. Note - this resource’s API doesn’t support deletion. When deleted, the resource will persist on Google Cloud even though it will be deleted from Pulumi state.
Create CryptoKey Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new CryptoKey(name: string, args: CryptoKeyArgs, opts?: CustomResourceOptions);
@overload
def CryptoKey(resource_name: str,
args: CryptoKeyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def CryptoKey(resource_name: str,
opts: Optional[ResourceOptions] = None,
key_ring_id: Optional[str] = None,
location: Optional[str] = None,
destroy_scheduled_duration: Optional[str] = None,
import_only: Optional[bool] = None,
crypto_key_id: Optional[str] = None,
labels: Optional[Mapping[str, str]] = None,
crypto_key_backend: Optional[str] = None,
next_rotation_time: Optional[str] = None,
project: Optional[str] = None,
purpose: Optional[CryptoKeyPurpose] = None,
rotation_period: Optional[str] = None,
skip_initial_version_creation: Optional[bool] = None,
version_template: Optional[CryptoKeyVersionTemplateArgs] = None)
func NewCryptoKey(ctx *Context, name string, args CryptoKeyArgs, opts ...ResourceOption) (*CryptoKey, error)
public CryptoKey(string name, CryptoKeyArgs args, CustomResourceOptions? opts = null)
public CryptoKey(String name, CryptoKeyArgs args)
public CryptoKey(String name, CryptoKeyArgs args, CustomResourceOptions options)
type: google-native:cloudkms/v1:CryptoKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args CryptoKeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args CryptoKeyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args CryptoKeyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CryptoKeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args CryptoKeyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var cryptoKeyResource = new GoogleNative.Cloudkms.V1.CryptoKey("cryptoKeyResource", new()
{
KeyRingId = "string",
Location = "string",
DestroyScheduledDuration = "string",
ImportOnly = false,
CryptoKeyId = "string",
Labels =
{
{ "string", "string" },
},
CryptoKeyBackend = "string",
NextRotationTime = "string",
Project = "string",
Purpose = GoogleNative.Cloudkms.V1.CryptoKeyPurpose.CryptoKeyPurposeUnspecified,
RotationPeriod = "string",
SkipInitialVersionCreation = false,
VersionTemplate = new GoogleNative.Cloudkms.V1.Inputs.CryptoKeyVersionTemplateArgs
{
Algorithm = GoogleNative.Cloudkms.V1.CryptoKeyVersionTemplateAlgorithm.CryptoKeyVersionAlgorithmUnspecified,
ProtectionLevel = GoogleNative.Cloudkms.V1.CryptoKeyVersionTemplateProtectionLevel.ProtectionLevelUnspecified,
},
});
example, err := cloudkms.NewCryptoKey(ctx, "cryptoKeyResource", &cloudkms.CryptoKeyArgs{
KeyRingId: pulumi.String("string"),
Location: pulumi.String("string"),
DestroyScheduledDuration: pulumi.String("string"),
ImportOnly: pulumi.Bool(false),
CryptoKeyId: pulumi.String("string"),
Labels: pulumi.StringMap{
"string": pulumi.String("string"),
},
CryptoKeyBackend: pulumi.String("string"),
NextRotationTime: pulumi.String("string"),
Project: pulumi.String("string"),
Purpose: cloudkms.CryptoKeyPurposeCryptoKeyPurposeUnspecified,
RotationPeriod: pulumi.String("string"),
SkipInitialVersionCreation: pulumi.Bool(false),
VersionTemplate: &cloudkms.CryptoKeyVersionTemplateArgs{
Algorithm: cloudkms.CryptoKeyVersionTemplateAlgorithmCryptoKeyVersionAlgorithmUnspecified,
ProtectionLevel: cloudkms.CryptoKeyVersionTemplateProtectionLevelProtectionLevelUnspecified,
},
})
var cryptoKeyResource = new CryptoKey("cryptoKeyResource", CryptoKeyArgs.builder()
.keyRingId("string")
.location("string")
.destroyScheduledDuration("string")
.importOnly(false)
.cryptoKeyId("string")
.labels(Map.of("string", "string"))
.cryptoKeyBackend("string")
.nextRotationTime("string")
.project("string")
.purpose("CRYPTO_KEY_PURPOSE_UNSPECIFIED")
.rotationPeriod("string")
.skipInitialVersionCreation(false)
.versionTemplate(CryptoKeyVersionTemplateArgs.builder()
.algorithm("CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED")
.protectionLevel("PROTECTION_LEVEL_UNSPECIFIED")
.build())
.build());
crypto_key_resource = google_native.cloudkms.v1.CryptoKey("cryptoKeyResource",
key_ring_id="string",
location="string",
destroy_scheduled_duration="string",
import_only=False,
crypto_key_id="string",
labels={
"string": "string",
},
crypto_key_backend="string",
next_rotation_time="string",
project="string",
purpose=google_native.cloudkms.v1.CryptoKeyPurpose.CRYPTO_KEY_PURPOSE_UNSPECIFIED,
rotation_period="string",
skip_initial_version_creation=False,
version_template={
"algorithm": google_native.cloudkms.v1.CryptoKeyVersionTemplateAlgorithm.CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED,
"protection_level": google_native.cloudkms.v1.CryptoKeyVersionTemplateProtectionLevel.PROTECTION_LEVEL_UNSPECIFIED,
})
const cryptoKeyResource = new google_native.cloudkms.v1.CryptoKey("cryptoKeyResource", {
keyRingId: "string",
location: "string",
destroyScheduledDuration: "string",
importOnly: false,
cryptoKeyId: "string",
labels: {
string: "string",
},
cryptoKeyBackend: "string",
nextRotationTime: "string",
project: "string",
purpose: google_native.cloudkms.v1.CryptoKeyPurpose.CryptoKeyPurposeUnspecified,
rotationPeriod: "string",
skipInitialVersionCreation: false,
versionTemplate: {
algorithm: google_native.cloudkms.v1.CryptoKeyVersionTemplateAlgorithm.CryptoKeyVersionAlgorithmUnspecified,
protectionLevel: google_native.cloudkms.v1.CryptoKeyVersionTemplateProtectionLevel.ProtectionLevelUnspecified,
},
});
type: google-native:cloudkms/v1:CryptoKey
properties:
cryptoKeyBackend: string
cryptoKeyId: string
destroyScheduledDuration: string
importOnly: false
keyRingId: string
labels:
string: string
location: string
nextRotationTime: string
project: string
purpose: CRYPTO_KEY_PURPOSE_UNSPECIFIED
rotationPeriod: string
skipInitialVersionCreation: false
versionTemplate:
algorithm: CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED
protectionLevel: PROTECTION_LEVEL_UNSPECIFIED
CryptoKey Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The CryptoKey resource accepts the following input properties:
- Key
Ring stringId - Crypto
Key stringBackend - Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format
projects/*/locations/*/ekmConnections/*
. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future. - Crypto
Key stringId - Required. It must be unique within a KeyRing and match the regular expression
[a-zA-Z0-9_-]{1,63}
- Destroy
Scheduled stringDuration - Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
- Import
Only bool - Immutable. Whether this key may contain imported versions only.
- Labels Dictionary<string, string>
- Labels with user-defined metadata. For more information, see Labeling Keys.
- Location string
- Next
Rotation stringTime - At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
- Project string
- Purpose
Pulumi.
Google Native. Cloudkms. V1. Crypto Key Purpose - Immutable. The immutable purpose of this CryptoKey.
- Rotation
Period string - next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
- Skip
Initial boolVersion Creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
- Version
Template Pulumi.Google Native. Cloudkms. V1. Inputs. Crypto Key Version Template - A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.
- Key
Ring stringId - Crypto
Key stringBackend - Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format
projects/*/locations/*/ekmConnections/*
. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future. - Crypto
Key stringId - Required. It must be unique within a KeyRing and match the regular expression
[a-zA-Z0-9_-]{1,63}
- Destroy
Scheduled stringDuration - Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
- Import
Only bool - Immutable. Whether this key may contain imported versions only.
- Labels map[string]string
- Labels with user-defined metadata. For more information, see Labeling Keys.
- Location string
- Next
Rotation stringTime - At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
- Project string
- Purpose
Crypto
Key Purpose - Immutable. The immutable purpose of this CryptoKey.
- Rotation
Period string - next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
- Skip
Initial boolVersion Creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
- Version
Template CryptoKey Version Template Args - A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.
- key
Ring StringId - crypto
Key StringBackend - Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format
projects/*/locations/*/ekmConnections/*
. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future. - crypto
Key StringId - Required. It must be unique within a KeyRing and match the regular expression
[a-zA-Z0-9_-]{1,63}
- destroy
Scheduled StringDuration - Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
- import
Only Boolean - Immutable. Whether this key may contain imported versions only.
- labels Map<String,String>
- Labels with user-defined metadata. For more information, see Labeling Keys.
- location String
- next
Rotation StringTime - At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
- project String
- purpose
Crypto
Key Purpose - Immutable. The immutable purpose of this CryptoKey.
- rotation
Period String - next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
- skip
Initial BooleanVersion Creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
- version
Template CryptoKey Version Template - A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.
- key
Ring stringId - crypto
Key stringBackend - Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format
projects/*/locations/*/ekmConnections/*
. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future. - crypto
Key stringId - Required. It must be unique within a KeyRing and match the regular expression
[a-zA-Z0-9_-]{1,63}
- destroy
Scheduled stringDuration - Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
- import
Only boolean - Immutable. Whether this key may contain imported versions only.
- labels {[key: string]: string}
- Labels with user-defined metadata. For more information, see Labeling Keys.
- location string
- next
Rotation stringTime - At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
- project string
- purpose
Crypto
Key Purpose - Immutable. The immutable purpose of this CryptoKey.
- rotation
Period string - next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
- skip
Initial booleanVersion Creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
- version
Template CryptoKey Version Template - A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.
- key_
ring_ strid - crypto_
key_ strbackend - Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format
projects/*/locations/*/ekmConnections/*
. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future. - crypto_
key_ strid - Required. It must be unique within a KeyRing and match the regular expression
[a-zA-Z0-9_-]{1,63}
- destroy_
scheduled_ strduration - Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
- import_
only bool - Immutable. Whether this key may contain imported versions only.
- labels Mapping[str, str]
- Labels with user-defined metadata. For more information, see Labeling Keys.
- location str
- next_
rotation_ strtime - At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
- project str
- purpose
Crypto
Key Purpose - Immutable. The immutable purpose of this CryptoKey.
- rotation_
period str - next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
- skip_
initial_ boolversion_ creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
- version_
template CryptoKey Version Template Args - A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.
- key
Ring StringId - crypto
Key StringBackend - Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format
projects/*/locations/*/ekmConnections/*
. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future. - crypto
Key StringId - Required. It must be unique within a KeyRing and match the regular expression
[a-zA-Z0-9_-]{1,63}
- destroy
Scheduled StringDuration - Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
- import
Only Boolean - Immutable. Whether this key may contain imported versions only.
- labels Map<String>
- Labels with user-defined metadata. For more information, see Labeling Keys.
- location String
- next
Rotation StringTime - At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
- project String
- purpose "CRYPTO_KEY_PURPOSE_UNSPECIFIED" | "ENCRYPT_DECRYPT" | "ASYMMETRIC_SIGN" | "ASYMMETRIC_DECRYPT" | "RAW_ENCRYPT_DECRYPT" | "MAC"
- Immutable. The immutable purpose of this CryptoKey.
- rotation
Period String - next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
- skip
Initial BooleanVersion Creation - If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey.
- version
Template Property Map - A template describing settings for new CryptoKeyVersion instances. The properties of new CryptoKeyVersion instances created by either CreateCryptoKeyVersion or auto-rotation are controlled by this template.
Outputs
All input properties are implicitly available as output properties. Additionally, the CryptoKey resource produces the following output properties:
- Create
Time string - The time at which this CryptoKey was created.
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The resource name for this CryptoKey in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*
. - Primary
Pulumi.
Google Native. Cloudkms. V1. Outputs. Crypto Key Version Response - A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.
- Create
Time string - The time at which this CryptoKey was created.
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The resource name for this CryptoKey in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*
. - Primary
Crypto
Key Version Response - A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.
- create
Time String - The time at which this CryptoKey was created.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- The resource name for this CryptoKey in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*
. - primary
Crypto
Key Version Response - A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.
- create
Time string - The time at which this CryptoKey was created.
- id string
- The provider-assigned unique ID for this managed resource.
- name string
- The resource name for this CryptoKey in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*
. - primary
Crypto
Key Version Response - A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.
- create_
time str - The time at which this CryptoKey was created.
- id str
- The provider-assigned unique ID for this managed resource.
- name str
- The resource name for this CryptoKey in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*
. - primary
Crypto
Key Version Response - A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.
- create
Time String - The time at which this CryptoKey was created.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- The resource name for this CryptoKey in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*
. - primary Property Map
- A copy of the "primary" CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. The CryptoKey's primary version can be updated via UpdateCryptoKeyPrimaryVersion. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be omitted.
Supporting Types
CertificateChainsResponse, CertificateChainsResponseArgs
- Cavium
Certs List<string> - Cavium certificate chain corresponding to the attestation.
- Google
Card List<string>Certs - Google card certificate chain corresponding to the attestation.
- Google
Partition List<string>Certs - Google partition certificate chain corresponding to the attestation.
- Cavium
Certs []string - Cavium certificate chain corresponding to the attestation.
- Google
Card []stringCerts - Google card certificate chain corresponding to the attestation.
- Google
Partition []stringCerts - Google partition certificate chain corresponding to the attestation.
- cavium
Certs List<String> - Cavium certificate chain corresponding to the attestation.
- google
Card List<String>Certs - Google card certificate chain corresponding to the attestation.
- google
Partition List<String>Certs - Google partition certificate chain corresponding to the attestation.
- cavium
Certs string[] - Cavium certificate chain corresponding to the attestation.
- google
Card string[]Certs - Google card certificate chain corresponding to the attestation.
- google
Partition string[]Certs - Google partition certificate chain corresponding to the attestation.
- cavium_
certs Sequence[str] - Cavium certificate chain corresponding to the attestation.
- google_
card_ Sequence[str]certs - Google card certificate chain corresponding to the attestation.
- google_
partition_ Sequence[str]certs - Google partition certificate chain corresponding to the attestation.
- cavium
Certs List<String> - Cavium certificate chain corresponding to the attestation.
- google
Card List<String>Certs - Google card certificate chain corresponding to the attestation.
- google
Partition List<String>Certs - Google partition certificate chain corresponding to the attestation.
CryptoKeyPurpose, CryptoKeyPurposeArgs
- Crypto
Key Purpose Unspecified - CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
- Encrypt
Decrypt - ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
- Asymmetric
Sign - ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
- Asymmetric
Decrypt - ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
- Raw
Encrypt Decrypt - RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
- Mac
- MACCryptoKeys with this purpose may be used with MacSign.
- Crypto
Key Purpose Crypto Key Purpose Unspecified - CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
- Crypto
Key Purpose Encrypt Decrypt - ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
- Crypto
Key Purpose Asymmetric Sign - ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
- Crypto
Key Purpose Asymmetric Decrypt - ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
- Crypto
Key Purpose Raw Encrypt Decrypt - RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
- Crypto
Key Purpose Mac - MACCryptoKeys with this purpose may be used with MacSign.
- Crypto
Key Purpose Unspecified - CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
- Encrypt
Decrypt - ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
- Asymmetric
Sign - ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
- Asymmetric
Decrypt - ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
- Raw
Encrypt Decrypt - RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
- Mac
- MACCryptoKeys with this purpose may be used with MacSign.
- Crypto
Key Purpose Unspecified - CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
- Encrypt
Decrypt - ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
- Asymmetric
Sign - ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
- Asymmetric
Decrypt - ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
- Raw
Encrypt Decrypt - RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
- Mac
- MACCryptoKeys with this purpose may be used with MacSign.
- CRYPTO_KEY_PURPOSE_UNSPECIFIED
- CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
- ENCRYPT_DECRYPT
- ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
- ASYMMETRIC_SIGN
- ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
- ASYMMETRIC_DECRYPT
- ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
- RAW_ENCRYPT_DECRYPT
- RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
- MAC
- MACCryptoKeys with this purpose may be used with MacSign.
- "CRYPTO_KEY_PURPOSE_UNSPECIFIED"
- CRYPTO_KEY_PURPOSE_UNSPECIFIEDNot specified.
- "ENCRYPT_DECRYPT"
- ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with Encrypt and Decrypt.
- "ASYMMETRIC_SIGN"
- ASYMMETRIC_SIGNCryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.
- "ASYMMETRIC_DECRYPT"
- ASYMMETRIC_DECRYPTCryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.
- "RAW_ENCRYPT_DECRYPT"
- RAW_ENCRYPT_DECRYPTCryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.
- "MAC"
- MACCryptoKeys with this purpose may be used with MacSign.
CryptoKeyVersionResponse, CryptoKeyVersionResponseArgs
- Algorithm string
- The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
- Attestation
Pulumi.
Google Native. Cloudkms. V1. Inputs. Key Operation Attestation Response - Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
- Create
Time string - The time at which this CryptoKeyVersion was created.
- Destroy
Event stringTime - The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
- Destroy
Time string - The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
- External
Destruction stringFailure Reason - The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
- External
Protection Pulumi.Level Options Google Native. Cloudkms. V1. Inputs. External Protection Level Options Response - ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
- Generate
Time string - The time this CryptoKeyVersion's key material was generated.
- Generation
Failure stringReason - The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
- Import
Failure stringReason - The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
- Import
Job string - The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
- Import
Time string - The time at which this CryptoKeyVersion's key material was most recently imported.
- Name string
- The resource name for this CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*
. - Protection
Level string - The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
- Reimport
Eligible bool - Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
- State string
- The current state of the CryptoKeyVersion.
- Algorithm string
- The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
- Attestation
Key
Operation Attestation Response - Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
- Create
Time string - The time at which this CryptoKeyVersion was created.
- Destroy
Event stringTime - The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
- Destroy
Time string - The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
- External
Destruction stringFailure Reason - The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
- External
Protection ExternalLevel Options Protection Level Options Response - ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
- Generate
Time string - The time this CryptoKeyVersion's key material was generated.
- Generation
Failure stringReason - The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
- Import
Failure stringReason - The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
- Import
Job string - The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
- Import
Time string - The time at which this CryptoKeyVersion's key material was most recently imported.
- Name string
- The resource name for this CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*
. - Protection
Level string - The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
- Reimport
Eligible bool - Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
- State string
- The current state of the CryptoKeyVersion.
- algorithm String
- The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
- attestation
Key
Operation Attestation Response - Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
- create
Time String - The time at which this CryptoKeyVersion was created.
- destroy
Event StringTime - The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
- destroy
Time String - The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
- external
Destruction StringFailure Reason - The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
- external
Protection ExternalLevel Options Protection Level Options Response - ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
- generate
Time String - The time this CryptoKeyVersion's key material was generated.
- generation
Failure StringReason - The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
- import
Failure StringReason - The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
- import
Job String - The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
- import
Time String - The time at which this CryptoKeyVersion's key material was most recently imported.
- name String
- The resource name for this CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*
. - protection
Level String - The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
- reimport
Eligible Boolean - Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
- state String
- The current state of the CryptoKeyVersion.
- algorithm string
- The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
- attestation
Key
Operation Attestation Response - Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
- create
Time string - The time at which this CryptoKeyVersion was created.
- destroy
Event stringTime - The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
- destroy
Time string - The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
- external
Destruction stringFailure Reason - The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
- external
Protection ExternalLevel Options Protection Level Options Response - ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
- generate
Time string - The time this CryptoKeyVersion's key material was generated.
- generation
Failure stringReason - The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
- import
Failure stringReason - The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
- import
Job string - The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
- import
Time string - The time at which this CryptoKeyVersion's key material was most recently imported.
- name string
- The resource name for this CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*
. - protection
Level string - The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
- reimport
Eligible boolean - Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
- state string
- The current state of the CryptoKeyVersion.
- algorithm str
- The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
- attestation
Key
Operation Attestation Response - Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
- create_
time str - The time at which this CryptoKeyVersion was created.
- destroy_
event_ strtime - The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
- destroy_
time str - The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
- external_
destruction_ strfailure_ reason - The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
- external_
protection_ Externallevel_ options Protection Level Options Response - ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
- generate_
time str - The time this CryptoKeyVersion's key material was generated.
- generation_
failure_ strreason - The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
- import_
failure_ strreason - The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
- import_
job str - The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
- import_
time str - The time at which this CryptoKeyVersion's key material was most recently imported.
- name str
- The resource name for this CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*
. - protection_
level str - The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
- reimport_
eligible bool - Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
- state str
- The current state of the CryptoKeyVersion.
- algorithm String
- The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
- attestation Property Map
- Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protection_level HSM.
- create
Time String - The time at which this CryptoKeyVersion was created.
- destroy
Event StringTime - The time this CryptoKeyVersion's key material was destroyed. Only present if state is DESTROYED.
- destroy
Time String - The time this CryptoKeyVersion's key material is scheduled for destruction. Only present if state is DESTROY_SCHEDULED.
- external
Destruction StringFailure Reason - The root cause of the most recent external destruction failure. Only present if state is EXTERNAL_DESTRUCTION_FAILED.
- external
Protection Property MapLevel Options - ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
- generate
Time String - The time this CryptoKeyVersion's key material was generated.
- generation
Failure StringReason - The root cause of the most recent generation failure. Only present if state is GENERATION_FAILED.
- import
Failure StringReason - The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
- import
Job String - The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
- import
Time String - The time at which this CryptoKeyVersion's key material was most recently imported.
- name String
- The resource name for this CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*
. - protection
Level String - The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
- reimport
Eligible Boolean - Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
- state String
- The current state of the CryptoKeyVersion.
CryptoKeyVersionTemplate, CryptoKeyVersionTemplateArgs
- Algorithm
Pulumi.
Google Native. Cloudkms. V1. Crypto Key Version Template Algorithm - Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
- Protection
Level Pulumi.Google Native. Cloudkms. V1. Crypto Key Version Template Protection Level - ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
- Algorithm
Crypto
Key Version Template Algorithm - Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
- Protection
Level CryptoKey Version Template Protection Level - ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
- algorithm
Crypto
Key Version Template Algorithm - Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
- protection
Level CryptoKey Version Template Protection Level - ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
- algorithm
Crypto
Key Version Template Algorithm - Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
- protection
Level CryptoKey Version Template Protection Level - ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
- algorithm
Crypto
Key Version Template Algorithm - Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
- protection_
level CryptoKey Version Template Protection Level - ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
- algorithm "CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED" | "GOOGLE_SYMMETRIC_ENCRYPTION" | "AES_128_GCM" | "AES_256_GCM" | "AES_128_CBC" | "AES_256_CBC" | "AES_128_CTR" | "AES_256_CTR" | "RSA_SIGN_PSS_2048_SHA256" | "RSA_SIGN_PSS_3072_SHA256" | "RSA_SIGN_PSS_4096_SHA256" | "RSA_SIGN_PSS_4096_SHA512" | "RSA_SIGN_PKCS1_2048_SHA256" | "RSA_SIGN_PKCS1_3072_SHA256" | "RSA_SIGN_PKCS1_4096_SHA256" | "RSA_SIGN_PKCS1_4096_SHA512" | "RSA_SIGN_RAW_PKCS1_2048" | "RSA_SIGN_RAW_PKCS1_3072" | "RSA_SIGN_RAW_PKCS1_4096" | "RSA_DECRYPT_OAEP_2048_SHA256" | "RSA_DECRYPT_OAEP_3072_SHA256" | "RSA_DECRYPT_OAEP_4096_SHA256" | "RSA_DECRYPT_OAEP_4096_SHA512" | "RSA_DECRYPT_OAEP_2048_SHA1" | "RSA_DECRYPT_OAEP_3072_SHA1" | "RSA_DECRYPT_OAEP_4096_SHA1" | "EC_SIGN_P256_SHA256" | "EC_SIGN_P384_SHA384" | "EC_SIGN_SECP256K1_SHA256" | "HMAC_SHA256" | "HMAC_SHA1" | "HMAC_SHA384" | "HMAC_SHA512" | "HMAC_SHA224" | "EXTERNAL_SYMMETRIC_ENCRYPTION"
- Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
- protection
Level "PROTECTION_LEVEL_UNSPECIFIED" | "SOFTWARE" | "HSM" | "EXTERNAL" | "EXTERNAL_VPC" - ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
CryptoKeyVersionTemplateAlgorithm, CryptoKeyVersionTemplateAlgorithmArgs
- Crypto
Key Version Algorithm Unspecified - CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
- Google
Symmetric Encryption - GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
- Aes128Gcm
- AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
- Aes256Gcm
- AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
- Aes128Cbc
- AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
- Aes256Cbc
- AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
- Aes128Ctr
- AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
- Aes256Ctr
- AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
- Rsa
Sign Pss2048Sha256 - RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
- Rsa
Sign Pss3072Sha256 - RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
- Rsa
Sign Pss4096Sha256 - RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
- Rsa
Sign Pss4096Sha512 - RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
- Rsa
Sign Pkcs12048Sha256 - RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
- Rsa
Sign Pkcs13072Sha256 - RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
- Rsa
Sign Pkcs14096Sha256 - RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
- Rsa
Sign Pkcs14096Sha512 - RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
- Rsa
Sign Raw Pkcs12048 - RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
- Rsa
Sign Raw Pkcs13072 - RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
- Rsa
Sign Raw Pkcs14096 - RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
- Rsa
Decrypt Oaep2048Sha256 - RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
- Rsa
Decrypt Oaep3072Sha256 - RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
- Rsa
Decrypt Oaep4096Sha256 - RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
- Rsa
Decrypt Oaep4096Sha512 - RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
- Rsa
Decrypt Oaep2048Sha1 - RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
- Rsa
Decrypt Oaep3072Sha1 - RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
- Rsa
Decrypt Oaep4096Sha1 - RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
- Ec
Sign P256Sha256 - EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- Ec
Sign P384Sha384 - EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- Ec
Sign Secp256k1Sha256 - EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- Hmac
Sha256 - HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
- Hmac
Sha1 - HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
- Hmac
Sha384 - HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
- Hmac
Sha512 - HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
- Hmac
Sha224 - HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
- External
Symmetric Encryption - EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.
- Crypto
Key Version Template Algorithm Crypto Key Version Algorithm Unspecified - CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
- Crypto
Key Version Template Algorithm Google Symmetric Encryption - GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
- Crypto
Key Version Template Algorithm Aes128Gcm - AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
- Crypto
Key Version Template Algorithm Aes256Gcm - AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
- Crypto
Key Version Template Algorithm Aes128Cbc - AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
- Crypto
Key Version Template Algorithm Aes256Cbc - AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
- Crypto
Key Version Template Algorithm Aes128Ctr - AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
- Crypto
Key Version Template Algorithm Aes256Ctr - AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
- Crypto
Key Version Template Algorithm Rsa Sign Pss2048Sha256 - RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
- Crypto
Key Version Template Algorithm Rsa Sign Pss3072Sha256 - RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
- Crypto
Key Version Template Algorithm Rsa Sign Pss4096Sha256 - RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
- Crypto
Key Version Template Algorithm Rsa Sign Pss4096Sha512 - RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
- Crypto
Key Version Template Algorithm Rsa Sign Pkcs12048Sha256 - RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
- Crypto
Key Version Template Algorithm Rsa Sign Pkcs13072Sha256 - RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
- Crypto
Key Version Template Algorithm Rsa Sign Pkcs14096Sha256 - RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
- Crypto
Key Version Template Algorithm Rsa Sign Pkcs14096Sha512 - RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
- Crypto
Key Version Template Algorithm Rsa Sign Raw Pkcs12048 - RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
- Crypto
Key Version Template Algorithm Rsa Sign Raw Pkcs13072 - RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
- Crypto
Key Version Template Algorithm Rsa Sign Raw Pkcs14096 - RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
- Crypto
Key Version Template Algorithm Rsa Decrypt Oaep2048Sha256 - RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
- Crypto
Key Version Template Algorithm Rsa Decrypt Oaep3072Sha256 - RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
- Crypto
Key Version Template Algorithm Rsa Decrypt Oaep4096Sha256 - RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
- Crypto
Key Version Template Algorithm Rsa Decrypt Oaep4096Sha512 - RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
- Crypto
Key Version Template Algorithm Rsa Decrypt Oaep2048Sha1 - RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
- Crypto
Key Version Template Algorithm Rsa Decrypt Oaep3072Sha1 - RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
- Crypto
Key Version Template Algorithm Rsa Decrypt Oaep4096Sha1 - RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
- Crypto
Key Version Template Algorithm Ec Sign P256Sha256 - EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- Crypto
Key Version Template Algorithm Ec Sign P384Sha384 - EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- Crypto
Key Version Template Algorithm Ec Sign Secp256k1Sha256 - EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- Crypto
Key Version Template Algorithm Hmac Sha256 - HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
- Crypto
Key Version Template Algorithm Hmac Sha1 - HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
- Crypto
Key Version Template Algorithm Hmac Sha384 - HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
- Crypto
Key Version Template Algorithm Hmac Sha512 - HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
- Crypto
Key Version Template Algorithm Hmac Sha224 - HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
- Crypto
Key Version Template Algorithm External Symmetric Encryption - EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.
- Crypto
Key Version Algorithm Unspecified - CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
- Google
Symmetric Encryption - GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
- Aes128Gcm
- AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
- Aes256Gcm
- AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
- Aes128Cbc
- AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
- Aes256Cbc
- AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
- Aes128Ctr
- AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
- Aes256Ctr
- AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
- Rsa
Sign Pss2048Sha256 - RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
- Rsa
Sign Pss3072Sha256 - RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
- Rsa
Sign Pss4096Sha256 - RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
- Rsa
Sign Pss4096Sha512 - RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
- Rsa
Sign Pkcs12048Sha256 - RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
- Rsa
Sign Pkcs13072Sha256 - RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
- Rsa
Sign Pkcs14096Sha256 - RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
- Rsa
Sign Pkcs14096Sha512 - RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
- Rsa
Sign Raw Pkcs12048 - RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
- Rsa
Sign Raw Pkcs13072 - RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
- Rsa
Sign Raw Pkcs14096 - RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
- Rsa
Decrypt Oaep2048Sha256 - RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
- Rsa
Decrypt Oaep3072Sha256 - RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
- Rsa
Decrypt Oaep4096Sha256 - RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
- Rsa
Decrypt Oaep4096Sha512 - RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
- Rsa
Decrypt Oaep2048Sha1 - RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
- Rsa
Decrypt Oaep3072Sha1 - RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
- Rsa
Decrypt Oaep4096Sha1 - RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
- Ec
Sign P256Sha256 - EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- Ec
Sign P384Sha384 - EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- Ec
Sign Secp256k1Sha256 - EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- Hmac
Sha256 - HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
- Hmac
Sha1 - HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
- Hmac
Sha384 - HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
- Hmac
Sha512 - HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
- Hmac
Sha224 - HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
- External
Symmetric Encryption - EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.
- Crypto
Key Version Algorithm Unspecified - CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
- Google
Symmetric Encryption - GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
- Aes128Gcm
- AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
- Aes256Gcm
- AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
- Aes128Cbc
- AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
- Aes256Cbc
- AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
- Aes128Ctr
- AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
- Aes256Ctr
- AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
- Rsa
Sign Pss2048Sha256 - RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
- Rsa
Sign Pss3072Sha256 - RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
- Rsa
Sign Pss4096Sha256 - RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
- Rsa
Sign Pss4096Sha512 - RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
- Rsa
Sign Pkcs12048Sha256 - RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
- Rsa
Sign Pkcs13072Sha256 - RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
- Rsa
Sign Pkcs14096Sha256 - RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
- Rsa
Sign Pkcs14096Sha512 - RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
- Rsa
Sign Raw Pkcs12048 - RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
- Rsa
Sign Raw Pkcs13072 - RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
- Rsa
Sign Raw Pkcs14096 - RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
- Rsa
Decrypt Oaep2048Sha256 - RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
- Rsa
Decrypt Oaep3072Sha256 - RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
- Rsa
Decrypt Oaep4096Sha256 - RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
- Rsa
Decrypt Oaep4096Sha512 - RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
- Rsa
Decrypt Oaep2048Sha1 - RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
- Rsa
Decrypt Oaep3072Sha1 - RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
- Rsa
Decrypt Oaep4096Sha1 - RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
- Ec
Sign P256Sha256 - EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- Ec
Sign P384Sha384 - EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- Ec
Sign Secp256k1Sha256 - EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- Hmac
Sha256 - HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
- Hmac
Sha1 - HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
- Hmac
Sha384 - HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
- Hmac
Sha512 - HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
- Hmac
Sha224 - HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
- External
Symmetric Encryption - EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.
- CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED
- CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
- GOOGLE_SYMMETRIC_ENCRYPTION
- GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
- AES128_GCM
- AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
- AES256_GCM
- AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
- AES128_CBC
- AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
- AES256_CBC
- AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
- AES128_CTR
- AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
- AES256_CTR
- AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
- RSA_SIGN_PSS2048_SHA256
- RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
- RSA_SIGN_PSS3072_SHA256
- RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
- RSA_SIGN_PSS4096_SHA256
- RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
- RSA_SIGN_PSS4096_SHA512
- RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
- RSA_SIGN_PKCS12048_SHA256
- RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
- RSA_SIGN_PKCS13072_SHA256
- RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
- RSA_SIGN_PKCS14096_SHA256
- RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
- RSA_SIGN_PKCS14096_SHA512
- RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
- RSA_SIGN_RAW_PKCS12048
- RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
- RSA_SIGN_RAW_PKCS13072
- RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
- RSA_SIGN_RAW_PKCS14096
- RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
- RSA_DECRYPT_OAEP2048_SHA256
- RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
- RSA_DECRYPT_OAEP3072_SHA256
- RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
- RSA_DECRYPT_OAEP4096_SHA256
- RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
- RSA_DECRYPT_OAEP4096_SHA512
- RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
- RSA_DECRYPT_OAEP2048_SHA1
- RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
- RSA_DECRYPT_OAEP3072_SHA1
- RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
- RSA_DECRYPT_OAEP4096_SHA1
- RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
- EC_SIGN_P256_SHA256
- EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- EC_SIGN_P384_SHA384
- EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- EC_SIGN_SECP256K1_SHA256
- EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- HMAC_SHA256
- HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
- HMAC_SHA1
- HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
- HMAC_SHA384
- HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
- HMAC_SHA512
- HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
- HMAC_SHA224
- HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
- EXTERNAL_SYMMETRIC_ENCRYPTION
- EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.
- "CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED"
- CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIEDNot specified.
- "GOOGLE_SYMMETRIC_ENCRYPTION"
- GOOGLE_SYMMETRIC_ENCRYPTIONCreates symmetric encryption keys.
- "AES_128_GCM"
- AES_128_GCMAES-GCM (Galois Counter Mode) using 128-bit keys.
- "AES_256_GCM"
- AES_256_GCMAES-GCM (Galois Counter Mode) using 256-bit keys.
- "AES_128_CBC"
- AES_128_CBCAES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
- "AES_256_CBC"
- AES_256_CBCAES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
- "AES_128_CTR"
- AES_128_CTRAES-CTR (Counter Mode) using 128-bit keys.
- "AES_256_CTR"
- AES_256_CTRAES-CTR (Counter Mode) using 256-bit keys.
- "RSA_SIGN_PSS_2048_SHA256"
- RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
- "RSA_SIGN_PSS_3072_SHA256"
- RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
- "RSA_SIGN_PSS_4096_SHA256"
- RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
- "RSA_SIGN_PSS_4096_SHA512"
- RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
- "RSA_SIGN_PKCS1_2048_SHA256"
- RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
- "RSA_SIGN_PKCS1_3072_SHA256"
- RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
- "RSA_SIGN_PKCS1_4096_SHA256"
- RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
- "RSA_SIGN_PKCS1_4096_SHA512"
- RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
- "RSA_SIGN_RAW_PKCS1_2048"
- RSA_SIGN_RAW_PKCS1_2048RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
- "RSA_SIGN_RAW_PKCS1_3072"
- RSA_SIGN_RAW_PKCS1_3072RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
- "RSA_SIGN_RAW_PKCS1_4096"
- RSA_SIGN_RAW_PKCS1_4096RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
- "RSA_DECRYPT_OAEP_2048_SHA256"
- RSA_DECRYPT_OAEP_2048_SHA256RSAES-OAEP 2048 bit key with a SHA256 digest.
- "RSA_DECRYPT_OAEP_3072_SHA256"
- RSA_DECRYPT_OAEP_3072_SHA256RSAES-OAEP 3072 bit key with a SHA256 digest.
- "RSA_DECRYPT_OAEP_4096_SHA256"
- RSA_DECRYPT_OAEP_4096_SHA256RSAES-OAEP 4096 bit key with a SHA256 digest.
- "RSA_DECRYPT_OAEP_4096_SHA512"
- RSA_DECRYPT_OAEP_4096_SHA512RSAES-OAEP 4096 bit key with a SHA512 digest.
- "RSA_DECRYPT_OAEP_2048_SHA1"
- RSA_DECRYPT_OAEP_2048_SHA1RSAES-OAEP 2048 bit key with a SHA1 digest.
- "RSA_DECRYPT_OAEP_3072_SHA1"
- RSA_DECRYPT_OAEP_3072_SHA1RSAES-OAEP 3072 bit key with a SHA1 digest.
- "RSA_DECRYPT_OAEP_4096_SHA1"
- RSA_DECRYPT_OAEP_4096_SHA1RSAES-OAEP 4096 bit key with a SHA1 digest.
- "EC_SIGN_P256_SHA256"
- EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- "EC_SIGN_P384_SHA384"
- EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- "EC_SIGN_SECP256K1_SHA256"
- EC_SIGN_SECP256K1_SHA256ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used: https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
- "HMAC_SHA256"
- HMAC_SHA256HMAC-SHA256 signing with a 256 bit key.
- "HMAC_SHA1"
- HMAC_SHA1HMAC-SHA1 signing with a 160 bit key.
- "HMAC_SHA384"
- HMAC_SHA384HMAC-SHA384 signing with a 384 bit key.
- "HMAC_SHA512"
- HMAC_SHA512HMAC-SHA512 signing with a 512 bit key.
- "HMAC_SHA224"
- HMAC_SHA224HMAC-SHA224 signing with a 224 bit key.
- "EXTERNAL_SYMMETRIC_ENCRYPTION"
- EXTERNAL_SYMMETRIC_ENCRYPTIONAlgorithm representing symmetric encryption by an external key manager.
CryptoKeyVersionTemplateProtectionLevel, CryptoKeyVersionTemplateProtectionLevelArgs
- Protection
Level Unspecified - PROTECTION_LEVEL_UNSPECIFIEDNot specified.
- Software
- SOFTWARECrypto operations are performed in software.
- Hsm
- HSMCrypto operations are performed in a Hardware Security Module.
- External
- EXTERNALCrypto operations are performed by an external key manager.
- External
Vpc - EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.
- Crypto
Key Version Template Protection Level Protection Level Unspecified - PROTECTION_LEVEL_UNSPECIFIEDNot specified.
- Crypto
Key Version Template Protection Level Software - SOFTWARECrypto operations are performed in software.
- Crypto
Key Version Template Protection Level Hsm - HSMCrypto operations are performed in a Hardware Security Module.
- Crypto
Key Version Template Protection Level External - EXTERNALCrypto operations are performed by an external key manager.
- Crypto
Key Version Template Protection Level External Vpc - EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.
- Protection
Level Unspecified - PROTECTION_LEVEL_UNSPECIFIEDNot specified.
- Software
- SOFTWARECrypto operations are performed in software.
- Hsm
- HSMCrypto operations are performed in a Hardware Security Module.
- External
- EXTERNALCrypto operations are performed by an external key manager.
- External
Vpc - EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.
- Protection
Level Unspecified - PROTECTION_LEVEL_UNSPECIFIEDNot specified.
- Software
- SOFTWARECrypto operations are performed in software.
- Hsm
- HSMCrypto operations are performed in a Hardware Security Module.
- External
- EXTERNALCrypto operations are performed by an external key manager.
- External
Vpc - EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.
- PROTECTION_LEVEL_UNSPECIFIED
- PROTECTION_LEVEL_UNSPECIFIEDNot specified.
- SOFTWARE
- SOFTWARECrypto operations are performed in software.
- HSM
- HSMCrypto operations are performed in a Hardware Security Module.
- EXTERNAL
- EXTERNALCrypto operations are performed by an external key manager.
- EXTERNAL_VPC
- EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.
- "PROTECTION_LEVEL_UNSPECIFIED"
- PROTECTION_LEVEL_UNSPECIFIEDNot specified.
- "SOFTWARE"
- SOFTWARECrypto operations are performed in software.
- "HSM"
- HSMCrypto operations are performed in a Hardware Security Module.
- "EXTERNAL"
- EXTERNALCrypto operations are performed by an external key manager.
- "EXTERNAL_VPC"
- EXTERNAL_VPCCrypto operations are performed in an EKM-over-VPC backend.
CryptoKeyVersionTemplateResponse, CryptoKeyVersionTemplateResponseArgs
- Algorithm string
- Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
- Protection
Level string - ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
- Algorithm string
- Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
- Protection
Level string - ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
- algorithm String
- Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
- protection
Level String - ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
- algorithm string
- Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
- protection
Level string - ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
- algorithm str
- Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
- protection_
level str - ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
- algorithm String
- Algorithm to use when creating a CryptoKeyVersion based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
- protection
Level String - ProtectionLevel to use when creating a CryptoKeyVersion based on this template. Immutable. Defaults to SOFTWARE.
ExternalProtectionLevelOptionsResponse, ExternalProtectionLevelOptionsResponseArgs
- Ekm
Connection stringKey Path - The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
- External
Key stringUri - The URI for an external resource that this CryptoKeyVersion represents.
- Ekm
Connection stringKey Path - The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
- External
Key stringUri - The URI for an external resource that this CryptoKeyVersion represents.
- ekm
Connection StringKey Path - The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
- external
Key StringUri - The URI for an external resource that this CryptoKeyVersion represents.
- ekm
Connection stringKey Path - The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
- external
Key stringUri - The URI for an external resource that this CryptoKeyVersion represents.
- ekm_
connection_ strkey_ path - The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
- external_
key_ struri - The URI for an external resource that this CryptoKeyVersion represents.
- ekm
Connection StringKey Path - The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of external_key_uri when using an EkmConnection.
- external
Key StringUri - The URI for an external resource that this CryptoKeyVersion represents.
KeyOperationAttestationResponse, KeyOperationAttestationResponseArgs
- Cert
Chains Pulumi.Google Native. Cloudkms. V1. Inputs. Certificate Chains Response - The certificate chains needed to validate the attestation
- Content string
- The attestation data provided by the HSM when the key operation was performed.
- Format string
- The format of the attestation data.
- Cert
Chains CertificateChains Response - The certificate chains needed to validate the attestation
- Content string
- The attestation data provided by the HSM when the key operation was performed.
- Format string
- The format of the attestation data.
- cert
Chains CertificateChains Response - The certificate chains needed to validate the attestation
- content String
- The attestation data provided by the HSM when the key operation was performed.
- format String
- The format of the attestation data.
- cert
Chains CertificateChains Response - The certificate chains needed to validate the attestation
- content string
- The attestation data provided by the HSM when the key operation was performed.
- format string
- The format of the attestation data.
- cert_
chains CertificateChains Response - The certificate chains needed to validate the attestation
- content str
- The attestation data provided by the HSM when the key operation was performed.
- format str
- The format of the attestation data.
- cert
Chains Property Map - The certificate chains needed to validate the attestation
- content String
- The attestation data provided by the HSM when the key operation was performed.
- format String
- The format of the attestation data.
Package Details
- Repository
- Google Cloud Native pulumi/pulumi-google-native
- License
- Apache-2.0
Google Cloud Native is in preview. Google Cloud Classic is fully supported.