// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.kms.v1;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";
import "google/protobuf/wrappers.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Kms.V1";
option go_package = "cloud.google.com/go/kms/apiv1/kmspb;kmspb";
option java_multiple_files = true;
option java_outer_classname = "KmsResourcesProto";
option java_package = "com.google.cloud.kms.v1";
option php_namespace = "Google\\Cloud\\Kms\\V1";

// A [KeyRing][google.cloud.kms.v1.KeyRing] is a top-level logical grouping of
// [CryptoKeys][google.cloud.kms.v1.CryptoKey].
//
// Both fields are output only: a KeyRing carries no user-settable state of its
// own beyond the location encoded in its resource name.
message KeyRing {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/KeyRing"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}"
  };

  // Output only. The resource name for the
  // [KeyRing][google.cloud.kms.v1.KeyRing] in the format
  // `projects/*/locations/*/keyRings/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing]
  // was created.
  google.protobuf.Timestamp create_time = 2
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that
// can be used for cryptographic operations.
//
// A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more
// [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual
// key material used in cryptographic operations.
message CryptoKey {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/CryptoKey"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}"
  };

  // [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose]
  // describes the cryptographic capabilities of a
  // [CryptoKey][google.cloud.kms.v1.CryptoKey]. A given key can only be used
  // for the operations allowed by its purpose. For more information, see [Key
  // purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes).
  //
  // NOTE(review): values 2-4, 7 and 8 are not assigned here and are not
  // declared `reserved`; if they were ever used by an earlier revision, a
  // `reserved` statement would block accidental reuse — confirm against the
  // API history.
  enum CryptoKeyPurpose {
    // Not specified.
    CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used
    // with [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] and
    // [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
    ENCRYPT_DECRYPT = 1;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used
    // with
    // [AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign]
    // and
    // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
    ASYMMETRIC_SIGN = 5;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used
    // with
    // [AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt]
    // and
    // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
    ASYMMETRIC_DECRYPT = 6;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used
    // with [MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].
    MAC = 9;
  }

  // Output only. The resource name for this
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A copy of the "primary"
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used
  // by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] is given in
  // [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name].
  //
  // The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary version can be
  // updated via
  // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
  //
  // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
  // may have a primary. For other keys, this field will be omitted.
  CryptoKeyVersion primary = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Immutable. The immutable purpose of this
  // [CryptoKey][google.cloud.kms.v1.CryptoKey]. Because it cannot be changed
  // after creation, a key cannot be repurposed (for example from signing to
  // decryption); create a new key instead.
  CryptoKeyPurpose purpose = 3 [(google.api.field_behavior) = IMMUTABLE];

  // Output only. The time at which this
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] was created.
  google.protobuf.Timestamp create_time = 5
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time],
  // the Key Management Service will automatically:
  //
  // 1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
  // 2. Mark the new version as primary.
  //
  // NOTE(review): the two steps above are all that automatic rotation is
  // documented to do; retiring (disabling or destroying) earlier versions is a
  // separate action — confirm against the service documentation.
  //
  // Key rotations performed manually via
  // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
  // and
  // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]
  // do not affect
  // [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time].
  //
  // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
  // support automatic rotation. For other keys, this field must be omitted.
  google.protobuf.Timestamp next_rotation_time = 7;

  // Controls the rate of automatic rotation.
  oneof rotation_schedule {
    // [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]
    // will be advanced by this period when the service automatically rotates a
    // key. Must be at least 24 hours and at most 876,000 hours.
    //
    // If [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period] is
    // set,
    // [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]
    // must also be set.
    //
    // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
    // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
    // support automatic rotation. For other keys, this field must be omitted.
    google.protobuf.Duration rotation_period = 8;
  }

  // A template describing settings for new
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances. The
  // properties of new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // instances created by either
  // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
  // or auto-rotation are controlled by this template.
  CryptoKeyVersionTemplate version_template = 11;

  // Labels with user-defined metadata. For more information, see
  // [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
  map<string, string> labels = 10;

  // Immutable. Whether this key may contain imported versions only.
  bool import_only = 13 [(google.api.field_behavior) = IMMUTABLE];

  // Immutable. The period of time that versions of this key spend in the
  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
  // state before transitioning to
  // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
  // If not specified at creation time, the default duration is 24 hours.
  //
  // This is also the window in which a scheduled destruction can still be
  // undone with
  // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion];
  // it is immutable, so choose it deliberately at key creation.
  google.protobuf.Duration destroy_scheduled_duration = 14
      [(google.api.field_behavior) = IMMUTABLE];

  // Immutable. The resource name of the backend environment where the key
  // material for all [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
  // associated with this [CryptoKey][google.cloud.kms.v1.CryptoKey] resides
  // and where all related cryptographic operations are performed. Only
  // applicable if [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
  // have a [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of
  // [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC], with the
  // resource name in the format `projects/*/locations/*/ekmConnections/*`.
  // Note, this list is non-exhaustive and may apply to additional
  // [ProtectionLevels][google.cloud.kms.v1.ProtectionLevel] in the future.
  string crypto_key_backend = 15 [
    (google.api.field_behavior) = IMMUTABLE,
    (google.api.resource_reference) = { type: "*" }
  ];
}

// A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate]
// specifies the properties to use when creating a new
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either manually
// with
// [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
// or automatically as a result of auto-rotation.
message CryptoKeyVersionTemplate {
  // [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when creating
  // a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this
  // template. Immutable. Defaults to
  // [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
  //
  // NOTE(review): the default is the lowest protection level; callers that
  // need HSM-backed key material must set this explicitly.
  ProtectionLevel protection_level = 1;

  // Required.
  // [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  // to use when creating a
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this
  // template.
  //
  // For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
  // this field is omitted and
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 3
      [(google.api.field_behavior) = REQUIRED];
}

// Contains an HSM-generated attestation about a key operation. For more
// information, see [Verifying attestations]
// (https://cloud.google.com/kms/docs/attest-key).
message KeyOperationAttestation {
  // Attestation formats provided by the HSM.
  //
  // NOTE(review): values 1 and 2 are unassigned and not declared `reserved`;
  // if they belonged to retired formats, reserving them would prevent reuse —
  // confirm against the API history.
  enum AttestationFormat {
    // Not specified.
    ATTESTATION_FORMAT_UNSPECIFIED = 0;

    // Cavium HSM attestation compressed with gzip. Note that this format is
    // defined by Cavium and subject to change at any time.
    //
    // See
    // https://www.marvell.com/products/security-solutions/nitrox-hs-adapters/software-key-attestation.html.
    CAVIUM_V1_COMPRESSED = 3;

    // Cavium HSM attestation V2 compressed with gzip. This is a new format
    // introduced in Cavium's version 3.2-08.
    CAVIUM_V2_COMPRESSED = 4;
  }

  // Certificate chains needed to verify the attestation.
  // Certificates in chains are PEM-encoded and are ordered based on
  // https://tools.ietf.org/html/rfc5246#section-7.4.2.
  message CertificateChains {
    // Cavium certificate chain corresponding to the attestation.
    repeated string cavium_certs = 1;

    // Google card certificate chain corresponding to the attestation.
    repeated string google_card_certs = 2;

    // Google partition certificate chain corresponding to the attestation.
    repeated string google_partition_certs = 3;
  }

  // Output only. The format of the attestation data.
  AttestationFormat format = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The attestation data provided by the HSM when the key
  // operation was performed.
  //
  // This is an opaque, vendor-defined blob (see
  // [format][google.cloud.kms.v1.KeyOperationAttestation.format]); it proves
  // nothing on its own and should be verified against
  // [cert_chains][google.cloud.kms.v1.KeyOperationAttestation.cert_chains]
  // before any attested attribute is relied upon. Both defined formats are
  // gzip-compressed, so consumers should bound the decompressed size when
  // inflating.
  bytes content = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The certificate chains needed to validate the attestation.
  CertificateChains cert_chains = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an
// individual cryptographic key, and the associated key material.
//
// An
// [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
// version can be used for cryptographic operations.
//
// For security reasons, the raw cryptographic key material represented by a
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed
// or exported. It can only be used to encrypt, decrypt, or sign data when an
// authorized user or application invokes Cloud KMS.
message CryptoKeyVersion {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/CryptoKeyVersion"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}"
  };

  // The algorithm of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating what
  // parameters must be used for each cryptographic operation.
  //
  // The
  // [GOOGLE_SYMMETRIC_ENCRYPTION][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION]
  // algorithm is usable with
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  //
  // Algorithms beginning with "RSA_SIGN_" are usable with
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].
  //
  // The fields in the name after "RSA_SIGN_" correspond to the following
  // parameters: padding algorithm, modulus bit length, and digest algorithm.
  //
  // For PSS, the salt length used is equal to the length of digest
  // algorithm. For example,
  // [RSA_SIGN_PSS_2048_SHA256][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256]
  // will use PSS with a salt length of 256 bits or 32 bytes.
  //
  // Algorithms beginning with "RSA_DECRYPT_" are usable with
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
  //
  // The fields in the name after "RSA_DECRYPT_" correspond to the following
  // parameters: padding algorithm, modulus bit length, and digest algorithm.
  //
  // Algorithms beginning with "EC_SIGN_" are usable with
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].
  //
  // The fields in the name after "EC_SIGN_" correspond to the following
  // parameters: elliptic curve, digest algorithm.
  //
  // Algorithms beginning with "HMAC_" are usable with
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [MAC][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.MAC].
  //
  // The suffix following "HMAC_" corresponds to the hash algorithm being used
  // (e.g. SHA256).
  //
  // For more information, see [Key purposes and algorithms]
  // (https://cloud.google.com/kms/docs/algorithms).
  //
  // NOTE(review): the numeric values are not contiguous (11, 14 and 19-27 are
  // unassigned) and no `reserved` statement is present; if any of those
  // numbers were previously used, reserving them would block accidental
  // reuse — confirm against the API history. Receivers should also tolerate
  // values not listed here, since new algorithms may be added.
  enum CryptoKeyVersionAlgorithm {
    // Not specified.
    CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0;

    // Creates symmetric encryption keys.
    GOOGLE_SYMMETRIC_ENCRYPTION = 1;

    // RSASSA-PSS 2048 bit key with a SHA256 digest.
    RSA_SIGN_PSS_2048_SHA256 = 2;

    // RSASSA-PSS 3072 bit key with a SHA256 digest.
    RSA_SIGN_PSS_3072_SHA256 = 3;

    // RSASSA-PSS 4096 bit key with a SHA256 digest.
    RSA_SIGN_PSS_4096_SHA256 = 4;

    // RSASSA-PSS 4096 bit key with a SHA512 digest.
    RSA_SIGN_PSS_4096_SHA512 = 15;

    // RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    RSA_SIGN_PKCS1_2048_SHA256 = 5;

    // RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    RSA_SIGN_PKCS1_3072_SHA256 = 6;

    // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    RSA_SIGN_PKCS1_4096_SHA256 = 7;

    // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    RSA_SIGN_PKCS1_4096_SHA512 = 16;

    // RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
    //
    // NOTE(review): "without encoding" means the digest-encoding step is not
    // performed by the service for the RSA_SIGN_RAW_PKCS1_* algorithms —
    // presumably the caller supplies an already-encoded input, which makes the
    // binding between the signature and a specific hash the caller's
    // responsibility. Confirm against the API documentation before use.
    RSA_SIGN_RAW_PKCS1_2048 = 28;

    // RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
    RSA_SIGN_RAW_PKCS1_3072 = 29;

    // RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
    RSA_SIGN_RAW_PKCS1_4096 = 30;

    // RSAES-OAEP 2048 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP_2048_SHA256 = 8;

    // RSAES-OAEP 3072 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP_3072_SHA256 = 9;

    // RSAES-OAEP 4096 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP_4096_SHA256 = 10;

    // RSAES-OAEP 4096 bit key with a SHA512 digest.
    RSA_DECRYPT_OAEP_4096_SHA512 = 17;

    // RSAES-OAEP 2048 bit key with a SHA1 digest.
    //
    // NOTE(review): the *_SHA1 variants below use a SHA-1 digest; prefer a
    // SHA256-or-stronger variant for new keys unless an existing peer requires
    // SHA-1.
    RSA_DECRYPT_OAEP_2048_SHA1 = 37;

    // RSAES-OAEP 3072 bit key with a SHA1 digest.
    RSA_DECRYPT_OAEP_3072_SHA1 = 38;

    // RSAES-OAEP 4096 bit key with a SHA1 digest.
    RSA_DECRYPT_OAEP_4096_SHA1 = 39;

    // ECDSA on the NIST P-256 curve with a SHA256 digest.
    // Other hash functions can also be used:
    // https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    EC_SIGN_P256_SHA256 = 12;

    // ECDSA on the NIST P-384 curve with a SHA384 digest.
    // Other hash functions can also be used:
    // https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    EC_SIGN_P384_SHA384 = 13;

    // ECDSA on the non-NIST secp256k1 curve. This curve is only supported for
    // HSM protection level.
    // Other hash functions can also be used:
    // https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    EC_SIGN_SECP256K1_SHA256 = 31;

    // HMAC-SHA256 signing with a 256 bit key.
    HMAC_SHA256 = 32;

    // HMAC-SHA1 signing with a 160 bit key.
    //
    // NOTE(review): retained for interoperability; prefer one of the
    // HMAC_SHA256/384/512 variants for new keys.
    HMAC_SHA1 = 33;

    // HMAC-SHA384 signing with a 384 bit key.
    HMAC_SHA384 = 34;

    // HMAC-SHA512 signing with a 512 bit key.
    HMAC_SHA512 = 35;

    // HMAC-SHA224 signing with a 224 bit key.
    HMAC_SHA224 = 36;

    // Algorithm representing symmetric encryption by an external key manager.
    EXTERNAL_SYMMETRIC_ENCRYPTION = 18;
  }

  // The state of a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion],
  // indicating if it can be used.
  //
  // Only
  // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
  // permits cryptographic operations; every other state is either transient
  // (PENDING_*), a failure, or a stage of destruction.
  enum CryptoKeyVersionState {
    // Not specified.
    CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0;

    // This version is still being generated. It may not be used, enabled,
    // disabled, or destroyed yet. Cloud KMS will automatically mark this
    // version
    // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
    // as soon as the version is ready.
    PENDING_GENERATION = 5;

    // This version may be used for cryptographic operations.
    ENABLED = 1;

    // This version may not be used, but the key material is still available,
    // and the version can be placed back into the
    // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
    // state.
    DISABLED = 2;

    // This version is destroyed, and the key material is no longer stored.
    // This version may only become
    // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
    // again if this version is
    // [reimport_eligible][google.cloud.kms.v1.CryptoKeyVersion.reimport_eligible]
    // and the original key material is reimported with a call to
    // [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
    DESTROYED = 3;

    // This version is scheduled for destruction, and will be destroyed soon.
    // Call
    // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
    // to put it back into the
    // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED]
    // state. The length of this window is set by
    // [CryptoKey.destroy_scheduled_duration][google.cloud.kms.v1.CryptoKey.destroy_scheduled_duration].
    DESTROY_SCHEDULED = 4;

    // This version is still being imported. It may not be used, enabled,
    // disabled, or destroyed yet. Cloud KMS will automatically mark this
    // version
    // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
    // as soon as the version is ready.
    PENDING_IMPORT = 6;

    // This version was not imported successfully. It may not be used, enabled,
    // disabled, or destroyed. The submitted key material has been discarded.
    // Additional details can be found in
    // [CryptoKeyVersion.import_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.import_failure_reason].
    IMPORT_FAILED = 7;

    // This version was not generated successfully. It may not be used, enabled,
    // disabled, or destroyed. Additional details can be found in
    // [CryptoKeyVersion.generation_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.generation_failure_reason].
    GENERATION_FAILED = 8;

    // This version was destroyed, and it may not be used or enabled again.
    // Cloud KMS is waiting for the corresponding key material residing in an
    // external key manager to be destroyed.
    PENDING_EXTERNAL_DESTRUCTION = 9;

    // This version was destroyed, and it may not be used or enabled again.
    // However, Cloud KMS could not confirm that the corresponding key material
    // residing in an external key manager was destroyed. Additional details can
    // be found in
    // [CryptoKeyVersion.external_destruction_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.external_destruction_failure_reason].
    //
    // NOTE(review): in this state the external copy of the key material may
    // still exist; operators should follow up with the external key manager
    // rather than treat the version as fully destroyed.
    EXTERNAL_DESTRUCTION_FAILED = 10;
  }

  // A view for [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]s.
  // Controls the level of detail returned for
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] in
  // [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions]
  // and
  // [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
  enum CryptoKeyVersionView {
    // Default view for each
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Does not
    // include the
    // [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation] field.
    CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0;

    // Provides all fields in each
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], including the
    // [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation].
    FULL = 1;
  }

  // Output only. The resource name for this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The current state of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  //
  // Unlike most fields on this message, this one carries no field_behavior
  // annotation; it is the field a client changes to move a version between
  // states — which transitions are accepted is governed by the service, not
  // by this schema.
  CryptoKeyVersionState state = 3;

  // Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel]
  // describing how crypto operations are performed with this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  ProtectionLevel protection_level = 7
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The
  // [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  // that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // supports.
  CryptoKeyVersionAlgorithm algorithm = 10
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Statement that was generated and signed by the HSM at key
  // creation time. Use this statement to verify attributes of the key as stored
  // on the HSM, independently of Google. Only provided for key versions with
  // [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level]
  // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
  //
  // Omitted unless the request uses
  // [CryptoKeyVersionView.FULL][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionView.FULL].
  KeyOperationAttestation attestation = 8
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created.
  google.protobuf.Timestamp create_time = 4
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was
  // generated.
  google.protobuf.Timestamp generate_time = 11
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material is
  // scheduled for destruction. Only present if
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED].
  google.protobuf.Timestamp destroy_time = 5
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this CryptoKeyVersion's key material was
  // destroyed. Only present if
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
  google.protobuf.Timestamp destroy_event_time = 6
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The name of the [ImportJob][google.cloud.kms.v1.ImportJob]
  // used in the most recent import of this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only present if
  // the underlying key material was imported.
  string import_job = 14 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was
  // most recently imported.
  google.protobuf.Timestamp import_time = 15
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The root cause of the most recent import failure. Only present
  // if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED].
  string import_failure_reason = 16 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The root cause of the most recent generation failure. Only
  // present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [GENERATION_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.GENERATION_FAILED].
  string generation_failure_reason = 19
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The root cause of the most recent external destruction
  // failure. Only present if
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [EXTERNAL_DESTRUCTION_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.EXTERNAL_DESTRUCTION_FAILED].
  string external_destruction_failure_reason = 20
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // ExternalProtectionLevelOptions stores a group of additional fields for
  // configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that
  // are specific to the
  // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level
  // and [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC]
  // protection levels.
  ExternalProtectionLevelOptions external_protection_level_options = 17;

  // Output only. Whether or not this key version is eligible for reimport, by
  // being specified as a target in
  // [ImportCryptoKeyVersionRequest.crypto_key_version][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.crypto_key_version].
  bool reimport_eligible = 18 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// The public key for a given
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via
// [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
message PublicKey {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/PublicKey"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}/publicKey"
  };

  // The public key, encoded in PEM format. For more information, see the
  // [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for
  // [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
  // [Textual Encoding of Subject Public Key Info]
  // (https://tools.ietf.org/html/rfc7468#section-13).
  string pem = 1;

  // The
  // [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  // associated with this key.
  CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2;

  // Integrity verification field. A CRC32C checksum of the returned
  // [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem]. An integrity check of
  // [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] can be performed by
  // computing the CRC32C checksum of
  // [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] and comparing your
  // results to this field. Discard the response in case of non-matching
  // checksum values, and perform a limited number of retries. A persistent
  // mismatch may indicate an issue in your computation of the CRC32C checksum.
  // Note: This field is defined as int64 for reasons of compatibility across
  // different languages. However, it is a non-negative integer, which will
  // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
  // that support this type.
  //
  // NOTE(review): a CRC32C detects accidental corruption in transit; it is not
  // a cryptographic authenticity check on `pem`. Callers should also compare
  // [name][google.cloud.kms.v1.PublicKey.name] and
  // [algorithm][google.cloud.kms.v1.PublicKey.algorithm] against the version
  // they requested. The wrapper type is kept for field presence; changing it
  // to `optional int64` would alter the wire type, so it must stay as is.
  //
  // NOTE: This field is in Beta.
  google.protobuf.Int64Value pem_crc32c = 3;

  // The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key.
  // Provided here for verification.
  //
  // NOTE: This field is in Beta.
  string name = 4;

  // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key.
  ProtectionLevel protection_level = 5;
}

// An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create
// [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
// [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing
// key material, generated outside of Cloud KMS.
//
// When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will
// generate a "wrapping key", which is a public/private key pair. You use the
// wrapping key to encrypt (also known as wrap) the pre-existing key material to
// protect it during the import process. The nature of the wrapping key depends
// on the choice of
// [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the
// wrapping key generation is complete, the
// [state][google.cloud.kms.v1.ImportJob.state] will be set to
// [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the
// [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The
// fetched public key can then be used to wrap your pre-existing key material.
685// 686// Once the key material is wrapped, it can be imported into a new 687// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing 688// [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling 689// [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. 690// Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be 691// imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS 692// uses the private key portion of the wrapping key to unwrap the key material. 693// Only Cloud KMS has access to the private key. 694// 695// An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is 696// created. Once expired, Cloud KMS will no longer be able to import or unwrap 697// any key material that was wrapped with the 698// [ImportJob][google.cloud.kms.v1.ImportJob]'s public key. 699// 700// For more information, see 701// [Importing a key](https://cloud.google.com/kms/docs/importing-a-key). 702message ImportJob { 703 option (google.api.resource) = { 704 type: "cloudkms.googleapis.com/ImportJob" 705 pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}" 706 }; 707 708 // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] describes the 709 // key wrapping method chosen for this 710 // [ImportJob][google.cloud.kms.v1.ImportJob]. 711 enum ImportMethod { 712 // Not specified. 713 IMPORT_METHOD_UNSPECIFIED = 0; 714 715 // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping 716 // scheme defined in the PKCS #11 standard. In summary, this involves 717 // wrapping the raw key with an ephemeral AES key, and wrapping the 718 // ephemeral AES key with a 3072 bit RSA key. For more details, see 719 // [RSA AES key wrap 720 // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908). 
721 RSA_OAEP_3072_SHA1_AES_256 = 1; 722 723 // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping 724 // scheme defined in the PKCS #11 standard. In summary, this involves 725 // wrapping the raw key with an ephemeral AES key, and wrapping the 726 // ephemeral AES key with a 4096 bit RSA key. For more details, see 727 // [RSA AES key wrap 728 // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908). 729 RSA_OAEP_4096_SHA1_AES_256 = 2; 730 731 // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping 732 // scheme defined in the PKCS #11 standard. In summary, this involves 733 // wrapping the raw key with an ephemeral AES key, and wrapping the 734 // ephemeral AES key with a 3072 bit RSA key. For more details, see 735 // [RSA AES key wrap 736 // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908). 737 RSA_OAEP_3072_SHA256_AES_256 = 3; 738 739 // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping 740 // scheme defined in the PKCS #11 standard. In summary, this involves 741 // wrapping the raw key with an ephemeral AES key, and wrapping the 742 // ephemeral AES key with a 4096 bit RSA key. For more details, see 743 // [RSA AES key wrap 744 // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908). 745 RSA_OAEP_4096_SHA256_AES_256 = 4; 746 747 // This ImportMethod represents RSAES-OAEP with a 3072 bit RSA key. The 748 // key material to be imported is wrapped directly with the RSA key. Due 749 // to technical limitations of RSA wrapping, this method cannot be used to 750 // wrap RSA keys for import. 751 RSA_OAEP_3072_SHA256 = 5; 752 753 // This ImportMethod represents RSAES-OAEP with a 4096 bit RSA key. The 754 // key material to be imported is wrapped directly with the RSA key. 
Due 755 // to technical limitations of RSA wrapping, this method cannot be used to 756 // wrap RSA keys for import. 757 RSA_OAEP_4096_SHA256 = 6; 758 } 759 760 // The state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if 761 // it can be used. 762 enum ImportJobState { 763 // Not specified. 764 IMPORT_JOB_STATE_UNSPECIFIED = 0; 765 766 // The wrapping key for this job is still being generated. It may not be 767 // used. Cloud KMS will automatically mark this job as 768 // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] as soon as 769 // the wrapping key is generated. 770 PENDING_GENERATION = 1; 771 772 // This job may be used in 773 // [CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey] 774 // and 775 // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] 776 // requests. 777 ACTIVE = 2; 778 779 // This job can no longer be used and may not leave this state once entered. 780 EXPIRED = 3; 781 } 782 783 // The public key component of the wrapping key. For details of the type of 784 // key this public key corresponds to, see the 785 // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod]. 786 message WrappingPublicKey { 787 // The public key, encoded in PEM format. For more information, see the [RFC 788 // 7468](https://tools.ietf.org/html/rfc7468) sections for [General 789 // Considerations](https://tools.ietf.org/html/rfc7468#section-2) and 790 // [Textual Encoding of Subject Public Key Info] 791 // (https://tools.ietf.org/html/rfc7468#section-13). 792 string pem = 1; 793 } 794 795 // Output only. The resource name for this 796 // [ImportJob][google.cloud.kms.v1.ImportJob] in the format 797 // `projects/*/locations/*/keyRings/*/importJobs/*`. 798 string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; 799 800 // Required. Immutable. The wrapping method to be used for incoming key 801 // material. 
802 ImportMethod import_method = 2 [ 803 (google.api.field_behavior) = REQUIRED, 804 (google.api.field_behavior) = IMMUTABLE 805 ]; 806 807 // Required. Immutable. The protection level of the 808 // [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the 809 // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] 810 // of the [version_template][google.cloud.kms.v1.CryptoKey.version_template] 811 // on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you attempt to import 812 // into. 813 ProtectionLevel protection_level = 9 [ 814 (google.api.field_behavior) = REQUIRED, 815 (google.api.field_behavior) = IMMUTABLE 816 ]; 817 818 // Output only. The time at which this 819 // [ImportJob][google.cloud.kms.v1.ImportJob] was created. 820 google.protobuf.Timestamp create_time = 3 821 [(google.api.field_behavior) = OUTPUT_ONLY]; 822 823 // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]'s key 824 // material was generated. 825 google.protobuf.Timestamp generate_time = 4 826 [(google.api.field_behavior) = OUTPUT_ONLY]; 827 828 // Output only. The time at which this 829 // [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for expiration and 830 // can no longer be used to import key material. 831 google.protobuf.Timestamp expire_time = 5 832 [(google.api.field_behavior) = OUTPUT_ONLY]; 833 834 // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob] 835 // expired. Only present if [state][google.cloud.kms.v1.ImportJob.state] is 836 // [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED]. 837 google.protobuf.Timestamp expire_event_time = 10 838 [(google.api.field_behavior) = OUTPUT_ONLY]; 839 840 // Output only. The current state of the 841 // [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used. 842 ImportJobState state = 6 [(google.api.field_behavior) = OUTPUT_ONLY]; 843 844 // Output only. The public key with which to wrap key material prior to 845 // import. 
Only returned if [state][google.cloud.kms.v1.ImportJob.state] is 846 // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE]. 847 WrappingPublicKey public_key = 7 [(google.api.field_behavior) = OUTPUT_ONLY]; 848 849 // Output only. Statement that was generated and signed by the key creator 850 // (for example, an HSM) at key creation time. Use this statement to verify 851 // attributes of the key as stored on the HSM, independently of Google. 852 // Only present if the chosen 853 // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] is one with a 854 // protection level of [HSM][google.cloud.kms.v1.ProtectionLevel.HSM]. 855 KeyOperationAttestation attestation = 8 856 [(google.api.field_behavior) = OUTPUT_ONLY]; 857} 858 859// ExternalProtectionLevelOptions stores a group of additional fields for 860// configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that 861// are specific to the [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] 862// protection level and 863// [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] protection 864// levels. 865message ExternalProtectionLevelOptions { 866 // The URI for an external resource that this 867 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents. 868 string external_key_uri = 1; 869 870 // The path to the external key material on the EKM when using 871 // [EkmConnection][google.cloud.kms.v1.EkmConnection] e.g., "v0/my/key". Set 872 // this field instead of external_key_uri when using an 873 // [EkmConnection][google.cloud.kms.v1.EkmConnection]. 874 string ekm_connection_key_path = 2; 875} 876 877// [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] specifies how 878// cryptographic operations are performed. For more information, see [Protection 879// levels] (https://cloud.google.com/kms/docs/algorithms#protection_levels). 880enum ProtectionLevel { 881 // Not specified. 
882 PROTECTION_LEVEL_UNSPECIFIED = 0; 883 884 // Crypto operations are performed in software. 885 SOFTWARE = 1; 886 887 // Crypto operations are performed in a Hardware Security Module. 888 HSM = 2; 889 890 // Crypto operations are performed by an external key manager. 891 EXTERNAL = 3; 892 893 // Crypto operations are performed in an EKM-over-VPC backend. 894 EXTERNAL_VPC = 4; 895} 896