1// Copyright 2023 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package google.cloud.kms.v1; 18 19import "google/api/field_behavior.proto"; 20import "google/api/resource.proto"; 21import "google/protobuf/duration.proto"; 22import "google/protobuf/timestamp.proto"; 23import "google/protobuf/wrappers.proto"; 24 25option cc_enable_arenas = true; 26option csharp_namespace = "Google.Cloud.Kms.V1"; 27option go_package = "cloud.google.com/go/kms/apiv1/kmspb;kmspb"; 28option java_multiple_files = true; 29option java_outer_classname = "KmsResourcesProto"; 30option java_package = "com.google.cloud.kms.v1"; 31option php_namespace = "Google\\Cloud\\Kms\\V1"; 32 33// A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of 34// [CryptoKeys][google.cloud.kms.v1.CryptoKey]. 35message KeyRing { 36 option (google.api.resource) = { 37 type: "cloudkms.googleapis.com/KeyRing" 38 pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}" 39 }; 40 41 // Output only. The resource name for the 42 // [KeyRing][google.cloud.kms.v1.KeyRing] in the format 43 // `projects/*/locations/*/keyRings/*`. 44 string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; 45 46 // Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing] 47 // was created. 48 google.protobuf.Timestamp create_time = 2 49 [(google.api.field_behavior) = OUTPUT_ONLY]; 50} 51 52// A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that 53// can be used for cryptographic operations. 54// 55// A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more 56// [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual 57// key material used in cryptographic operations. 58message CryptoKey { 59 option (google.api.resource) = { 60 type: "cloudkms.googleapis.com/CryptoKey" 61 pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}" 62 }; 63 64 // [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] 65 // describes the cryptographic capabilities of a 66 // [CryptoKey][google.cloud.kms.v1.CryptoKey]. A given key can only be used 67 // for the operations allowed by its purpose. For more information, see [Key 68 // purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes). 69 enum CryptoKeyPurpose { 70 // Not specified. 71 CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0; 72 73 // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used 74 // with [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] and 75 // [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. 76 ENCRYPT_DECRYPT = 1; 77 78 // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used 79 // with 80 // [AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign] 81 // and 82 // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]. 83 ASYMMETRIC_SIGN = 5; 84 85 // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used 86 // with 87 // [AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt] 88 // and 89 // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]. 90 ASYMMETRIC_DECRYPT = 6; 91 92 // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used 93 // with [RawEncrypt][google.cloud.kms.v1.KeyManagementService.RawEncrypt] 94 // and [RawDecrypt][google.cloud.kms.v1.KeyManagementService.RawDecrypt]. 95 // This purpose is meant to be used for interoperable symmetric 96 // encryption and does not support automatic CryptoKey rotation. 97 RAW_ENCRYPT_DECRYPT = 7; 98 99 // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used 100 // with [MacSign][google.cloud.kms.v1.KeyManagementService.MacSign]. 101 MAC = 9; 102 } 103 104 // Output only. The resource name for this 105 // [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format 106 // `projects/*/locations/*/keyRings/*/cryptoKeys/*`. 107 string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; 108 109 // Output only. A copy of the "primary" 110 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used 111 // by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this 112 // [CryptoKey][google.cloud.kms.v1.CryptoKey] is given in 113 // [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name]. 114 // 115 // The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary version can be 116 // updated via 117 // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]. 118 // 119 // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] 120 // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] 121 // may have a primary. For other keys, this field will be omitted. 122 CryptoKeyVersion primary = 2 [(google.api.field_behavior) = OUTPUT_ONLY]; 123 124 // Immutable. The immutable purpose of this 125 // [CryptoKey][google.cloud.kms.v1.CryptoKey]. 126 CryptoKeyPurpose purpose = 3 [(google.api.field_behavior) = IMMUTABLE]; 127 128 // Output only. The time at which this 129 // [CryptoKey][google.cloud.kms.v1.CryptoKey] was created. 130 google.protobuf.Timestamp create_time = 5 131 [(google.api.field_behavior) = OUTPUT_ONLY]; 132 133 // At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time], 134 // the Key Management Service will automatically: 135 // 136 // 1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey]. 137 // 2. Mark the new version as primary. 138 // 139 // Key rotations performed manually via 140 // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] 141 // and 142 // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion] 143 // do not affect 144 // [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]. 145 // 146 // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] 147 // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] 148 // support automatic rotation. For other keys, this field must be omitted. 149 google.protobuf.Timestamp next_rotation_time = 7; 150 151 // Controls the rate of automatic rotation. 152 oneof rotation_schedule { 153 // [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] 154 // will be advanced by this period when the service automatically rotates a 155 // key. Must be at least 24 hours and at most 876,000 hours. 156 // 157 // If [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period] is 158 // set, 159 // [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] 160 // must also be set. 161 // 162 // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] 163 // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] 164 // support automatic rotation. For other keys, this field must be omitted. 165 google.protobuf.Duration rotation_period = 8; 166 } 167 168 // A template describing settings for new 169 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances. The 170 // properties of new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] 171 // instances created by either 172 // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] 173 // or auto-rotation are controlled by this template. 174 CryptoKeyVersionTemplate version_template = 11; 175 176 // Labels with user-defined metadata. For more information, see 177 // [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys). 178 map<string, string> labels = 10; 179 180 // Immutable. Whether this key may contain imported versions only. 181 bool import_only = 13 [(google.api.field_behavior) = IMMUTABLE]; 182 183 // Immutable. The period of time that versions of this key spend in the 184 // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] 185 // state before transitioning to 186 // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED]. 187 // If not specified at creation time, the default duration is 24 hours. 188 google.protobuf.Duration destroy_scheduled_duration = 14 189 [(google.api.field_behavior) = IMMUTABLE]; 190 191 // Immutable. The resource name of the backend environment where the key 192 // material for all [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] 193 // associated with this [CryptoKey][google.cloud.kms.v1.CryptoKey] reside and 194 // where all related cryptographic operations are performed. Only applicable 195 // if [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] have a 196 // [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of 197 // [EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], with the 198 // resource name in the format `projects/*/locations/*/ekmConnections/*`. 199 // Note, this list is non-exhaustive and may apply to additional 200 // [ProtectionLevels][google.cloud.kms.v1.ProtectionLevel] in the future. 201 string crypto_key_backend = 15 [ 202 (google.api.field_behavior) = IMMUTABLE, 203 (google.api.resource_reference) = { type: "*" } 204 ]; 205} 206 207// A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate] 208// specifies the properties to use when creating a new 209// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either manually 210// with 211// [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] 212// or automatically as a result of auto-rotation. 213message CryptoKeyVersionTemplate { 214 // [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when creating 215 // a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this 216 // template. Immutable. Defaults to 217 // [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE]. 218 ProtectionLevel protection_level = 1; 219 220 // Required. 221 // [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] 222 // to use when creating a 223 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this 224 // template. 225 // 226 // For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both 227 // this field is omitted and 228 // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is 229 // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. 230 CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 3 231 [(google.api.field_behavior) = REQUIRED]; 232} 233 234// Contains an HSM-generated attestation about a key operation. For more 235// information, see [Verifying attestations] 236// (https://cloud.google.com/kms/docs/attest-key). 237message KeyOperationAttestation { 238 // Attestation formats provided by the HSM. 239 enum AttestationFormat { 240 // Not specified. 241 ATTESTATION_FORMAT_UNSPECIFIED = 0; 242 243 // Cavium HSM attestation compressed with gzip. Note that this format is 244 // defined by Cavium and subject to change at any time. 245 // 246 // See 247 // https://www.marvell.com/products/security-solutions/nitrox-hs-adapters/software-key-attestation.html. 248 CAVIUM_V1_COMPRESSED = 3; 249 250 // Cavium HSM attestation V2 compressed with gzip. This is a new format 251 // introduced in Cavium's version 3.2-08. 252 CAVIUM_V2_COMPRESSED = 4; 253 } 254 255 // Certificate chains needed to verify the attestation. 256 // Certificates in chains are PEM-encoded and are ordered based on 257 // https://tools.ietf.org/html/rfc5246#section-7.4.2. 258 message CertificateChains { 259 // Cavium certificate chain corresponding to the attestation. 260 repeated string cavium_certs = 1; 261 262 // Google card certificate chain corresponding to the attestation. 263 repeated string google_card_certs = 2; 264 265 // Google partition certificate chain corresponding to the attestation. 266 repeated string google_partition_certs = 3; 267 } 268 269 // Output only. The format of the attestation data. 270 AttestationFormat format = 4 [(google.api.field_behavior) = OUTPUT_ONLY]; 271 272 // Output only. The attestation data provided by the HSM when the key 273 // operation was performed. 274 bytes content = 5 [(google.api.field_behavior) = OUTPUT_ONLY]; 275 276 // Output only. The certificate chains needed to validate the attestation 277 CertificateChains cert_chains = 6 [(google.api.field_behavior) = OUTPUT_ONLY]; 278} 279 280// A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an 281// individual cryptographic key, and the associated key material. 282// 283// An 284// [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] 285// version can be used for cryptographic operations. 286// 287// For security reasons, the raw cryptographic key material represented by a 288// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed 289// or exported. It can only be used to encrypt, decrypt, or sign data when an 290// authorized user or application invokes Cloud KMS. 291message CryptoKeyVersion { 292 option (google.api.resource) = { 293 type: "cloudkms.googleapis.com/CryptoKeyVersion" 294 pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}" 295 }; 296 297 // The algorithm of the 298 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating what 299 // parameters must be used for each cryptographic operation. 300 // 301 // The 302 // [GOOGLE_SYMMETRIC_ENCRYPTION][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION] 303 // algorithm is usable with 304 // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] 305 // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. 306 // 307 // Algorithms beginning with `RSA_SIGN_` are usable with 308 // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] 309 // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]. 310 // 311 // The fields in the name after `RSA_SIGN_` correspond to the following 312 // parameters: padding algorithm, modulus bit length, and digest algorithm. 313 // 314 // For PSS, the salt length used is equal to the length of digest 315 // algorithm. For example, 316 // [RSA_SIGN_PSS_2048_SHA256][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256] 317 // will use PSS with a salt length of 256 bits or 32 bytes. 318 // 319 // Algorithms beginning with `RSA_DECRYPT_` are usable with 320 // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] 321 // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT]. 322 // 323 // The fields in the name after `RSA_DECRYPT_` correspond to the following 324 // parameters: padding algorithm, modulus bit length, and digest algorithm. 325 // 326 // Algorithms beginning with `EC_SIGN_` are usable with 327 // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] 328 // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]. 329 // 330 // The fields in the name after `EC_SIGN_` correspond to the following 331 // parameters: elliptic curve, digest algorithm. 332 // 333 // Algorithms beginning with `HMAC_` are usable with 334 // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] 335 // [MAC][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.MAC]. 336 // 337 // The suffix following `HMAC_` corresponds to the hash algorithm being used 338 // (eg. SHA256). 339 // 340 // For more information, see [Key purposes and algorithms] 341 // (https://cloud.google.com/kms/docs/algorithms). 342 enum CryptoKeyVersionAlgorithm { 343 // Not specified. 344 CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0; 345 346 // Creates symmetric encryption keys. 347 GOOGLE_SYMMETRIC_ENCRYPTION = 1; 348 349 // AES-GCM (Galois Counter Mode) using 128-bit keys. 350 AES_128_GCM = 41; 351 352 // AES-GCM (Galois Counter Mode) using 256-bit keys. 353 AES_256_GCM = 19; 354 355 // AES-CBC (Cipher Block Chaining Mode) using 128-bit keys. 356 AES_128_CBC = 42; 357 358 // AES-CBC (Cipher Block Chaining Mode) using 256-bit keys. 359 AES_256_CBC = 43; 360 361 // AES-CTR (Counter Mode) using 128-bit keys. 362 AES_128_CTR = 44; 363 364 // AES-CTR (Counter Mode) using 256-bit keys. 365 AES_256_CTR = 45; 366 367 // RSASSA-PSS 2048 bit key with a SHA256 digest. 368 RSA_SIGN_PSS_2048_SHA256 = 2; 369 370 // RSASSA-PSS 3072 bit key with a SHA256 digest. 371 RSA_SIGN_PSS_3072_SHA256 = 3; 372 373 // RSASSA-PSS 4096 bit key with a SHA256 digest. 374 RSA_SIGN_PSS_4096_SHA256 = 4; 375 376 // RSASSA-PSS 4096 bit key with a SHA512 digest. 377 RSA_SIGN_PSS_4096_SHA512 = 15; 378 379 // RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest. 380 RSA_SIGN_PKCS1_2048_SHA256 = 5; 381 382 // RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest. 383 RSA_SIGN_PKCS1_3072_SHA256 = 6; 384 385 // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest. 386 RSA_SIGN_PKCS1_4096_SHA256 = 7; 387 388 // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest. 389 RSA_SIGN_PKCS1_4096_SHA512 = 16; 390 391 // RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key. 392 RSA_SIGN_RAW_PKCS1_2048 = 28; 393 394 // RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key. 395 RSA_SIGN_RAW_PKCS1_3072 = 29; 396 397 // RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key. 398 RSA_SIGN_RAW_PKCS1_4096 = 30; 399 400 // RSAES-OAEP 2048 bit key with a SHA256 digest. 401 RSA_DECRYPT_OAEP_2048_SHA256 = 8; 402 403 // RSAES-OAEP 3072 bit key with a SHA256 digest. 404 RSA_DECRYPT_OAEP_3072_SHA256 = 9; 405 406 // RSAES-OAEP 4096 bit key with a SHA256 digest. 407 RSA_DECRYPT_OAEP_4096_SHA256 = 10; 408 409 // RSAES-OAEP 4096 bit key with a SHA512 digest. 410 RSA_DECRYPT_OAEP_4096_SHA512 = 17; 411 412 // RSAES-OAEP 2048 bit key with a SHA1 digest. 413 RSA_DECRYPT_OAEP_2048_SHA1 = 37; 414 415 // RSAES-OAEP 3072 bit key with a SHA1 digest. 416 RSA_DECRYPT_OAEP_3072_SHA1 = 38; 417 418 // RSAES-OAEP 4096 bit key with a SHA1 digest. 419 RSA_DECRYPT_OAEP_4096_SHA1 = 39; 420 421 // ECDSA on the NIST P-256 curve with a SHA256 digest. 422 // Other hash functions can also be used: 423 // https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms 424 EC_SIGN_P256_SHA256 = 12; 425 426 // ECDSA on the NIST P-384 curve with a SHA384 digest. 427 // Other hash functions can also be used: 428 // https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms 429 EC_SIGN_P384_SHA384 = 13; 430 431 // ECDSA on the non-NIST secp256k1 curve. This curve is only supported for 432 // HSM protection level. 433 // Other hash functions can also be used: 434 // https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms 435 EC_SIGN_SECP256K1_SHA256 = 31; 436 437 // HMAC-SHA256 signing with a 256 bit key. 438 HMAC_SHA256 = 32; 439 440 // HMAC-SHA1 signing with a 160 bit key. 441 HMAC_SHA1 = 33; 442 443 // HMAC-SHA384 signing with a 384 bit key. 444 HMAC_SHA384 = 34; 445 446 // HMAC-SHA512 signing with a 512 bit key. 447 HMAC_SHA512 = 35; 448 449 // HMAC-SHA224 signing with a 224 bit key. 450 HMAC_SHA224 = 36; 451 452 // Algorithm representing symmetric encryption by an external key manager. 453 EXTERNAL_SYMMETRIC_ENCRYPTION = 18; 454 } 455 456 // The state of a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], 457 // indicating if it can be used. 458 enum CryptoKeyVersionState { 459 // Not specified. 460 CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0; 461 462 // This version is still being generated. It may not be used, enabled, 463 // disabled, or destroyed yet. Cloud KMS will automatically mark this 464 // version 465 // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] 466 // as soon as the version is ready. 467 PENDING_GENERATION = 5; 468 469 // This version may be used for cryptographic operations. 470 ENABLED = 1; 471 472 // This version may not be used, but the key material is still available, 473 // and the version can be placed back into the 474 // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] 475 // state. 476 DISABLED = 2; 477 478 // This version is destroyed, and the key material is no longer stored. 479 // This version may only become 480 // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] 481 // again if this version is 482 // [reimport_eligible][google.cloud.kms.v1.CryptoKeyVersion.reimport_eligible] 483 // and the original key material is reimported with a call to 484 // [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. 485 DESTROYED = 3; 486 487 // This version is scheduled for destruction, and will be destroyed soon. 488 // Call 489 // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] 490 // to put it back into the 491 // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] 492 // state. 493 DESTROY_SCHEDULED = 4; 494 495 // This version is still being imported. It may not be used, enabled, 496 // disabled, or destroyed yet. Cloud KMS will automatically mark this 497 // version 498 // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] 499 // as soon as the version is ready. 500 PENDING_IMPORT = 6; 501 502 // This version was not imported successfully. It may not be used, enabled, 503 // disabled, or destroyed. The submitted key material has been discarded. 504 // Additional details can be found in 505 // [CryptoKeyVersion.import_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.import_failure_reason]. 506 IMPORT_FAILED = 7; 507 508 // This version was not generated successfully. It may not be used, enabled, 509 // disabled, or destroyed. Additional details can be found in 510 // [CryptoKeyVersion.generation_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.generation_failure_reason]. 511 GENERATION_FAILED = 8; 512 513 // This version was destroyed, and it may not be used or enabled again. 514 // Cloud KMS is waiting for the corresponding key material residing in an 515 // external key manager to be destroyed. 516 PENDING_EXTERNAL_DESTRUCTION = 9; 517 518 // This version was destroyed, and it may not be used or enabled again. 519 // However, Cloud KMS could not confirm that the corresponding key material 520 // residing in an external key manager was destroyed. Additional details can 521 // be found in 522 // [CryptoKeyVersion.external_destruction_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.external_destruction_failure_reason]. 523 EXTERNAL_DESTRUCTION_FAILED = 10; 524 } 525 526 // A view for [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]s. 527 // Controls the level of detail returned for 528 // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] in 529 // [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions] 530 // and 531 // [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys]. 532 enum CryptoKeyVersionView { 533 // Default view for each 534 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Does not 535 // include the 536 // [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation] field. 537 CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0; 538 539 // Provides all fields in each 540 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], including the 541 // [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation]. 542 FULL = 1; 543 } 544 545 // Output only. The resource name for this 546 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format 547 // `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`. 548 string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; 549 550 // The current state of the 551 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. 552 CryptoKeyVersionState state = 3; 553 554 // Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] 555 // describing how crypto operations are performed with this 556 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. 557 ProtectionLevel protection_level = 7 558 [(google.api.field_behavior) = OUTPUT_ONLY]; 559 560 // Output only. The 561 // [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] 562 // that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] 563 // supports. 564 CryptoKeyVersionAlgorithm algorithm = 10 565 [(google.api.field_behavior) = OUTPUT_ONLY]; 566 567 // Output only. Statement that was generated and signed by the HSM at key 568 // creation time. Use this statement to verify attributes of the key as stored 569 // on the HSM, independently of Google. Only provided for key versions with 570 // [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level] 571 // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM]. 572 KeyOperationAttestation attestation = 8 573 [(google.api.field_behavior) = OUTPUT_ONLY]; 574 575 // Output only. The time at which this 576 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created. 577 google.protobuf.Timestamp create_time = 4 578 [(google.api.field_behavior) = OUTPUT_ONLY]; 579 580 // Output only. The time this 581 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was 582 // generated. 583 google.protobuf.Timestamp generate_time = 11 584 [(google.api.field_behavior) = OUTPUT_ONLY]; 585 586 // Output only. The time this 587 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material is 588 // scheduled for destruction. Only present if 589 // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is 590 // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]. 591 google.protobuf.Timestamp destroy_time = 5 592 [(google.api.field_behavior) = OUTPUT_ONLY]; 593 594 // Output only. The time this CryptoKeyVersion's key material was 595 // destroyed. Only present if 596 // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is 597 // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED]. 598 google.protobuf.Timestamp destroy_event_time = 6 599 [(google.api.field_behavior) = OUTPUT_ONLY]; 600 601 // Output only. The name of the [ImportJob][google.cloud.kms.v1.ImportJob] 602 // used in the most recent import of this 603 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only present if 604 // the underlying key material was imported. 605 string import_job = 14 [(google.api.field_behavior) = OUTPUT_ONLY]; 606 607 // Output only. The time at which this 608 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was 609 // most recently imported. 610 google.protobuf.Timestamp import_time = 15 611 [(google.api.field_behavior) = OUTPUT_ONLY]; 612 613 // Output only. The root cause of the most recent import failure. Only present 614 // if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is 615 // [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED]. 616 string import_failure_reason = 16 [(google.api.field_behavior) = OUTPUT_ONLY]; 617 618 // Output only. The root cause of the most recent generation failure. Only 619 // present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is 620 // [GENERATION_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.GENERATION_FAILED]. 621 string generation_failure_reason = 19 622 [(google.api.field_behavior) = OUTPUT_ONLY]; 623 624 // Output only. The root cause of the most recent external destruction 625 // failure. Only present if 626 // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is 627 // [EXTERNAL_DESTRUCTION_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.EXTERNAL_DESTRUCTION_FAILED]. 628 string external_destruction_failure_reason = 20 629 [(google.api.field_behavior) = OUTPUT_ONLY]; 630 631 // ExternalProtectionLevelOptions stores a group of additional fields for 632 // configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that 633 // are specific to the 634 // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level 635 // and [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] 636 // protection levels. 637 ExternalProtectionLevelOptions external_protection_level_options = 17; 638 639 // Output only. Whether or not this key version is eligible for reimport, by 640 // being specified as a target in 641 // [ImportCryptoKeyVersionRequest.crypto_key_version][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.crypto_key_version]. 642 bool reimport_eligible = 18 [(google.api.field_behavior) = OUTPUT_ONLY]; 643} 644 645// The public keys for a given 646// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via 647// [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]. 648message PublicKey { 649 option (google.api.resource) = { 650 type: "cloudkms.googleapis.com/PublicKey" 651 pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}/publicKey" 652 }; 653 654 // The public key, encoded in PEM format. For more information, see the 655 // [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for 656 // [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and 657 // [Textual Encoding of Subject Public Key Info] 658 // (https://tools.ietf.org/html/rfc7468#section-13). 659 string pem = 1; 660 661 // The 662 // [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] 663 // associated with this key. 664 CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2; 665 666 // Integrity verification field. A CRC32C checksum of the returned 667 // [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem]. An integrity check of 668 // [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] can be performed by 669 // computing the CRC32C checksum of 670 // [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] and comparing your 671 // results to this field. Discard the response in case of non-matching 672 // checksum values, and perform a limited number of retries. A persistent 673 // mismatch may indicate an issue in your computation of the CRC32C checksum. 674 // Note: This field is defined as int64 for reasons of compatibility across 675 // different languages. However, it is a non-negative integer, which will 676 // never exceed 2^32-1, and can be safely downconverted to uint32 in languages 677 // that support this type. 678 // 679 // NOTE: This field is in Beta. 680 google.protobuf.Int64Value pem_crc32c = 3; 681 682 // The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the 683 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key. 684 // Provided here for verification. 685 // 686 // NOTE: This field is in Beta. 687 string name = 4; 688 689 // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the 690 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key. 691 ProtectionLevel protection_level = 5; 692} 693 694// An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create 695// [CryptoKeys][google.cloud.kms.v1.CryptoKey] and 696// [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing 697// key material, generated outside of Cloud KMS. 698// 699// When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will 700// generate a "wrapping key", which is a public/private key pair. You use the 701// wrapping key to encrypt (also known as wrap) the pre-existing key material to 702// protect it during the import process. The nature of the wrapping key depends 703// on the choice of 704// [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the 705// wrapping key generation is complete, the 706// [state][google.cloud.kms.v1.ImportJob.state] will be set to 707// [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the 708// [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The 709// fetched public key can then be used to wrap your pre-existing key material. 710// 711// Once the key material is wrapped, it can be imported into a new 712// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing 713// [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling 714// [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. 715// Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be 716// imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS 717// uses the private key portion of the wrapping key to unwrap the key material. 718// Only Cloud KMS has access to the private key. 719// 720// An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is 721// created. Once expired, Cloud KMS will no longer be able to import or unwrap 722// any key material that was wrapped with the 723// [ImportJob][google.cloud.kms.v1.ImportJob]'s public key. 724// 725// For more information, see 726// [Importing a key](https://cloud.google.com/kms/docs/importing-a-key). 727message ImportJob { 728 option (google.api.resource) = { 729 type: "cloudkms.googleapis.com/ImportJob" 730 pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}" 731 }; 732 733 // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] describes the 734 // key wrapping method chosen for this 735 // [ImportJob][google.cloud.kms.v1.ImportJob]. 736 enum ImportMethod { 737 // Not specified. 738 IMPORT_METHOD_UNSPECIFIED = 0; 739 740 // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping 741 // scheme defined in the PKCS #11 standard. In summary, this involves 742 // wrapping the raw key with an ephemeral AES key, and wrapping the 743 // ephemeral AES key with a 3072 bit RSA key. For more details, see 744 // [RSA AES key wrap 745 // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908). 746 RSA_OAEP_3072_SHA1_AES_256 = 1; 747 748 // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping 749 // scheme defined in the PKCS #11 standard. In summary, this involves 750 // wrapping the raw key with an ephemeral AES key, and wrapping the 751 // ephemeral AES key with a 4096 bit RSA key. For more details, see 752 // [RSA AES key wrap 753 // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908). 754 RSA_OAEP_4096_SHA1_AES_256 = 2; 755 756 // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping 757 // scheme defined in the PKCS #11 standard. In summary, this involves 758 // wrapping the raw key with an ephemeral AES key, and wrapping the 759 // ephemeral AES key with a 3072 bit RSA key. For more details, see 760 // [RSA AES key wrap 761 // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908). 762 RSA_OAEP_3072_SHA256_AES_256 = 3; 763 764 // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping 765 // scheme defined in the PKCS #11 standard. In summary, this involves 766 // wrapping the raw key with an ephemeral AES key, and wrapping the 767 // ephemeral AES key with a 4096 bit RSA key. For more details, see 768 // [RSA AES key wrap 769 // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908). 770 RSA_OAEP_4096_SHA256_AES_256 = 4; 771 772 // This ImportMethod represents RSAES-OAEP with a 3072 bit RSA key. The 773 // key material to be imported is wrapped directly with the RSA key. Due 774 // to technical limitations of RSA wrapping, this method cannot be used to 775 // wrap RSA keys for import. 776 RSA_OAEP_3072_SHA256 = 5; 777 778 // This ImportMethod represents RSAES-OAEP with a 4096 bit RSA key. The 779 // key material to be imported is wrapped directly with the RSA key. Due 780 // to technical limitations of RSA wrapping, this method cannot be used to 781 // wrap RSA keys for import. 782 RSA_OAEP_4096_SHA256 = 6; 783 } 784 785 // The state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if 786 // it can be used. 787 enum ImportJobState { 788 // Not specified. 789 IMPORT_JOB_STATE_UNSPECIFIED = 0; 790 791 // The wrapping key for this job is still being generated. It may not be 792 // used. Cloud KMS will automatically mark this job as 793 // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] as soon as 794 // the wrapping key is generated. 795 PENDING_GENERATION = 1; 796 797 // This job may be used in 798 // [CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey] 799 // and 800 // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] 801 // requests. 802 ACTIVE = 2; 803 804 // This job can no longer be used and may not leave this state once entered. 805 EXPIRED = 3; 806 } 807 808 // The public key component of the wrapping key. For details of the type of 809 // key this public key corresponds to, see the 810 // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod]. 811 message WrappingPublicKey { 812 // The public key, encoded in PEM format. For more information, see the [RFC 813 // 7468](https://tools.ietf.org/html/rfc7468) sections for [General 814 // Considerations](https://tools.ietf.org/html/rfc7468#section-2) and 815 // [Textual Encoding of Subject Public Key Info] 816 // (https://tools.ietf.org/html/rfc7468#section-13). 817 string pem = 1; 818 } 819 820 // Output only. The resource name for this 821 // [ImportJob][google.cloud.kms.v1.ImportJob] in the format 822 // `projects/*/locations/*/keyRings/*/importJobs/*`. 823 string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; 824 825 // Required. Immutable. The wrapping method to be used for incoming key 826 // material. 827 ImportMethod import_method = 2 [ 828 (google.api.field_behavior) = REQUIRED, 829 (google.api.field_behavior) = IMMUTABLE 830 ]; 831 832 // Required. Immutable. The protection level of the 833 // [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the 834 // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] 835 // of the [version_template][google.cloud.kms.v1.CryptoKey.version_template] 836 // on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you attempt to import 837 // into. 838 ProtectionLevel protection_level = 9 [ 839 (google.api.field_behavior) = REQUIRED, 840 (google.api.field_behavior) = IMMUTABLE 841 ]; 842 843 // Output only. The time at which this 844 // [ImportJob][google.cloud.kms.v1.ImportJob] was created. 845 google.protobuf.Timestamp create_time = 3 846 [(google.api.field_behavior) = OUTPUT_ONLY]; 847 848 // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]'s key 849 // material was generated. 850 google.protobuf.Timestamp generate_time = 4 851 [(google.api.field_behavior) = OUTPUT_ONLY]; 852 853 // Output only. The time at which this 854 // [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for expiration and 855 // can no longer be used to import key material. 856 google.protobuf.Timestamp expire_time = 5 857 [(google.api.field_behavior) = OUTPUT_ONLY]; 858 859 // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob] 860 // expired. Only present if [state][google.cloud.kms.v1.ImportJob.state] is 861 // [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED]. 862 google.protobuf.Timestamp expire_event_time = 10 863 [(google.api.field_behavior) = OUTPUT_ONLY]; 864 865 // Output only. The current state of the 866 // [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used. 867 ImportJobState state = 6 [(google.api.field_behavior) = OUTPUT_ONLY]; 868 869 // Output only. The public key with which to wrap key material prior to 870 // import. Only returned if [state][google.cloud.kms.v1.ImportJob.state] is 871 // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE]. 872 WrappingPublicKey public_key = 7 [(google.api.field_behavior) = OUTPUT_ONLY]; 873 874 // Output only. Statement that was generated and signed by the key creator 875 // (for example, an HSM) at key creation time. Use this statement to verify 876 // attributes of the key as stored on the HSM, independently of Google. 877 // Only present if the chosen 878 // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] is one with a 879 // protection level of [HSM][google.cloud.kms.v1.ProtectionLevel.HSM]. 880 KeyOperationAttestation attestation = 8 881 [(google.api.field_behavior) = OUTPUT_ONLY]; 882} 883 884// ExternalProtectionLevelOptions stores a group of additional fields for 885// configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that 886// are specific to the [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] 887// protection level and 888// [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] protection 889// levels. 890message ExternalProtectionLevelOptions { 891 // The URI for an external resource that this 892 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents. 893 string external_key_uri = 1; 894 895 // The path to the external key material on the EKM when using 896 // [EkmConnection][google.cloud.kms.v1.EkmConnection] e.g., "v0/my/key". Set 897 // this field instead of external_key_uri when using an 898 // [EkmConnection][google.cloud.kms.v1.EkmConnection]. 899 string ekm_connection_key_path = 2; 900} 901 902// [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] specifies how 903// cryptographic operations are performed. For more information, see [Protection 904// levels] (https://cloud.google.com/kms/docs/algorithms#protection_levels). 905enum ProtectionLevel { 906 // Not specified. 907 PROTECTION_LEVEL_UNSPECIFIED = 0; 908 909 // Crypto operations are performed in software. 910 SOFTWARE = 1; 911 912 // Crypto operations are performed in a Hardware Security Module. 913 HSM = 2; 914 915 // Crypto operations are performed by an external key manager. 916 EXTERNAL = 3; 917 918 // Crypto operations are performed in an EKM-over-VPC backend. 919 EXTERNAL_VPC = 4; 920} 921