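// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.kms.v1;

import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";
import "google/protobuf/wrappers.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Kms.V1";
option go_package = "google.golang.org/genproto/googleapis/cloud/kms/v1;kms";
option java_multiple_files = true;
option java_outer_classname = "KmsResourcesProto";
option java_package = "com.google.cloud.kms.v1";
option php_namespace = "Google\\Cloud\\Kms\\V1";

// A [KeyRing][google.cloud.kms.v1.KeyRing] is a top-level logical grouping of
// [CryptoKeys][google.cloud.kms.v1.CryptoKey]. A key ring carries no key
// material of its own (it has only a name and a creation time); it exists as
// the resource under which keys are created and grouped.
message KeyRing {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/KeyRing"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}"
  };

  // Output only. The resource name for the [KeyRing][google.cloud.kms.v1.KeyRing] in the format
  // `projects/*/locations/*/keyRings/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing] was created.
  google.protobuf.Timestamp create_time = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic
// operations.
//
// A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion],
// which represent the actual key material used in cryptographic operations.
// The CryptoKey itself only fixes the purpose, the rotation schedule, the
// template new versions are created from, and which version is "primary".
message CryptoKey {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/CryptoKey"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}"
  };

  // [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] describes the cryptographic capabilities of a
  // [CryptoKey][google.cloud.kms.v1.CryptoKey]. A given key can only be used for the operations allowed by
  // its purpose, and the purpose is immutable once the key exists (see
  // [purpose][google.cloud.kms.v1.CryptoKey.purpose]), so a signing key can
  // never be repurposed for decryption or vice versa. For more information, see
  // [Key purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes).
  enum CryptoKeyPurpose {
    // Not specified.
    CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with
    // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] and
    // [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
    ENCRYPT_DECRYPT = 1;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with
    // [AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign] and
    // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
    ASYMMETRIC_SIGN = 5;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with
    // [AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt] and
    // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
    ASYMMETRIC_DECRYPT = 6;
  }

  // Output only. The resource name for this [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A copy of the "primary" [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used
  // by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this [CryptoKey][google.cloud.kms.v1.CryptoKey] is given
  // in [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name].
  //
  // The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary version can be updated via
  // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
  //
  // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] may have a
  // primary. For other keys, this field will be omitted.
  CryptoKeyVersion primary = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Immutable. The immutable purpose of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
  CryptoKeyPurpose purpose = 3 [(google.api.field_behavior) = IMMUTABLE];

  // Output only. The time at which this [CryptoKey][google.cloud.kms.v1.CryptoKey] was created.
  google.protobuf.Timestamp create_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time], the Key Management Service will automatically:
  //
  // 1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
  // 2. Mark the new version as primary.
  //
  // Those two steps are the only effects of automatic rotation described
  // here: earlier versions are not disabled or destroyed by it. Treat
  // rotation as changing which version encrypts *new* data, not as revoking
  // the old version — disable or destroy older versions separately when that
  // is the intent.
  //
  // Key rotations performed manually via
  // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] and
  // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]
  // do not affect [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time].
  //
  // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support
  // automatic rotation. For other keys, this field must be omitted.
  google.protobuf.Timestamp next_rotation_time = 7;

  // Controls the rate of automatic rotation.
  oneof rotation_schedule {
    // [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] will be advanced by this period when the service
    // automatically rotates a key. Must be at least 24 hours and at most
    // 876,000 hours.
    //
    // If [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period] is set, [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] must also be set.
    //
    // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
    // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support
    // automatic rotation. For other keys, this field must be omitted.
    google.protobuf.Duration rotation_period = 8;
  }

  // A template describing settings for new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances.
  // The properties of new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances created by either
  // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or
  // auto-rotation are controlled by this template. Because auto-rotation
  // reads it, a later change to the template's algorithm or protection
  // level changes what future rotations produce, not existing versions.
  CryptoKeyVersionTemplate version_template = 11;

  // Labels with user-defined metadata. For more information, see
  // [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
  // Labels are metadata only; nothing in this schema gives them any effect
  // on key behavior or access control.
  map<string, string> labels = 10;
}

// A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate] specifies the properties to use when creating
// a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either manually with
// [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or
// automatically as a result of auto-rotation.
message CryptoKeyVersionTemplate {
  // Immutable. [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on
  // this template. Defaults to [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
  //
  // Because the default is SOFTWARE, a caller who wants HSM-backed versions
  // must set this explicitly at key creation; it cannot be raised afterwards.
  // The field is documented as immutable, so it carries the same
  // IMMUTABLE field behavior the file uses for other immutable fields.
  ProtectionLevel protection_level = 1 [(google.api.field_behavior) = IMMUTABLE];

  // Required. [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] to use
  // when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this template.
  //
  // For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
  // this field is omitted and [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 3 [(google.api.field_behavior) = REQUIRED];
}

// Contains an HSM-generated attestation about a key operation. For more
// information, see [Verifying attestations]
// (https://cloud.google.com/kms/docs/attest-key).
//
// NOTE(review): the attestation is a vendor-defined, signed statement. Its
// presence in a response proves nothing by itself; it only becomes evidence
// of HSM residency once the caller verifies the signature against the HSM
// manufacturer's certificate chain as described in the linked document.
message KeyOperationAttestation {
  // Attestation formats provided by the HSM.
  enum AttestationFormat {
    // Not specified.
    ATTESTATION_FORMAT_UNSPECIFIED = 0;

    // Cavium HSM attestation compressed with gzip. Note that this format is
    // defined by Cavium and subject to change at any time.
    CAVIUM_V1_COMPRESSED = 3;

    // Cavium HSM attestation V2 compressed with gzip. This is a new format
    // introduced in Cavium's version 3.2-08.
    CAVIUM_V2_COMPRESSED = 4;
  }

  // Output only. The format of the attestation data. Verifiers must branch on
  // this value rather than assume a single layout, since the formats are
  // vendor-defined and may change.
  AttestationFormat format = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The attestation data provided by the HSM when the key
  // operation was performed. Opaque bytes in the layout named by
  // [format][google.cloud.kms.v1.KeyOperationAttestation.format];
  // gzip-compressed for both formats currently listed.
  bytes content = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
// associated key material.
//
// An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be
// used for cryptographic operations.
//
// For security reasons, the raw cryptographic key material represented by a
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to
// encrypt, decrypt, or sign data when an authorized user or application invokes
// Cloud KMS. Nothing in this message carries key material; every field is
// metadata about the version.
message CryptoKeyVersion {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/CryptoKeyVersion"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}"
  };

  // The algorithm of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating what
  // parameters must be used for each cryptographic operation.
  //
  // The
  // [GOOGLE_SYMMETRIC_ENCRYPTION][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION]
  // algorithm is usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  //
  // Algorithms beginning with "RSA_SIGN_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].
  //
  // The fields in the name after "RSA_SIGN_" correspond to the following
  // parameters: padding algorithm, modulus bit length, and digest algorithm.
  //
  // For PSS, the salt length used is equal to the length of digest
  // algorithm. For example,
  // [RSA_SIGN_PSS_2048_SHA256][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256]
  // will use PSS with a salt length of 256 bits or 32 bytes. Verifiers must
  // be configured with that salt length (or "auto") or PSS verification
  // will fail.
  //
  // Algorithms beginning with "RSA_DECRYPT_" are usable with
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
  //
  // The fields in the name after "RSA_DECRYPT_" correspond to the following
  // parameters: padding algorithm, modulus bit length, and digest algorithm.
  //
  // Algorithms beginning with "EC_SIGN_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].
  //
  // The fields in the name after "EC_SIGN_" correspond to the following
  // parameters: elliptic curve, digest algorithm.
  //
  // For more information, see [Key purposes and algorithms]
  // (https://cloud.google.com/kms/docs/algorithms).
  enum CryptoKeyVersionAlgorithm {
    // Not specified.
    CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0;

    // Creates symmetric encryption keys. The concrete cipher is not exposed
    // by this schema; callers see only an opaque ciphertext bound to the
    // key version.
    GOOGLE_SYMMETRIC_ENCRYPTION = 1;

    // RSASSA-PSS 2048 bit key with a SHA256 digest.
    RSA_SIGN_PSS_2048_SHA256 = 2;

    // RSASSA-PSS 3072 bit key with a SHA256 digest.
    RSA_SIGN_PSS_3072_SHA256 = 3;

    // RSASSA-PSS 4096 bit key with a SHA256 digest.
    RSA_SIGN_PSS_4096_SHA256 = 4;

    // RSASSA-PSS 4096 bit key with a SHA512 digest.
    RSA_SIGN_PSS_4096_SHA512 = 15;

    // RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    // NOTE(review): the PKCS#1 v1.5 variants exist for interoperability
    // with verifiers that cannot do PSS; prefer the RSA_SIGN_PSS_* values
    // for new designs.
    RSA_SIGN_PKCS1_2048_SHA256 = 5;

    // RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    RSA_SIGN_PKCS1_3072_SHA256 = 6;

    // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    RSA_SIGN_PKCS1_4096_SHA256 = 7;

    // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    RSA_SIGN_PKCS1_4096_SHA512 = 16;

    // RSAES-OAEP 2048 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP_2048_SHA256 = 8;

    // RSAES-OAEP 3072 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP_3072_SHA256 = 9;

    // RSAES-OAEP 4096 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP_4096_SHA256 = 10;

    // RSAES-OAEP 4096 bit key with a SHA512 digest.
    RSA_DECRYPT_OAEP_4096_SHA512 = 17;

    // ECDSA on the NIST P-256 curve with a SHA256 digest.
    EC_SIGN_P256_SHA256 = 12;

    // ECDSA on the NIST P-384 curve with a SHA384 digest.
    EC_SIGN_P384_SHA384 = 13;

    // Algorithm representing symmetric encryption by an external key manager.
    // Only meaningful with protection level
    // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL]; the cipher is
    // whatever the external manager implements.
    EXTERNAL_SYMMETRIC_ENCRYPTION = 18;
  }

  // The state of a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating if it can be used.
  enum CryptoKeyVersionState {
    // Not specified.
    CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0;

    // This version is still being generated. It may not be used, enabled,
    // disabled, or destroyed yet. Cloud KMS will automatically mark this
    // version [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] as soon as the version is ready.
    PENDING_GENERATION = 5;

    // This version may be used for cryptographic operations.
    ENABLED = 1;

    // This version may not be used, but the key material is still available,
    // and the version can be placed back into the [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] state.
    // DISABLED is therefore a reversible suspension, not a revocation.
    DISABLED = 2;

    // This version is destroyed, and the key material is no longer stored.
    // A version may not leave this state once entered. Anything encrypted or
    // wrapped under this version is unrecoverable from this point on.
    DESTROYED = 3;

    // This version is scheduled for destruction, and will be destroyed soon.
    // Call
    // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
    // to put it back into the [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] state.
    // The scheduled time is in
    // [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]; this
    // window is the only chance to undo a destroy request.
    DESTROY_SCHEDULED = 4;

    // This version is still being imported. It may not be used, enabled,
    // disabled, or destroyed yet. Cloud KMS will automatically mark this
    // version [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] as soon as the version is ready.
    PENDING_IMPORT = 6;

    // This version was not imported successfully. It may not be used, enabled,
    // disabled, or destroyed. The submitted key material has been discarded.
    // Additional details can be found in
    // [CryptoKeyVersion.import_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.import_failure_reason].
    IMPORT_FAILED = 7;
  }

  // A view for [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]s. Controls the level of detail returned
  // for [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] in
  // [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions] and
  // [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
  enum CryptoKeyVersionView {
    // Default view for each [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Does not include
    // the [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation] field.
    // An absent attestation under this view therefore says nothing about the
    // version's protection level.
    CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0;

    // Provides all fields in each [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], including the
    // [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation].
    FULL = 1;
  }

  // Output only. The resource name for this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The current state of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  // Not marked output-only: this is the field a caller writes to enable or
  // disable a version (the RPCs that do so are defined elsewhere).
  CryptoKeyVersionState state = 3;

  // Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] describing how crypto operations are
  // performed with this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  ProtectionLevel protection_level = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] that this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] supports.
  CryptoKeyVersionAlgorithm algorithm = 10 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Statement that was generated and signed by the HSM at key
  // creation time. Use this statement to verify attributes of the key as stored
  // on the HSM, independently of Google. Only provided for key versions with
  // [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level] [HSM][google.cloud.kms.v1.ProtectionLevel.HSM],
  // and only when requested with the
  // [FULL][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionView.FULL] view.
  // Verify the signature chain before relying on any attribute it asserts.
  KeyOperationAttestation attestation = 8 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created.
  google.protobuf.Timestamp create_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was
  // generated.
  google.protobuf.Timestamp generate_time = 11 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material is scheduled
  // for destruction. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED].
  google.protobuf.Timestamp destroy_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this CryptoKeyVersion's key material was
  // destroyed. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
  google.protobuf.Timestamp destroy_event_time = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The name of the [ImportJob][google.cloud.kms.v1.ImportJob] used to import this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only present if the underlying key material was
  // imported. Auditors can use its presence to tell imported material (whose
  // plaintext existed outside Cloud KMS at some point) from KMS-generated
  // material.
  string import_job = 14 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material
  // was imported.
  google.protobuf.Timestamp import_time = 15 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The root cause of an import failure. Only present if
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED].
  string import_failure_reason = 16 [(google.api.field_behavior) = OUTPUT_ONLY];

  // ExternalProtectionLevelOptions stores a group of additional fields for
  // configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that are specific to the
  // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level.
  ExternalProtectionLevelOptions external_protection_level_options = 17;
}

// The public key for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via
// [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
//
// Before using the key, a caller should check both
// [name][google.cloud.kms.v1.PublicKey.name] (that it is the version that was
// asked for) and [algorithm][google.cloud.kms.v1.PublicKey.algorithm] (that it
// is the scheme the caller expects); a PEM alone does not identify either.
message PublicKey {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/PublicKey"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}/publicKey"
  };

  // The public key, encoded in PEM format. For more information, see the
  // [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for
  // [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
  // [Textual Encoding of Subject Public Key Info]
  // (https://tools.ietf.org/html/rfc7468#section-13).
  string pem = 1;

  // The [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] associated
  // with this key. Compare against the algorithm the caller intends to use;
  // the PEM encoding carries the key type but not the padding or digest.
  CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2;

  // Integrity verification field. A CRC32C checksum of the returned
  // [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem]. An integrity check of [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] can be performed
  // by computing the CRC32C checksum of [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] and
  // comparing your results to this field. Discard the response in case of
  // non-matching checksum values, and perform a limited number of retries. A
  // persistent mismatch may indicate an issue in your computation of the CRC32C
  // checksum.
  //
  // CRC32C only detects accidental corruption in transit. It is not a MAC or
  // signature: an attacker who can alter the response can also recompute the
  // checksum, so authenticity of the key still rests on the transport
  // (TLS) and on IAM, not on this field.
  //
  // Note: This field is defined as int64 for reasons of compatibility across
  // different languages. However, it is a non-negative integer, which will
  // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
  // that support this type.
  //
  // NOTE: This field is in Beta.
  google.protobuf.Int64Value pem_crc32c = 3;

  // The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key.
  // Provided here for verification: compare it with the name you requested
  // so that a key for a different version is never used by mistake.
  //
  // NOTE: This field is in Beta.
  string name = 4;
}

// An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
// [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material,
// generated outside of Cloud KMS.
//
// When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a "wrapping key",
// which is a public/private key pair. You use the wrapping key to encrypt (also
// known as wrap) the pre-existing key material to protect it during the import
// process. The nature of the wrapping key depends on the choice of
// [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation
// is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to
// [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key]
// can be fetched. The fetched public key can then be used to wrap your
// pre-existing key material.
//
// Once the key material is wrapped, it can be imported into a new
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling
// [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
// Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single
// [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to
// unwrap the key material. Only Cloud KMS has access to the private key.
//
// The security of the import rests entirely on wrapping to the *right*
// public key: anyone who can substitute their own public key for
// [public_key][google.cloud.kms.v1.ImportJob.public_key] can unwrap the
// material. For HSM-backed jobs, verify the
// [attestation][google.cloud.kms.v1.ImportJob.attestation] against the
// fetched public key before wrapping anything with it.
//
// An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS
// will no longer be able to import or unwrap any key material that was wrapped
// with the [ImportJob][google.cloud.kms.v1.ImportJob]'s public key.
//
// For more information, see
// [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
message ImportJob {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/ImportJob"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}"
  };

  // The public key component of the wrapping key. For details of the type of
  // key this public key corresponds to, see the [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod].
  message WrappingPublicKey {
    // The public key, encoded in PEM format. For more information, see the [RFC
    // 7468](https://tools.ietf.org/html/rfc7468) sections for [General
    // Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
    // [Textual Encoding of Subject Public Key Info]
    // (https://tools.ietf.org/html/rfc7468#section-13).
    // Unlike [PublicKey][google.cloud.kms.v1.PublicKey], no checksum field is
    // provided here; the HSM attestation on the job is the only in-band
    // means of checking that this is the key the HSM generated.
    string pem = 1;
  }

  // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] describes the key wrapping method chosen for this
  // [ImportJob][google.cloud.kms.v1.ImportJob].
  //
  // The value names encode the wrapping parameters: RSA modulus size, the
  // OAEP hash (SHA-1 in both methods offered here), and the ephemeral AES key
  // size (256 bits). The wrapping tool must use exactly these parameters or
  // Cloud KMS will be unable to unwrap the material.
  enum ImportMethod {
    // Not specified.
    IMPORT_METHOD_UNSPECIFIED = 0;

    // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
    // scheme defined in the PKCS #11 standard. In summary, this involves
    // wrapping the raw key with an ephemeral AES key, and wrapping the
    // ephemeral AES key with a 3072 bit RSA key. For more details, see
    // [RSA AES key wrap
    // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
    //
    // NOTE(review): the "SHA1" in the name is the OAEP/MGF1 hash used for the
    // RSA step. SHA-1's collision weaknesses are generally considered not to
    // apply to OAEP, so this is not a known break of the scheme, but it is
    // the only hash choice exposed here.
    RSA_OAEP_3072_SHA1_AES_256 = 1;

    // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
    // scheme defined in the PKCS #11 standard. In summary, this involves
    // wrapping the raw key with an ephemeral AES key, and wrapping the
    // ephemeral AES key with a 4096 bit RSA key. For more details, see
    // [RSA AES key wrap
    // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
    RSA_OAEP_4096_SHA1_AES_256 = 2;
  }

  // The state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used.
  enum ImportJobState {
    // Not specified.
    IMPORT_JOB_STATE_UNSPECIFIED = 0;

    // The wrapping key for this job is still being generated. It may not be
    // used. Cloud KMS will automatically mark this job as
    // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] as soon as the wrapping key is generated.
    PENDING_GENERATION = 1;

    // This job may be used in
    // [CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey] and
    // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
    // requests.
    ACTIVE = 2;

    // This job can no longer be used and may not leave this state once entered.
    // Material wrapped to an expired job's public key cannot be imported;
    // create a new job and re-wrap.
    EXPIRED = 3;
  }

  // Output only. The resource name for this [ImportJob][google.cloud.kms.v1.ImportJob] in the format
  // `projects/*/locations/*/keyRings/*/importJobs/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Required. Immutable. The wrapping method to be used for incoming key material.
  ImportMethod import_method = 2 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Required. Immutable. The protection level of the [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the
  // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] of the
  // [version_template][google.cloud.kms.v1.CryptoKey.version_template] on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you
  // attempt to import into. This is also what determines where the wrapping
  // private key lives: for [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] the
  // unwrap happens inside the HSM and an attestation is available.
  ProtectionLevel protection_level = 9 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] was created.
  google.protobuf.Timestamp create_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]'s key material was generated.
  google.protobuf.Timestamp generate_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for
  // expiration and can no longer be used to import key material.
  google.protobuf.Timestamp expire_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob] expired. Only present if
  // [state][google.cloud.kms.v1.ImportJob.state] is [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED].
  google.protobuf.Timestamp expire_event_time = 10 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The current state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can
  // be used.
  ImportJobState state = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The public key with which to wrap key material prior to
  // import. Only returned if [state][google.cloud.kms.v1.ImportJob.state] is
  // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE].
  WrappingPublicKey public_key = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Statement that was generated and signed by the key creator
  // (for example, an HSM) at key creation time. Use this statement to verify
  // attributes of the key as stored on the HSM, independently of Google.
  // Only present for HSM-backed jobs. NOTE(review): the
  // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] values above
  // do not themselves carry a protection level, so the condition is presumably
  // [protection_level][google.cloud.kms.v1.ImportJob.protection_level] ==
  // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] — confirm against the
  // service behavior.
  KeyOperationAttestation attestation = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] specifies how cryptographic operations are performed.
// For more information, see [Protection levels]
// (https://cloud.google.com/kms/docs/algorithms#protection_levels).
enum ProtectionLevel {
  // Not specified.
  PROTECTION_LEVEL_UNSPECIFIED = 0;

  // Crypto operations are performed in software.
  SOFTWARE = 1;

  // Crypto operations are performed in a Hardware Security Module. This is
  // the only level for which a
  // [KeyOperationAttestation][google.cloud.kms.v1.KeyOperationAttestation]
  // is produced.
  HSM = 2;

  // Crypto operations are performed by an external key manager. Availability
  // of the key then depends on that external system being reachable;
  // see [ExternalProtectionLevelOptions][google.cloud.kms.v1.ExternalProtectionLevelOptions].
  EXTERNAL = 3;
}

// ExternalProtectionLevelOptions stores a group of additional fields for
// configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that are specific to the
// [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level.
message ExternalProtectionLevelOptions {
  // The URI for an external resource that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents.
  // NOTE(review): this schema expresses no format constraint or validation
  // for the URI; presumably the service validates it against the configured
  // external key manager at version creation — confirm before relying on a
  // malformed URI being rejected early.
  string external_key_uri = 1;
}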