Package com.google.cloud.kms.v1 (2.32.0)

A client to Cloud Key Management Service (KMS) API

The interfaces provided are listed below, along with usage samples.

EkmServiceClient

Service Description: Google Cloud Key Management EKM Service

Manages external cryptographic keys and operations using those keys. Implements a REST model with the following objects:

  • EkmConnection

Sample for EkmServiceClient:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (EkmServiceClient ekmServiceClient = EkmServiceClient.create()) {
   EkmConnectionName name = EkmConnectionName.of("[PROJECT]", "[LOCATION]", "[EKM_CONNECTION]");
   EkmConnection response = ekmServiceClient.getEkmConnection(name);
 }
 

KeyManagementServiceClient

Service Description: Google Cloud Key Management Service

Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects:

  • KeyRing
  • CryptoKey
  • CryptoKeyVersion
  • ImportJob

If you are using manual gRPC libraries, see Using gRPC with Cloud KMS.

Sample for KeyManagementServiceClient:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (KeyManagementServiceClient keyManagementServiceClient =
     KeyManagementServiceClient.create()) {
   KeyRingName name = KeyRingName.of("[PROJECT]", "[LOCATION]", "[KEY_RING]");
   KeyRing response = keyManagementServiceClient.getKeyRing(name);
 }
 

Classes

AsymmetricDecryptRequest

Request message for KeyManagementService.AsymmetricDecrypt.

Protobuf type google.cloud.kms.v1.AsymmetricDecryptRequest

AsymmetricDecryptRequest.Builder

Request message for KeyManagementService.AsymmetricDecrypt.

Protobuf type google.cloud.kms.v1.AsymmetricDecryptRequest

AsymmetricDecryptResponse

Response message for KeyManagementService.AsymmetricDecrypt.

Protobuf type google.cloud.kms.v1.AsymmetricDecryptResponse

AsymmetricDecryptResponse.Builder

Response message for KeyManagementService.AsymmetricDecrypt.

Protobuf type google.cloud.kms.v1.AsymmetricDecryptResponse

AsymmetricSignRequest

Request message for KeyManagementService.AsymmetricSign.

Protobuf type google.cloud.kms.v1.AsymmetricSignRequest

AsymmetricSignRequest.Builder

Request message for KeyManagementService.AsymmetricSign.

Protobuf type google.cloud.kms.v1.AsymmetricSignRequest

AsymmetricSignResponse

Response message for KeyManagementService.AsymmetricSign.

Protobuf type google.cloud.kms.v1.AsymmetricSignResponse

AsymmetricSignResponse.Builder

Response message for KeyManagementService.AsymmetricSign.

Protobuf type google.cloud.kms.v1.AsymmetricSignResponse

Certificate

A Certificate represents an X.509 certificate used to authenticate HTTPS connections to EKM replicas.

Protobuf type google.cloud.kms.v1.Certificate

Certificate.Builder

A Certificate represents an X.509 certificate used to authenticate HTTPS connections to EKM replicas.

Protobuf type google.cloud.kms.v1.Certificate

CreateCryptoKeyRequest

Request message for KeyManagementService.CreateCryptoKey.

Protobuf type google.cloud.kms.v1.CreateCryptoKeyRequest

CreateCryptoKeyRequest.Builder

Request message for KeyManagementService.CreateCryptoKey.

Protobuf type google.cloud.kms.v1.CreateCryptoKeyRequest

CreateCryptoKeyVersionRequest

Request message for KeyManagementService.CreateCryptoKeyVersion.

Protobuf type google.cloud.kms.v1.CreateCryptoKeyVersionRequest

CreateCryptoKeyVersionRequest.Builder

Request message for KeyManagementService.CreateCryptoKeyVersion.

Protobuf type google.cloud.kms.v1.CreateCryptoKeyVersionRequest

CreateEkmConnectionRequest

Request message for EkmService.CreateEkmConnection.

Protobuf type google.cloud.kms.v1.CreateEkmConnectionRequest

CreateEkmConnectionRequest.Builder

Request message for EkmService.CreateEkmConnection.

Protobuf type google.cloud.kms.v1.CreateEkmConnectionRequest

CreateImportJobRequest

Request message for KeyManagementService.CreateImportJob.

Protobuf type google.cloud.kms.v1.CreateImportJobRequest

CreateImportJobRequest.Builder

Request message for KeyManagementService.CreateImportJob.

Protobuf type google.cloud.kms.v1.CreateImportJobRequest

CreateKeyRingRequest

Request message for KeyManagementService.CreateKeyRing.

Protobuf type google.cloud.kms.v1.CreateKeyRingRequest

CreateKeyRingRequest.Builder

Request message for KeyManagementService.CreateKeyRing.

Protobuf type google.cloud.kms.v1.CreateKeyRingRequest

CryptoKey

A CryptoKey represents a logical key that can be used for cryptographic operations.

A CryptoKey is made up of zero or more versions, which represent the actual key material used in cryptographic operations.

Protobuf type google.cloud.kms.v1.CryptoKey

CryptoKey.Builder

A CryptoKey represents a logical key that can be used for cryptographic operations.

A CryptoKey is made up of zero or more versions, which represent the actual key material used in cryptographic operations.

Protobuf type google.cloud.kms.v1.CryptoKey

CryptoKeyName

CryptoKeyName.Builder

Builder for projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}.

CryptoKeyPathName

AUTO-GENERATED DOCUMENTATION AND CLASS

CryptoKeyPathName.Builder

Builder for CryptoKeyPathName.

CryptoKeyVersion

A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.

An ENABLED version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

Protobuf type google.cloud.kms.v1.CryptoKeyVersion

CryptoKeyVersion.Builder

A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.

An ENABLED version can be used for cryptographic operations.

For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

Protobuf type google.cloud.kms.v1.CryptoKeyVersion

CryptoKeyVersionName

CryptoKeyVersionName.Builder

Builder for projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}.

CryptoKeyVersionTemplate

A CryptoKeyVersionTemplate specifies the properties to use when creating a new CryptoKeyVersion, either manually with CreateCryptoKeyVersion or automatically as a result of auto-rotation.

Protobuf type google.cloud.kms.v1.CryptoKeyVersionTemplate

CryptoKeyVersionTemplate.Builder

A CryptoKeyVersionTemplate specifies the properties to use when creating a new CryptoKeyVersion, either manually with CreateCryptoKeyVersion or automatically as a result of auto-rotation.

Protobuf type google.cloud.kms.v1.CryptoKeyVersionTemplate

DecryptRequest

Request message for KeyManagementService.Decrypt.

Protobuf type google.cloud.kms.v1.DecryptRequest

DecryptRequest.Builder

Request message for KeyManagementService.Decrypt.

Protobuf type google.cloud.kms.v1.DecryptRequest

DecryptResponse

Response message for KeyManagementService.Decrypt.

Protobuf type google.cloud.kms.v1.DecryptResponse

DecryptResponse.Builder

Response message for KeyManagementService.Decrypt.

Protobuf type google.cloud.kms.v1.DecryptResponse

DestroyCryptoKeyVersionRequest

Request message for KeyManagementService.DestroyCryptoKeyVersion.

Protobuf type google.cloud.kms.v1.DestroyCryptoKeyVersionRequest

DestroyCryptoKeyVersionRequest.Builder

Request message for KeyManagementService.DestroyCryptoKeyVersion.

Protobuf type google.cloud.kms.v1.DestroyCryptoKeyVersionRequest

Digest

A Digest holds a cryptographic message digest.

Protobuf type google.cloud.kms.v1.Digest

Digest.Builder

A Digest holds a cryptographic message digest.

Protobuf type google.cloud.kms.v1.Digest

EkmConfig

An EkmConfig is a singleton resource that represents configuration parameters that apply to all CryptoKeys and CryptoKeyVersions with a ProtectionLevel of EXTERNAL_VPC in a given project and location.

Protobuf type google.cloud.kms.v1.EkmConfig

EkmConfig.Builder

An EkmConfig is a singleton resource that represents configuration parameters that apply to all CryptoKeys and CryptoKeyVersions with a ProtectionLevel of EXTERNAL_VPC in a given project and location.

Protobuf type google.cloud.kms.v1.EkmConfig

EkmConfigName

EkmConfigName.Builder

Builder for projects/{project}/locations/{location}/ekmConfig.

EkmConnection

An EkmConnection represents an individual EKM connection. It can be used for creating CryptoKeys and CryptoKeyVersions with a ProtectionLevel of EXTERNAL_VPC, as well as performing cryptographic operations using keys created within the EkmConnection.

Protobuf type google.cloud.kms.v1.EkmConnection

EkmConnection.Builder

An EkmConnection represents an individual EKM connection. It can be used for creating CryptoKeys and CryptoKeyVersions with a ProtectionLevel of EXTERNAL_VPC, as well as performing cryptographic operations using keys created within the EkmConnection.

Protobuf type google.cloud.kms.v1.EkmConnection

EkmConnection.ServiceResolver

A ServiceResolver represents an EKM replica that can be reached within an EkmConnection.

Protobuf type google.cloud.kms.v1.EkmConnection.ServiceResolver

EkmConnection.ServiceResolver.Builder

A ServiceResolver represents an EKM replica that can be reached within an EkmConnection.

Protobuf type google.cloud.kms.v1.EkmConnection.ServiceResolver

EkmConnectionName

EkmConnectionName.Builder

Builder for projects/{project}/locations/{location}/ekmConnections/{ekm_connection}.

EkmServiceClient

Service Description: Google Cloud Key Management EKM Service

Manages external cryptographic keys and operations using those keys. Implements a REST model with the following objects:

  • EkmConnection

This class provides the ability to make remote calls to the backing service through method calls that map to API methods. Sample code to get started:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (EkmServiceClient ekmServiceClient = EkmServiceClient.create()) {
   EkmConnectionName name = EkmConnectionName.of("[PROJECT]", "[LOCATION]", "[EKM_CONNECTION]");
   EkmConnection response = ekmServiceClient.getEkmConnection(name);
 }
 

Note: close() needs to be called on the EkmServiceClient object to clean up resources such as threads. In the example above, try-with-resources is used, which automatically calls close().

The surface of this class includes several types of Java methods for each of the API's methods:

  1. A "flattened" method. With this type of method, the fields of the request type have been converted into function parameters. It may be the case that not all fields are available as parameters, and not every API method will have a flattened method entry point.
  2. A "request object" method. This type of method only takes one parameter, a request object, which must be constructed before the call. Not every API method will have a request object method.
  3. A "callable" method. This type of method takes no parameters and returns an immutable API callable object, which can be used to initiate calls to the service.

See the individual methods for example code.

Many parameters require resource names to be formatted in a particular way. To assist with these names, this class includes a format method for each type of name, and additionally a parse method to extract the individual identifiers contained within names that are returned.

This class can be customized by passing in a custom instance of EkmServiceSettings to create(). For example:

To customize credentials:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 EkmServiceSettings ekmServiceSettings =
     EkmServiceSettings.newBuilder()
         .setCredentialsProvider(FixedCredentialsProvider.create(myCredentials))
         .build();
 EkmServiceClient ekmServiceClient = EkmServiceClient.create(ekmServiceSettings);
 

To customize the endpoint:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 EkmServiceSettings ekmServiceSettings =
     EkmServiceSettings.newBuilder().setEndpoint(myEndpoint).build();
 EkmServiceClient ekmServiceClient = EkmServiceClient.create(ekmServiceSettings);
 

To use REST (HTTP1.1/JSON) transport (instead of gRPC) for sending and receiving requests over the wire:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 EkmServiceSettings ekmServiceSettings = EkmServiceSettings.newHttpJsonBuilder().build();
 EkmServiceClient ekmServiceClient = EkmServiceClient.create(ekmServiceSettings);
 

Please refer to the GitHub repository's samples for more quickstart code snippets.

EkmServiceClient.ListEkmConnectionsFixedSizeCollection

EkmServiceClient.ListEkmConnectionsPage

EkmServiceClient.ListEkmConnectionsPagedResponse

EkmServiceClient.ListLocationsFixedSizeCollection

EkmServiceClient.ListLocationsPage

EkmServiceClient.ListLocationsPagedResponse

EkmServiceGrpc

Google Cloud Key Management EKM Service Manages external cryptographic keys and operations using those keys. Implements a REST model with the following objects:

  • EkmConnection

EkmServiceGrpc.EkmServiceBlockingStub

A stub to allow clients to do synchronous rpc calls to service EkmService.

Google Cloud Key Management EKM Service Manages external cryptographic keys and operations using those keys. Implements a REST model with the following objects:

  • EkmConnection

EkmServiceGrpc.EkmServiceFutureStub

A stub to allow clients to do ListenableFuture-style rpc calls to service EkmService.

Google Cloud Key Management EKM Service Manages external cryptographic keys and operations using those keys. Implements a REST model with the following objects:

  • EkmConnection

EkmServiceGrpc.EkmServiceImplBase

Base class for the server implementation of the service EkmService.

Google Cloud Key Management EKM Service Manages external cryptographic keys and operations using those keys. Implements a REST model with the following objects:

  • EkmConnection

EkmServiceGrpc.EkmServiceStub

A stub to allow clients to do asynchronous rpc calls to service EkmService.

Google Cloud Key Management EKM Service Manages external cryptographic keys and operations using those keys. Implements a REST model with the following objects:

  • EkmConnection

EkmServiceProto

EkmServiceSettings

Settings class to configure an instance of EkmServiceClient.

The default instance has everything set to sensible defaults:

  • The default service address (cloudkms.googleapis.com) and default port (443) are used.
  • Credentials are acquired automatically through Application Default Credentials.
  • Retries are configured for idempotent methods but not for non-idempotent methods.

The builder of this class is recursive, so contained classes are themselves builders. When build() is called, the tree of builders is called to create the complete settings object.

For example, to set the total timeout of getEkmConnection to 30 seconds:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 EkmServiceSettings.Builder ekmServiceSettingsBuilder = EkmServiceSettings.newBuilder();
 ekmServiceSettingsBuilder
     .getEkmConnectionSettings()
     .setRetrySettings(
         ekmServiceSettingsBuilder
             .getEkmConnectionSettings()
             .getRetrySettings()
             .toBuilder()
             .setTotalTimeout(Duration.ofSeconds(30))
             .build());
 EkmServiceSettings ekmServiceSettings = ekmServiceSettingsBuilder.build();
 

EkmServiceSettings.Builder

Builder for EkmServiceSettings.

EncryptRequest

Request message for KeyManagementService.Encrypt.

Protobuf type google.cloud.kms.v1.EncryptRequest

EncryptRequest.Builder

Request message for KeyManagementService.Encrypt.

Protobuf type google.cloud.kms.v1.EncryptRequest

EncryptResponse

Response message for KeyManagementService.Encrypt.

Protobuf type google.cloud.kms.v1.EncryptResponse

EncryptResponse.Builder

Response message for KeyManagementService.Encrypt.

Protobuf type google.cloud.kms.v1.EncryptResponse

ExternalProtectionLevelOptions

ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.

Protobuf type google.cloud.kms.v1.ExternalProtectionLevelOptions

ExternalProtectionLevelOptions.Builder

ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.

Protobuf type google.cloud.kms.v1.ExternalProtectionLevelOptions

GenerateRandomBytesRequest

Request message for KeyManagementService.GenerateRandomBytes.

Protobuf type google.cloud.kms.v1.GenerateRandomBytesRequest

GenerateRandomBytesRequest.Builder

Request message for KeyManagementService.GenerateRandomBytes.

Protobuf type google.cloud.kms.v1.GenerateRandomBytesRequest

GenerateRandomBytesResponse

Response message for KeyManagementService.GenerateRandomBytes.

Protobuf type google.cloud.kms.v1.GenerateRandomBytesResponse

GenerateRandomBytesResponse.Builder

Response message for KeyManagementService.GenerateRandomBytes.

Protobuf type google.cloud.kms.v1.GenerateRandomBytesResponse

GetCryptoKeyRequest

Request message for KeyManagementService.GetCryptoKey.

Protobuf type google.cloud.kms.v1.GetCryptoKeyRequest

GetCryptoKeyRequest.Builder

Request message for KeyManagementService.GetCryptoKey.

Protobuf type google.cloud.kms.v1.GetCryptoKeyRequest

GetCryptoKeyVersionRequest

Request message for KeyManagementService.GetCryptoKeyVersion.

Protobuf type google.cloud.kms.v1.GetCryptoKeyVersionRequest

GetCryptoKeyVersionRequest.Builder

Request message for KeyManagementService.GetCryptoKeyVersion.

Protobuf type google.cloud.kms.v1.GetCryptoKeyVersionRequest

GetEkmConfigRequest

Request message for EkmService.GetEkmConfig.

Protobuf type google.cloud.kms.v1.GetEkmConfigRequest

GetEkmConfigRequest.Builder

Request message for EkmService.GetEkmConfig.

Protobuf type google.cloud.kms.v1.GetEkmConfigRequest

GetEkmConnectionRequest

Request message for EkmService.GetEkmConnection.

Protobuf type google.cloud.kms.v1.GetEkmConnectionRequest

GetEkmConnectionRequest.Builder

Request message for EkmService.GetEkmConnection.

Protobuf type google.cloud.kms.v1.GetEkmConnectionRequest

GetImportJobRequest

Request message for KeyManagementService.GetImportJob.

Protobuf type google.cloud.kms.v1.GetImportJobRequest

GetImportJobRequest.Builder

Request message for KeyManagementService.GetImportJob.

Protobuf type google.cloud.kms.v1.GetImportJobRequest

GetKeyRingRequest

Request message for KeyManagementService.GetKeyRing.

Protobuf type google.cloud.kms.v1.GetKeyRingRequest

GetKeyRingRequest.Builder

Request message for KeyManagementService.GetKeyRing.

Protobuf type google.cloud.kms.v1.GetKeyRingRequest

GetPublicKeyRequest

Request message for KeyManagementService.GetPublicKey.

Protobuf type google.cloud.kms.v1.GetPublicKeyRequest

GetPublicKeyRequest.Builder

Request message for KeyManagementService.GetPublicKey.

Protobuf type google.cloud.kms.v1.GetPublicKeyRequest

ImportCryptoKeyVersionRequest

Request message for KeyManagementService.ImportCryptoKeyVersion.

Protobuf type google.cloud.kms.v1.ImportCryptoKeyVersionRequest

ImportCryptoKeyVersionRequest.Builder

Request message for KeyManagementService.ImportCryptoKeyVersion.

Protobuf type google.cloud.kms.v1.ImportCryptoKeyVersionRequest

ImportJob

An ImportJob can be used to create CryptoKeys and CryptoKeyVersions using pre-existing key material, generated outside of Cloud KMS.

When an ImportJob is created, Cloud KMS will generate a "wrapping key", which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of import_method. When the wrapping key generation is complete, the state will be set to ACTIVE and the public_key can be fetched. The fetched public key can then be used to wrap your pre-existing key material.

Once the key material is wrapped, it can be imported into a new CryptoKeyVersion in an existing CryptoKey by calling ImportCryptoKeyVersion. Multiple CryptoKeyVersions can be imported with a single ImportJob. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key.

An ImportJob expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the ImportJob's public key.

For more information, see Importing a key.

Protobuf type google.cloud.kms.v1.ImportJob

ImportJob.Builder

An ImportJob can be used to create CryptoKeys and CryptoKeyVersions using pre-existing key material, generated outside of Cloud KMS.

When an ImportJob is created, Cloud KMS will generate a "wrapping key", which is a public/private key pair. You use the wrapping key to encrypt (also known as wrap) the pre-existing key material to protect it during the import process. The nature of the wrapping key depends on the choice of import_method. When the wrapping key generation is complete, the state will be set to ACTIVE and the public_key can be fetched. The fetched public key can then be used to wrap your pre-existing key material.

Once the key material is wrapped, it can be imported into a new CryptoKeyVersion in an existing CryptoKey by calling ImportCryptoKeyVersion. Multiple CryptoKeyVersions can be imported with a single ImportJob. Cloud KMS uses the private key portion of the wrapping key to unwrap the key material. Only Cloud KMS has access to the private key.

An ImportJob expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the ImportJob's public key.

For more information, see Importing a key.

Protobuf type google.cloud.kms.v1.ImportJob

ImportJob.WrappingPublicKey

The public key component of the wrapping key. For details of the type of key this public key corresponds to, see the ImportMethod.

Protobuf type google.cloud.kms.v1.ImportJob.WrappingPublicKey

ImportJob.WrappingPublicKey.Builder

The public key component of the wrapping key. For details of the type of key this public key corresponds to, see the ImportMethod.

Protobuf type google.cloud.kms.v1.ImportJob.WrappingPublicKey

ImportJobName

ImportJobName.Builder

Builder for projects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}.

KeyManagementServiceClient

Service Description: Google Cloud Key Management Service

Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects:

  • KeyRing
  • CryptoKey
  • CryptoKeyVersion
  • ImportJob

If you are using manual gRPC libraries, see Using gRPC with Cloud KMS.

This class provides the ability to make remote calls to the backing service through method calls that map to API methods. Sample code to get started:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 try (KeyManagementServiceClient keyManagementServiceClient =
     KeyManagementServiceClient.create()) {
   KeyRingName name = KeyRingName.of("[PROJECT]", "[LOCATION]", "[KEY_RING]");
   KeyRing response = keyManagementServiceClient.getKeyRing(name);
 }
 

Note: close() needs to be called on the KeyManagementServiceClient object to clean up resources such as threads. In the example above, try-with-resources is used, which automatically calls close().

The surface of this class includes several types of Java methods for each of the API's methods:

  1. A "flattened" method. With this type of method, the fields of the request type have been converted into function parameters. It may be the case that not all fields are available as parameters, and not every API method will have a flattened method entry point.
  2. A "request object" method. This type of method only takes one parameter, a request object, which must be constructed before the call. Not every API method will have a request object method.
  3. A "callable" method. This type of method takes no parameters and returns an immutable API callable object, which can be used to initiate calls to the service.

See the individual methods for example code.

Many parameters require resource names to be formatted in a particular way. To assist with these names, this class includes a format method for each type of name, and additionally a parse method to extract the individual identifiers contained within names that are returned.

This class can be customized by passing in a custom instance of KeyManagementServiceSettings to create(). For example:

To customize credentials:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 KeyManagementServiceSettings keyManagementServiceSettings =
     KeyManagementServiceSettings.newBuilder()
         .setCredentialsProvider(FixedCredentialsProvider.create(myCredentials))
         .build();
 KeyManagementServiceClient keyManagementServiceClient =
     KeyManagementServiceClient.create(keyManagementServiceSettings);
 

To customize the endpoint:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 KeyManagementServiceSettings keyManagementServiceSettings =
     KeyManagementServiceSettings.newBuilder().setEndpoint(myEndpoint).build();
 KeyManagementServiceClient keyManagementServiceClient =
     KeyManagementServiceClient.create(keyManagementServiceSettings);
 

To use REST (HTTP1.1/JSON) transport (instead of gRPC) for sending and receiving requests over the wire:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 KeyManagementServiceSettings keyManagementServiceSettings =
     KeyManagementServiceSettings.newHttpJsonBuilder().build();
 KeyManagementServiceClient keyManagementServiceClient =
     KeyManagementServiceClient.create(keyManagementServiceSettings);
 

Please refer to the GitHub repository's samples for more quickstart code snippets.

KeyManagementServiceClient.ListCryptoKeyVersionsFixedSizeCollection

KeyManagementServiceClient.ListCryptoKeyVersionsPage

KeyManagementServiceClient.ListCryptoKeyVersionsPagedResponse

KeyManagementServiceClient.ListCryptoKeysFixedSizeCollection

KeyManagementServiceClient.ListCryptoKeysPage

KeyManagementServiceClient.ListCryptoKeysPagedResponse

KeyManagementServiceClient.ListImportJobsFixedSizeCollection

KeyManagementServiceClient.ListImportJobsPage

KeyManagementServiceClient.ListImportJobsPagedResponse

KeyManagementServiceClient.ListKeyRingsFixedSizeCollection

KeyManagementServiceClient.ListKeyRingsPage

KeyManagementServiceClient.ListKeyRingsPagedResponse

KeyManagementServiceClient.ListLocationsFixedSizeCollection

KeyManagementServiceClient.ListLocationsPage

KeyManagementServiceClient.ListLocationsPagedResponse

KeyManagementServiceGrpc

Google Cloud Key Management Service Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects:

KeyManagementServiceGrpc.KeyManagementServiceBlockingStub

A stub to allow clients to do synchronous rpc calls to service KeyManagementService.

Google Cloud Key Management Service Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects:

KeyManagementServiceGrpc.KeyManagementServiceFutureStub

A stub to allow clients to do ListenableFuture-style rpc calls to service KeyManagementService.

Google Cloud Key Management Service Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects:

KeyManagementServiceGrpc.KeyManagementServiceImplBase

Base class for the server implementation of the service KeyManagementService.

Google Cloud Key Management Service Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects:

KeyManagementServiceGrpc.KeyManagementServiceStub

A stub to allow clients to do asynchronous rpc calls to service KeyManagementService.

Google Cloud Key Management Service Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects:

KeyManagementServiceSettings

Settings class to configure an instance of KeyManagementServiceClient.

The default instance has everything set to sensible defaults:

  • The default service address (cloudkms.googleapis.com) and default port (443) are used.
  • Credentials are acquired automatically through Application Default Credentials.
  • Retries are configured for idempotent methods but not for non-idempotent methods.

The builder of this class is recursive, so contained classes are themselves builders. When build() is called, the tree of builders is called to create the complete settings object.

For example, to set the total timeout of getKeyRing to 30 seconds:


 // This snippet has been automatically generated and should be regarded as a code template only.
 // It will require modifications to work:
 // - It may require correct/in-range values for request initialization.
 // - It may require specifying regional endpoints when creating the service client as shown in
 // https://cloud.google.com/java/docs/setup#configure_endpoints_for_the_client_library
 KeyManagementServiceSettings.Builder keyManagementServiceSettingsBuilder =
     KeyManagementServiceSettings.newBuilder();
 keyManagementServiceSettingsBuilder
     .getKeyRingSettings()
     .setRetrySettings(
         keyManagementServiceSettingsBuilder
             .getKeyRingSettings()
             .getRetrySettings()
             .toBuilder()
             .setTotalTimeout(Duration.ofSeconds(30))
             .build());
 KeyManagementServiceSettings keyManagementServiceSettings =
     keyManagementServiceSettingsBuilder.build();
 

KeyManagementServiceSettings.Builder

Builder for KeyManagementServiceSettings.

KeyName

AUTO-GENERATED DOCUMENTATION AND CLASS

KeyNames (deprecated)

Deprecated. This resource name class will be removed in the next major version.

AUTO-GENERATED DOCUMENTATION AND CLASS

KeyOperationAttestation

Contains an HSM-generated attestation about a key operation. For more information, see Verifying attestations.

Protobuf type google.cloud.kms.v1.KeyOperationAttestation

KeyOperationAttestation.Builder

Contains an HSM-generated attestation about a key operation. For more information, see Verifying attestations.

Protobuf type google.cloud.kms.v1.KeyOperationAttestation

KeyOperationAttestation.CertificateChains

Certificate chains needed to verify the attestation. Certificates in chains are PEM-encoded and are ordered based on https://tools.ietf.org/html/rfc5246#section-7.4.2.

Protobuf type google.cloud.kms.v1.KeyOperationAttestation.CertificateChains

KeyOperationAttestation.CertificateChains.Builder

Certificate chains needed to verify the attestation. Certificates in chains are PEM-encoded and are ordered based on https://tools.ietf.org/html/rfc5246#section-7.4.2.

Protobuf type google.cloud.kms.v1.KeyOperationAttestation.CertificateChains

KeyRing

A KeyRing is a toplevel logical grouping of CryptoKeys.

Protobuf type google.cloud.kms.v1.KeyRing

KeyRing.Builder

A KeyRing is a toplevel logical grouping of CryptoKeys.

Protobuf type google.cloud.kms.v1.KeyRing

KeyRingName

KeyRingName.Builder

Builder for projects/{project}/locations/{location}/keyRings/{key_ring}.

KmsProto

KmsResourcesProto

ListCryptoKeyVersionsRequest

Request message for KeyManagementService.ListCryptoKeyVersions.

Protobuf type google.cloud.kms.v1.ListCryptoKeyVersionsRequest

ListCryptoKeyVersionsRequest.Builder

Request message for KeyManagementService.ListCryptoKeyVersions.

Protobuf type google.cloud.kms.v1.ListCryptoKeyVersionsRequest

ListCryptoKeyVersionsResponse

Response message for KeyManagementService.ListCryptoKeyVersions.

Protobuf type google.cloud.kms.v1.ListCryptoKeyVersionsResponse

ListCryptoKeyVersionsResponse.Builder

Response message for KeyManagementService.ListCryptoKeyVersions.

Protobuf type google.cloud.kms.v1.ListCryptoKeyVersionsResponse

ListCryptoKeysRequest

Request message for KeyManagementService.ListCryptoKeys.

Protobuf type google.cloud.kms.v1.ListCryptoKeysRequest

ListCryptoKeysRequest.Builder

Request message for KeyManagementService.ListCryptoKeys.

Protobuf type google.cloud.kms.v1.ListCryptoKeysRequest

ListCryptoKeysResponse

Response message for KeyManagementService.ListCryptoKeys.

Protobuf type google.cloud.kms.v1.ListCryptoKeysResponse

ListCryptoKeysResponse.Builder

Response message for KeyManagementService.ListCryptoKeys.

Protobuf type google.cloud.kms.v1.ListCryptoKeysResponse

ListEkmConnectionsRequest

Request message for EkmService.ListEkmConnections.

Protobuf type google.cloud.kms.v1.ListEkmConnectionsRequest

ListEkmConnectionsRequest.Builder

Request message for EkmService.ListEkmConnections.

Protobuf type google.cloud.kms.v1.ListEkmConnectionsRequest

ListEkmConnectionsResponse

Response message for EkmService.ListEkmConnections.

Protobuf type google.cloud.kms.v1.ListEkmConnectionsResponse

ListEkmConnectionsResponse.Builder

Response message for EkmService.ListEkmConnections.

Protobuf type google.cloud.kms.v1.ListEkmConnectionsResponse

ListImportJobsRequest

Request message for KeyManagementService.ListImportJobs.

Protobuf type google.cloud.kms.v1.ListImportJobsRequest

ListImportJobsRequest.Builder

Request message for KeyManagementService.ListImportJobs.

Protobuf type google.cloud.kms.v1.ListImportJobsRequest

ListImportJobsResponse

Response message for KeyManagementService.ListImportJobs.

Protobuf type google.cloud.kms.v1.ListImportJobsResponse

ListImportJobsResponse.Builder

Response message for KeyManagementService.ListImportJobs.

Protobuf type google.cloud.kms.v1.ListImportJobsResponse

ListKeyRingsRequest

Request message for KeyManagementService.ListKeyRings.

Protobuf type google.cloud.kms.v1.ListKeyRingsRequest

ListKeyRingsRequest.Builder

Request message for KeyManagementService.ListKeyRings.

Protobuf type google.cloud.kms.v1.ListKeyRingsRequest

ListKeyRingsResponse

Response message for KeyManagementService.ListKeyRings.

Protobuf type google.cloud.kms.v1.ListKeyRingsResponse

ListKeyRingsResponse.Builder

Response message for KeyManagementService.ListKeyRings.

Protobuf type google.cloud.kms.v1.ListKeyRingsResponse

LocationMetadata

Cloud KMS metadata for the given google.cloud.location.Location.

Protobuf type google.cloud.kms.v1.LocationMetadata

LocationMetadata.Builder

Cloud KMS metadata for the given google.cloud.location.Location.

Protobuf type google.cloud.kms.v1.LocationMetadata

LocationName

LocationName.Builder

Builder for projects/{project}/locations/{location}.

MacSignRequest

Request message for KeyManagementService.MacSign.

Protobuf type google.cloud.kms.v1.MacSignRequest

MacSignRequest.Builder

Request message for KeyManagementService.MacSign.

Protobuf type google.cloud.kms.v1.MacSignRequest

MacSignResponse

Response message for KeyManagementService.MacSign.

Protobuf type google.cloud.kms.v1.MacSignResponse

MacSignResponse.Builder

Response message for KeyManagementService.MacSign.

Protobuf type google.cloud.kms.v1.MacSignResponse

MacVerifyRequest

Request message for KeyManagementService.MacVerify.

Protobuf type google.cloud.kms.v1.MacVerifyRequest

MacVerifyRequest.Builder

Request message for KeyManagementService.MacVerify.

Protobuf type google.cloud.kms.v1.MacVerifyRequest

MacVerifyResponse

Response message for KeyManagementService.MacVerify.

Protobuf type google.cloud.kms.v1.MacVerifyResponse

MacVerifyResponse.Builder

Response message for KeyManagementService.MacVerify.

Protobuf type google.cloud.kms.v1.MacVerifyResponse

PublicKey

The public key for a given CryptoKeyVersion. Obtained via GetPublicKey.

Protobuf type google.cloud.kms.v1.PublicKey

PublicKey.Builder

The public key for a given CryptoKeyVersion. Obtained via GetPublicKey.

Protobuf type google.cloud.kms.v1.PublicKey

RawDecryptRequest

Request message for KeyManagementService.RawDecrypt.

Protobuf type google.cloud.kms.v1.RawDecryptRequest

RawDecryptRequest.Builder

Request message for KeyManagementService.RawDecrypt.

Protobuf type google.cloud.kms.v1.RawDecryptRequest

RawDecryptResponse

Response message for KeyManagementService.RawDecrypt.

Protobuf type google.cloud.kms.v1.RawDecryptResponse

RawDecryptResponse.Builder

Response message for KeyManagementService.RawDecrypt.

Protobuf type google.cloud.kms.v1.RawDecryptResponse

RawEncryptRequest

Request message for KeyManagementService.RawEncrypt.

Protobuf type google.cloud.kms.v1.RawEncryptRequest

RawEncryptRequest.Builder

Request message for KeyManagementService.RawEncrypt.

Protobuf type google.cloud.kms.v1.RawEncryptRequest

RawEncryptResponse

Response message for KeyManagementService.RawEncrypt.

Protobuf type google.cloud.kms.v1.RawEncryptResponse

RawEncryptResponse.Builder

Response message for KeyManagementService.RawEncrypt.

Protobuf type google.cloud.kms.v1.RawEncryptResponse

RestoreCryptoKeyVersionRequest

Request message for KeyManagementService.RestoreCryptoKeyVersion.

Protobuf type google.cloud.kms.v1.RestoreCryptoKeyVersionRequest

RestoreCryptoKeyVersionRequest.Builder

Request message for KeyManagementService.RestoreCryptoKeyVersion.

Protobuf type google.cloud.kms.v1.RestoreCryptoKeyVersionRequest

UntypedKeyName (deprecated)

Deprecated. This resource name class will be removed in the next major version.

AUTO-GENERATED DOCUMENTATION AND CLASS

UpdateCryptoKeyPrimaryVersionRequest

Request message for KeyManagementService.UpdateCryptoKeyPrimaryVersion.

Protobuf type google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest

UpdateCryptoKeyPrimaryVersionRequest.Builder

Request message for KeyManagementService.UpdateCryptoKeyPrimaryVersion.

Protobuf type google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest

UpdateCryptoKeyRequest

Request message for KeyManagementService.UpdateCryptoKey.

Protobuf type google.cloud.kms.v1.UpdateCryptoKeyRequest

UpdateCryptoKeyRequest.Builder

Request message for KeyManagementService.UpdateCryptoKey.

Protobuf type google.cloud.kms.v1.UpdateCryptoKeyRequest

UpdateCryptoKeyVersionRequest

Request message for KeyManagementService.UpdateCryptoKeyVersion.

Protobuf type google.cloud.kms.v1.UpdateCryptoKeyVersionRequest

UpdateCryptoKeyVersionRequest.Builder

Request message for KeyManagementService.UpdateCryptoKeyVersion.

Protobuf type google.cloud.kms.v1.UpdateCryptoKeyVersionRequest

UpdateEkmConfigRequest

Request message for EkmService.UpdateEkmConfig.

Protobuf type google.cloud.kms.v1.UpdateEkmConfigRequest

UpdateEkmConfigRequest.Builder

Request message for EkmService.UpdateEkmConfig.

Protobuf type google.cloud.kms.v1.UpdateEkmConfigRequest

UpdateEkmConnectionRequest

Request message for EkmService.UpdateEkmConnection.

Protobuf type google.cloud.kms.v1.UpdateEkmConnectionRequest

UpdateEkmConnectionRequest.Builder

Request message for EkmService.UpdateEkmConnection.

Protobuf type google.cloud.kms.v1.UpdateEkmConnectionRequest

VerifyConnectivityRequest

Request message for EkmService.VerifyConnectivity.

Protobuf type google.cloud.kms.v1.VerifyConnectivityRequest

VerifyConnectivityRequest.Builder

Request message for EkmService.VerifyConnectivity.

Protobuf type google.cloud.kms.v1.VerifyConnectivityRequest

VerifyConnectivityResponse

Response message for EkmService.VerifyConnectivity.

Protobuf type google.cloud.kms.v1.VerifyConnectivityResponse

VerifyConnectivityResponse.Builder

Response message for EkmService.VerifyConnectivity.

Protobuf type google.cloud.kms.v1.VerifyConnectivityResponse

Interfaces

AsymmetricDecryptRequestOrBuilder

AsymmetricDecryptResponseOrBuilder

AsymmetricSignRequestOrBuilder

AsymmetricSignResponseOrBuilder

CertificateOrBuilder

CreateCryptoKeyRequestOrBuilder

CreateCryptoKeyVersionRequestOrBuilder

CreateEkmConnectionRequestOrBuilder

CreateImportJobRequestOrBuilder

CreateKeyRingRequestOrBuilder

CryptoKeyOrBuilder

CryptoKeyVersionOrBuilder

CryptoKeyVersionTemplateOrBuilder

DecryptRequestOrBuilder

DecryptResponseOrBuilder

DestroyCryptoKeyVersionRequestOrBuilder

DigestOrBuilder

EkmConfigOrBuilder

EkmConnection.ServiceResolverOrBuilder

EkmConnectionOrBuilder

EkmServiceGrpc.AsyncService

Google Cloud Key Management EKM Service Manages external cryptographic keys and operations using those keys. Implements a REST model with the following objects:

  • EkmConnection

EncryptRequestOrBuilder

EncryptResponseOrBuilder

ExternalProtectionLevelOptionsOrBuilder

GenerateRandomBytesRequestOrBuilder

GenerateRandomBytesResponseOrBuilder

GetCryptoKeyRequestOrBuilder

GetCryptoKeyVersionRequestOrBuilder

GetEkmConfigRequestOrBuilder

GetEkmConnectionRequestOrBuilder

GetImportJobRequestOrBuilder

GetKeyRingRequestOrBuilder

GetPublicKeyRequestOrBuilder

ImportCryptoKeyVersionRequestOrBuilder

ImportJob.WrappingPublicKeyOrBuilder

ImportJobOrBuilder

KeyManagementServiceGrpc.AsyncService

Google Cloud Key Management Service Manages cryptographic keys and operations using those keys. Implements a REST model with the following objects:

KeyOperationAttestation.CertificateChainsOrBuilder

KeyOperationAttestationOrBuilder

KeyRingOrBuilder

ListCryptoKeyVersionsRequestOrBuilder

ListCryptoKeyVersionsResponseOrBuilder

ListCryptoKeysRequestOrBuilder

ListCryptoKeysResponseOrBuilder

ListEkmConnectionsRequestOrBuilder

ListEkmConnectionsResponseOrBuilder

ListImportJobsRequestOrBuilder

ListImportJobsResponseOrBuilder

ListKeyRingsRequestOrBuilder

ListKeyRingsResponseOrBuilder

LocationMetadataOrBuilder

MacSignRequestOrBuilder

MacSignResponseOrBuilder

MacVerifyRequestOrBuilder

MacVerifyResponseOrBuilder

PublicKeyOrBuilder

RawDecryptRequestOrBuilder

RawDecryptResponseOrBuilder

RawEncryptRequestOrBuilder

RawEncryptResponseOrBuilder

RestoreCryptoKeyVersionRequestOrBuilder

UpdateCryptoKeyPrimaryVersionRequestOrBuilder

UpdateCryptoKeyRequestOrBuilder

UpdateCryptoKeyVersionRequestOrBuilder

UpdateEkmConfigRequestOrBuilder

UpdateEkmConnectionRequestOrBuilder

VerifyConnectivityRequestOrBuilder

VerifyConnectivityResponseOrBuilder

Enums

CryptoKey.CryptoKeyPurpose

CryptoKeyPurpose describes the cryptographic capabilities of a CryptoKey. A given key can only be used for the operations allowed by its purpose. For more information, see Key purposes.

Protobuf enum google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose

CryptoKey.RotationScheduleCase

CryptoKeyVersion.CryptoKeyVersionAlgorithm

The algorithm of the CryptoKeyVersion, indicating what parameters must be used for each cryptographic operation.

The GOOGLE_SYMMETRIC_ENCRYPTION algorithm is usable with CryptoKey.purpose ENCRYPT_DECRYPT.

Algorithms beginning with RSA_SIGN_ are usable with CryptoKey.purpose ASYMMETRIC_SIGN.

The fields in the name after RSA_SIGN_ correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm.

For PSS, the salt length used is equal to the length of digest algorithm. For example, RSA_SIGN_PSS_2048_SHA256 will use PSS with a salt length of 256 bits or 32 bytes.

Algorithms beginning with RSA_DECRYPT_ are usable with CryptoKey.purpose ASYMMETRIC_DECRYPT.

The fields in the name after RSA_DECRYPT_ correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm.

Algorithms beginning with EC_SIGN_ are usable with CryptoKey.purpose ASYMMETRIC_SIGN.

The fields in the name after EC_SIGN_ correspond to the following parameters: elliptic curve, digest algorithm.

Algorithms beginning with HMAC_ are usable with CryptoKey.purpose MAC.

The suffix following HMAC_ corresponds to the hash algorithm being used (eg. SHA256).

For more information, see Key purposes and algorithms.

Protobuf enum google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm

CryptoKeyVersion.CryptoKeyVersionState

The state of a CryptoKeyVersion, indicating if it can be used.

Protobuf enum google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState

CryptoKeyVersion.CryptoKeyVersionView

A view for CryptoKeyVersions. Controls the level of detail returned for CryptoKeyVersions in KeyManagementService.ListCryptoKeyVersions and KeyManagementService.ListCryptoKeys.

Protobuf enum google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionView

Digest.DigestCase

EkmConnection.KeyManagementMode

KeyManagementMode describes who can perform control plane cryptographic operations using this EkmConnection.

Protobuf enum google.cloud.kms.v1.EkmConnection.KeyManagementMode

ImportCryptoKeyVersionRequest.WrappedKeyMaterialCase

ImportJob.ImportJobState

The state of the ImportJob, indicating if it can be used.

Protobuf enum google.cloud.kms.v1.ImportJob.ImportJobState

ImportJob.ImportMethod

ImportMethod describes the key wrapping method chosen for this ImportJob.

Protobuf enum google.cloud.kms.v1.ImportJob.ImportMethod

KeyOperationAttestation.AttestationFormat

Attestation formats provided by the HSM.

Protobuf enum google.cloud.kms.v1.KeyOperationAttestation.AttestationFormat

ProtectionLevel

ProtectionLevel specifies how cryptographic operations are performed. For more information, see Protection levels.

Protobuf enum google.cloud.kms.v1.ProtectionLevel