KeyManagementMode(value)KeyManagementMode describes who can perform control plane cryptographic operations using this EkmConnection.
- When creating a
<xref uid="google.cloud.kms.v1.CryptoKeyVersion">CryptoKeyVersion</xref>
associated with this
<xref uid="google.cloud.kms.v1.EkmConnection">EkmConnection</xref>, the
caller must supply the key path of pre-existing external
key material that will be linked to the
<xref uid="google.cloud.kms.v1.CryptoKeyVersion">CryptoKeyVersion</xref>.
- Destruction of external key material cannot be requested
via the Cloud KMS API and must be performed directly in
the EKM.
- Automatic rotation of key material is not supported.
CLOUD_KMS (2):
All <xref uid="google.cloud.kms.v1.CryptoKey">CryptoKeys</xref> created with
this <xref uid="google.cloud.kms.v1.EkmConnection">EkmConnection</xref> use
EKM-side key management operations initiated from Cloud KMS.
This means that:
- When a
<xref uid="google.cloud.kms.v1.CryptoKeyVersion">CryptoKeyVersion</xref>
associated with this
<xref uid="google.cloud.kms.v1.EkmConnection">EkmConnection</xref> is
created, the EKM automatically generates new key material
and a new key path. The caller cannot supply the key path
of pre-existing external key material.
- Destruction of external key material associated with this
<xref uid="google.cloud.kms.v1.EkmConnection">EkmConnection</xref> can be
requested by calling
`DestroyCryptoKeyVersion][EkmService.DestroyCryptoKeyVersion]`.
- Automatic rotation of key material is supported.
Enums |
|
|---|---|
| Name | Description |
KEY_MANAGEMENT_MODE_UNSPECIFIED |
Not specified. |
MANUAL |
EKM-side key management operations on CryptoKeys created with this EkmConnection must be initiated from the EKM directly and cannot be performed from Cloud KMS. This means that: |