Cloud Key Management Service (KMS) V1 API - Module Google::Cloud::Kms::V1::EkmConnection::KeyManagementMode (v0.18.1)

Reference documentation and code samples for the Cloud Key Management Service (KMS) V1 API module Google::Cloud::Kms::V1::EkmConnection::KeyManagementMode.

KeyManagementMode describes who can perform control plane cryptographic operations using this EkmConnection.

Constants

KEY_MANAGEMENT_MODE_UNSPECIFIED

value: 0
Not specified.

MANUAL

value: 1

EKM-side key management operations on CryptoKeys created with this EkmConnection must be initiated from the EKM directly and cannot be performed from Cloud KMS. This means that:

  • When creating a CryptoKeyVersion associated with this EkmConnection, the caller must supply the key path of pre-existing external key material that will be linked to the CryptoKeyVersion.
  • Destruction of external key material cannot be requested via the Cloud KMS API and must be performed directly in the EKM.
  • Automatic rotation of key material is not supported.

CLOUD_KMS

value: 2

All CryptoKeys created with this EkmConnection use EKM-side key management operations initiated from Cloud KMS. This means that:

  • When a CryptoKeyVersion associated with this EkmConnection is created, the EKM automatically generates new key material and a new key path. The caller cannot supply the key path of pre-existing external key material.
  • Destruction of external key material associated with this EkmConnection can be requested by calling [DestroyCryptoKeyVersion][EkmService.DestroyCryptoKeyVersion].
  • Automatic rotation of key material is supported.