Module: Google::Cloud::Kms::V1::EkmConnection::KeyManagementMode

Defined in:
proto_docs/google/cloud/kms/v1/ekm_service.rb

Overview

KeyManagementMode describes who can perform control plane cryptographic operations using this EkmConnection.

Constant Summary

KEY_MANAGEMENT_MODE_UNSPECIFIED = 0

Not specified.

MANUAL = 1

EKM-side key management operations on CryptoKeys created with this EkmConnection must be initiated from the EKM directly and cannot be performed from Cloud KMS. This means that:

  • When creating a CryptoKeyVersion associated with this EkmConnection, the caller must supply the key path of pre-existing external key material that will be linked to the CryptoKeyVersion.
  • Destruction of external key material cannot be requested via the Cloud KMS API and must be performed directly in the EKM.
  • Automatic rotation of key material is not supported.

CLOUD_KMS = 2

All CryptoKeys created with this EkmConnection use EKM-side key management operations initiated from Cloud KMS. This means that:

  • When a CryptoKeyVersion associated with this EkmConnection is created, the EKM automatically generates new key material and a new key path. The caller cannot supply the key path of pre-existing external key material.
  • Destruction of external key material associated with this EkmConnection can be requested by calling [DestroyCryptoKeyVersion][EkmService.DestroyCryptoKeyVersion].
  • Automatic rotation of key material is supported.
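
The rules for MANUAL and CLOUD_KMS above can be enforced as a pre-flight check before a change is sent to Cloud KMS. The following is an added example, not code from the google-cloud-kms library: the request hash shape, the operation symbols, `check_ekm_request`, `audit_requests` and the sample data are all assumptions made for illustration, and only the enum values come from this page.

```ruby
# Added example: plain Ruby, no Cloud KMS client calls are made.
# Enum values are the ones listed on this page.
module KeyManagementMode
  KEY_MANAGEMENT_MODE_UNSPECIFIED = 0
  MANUAL = 1
  CLOUD_KMS = 2
end

# Hypothetical request shape: { id:, mode:, op:, key_path: } where op is
# :create_version, :destroy_key_material or :auto_rotate.
# Returns a violation string, or nil when the request fits the mode.
def check_ekm_request(req)
  has_path = !req[:key_path].to_s.strip.empty?
  case [req[:mode], req[:op]]
  when [KeyManagementMode::MANUAL, :create_version]
    has_path ? nil : "MANUAL: key path of pre-existing external key material is required"
  when [KeyManagementMode::MANUAL, :destroy_key_material]
    "MANUAL: destroy external key material directly in the EKM"
  when [KeyManagementMode::MANUAL, :auto_rotate]
    "MANUAL: automatic rotation is not supported"
  when [KeyManagementMode::CLOUD_KMS, :create_version]
    has_path ? "CLOUD_KMS: key path is generated by the EKM and cannot be supplied" : nil
  when [KeyManagementMode::CLOUD_KMS, :destroy_key_material],
       [KeyManagementMode::CLOUD_KMS, :auto_rotate]
    nil
  else
    # Fail closed on KEY_MANAGEMENT_MODE_UNSPECIFIED, unknown modes and unknown ops.
    "rejected: unspecified mode or unknown operation (mode=#{req[:mode].inspect}, op=#{req[:op].inspect})"
  end
end

# Constructed sample requests; ids and key paths are made up for illustration.
SAMPLE_REQUESTS = [
  { id: "r1", mode: KeyManagementMode::MANUAL,    op: :create_version, key_path: "v0/example-key" },
  { id: "r2", mode: KeyManagementMode::MANUAL,    op: :create_version },
  { id: "r3", mode: KeyManagementMode::MANUAL,    op: :auto_rotate },
  { id: "r4", mode: KeyManagementMode::CLOUD_KMS, op: :create_version, key_path: "v0/example-key" },
  { id: "r5", mode: KeyManagementMode::CLOUD_KMS, op: :destroy_key_material },
  { id: "r6", mode: KeyManagementMode::KEY_MANAGEMENT_MODE_UNSPECIFIED, op: :create_version }
].freeze

# Returns { request id => violation } for every request that does not fit its mode.
def audit_requests(requests)
  requests.each_with_object({}) do |req, out|
    violation = check_ekm_request(req)
    out[req[:id]] = violation if violation
  end
end

audit_requests(SAMPLE_REQUESTS).each { |id, why| puts "#{id}: #{why}" }
```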