Create a key. Create a key in a given region specified by the region
parameter. Keys only support symmetric encryption. You can use keys to
encrypt or decrypt arbitrary payloads, or to generate data encryption keys
that can be used without being stored in Key Manager.
The request CreateKeyRequest
A Promise of Key
Decrypt data. Decrypt data using an existing key, specified by the key_id
parameter. The maximum payload size that can be decrypted is the result of
the encryption of 64KB of data (around 131KB).
The request DecryptRequest
A Promise of DecryptResponse
Delete a key. Delete an existing key specified by the region and key_id
parameters. Deleting a key is permanent and cannot be undone. All data
encrypted using this key, including data encryption keys, will become
unusable.
The request DeleteKeyRequest
Delete key material. Delete previously imported key material. This renders
the associated cryptographic key unusable for any operation. The key's
origin must be external.
The request DeleteKeyMaterialRequest
Disable key. Disable a given key, preventing its use for cryptographic
operations. Disabling a key renders it unusable. You must specify the
region and key_id parameters.
The request DisableKeyRequest
A Promise of Key
Enable key. Enable a given key to be used for cryptographic operations.
Enabling a key allows you to make a disabled key usable again. You must
specify the region and key_id parameters.
The request EnableKeyRequest
A Promise of Key
Encrypt data. Encrypt data using an existing key, specified by the key_id
parameter. Only keys with a usage set to symmetric_encryption are
supported by this method. The maximum payload size that can be encrypted is
64KB of plaintext.
The request EncryptRequest
A Promise of EncryptResponse
Generate a data encryption key. Generate a new data encryption key to use for cryptographic operations outside of Key Manager. Note that Key Manager does not store your data encryption key. The data encryption key is encrypted and must be decrypted using the key you have created in Key Manager. The data encryption key's plaintext is returned in the response object, for immediate usage.
Always store the data encryption key's ciphertext, rather than its plaintext, which must not be stored. To retrieve your key's plaintext, call the Decrypt endpoint with your key's ID and ciphertext.
The request GenerateDataKeyRequest
A Promise of DataKey
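The storage rule above (persist only the data key's ciphertext, recover the plaintext through Decrypt) as an added example; this is not code from the SDK. FakeKeyManager is a hypothetical in-memory stand-in for Key Manager, synchronous for brevity where the real methods return Promises, and sealRecord, openRecord and the record layout are likewise assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// Hypothetical in-memory stand-in for Key Manager (NOT the SDK): it wraps data
// keys under a root key that never leaves this object.
class FakeKeyManager {
  constructor() { this.root = nodeCrypto.randomBytes(32); }
  generateDataKey() {
    const plaintext = nodeCrypto.randomBytes(32);
    return { plaintext, ciphertext: sealGcm(this.root, plaintext) };
  }
  decrypt(ciphertext) { return openGcm(this.root, ciphertext); }
}

// AES-256-GCM; output layout is iv(12) || tag(16) || ciphertext.
function sealGcm(key, data) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(data), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}

// Throws if the key is wrong or the blob was modified (tag check fails).
function openGcm(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Encrypt locally with a fresh data key; persist only the key's ciphertext.
function sealRecord(km, data) {
  const dek = km.generateDataKey();
  const record = {
    wrappedKey: dek.ciphertext.toString('base64'),
    payload: sealGcm(dek.plaintext, data).toString('base64'),
  };
  dek.plaintext.fill(0); // best-effort wipe; the plaintext key is never stored
  return record;
}

// Recover the data key through Decrypt, then open the payload with it.
function openRecord(km, record) {
  const dek = km.decrypt(Buffer.from(record.wrappedKey, 'base64'));
  try {
    return openGcm(dek, Buffer.from(record.payload, 'base64'));
  } finally {
    dek.fill(0);
  }
}
```

A record sealed this way can only be opened by a caller that is allowed to call Decrypt on the wrapping key, so disabling or deleting that key makes every such record unreadable.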
Get key metadata. Retrieve the metadata of a key specified by the region
and key_id parameters.
The request GetKeyRequest
A Promise of Key
Import key material. Import key material to use to derive a new
cryptographic key. The key's origin must be external.
The request ImportKeyMaterialRequest
A Promise of Key
List keys. Retrieve the list of keys created within all Projects of an
Organization or in a given Project. You must specify the region, and
either the organization_id or the project_id.
The request ListKeysRequest
A Promise of ListKeysResponse
Apply key protection. Apply key protection to a given key specified by the
key_id parameter. Applying key protection means that your key can be used
and modified, but it cannot be deleted.
The request ProtectKeyRequest
A Promise of Key
Rotate a key. Generate a new version of an existing key with randomly generated key material. Rotated keys can still be used to decrypt previously encrypted data. The key's new material will be used for subsequent encryption operations and data key generation.
The request RotateKeyRequest
A Promise of Key
Remove key protection. Remove key protection from a given key specified by
the key_id parameter. Removing key protection means that your key can be
deleted anytime.
The request UnprotectKeyRequest
A Promise of Key
Update a key. Update a key's metadata (name, description and tags),
specified by the key_id and region parameters.
The request UpdateKeyRequest
A Promise of Key
Key Manager API.
This API allows you to create, manage and use cryptographic keys in a centralized and secure service.