scaleway.key_manager.v1alpha1 package

Submodules

scaleway.key_manager.v1alpha1.api module

class scaleway.key_manager.v1alpha1.api.KeyManagerV1Alpha1API(client: Client, *, bypass_validation: bool = False)

Bases: API

This API allows you to create, manage and use cryptographic keys in a centralized and secure service.

create_key(*, unprotected: bool, region: str | None = None, project_id: str | None = None, name: str | None = None, usage: KeyUsage | None = None, description: str | None = None, tags: List[str] | None = None, rotation_policy: KeyRotationPolicy | None = None, origin: KeyOrigin | None = None) Key

Create a key.

Create a key in a given region specified by the region parameter. Keys only support symmetric encryption. You can use keys to encrypt or decrypt arbitrary payloads, or to generate data encryption keys. Data encryption keys are not stored in Key Manager.

:param unprotected: Default value is false.
:param region: Region to target. If none is passed will use default region from the config.
:param project_id: ID of the Project containing the key.
:param name: (Optional) Name of the key.
:param usage: See the Key.Algorithm.SymmetricEncryption enum for a description of values.
:param description: (Optional) Description of the key.
:param tags: (Optional) List of the key’s tags.
:param rotation_policy: If not specified, no rotation policy will be applied to the key.
:param origin: Refer to the Key.Origin enum for a description of values.
:return: Key

Usage:

result = api.create_key(
    unprotected=False,
)
decrypt(*, key_id: str, ciphertext: str, region: str | None = None, associated_data: str | None = None) DecryptResponse

Decrypt an encrypted payload.

Decrypt an encrypted payload using an existing key, specified by the key_id parameter. The maximum payload size that can be decrypted is equivalent to the encrypted output of 64 KB of data (around 131 KB).

:param key_id: The key must have a usage set to symmetric_encryption or asymmetric_encryption.
:param ciphertext: Data size must be between 1 and 131071 bytes.
:param region: Region to target. If none is passed will use default region from the config.
:param associated_data: The additional data must match the value passed in the encryption request. Only supported by keys with a usage set to symmetric_encryption.
:return: DecryptResponse

Usage:

result = api.decrypt(
    key_id="example",
    ciphertext="example",
)
delete_key(*, key_id: str, region: str | None = None) None

Delete a key.

Permanently delete a key specified by the region and key_id parameters. This action is irreversible. Any data encrypted with this key, including data encryption keys, will no longer be decipherable.

:param key_id: ID of the key to delete.
:param region: Region to target. If none is passed will use default region from the config.

Usage:

result = api.delete_key(
    key_id="example",
)
delete_key_material(*, key_id: str, region: str | None = None) None

Delete key material.

Delete previously imported key material. This renders the associated cryptographic key unusable for any operation. The key’s origin must be external.

:param key_id: ID of the key of which to delete the key material.
:param region: Region to target. If none is passed will use default region from the config.

Usage:

result = api.delete_key_material(
    key_id="example",
)
disable_key(*, key_id: str, region: str | None = None) Key

Disable key.

Disable a given key, preventing it from being used for cryptographic operations. Disabling a key renders it unusable. You must specify the region and key_id parameters.

:param key_id: ID of the key to disable.
:param region: Region to target. If none is passed will use default region from the config.
:return: Key

Usage:

result = api.disable_key(
    key_id="example",
)
enable_key(*, key_id: str, region: str | None = None) Key

Enable key.

Enable a given key to be used for cryptographic operations. Enabling a key allows you to make a disabled key usable again. You must specify the region and key_id parameters.

:param key_id: ID of the key to enable.
:param region: Region to target. If none is passed will use default region from the config.
:return: Key

Usage:

result = api.enable_key(
    key_id="example",
)
encrypt(*, key_id: str, plaintext: str, region: str | None = None, associated_data: str | None = None) EncryptResponse

Encrypt a payload.

Encrypt a payload using an existing key, specified by the key_id parameter. The maximum payload size that can be encrypted is 64 KB of plaintext.

:param key_id: The key must have a usage set to symmetric_encryption or asymmetric_encryption.
:param plaintext: Data size must be between 1 and 65535 bytes.
:param region: Region to target. If none is passed will use default region from the config.
:param associated_data: Additional data which will not be encrypted, but authenticated and appended to the encrypted payload. Only supported by keys with a usage set to symmetric_encryption.
:return: EncryptResponse

Usage:

result = api.encrypt(
    key_id="example",
    plaintext="example",
)
generate_data_key(*, key_id: str, without_plaintext: bool, region: str | None = None, algorithm: DataKeyAlgorithmSymmetricEncryption | None = None) DataKey

Create a data encryption key.

Create a new data encryption key for cryptographic operations outside of Key Manager. The data encryption key is encrypted and must be decrypted using the key you have created in Key Manager.

The data encryption key is returned in plaintext and ciphertext but it should only be stored in its encrypted form (ciphertext). Key Manager does not store your data encryption key. To retrieve your key’s plaintext, use the Decrypt method with your key’s ID and ciphertext.

:param key_id: ID of the key.
:param without_plaintext: Default value is false, meaning that the plaintext is returned. Set it to true if you do not wish the plaintext to be returned in the response object.
:param region: Region to target. If none is passed will use default region from the config.
:param algorithm: See the DataKey.Algorithm.SymmetricEncryption enum for a description of values.
:return: DataKey

Usage:

result = api.generate_data_key(
    key_id="example",
    without_plaintext=False,
)
get_key(*, key_id: str, region: str | None = None) Key

Get key metadata.

Retrieve metadata for a specified key using the region and key_id parameters.

:param key_id: ID of the key to target.
:param region: Region to target. If none is passed will use default region from the config.
:return: Key

Usage:

result = api.get_key(
    key_id="example",
)
get_public_key(*, key_id: str, region: str | None = None) PublicKey

Get the public key in PEM format.

Retrieves the public portion of an asymmetric cryptographic key in PEM format.

:param key_id: ID of the key.
:param region: Region to target. If none is passed will use default region from the config.
:return: PublicKey

Usage:

result = api.get_public_key(
    key_id="example",
)
import_key_material(*, key_id: str, key_material: str, region: str | None = None, salt: str | None = None) Key

Import key material.

Import externally generated key material into Key Manager to derive a new cryptographic key. The key’s origin must be external.

:param key_id: The key’s origin must be external.
:param key_material: The key material is a random sequence of bytes used to derive a cryptographic key.
:param region: Region to target. If none is passed will use default region from the config.
:param salt: A salt is random data added to key material to ensure unique derived keys, even if the input is similar. It helps strengthen security when the key material has low randomness (low entropy).
:return: Key

Usage:

result = api.import_key_material(
    key_id="example",
    key_material="example",
)
list_algorithms(*, region: str | None = None, usages: List[ListAlgorithmsRequestUsage] | None = None) ListAlgorithmsResponse

List all available algorithms.

Lists all cryptographic algorithms supported by the Key Manager service.

:param region: Region to target. If none is passed will use default region from the config.
:param usages: Filter by key usage.
:return: ListAlgorithmsResponse

Usage:

result = api.list_algorithms()
list_keys(*, scheduled_for_deletion: bool, region: str | None = None, organization_id: str | None = None, project_id: str | None = None, order_by: ListKeysRequestOrderBy | None = None, page: int | None = None, page_size: int | None = None, tags: List[str] | None = None, name: str | None = None, usage: ListKeysRequestUsage | None = None) ListKeysResponse

List keys.

Retrieve a list of keys across all Projects in an Organization or within a specific Project. You must specify the region, and either the organization_id or the project_id.

:param scheduled_for_deletion: Filter keys based on their deletion status. By default, only keys not scheduled for deletion are returned in the output.
:param region: Region to target. If none is passed will use default region from the config.
:param organization_id: (Optional) Filter by Organization ID.
:param project_id: (Optional) Filter by Project ID.
:param order_by:
:param page:
:param page_size:
:param tags: (Optional) List of tags to filter on.
:param name: (Optional) Filter by key name.
:param usage: Select from symmetric encryption, asymmetric encryption, or asymmetric signing.
:return: ListKeysResponse

Usage:

result = api.list_keys(
    scheduled_for_deletion=False,
)
list_keys_all(*, scheduled_for_deletion: bool, region: str | None = None, organization_id: str | None = None, project_id: str | None = None, order_by: ListKeysRequestOrderBy | None = None, page: int | None = None, page_size: int | None = None, tags: List[str] | None = None, name: str | None = None, usage: ListKeysRequestUsage | None = None) List[Key]

List keys.

Retrieve a list of keys across all Projects in an Organization or within a specific Project. You must specify the region, and either the organization_id or the project_id.

:param scheduled_for_deletion: Filter keys based on their deletion status. By default, only keys not scheduled for deletion are returned in the output.
:param region: Region to target. If none is passed will use default region from the config.
:param organization_id: (Optional) Filter by Organization ID.
:param project_id: (Optional) Filter by Project ID.
:param order_by:
:param page:
:param page_size:
:param tags: (Optional) List of tags to filter on.
:param name: (Optional) Filter by key name.
:param usage: Select from symmetric encryption, asymmetric encryption, or asymmetric signing.
:return: List[Key]

Usage:

result = api.list_keys_all(
    scheduled_for_deletion=False,
)
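
An added example (not SDK code) that audits the Key objects returned by list_keys_all using the fields documented on this page: state, protected and rotation_policy. The helper names, finding labels and sample keys are constructed, and it assumes that scheduled_for_deletion=True returns the keys that are scheduled for deletion.

```python
from types import SimpleNamespace
from typing import Any, Dict, Iterable, List


def collect_keys(api: Any, project_id: str) -> List[Any]:
    """Fetch both live keys and keys scheduled for deletion for one Project.

    list_keys_all() only returns keys not scheduled for deletion by default,
    so two calls are needed for a complete inventory (assumed semantics of
    scheduled_for_deletion=True).
    """
    keys: List[Any] = []
    for scheduled in (False, True):
        keys.extend(
            api.list_keys_all(scheduled_for_deletion=scheduled, project_id=project_id)
        )
    return keys


def audit_key(key: Any) -> List[str]:
    """Return the finding labels (constructed names) that apply to one key."""
    # KeyState members derive from str, so plain string comparison works for
    # SDK objects and for the constructed samples below.
    if key.state == "scheduled_for_deletion":
        # Deletion is irreversible; restore_key() is the only way back.
        return ["scheduled_for_deletion"]

    findings: List[str] = []
    if key.state == "pending_key_material":
        findings.append("pending_key_material")  # external key, nothing imported yet
    elif key.state == "disabled":
        findings.append("disabled")

    if not key.protected:
        # Without key protection, delete_key() can remove the key at any time.
        findings.append("unprotected")

    policy = key.rotation_policy
    if key.state == "enabled" and (
        policy is None or not getattr(policy, "rotation_period", None)
    ):
        findings.append("no_rotation_policy")
    return findings


def audit_keys(keys: Iterable[Any]) -> Dict[str, List[str]]:
    """Map key ID to findings, omitting keys with nothing to report."""
    report: Dict[str, List[str]] = {}
    for key in keys:
        findings = audit_key(key)
        if findings:
            report[key.id] = findings
    return report


# Constructed sample keys; IDs and the rotation_period value are placeholders.
SAMPLE_KEYS = [
    SimpleNamespace(id="key-a", state="enabled", protected=True,
                    rotation_policy=SimpleNamespace(rotation_period="720h")),
    SimpleNamespace(id="key-b", state="enabled", protected=False,
                    rotation_policy=None),
    SimpleNamespace(id="key-c", state="pending_key_material", protected=True,
                    rotation_policy=None),
    SimpleNamespace(id="key-d", state="scheduled_for_deletion", protected=False,
                    rotation_policy=None),
]

if __name__ == "__main__":
    for key_id, findings in audit_keys(SAMPLE_KEYS).items():
        print(key_id, ", ".join(findings))
```
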
protect_key(*, key_id: str, region: str | None = None) Key

Apply key protection.

Apply protection to a given key specified by the key_id parameter. Applying key protection means that your key can be used and modified, but it cannot be deleted.

:param key_id: ID of the key to apply key protection to.
:param region: Region to target. If none is passed will use default region from the config.
:return: Key

Usage:

result = api.protect_key(
    key_id="example",
)
restore_key(*, key_id: str, region: str | None = None) Key

Restore a key.

Restore a key and all its rotations scheduled for deletion specified by the region and key_id parameters.

:param key_id:
:param region: Region to target. If none is passed will use default region from the config.
:return: Key

Usage:

result = api.restore_key(
    key_id="example",
)
rotate_key(*, key_id: str, region: str | None = None) Key

Rotate a key.

Generate a new version of an existing key with new key material. Previous key versions remain usable to decrypt previously encrypted data, but the key’s new version will be used for subsequent encryption operations and data key generation.

:param key_id: ID of the key to rotate.
:param region: Region to target. If none is passed will use default region from the config.
:return: Key

Usage:

result = api.rotate_key(
    key_id="example",
)
sign(*, key_id: str, digest: str, region: str | None = None) SignResponse

Sign a message digest.

Use a given key to sign a message digest. The key must have its usage set to asymmetric_signing. The digest must be created using the same digest algorithm that is defined in the key’s algorithm configuration.

:param key_id: ID of the key to use for signing.
:param digest: The digest must be generated using the same algorithm defined in the key’s algorithm settings.
:param region: Region to target. If none is passed will use default region from the config.
:return: SignResponse

Usage:

result = api.sign(
    key_id="example",
    digest="example",
)
unprotect_key(*, key_id: str, region: str | None = None) Key

Remove key protection.

Remove key protection from a given key specified by the key_id parameter. Removing key protection means that your key can be deleted anytime.

:param key_id: ID of the key to remove key protection from.
:param region: Region to target. If none is passed will use default region from the config.
:return: Key

Usage:

result = api.unprotect_key(
    key_id="example",
)
update_key(*, key_id: str, region: str | None = None, name: str | None = None, description: str | None = None, tags: List[str] | None = None, rotation_policy: KeyRotationPolicy | None = None) Key

Update a key.

Modify a key’s metadata including name, description and tags, specified by the key_id and region parameters.

:param key_id: ID of the key to update.
:param region: Region to target. If none is passed will use default region from the config.
:param name: (Optional) Updated name of the key.
:param description: (Optional) Updated description of the key.
:param tags: (Optional) Updated list of the key’s tags.
:param rotation_policy: If not specified, the key’s existing rotation policy applies.
:return: Key

Usage:

result = api.update_key(
    key_id="example",
)
verify(*, key_id: str, digest: str, signature: str, region: str | None = None) VerifyResponse

Verify a message signature.

Use a given key to verify a message signature against a message digest. The key must have its usage set to asymmetric_signing. The message digest must be generated using the same digest algorithm that is defined in the key’s algorithm configuration.

:param key_id: ID of the key to use for signature verification.
:param digest: Must be generated using the same algorithm specified in the key’s configuration.
:param signature: The message signature to verify.
:param region: Region to target. If none is passed will use default region from the config.
:return: VerifyResponse

Usage:

result = api.verify(
    key_id="example",
    digest="example",
    signature="example",
)
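
The digest requirement shared by sign and verify, as an added example (not part of the SDK): it derives the hash from the key's signing algorithm value, hashes the message in chunks, and rejects a digest whose length does not match that hash before any API call is made. The helper names are hypothetical, and base64 encoding of the digest string is an assumption.

```python
import base64
import hashlib
import io
from typing import BinaryIO, Dict

# Values copied from the KeyAlgorithmAsymmetricSigning enum on this page.
# 'unknown_asymmetric_signing' is deliberately excluded: it names no digest.
SIGNING_ALGORITHMS = (
    "ec_p256_sha256",
    "ec_p384_sha384",
    "rsa_pkcs1_2048_sha256",
    "rsa_pkcs1_3072_sha256",
    "rsa_pkcs1_4096_sha256",
    "rsa_pss_2048_sha256",
    "rsa_pss_3072_sha256",
    "rsa_pss_4096_sha256",
)


def digest_name_for(algorithm: str) -> str:
    """Return the hashlib name encoded in a signing algorithm value."""
    if algorithm not in SIGNING_ALGORITHMS:
        raise ValueError(f"not a usable signing algorithm: {algorithm!r}")
    # The digest is the last underscore-separated component, e.g. 'sha384'.
    return algorithm.rsplit("_", 1)[1]


def message_digest(stream: BinaryIO, algorithm: str, chunk_size: int = 65536) -> bytes:
    """Hash a message of any size with the digest the key's algorithm requires."""
    hasher = hashlib.new(digest_name_for(algorithm))
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        hasher.update(chunk)
    return hasher.digest()


def sign_kwargs(key_id: str, algorithm: str, stream: BinaryIO) -> Dict[str, str]:
    """Build the keyword arguments for api.sign(); base64 encoding is assumed."""
    digest = message_digest(stream, algorithm)
    return {"key_id": key_id, "digest": base64.b64encode(digest).decode("ascii")}


def digest_matches_algorithm(digest_b64: str, algorithm: str) -> bool:
    """Check that a digest has the output length of the key's hash.

    Catches the common mistake of hashing with SHA-256 for a SHA-384 key
    (or passing the raw message) before the request is sent.
    """
    expected_size = hashlib.new(digest_name_for(algorithm)).digest_size
    try:
        raw = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == expected_size


if __name__ == "__main__":
    # Constructed message; "example" is the placeholder key ID used on this page.
    kwargs = sign_kwargs("example", "ec_p384_sha384", io.BytesIO(b"release-1.2.3.tar.gz"))
    print(kwargs, digest_matches_algorithm(kwargs["digest"], "ec_p384_sha384"))
```
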

scaleway.key_manager.v1alpha1.marshalling module

scaleway.key_manager.v1alpha1.marshalling.marshal_CreateKeyRequest(request: CreateKeyRequest, defaults: ProfileDefaults) Dict[str, Any]
scaleway.key_manager.v1alpha1.marshalling.marshal_DecryptRequest(request: DecryptRequest, defaults: ProfileDefaults) Dict[str, Any]
scaleway.key_manager.v1alpha1.marshalling.marshal_EncryptRequest(request: EncryptRequest, defaults: ProfileDefaults) Dict[str, Any]
scaleway.key_manager.v1alpha1.marshalling.marshal_GenerateDataKeyRequest(request: GenerateDataKeyRequest, defaults: ProfileDefaults) Dict[str, Any]
scaleway.key_manager.v1alpha1.marshalling.marshal_ImportKeyMaterialRequest(request: ImportKeyMaterialRequest, defaults: ProfileDefaults) Dict[str, Any]
scaleway.key_manager.v1alpha1.marshalling.marshal_KeyRotationPolicy(request: KeyRotationPolicy, defaults: ProfileDefaults) Dict[str, Any]
scaleway.key_manager.v1alpha1.marshalling.marshal_KeyUsage(request: KeyUsage, defaults: ProfileDefaults) Dict[str, Any]
scaleway.key_manager.v1alpha1.marshalling.marshal_SignRequest(request: SignRequest, defaults: ProfileDefaults) Dict[str, Any]
scaleway.key_manager.v1alpha1.marshalling.marshal_UpdateKeyRequest(request: UpdateKeyRequest, defaults: ProfileDefaults) Dict[str, Any]
scaleway.key_manager.v1alpha1.marshalling.marshal_VerifyRequest(request: VerifyRequest, defaults: ProfileDefaults) Dict[str, Any]
scaleway.key_manager.v1alpha1.marshalling.unmarshal_DataKey(data: Any) DataKey
scaleway.key_manager.v1alpha1.marshalling.unmarshal_DecryptResponse(data: Any) DecryptResponse
scaleway.key_manager.v1alpha1.marshalling.unmarshal_EncryptResponse(data: Any) EncryptResponse
scaleway.key_manager.v1alpha1.marshalling.unmarshal_Key(data: Any) Key
scaleway.key_manager.v1alpha1.marshalling.unmarshal_KeyRotationPolicy(data: Any) KeyRotationPolicy
scaleway.key_manager.v1alpha1.marshalling.unmarshal_KeyUsage(data: Any) KeyUsage
scaleway.key_manager.v1alpha1.marshalling.unmarshal_ListAlgorithmsResponse(data: Any) ListAlgorithmsResponse
scaleway.key_manager.v1alpha1.marshalling.unmarshal_ListAlgorithmsResponseAlgorithm(data: Any) ListAlgorithmsResponseAlgorithm
scaleway.key_manager.v1alpha1.marshalling.unmarshal_ListKeysResponse(data: Any) ListKeysResponse
scaleway.key_manager.v1alpha1.marshalling.unmarshal_PublicKey(data: Any) PublicKey
scaleway.key_manager.v1alpha1.marshalling.unmarshal_SignResponse(data: Any) SignResponse
scaleway.key_manager.v1alpha1.marshalling.unmarshal_VerifyResponse(data: Any) VerifyResponse

scaleway.key_manager.v1alpha1.types module

class scaleway.key_manager.v1alpha1.types.CreateKeyRequest(unprotected: 'bool', region: 'Optional[ScwRegion]' = None, project_id: 'Optional[str]' = None, name: 'Optional[str]' = None, usage: 'Optional[KeyUsage]' = None, description: 'Optional[str]' = None, tags: 'Optional[List[str]]' = <factory>, rotation_policy: 'Optional[KeyRotationPolicy]' = None, origin: 'Optional[KeyOrigin]' = <KeyOrigin.UNKNOWN_ORIGIN: 'unknown_origin'>)

Bases: object

description: str | None = None

(Optional) Description of the key.

name: str | None = None

(Optional) Name of the key.

origin: KeyOrigin | None = 'unknown_origin'

Refer to the Key.Origin enum for a description of values.

project_id: str | None = None

ID of the Project containing the key.

region: str | None = None

Region to target. If none is passed will use default region from the config.

rotation_policy: KeyRotationPolicy | None = None

If not specified, no rotation policy will be applied to the key.

tags: List[str] | None

(Optional) List of the key’s tags.

unprotected: bool

Default value is false.

usage: KeyUsage | None = None

See the Key.Algorithm.SymmetricEncryption enum for a description of values.

class scaleway.key_manager.v1alpha1.types.DataKey(key_id: 'str', algorithm: 'DataKeyAlgorithmSymmetricEncryption', ciphertext: 'str', plaintext: 'Optional[str]' = None, created_at: 'Optional[datetime]' = None)

Bases: object

algorithm: DataKeyAlgorithmSymmetricEncryption

Symmetric encryption algorithm of the data encryption key (AES-256-GCM).

ciphertext: str

Your data encryption key’s ciphertext can be stored safely. It can only be decrypted through the keys you create in Key Manager, using the relevant key ID.

created_at: datetime | None = None

Data encryption key creation date.

key_id: str

ID of the data encryption key.

plaintext: str | None = None

(Optional) Your data encryption key’s plaintext allows you to use the key immediately upon creation. It must be neither stored nor shared.

class scaleway.key_manager.v1alpha1.types.DataKeyAlgorithmSymmetricEncryption(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

AES_256_GCM = 'aes_256_gcm'
UNKNOWN_SYMMETRIC_ENCRYPTION = 'unknown_symmetric_encryption'
class scaleway.key_manager.v1alpha1.types.DecryptRequest(key_id: 'str', ciphertext: 'str', region: 'Optional[ScwRegion]' = None, associated_data: 'Optional[str]' = None)

Bases: object

associated_data: str | None = None

The additional data must match the value passed in the encryption request. Only supported by keys with a usage set to symmetric_encryption.

ciphertext: str

Data size must be between 1 and 131071 bytes.

key_id: str

The key must have a usage set to symmetric_encryption or asymmetric_encryption.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.DecryptResponse(key_id: 'str', plaintext: 'str', ciphertext: 'Optional[str]' = None)

Bases: object

ciphertext: str | None = None

If the data was already encrypted with the latest key rotation, no output will be returned in the response object.

key_id: str

ID of the key used for decryption.

plaintext: str

Key’s decrypted data.

class scaleway.key_manager.v1alpha1.types.DeleteKeyMaterialRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key of which to delete the key material.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.DeleteKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key to delete.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.DisableKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key to disable.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.EnableKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key to enable.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.EncryptRequest(key_id: 'str', plaintext: 'str', region: 'Optional[ScwRegion]' = None, associated_data: 'Optional[str]' = None)

Bases: object

associated_data: str | None = None

Additional data which will not be encrypted, but authenticated and appended to the encrypted payload. Only supported by keys with a usage set to symmetric_encryption.

key_id: str

The key must have a usage set to symmetric_encryption or asymmetric_encryption.

plaintext: str

Data size must be between 1 and 65535 bytes.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.EncryptResponse(key_id: 'str', ciphertext: 'str')

Bases: object

ciphertext: str

Key’s encrypted data.

key_id: str

ID of the key used for encryption.

class scaleway.key_manager.v1alpha1.types.GenerateDataKeyRequest(key_id: 'str', without_plaintext: 'bool', region: 'Optional[ScwRegion]' = None, algorithm: 'Optional[DataKeyAlgorithmSymmetricEncryption]' = <DataKeyAlgorithmSymmetricEncryption.UNKNOWN_SYMMETRIC_ENCRYPTION: 'unknown_symmetric_encryption'>)

Bases: object

algorithm: DataKeyAlgorithmSymmetricEncryption | None = 'unknown_symmetric_encryption'

See the DataKey.Algorithm.SymmetricEncryption enum for a description of values.

key_id: str

ID of the key.

region: str | None = None

Region to target. If none is passed will use default region from the config.

without_plaintext: bool

Default value is false, meaning that the plaintext is returned.

Set it to true if you do not wish the plaintext to be returned in the response object.

class scaleway.key_manager.v1alpha1.types.GetKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key to target.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.GetPublicKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.ImportKeyMaterialRequest(key_id: 'str', key_material: 'str', region: 'Optional[ScwRegion]' = None, salt: 'Optional[str]' = None)

Bases: object

key_id: str

The key’s origin must be external.

key_material: str

The key material is a random sequence of bytes used to derive a cryptographic key.

region: str | None = None

Region to target. If none is passed will use default region from the config.

salt: str | None = None

A salt is random data added to key material to ensure unique derived keys, even if the input is similar. It helps strengthen security when the key material has low randomness (low entropy).

class scaleway.key_manager.v1alpha1.types.Key(id: 'str', project_id: 'str', name: 'str', state: 'KeyState', rotation_count: 'int', protected: 'bool', locked: 'bool', tags: 'List[str]', origin: 'KeyOrigin', region: 'ScwRegion', usage: 'Optional[KeyUsage]' = None, created_at: 'Optional[datetime]' = None, updated_at: 'Optional[datetime]' = None, description: 'Optional[str]' = None, rotated_at: 'Optional[datetime]' = None, rotation_policy: 'Optional[KeyRotationPolicy]' = None, deletion_requested_at: 'Optional[datetime]' = None)

Bases: object

created_at: datetime | None = None

Key creation date.

deletion_requested_at: datetime | None = None

Returns the time at which deletion was requested.

description: str | None = None

Description of the key.

id: str

ID of the key.

locked: bool

Returns true if the key is locked.

name: str

Name of the key.

origin: KeyOrigin

Refer to the Key.Origin enum for a description of values.

project_id: str

ID of the Project containing the key.

protected: bool

Returns true if key protection is applied to the key.

region: str

Region where the key is stored.

rotated_at: datetime | None = None

Key last rotation date.

rotation_count: int

The rotation count tracks the number of times the key has been rotated.

rotation_policy: KeyRotationPolicy | None = None

Key rotation policy.

state: KeyState

See the Key.State enum for a description of possible values.

tags: List[str]

List of the key’s tags.

updated_at: datetime | None = None

Key last modification date.

usage: KeyUsage | None = None

Keys with a usage set to symmetric_encryption can encrypt and decrypt data using the AES-256-GCM key algorithm. Key Manager currently only supports AES-256-GCM.

class scaleway.key_manager.v1alpha1.types.KeyAlgorithmAsymmetricEncryption(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

RSA_OAEP_2048_SHA256 = 'rsa_oaep_2048_sha256'
RSA_OAEP_3072_SHA256 = 'rsa_oaep_3072_sha256'
RSA_OAEP_4096_SHA256 = 'rsa_oaep_4096_sha256'
UNKNOWN_ASYMMETRIC_ENCRYPTION = 'unknown_asymmetric_encryption'
class scaleway.key_manager.v1alpha1.types.KeyAlgorithmAsymmetricSigning(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

EC_P256_SHA256 = 'ec_p256_sha256'
EC_P384_SHA384 = 'ec_p384_sha384'
RSA_PKCS1_2048_SHA256 = 'rsa_pkcs1_2048_sha256'
RSA_PKCS1_3072_SHA256 = 'rsa_pkcs1_3072_sha256'
RSA_PKCS1_4096_SHA256 = 'rsa_pkcs1_4096_sha256'
RSA_PSS_2048_SHA256 = 'rsa_pss_2048_sha256'
RSA_PSS_3072_SHA256 = 'rsa_pss_3072_sha256'
RSA_PSS_4096_SHA256 = 'rsa_pss_4096_sha256'
UNKNOWN_ASYMMETRIC_SIGNING = 'unknown_asymmetric_signing'
class scaleway.key_manager.v1alpha1.types.KeyAlgorithmSymmetricEncryption(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

AES_256_GCM = 'aes_256_gcm'
UNKNOWN_SYMMETRIC_ENCRYPTION = 'unknown_symmetric_encryption'
class scaleway.key_manager.v1alpha1.types.KeyOrigin(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

EXTERNAL = 'external'
SCALEWAY_KMS = 'scaleway_kms'
UNKNOWN_ORIGIN = 'unknown_origin'
class scaleway.key_manager.v1alpha1.types.KeyRotationPolicy(rotation_period: 'Optional[str]' = None, next_rotation_at: 'Optional[datetime]' = None)

Bases: object

next_rotation_at: datetime | None = None

Timestamp indicating the next scheduled rotation.

rotation_period: str | None = None

Time interval between two key rotations. The minimum duration is 24 hours and the maximum duration is 1 year (876000 hours).

class scaleway.key_manager.v1alpha1.types.KeyState(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

DISABLED = 'disabled'
ENABLED = 'enabled'
PENDING_KEY_MATERIAL = 'pending_key_material'
SCHEDULED_FOR_DELETION = 'scheduled_for_deletion'
UNKNOWN_STATE = 'unknown_state'
class scaleway.key_manager.v1alpha1.types.KeyUsage(symmetric_encryption: 'Optional[KeyAlgorithmSymmetricEncryption]' = <KeyAlgorithmSymmetricEncryption.UNKNOWN_SYMMETRIC_ENCRYPTION: 'unknown_symmetric_encryption'>, asymmetric_encryption: 'Optional[KeyAlgorithmAsymmetricEncryption]' = None, asymmetric_signing: 'Optional[KeyAlgorithmAsymmetricSigning]' = None)

Bases: object

asymmetric_encryption: KeyAlgorithmAsymmetricEncryption | None = None
asymmetric_signing: KeyAlgorithmAsymmetricSigning | None = None
symmetric_encryption: KeyAlgorithmSymmetricEncryption | None = 'unknown_symmetric_encryption'
class scaleway.key_manager.v1alpha1.types.ListAlgorithmsRequest(region: 'Optional[ScwRegion]' = None, usages: 'Optional[List[ListAlgorithmsRequestUsage]]' = <factory>)

Bases: object

region: str | None = None

Region to target. If none is passed will use default region from the config.

usages: List[ListAlgorithmsRequestUsage] | None

Filter by key usage.

class scaleway.key_manager.v1alpha1.types.ListAlgorithmsRequestUsage(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

ASYMMETRIC_ENCRYPTION = 'asymmetric_encryption'
ASYMMETRIC_SIGNING = 'asymmetric_signing'
SYMMETRIC_ENCRYPTION = 'symmetric_encryption'
UNKNOWN_USAGE = 'unknown_usage'
class scaleway.key_manager.v1alpha1.types.ListAlgorithmsResponse(algorithms: 'List[ListAlgorithmsResponseAlgorithm]')

Bases: object

algorithms: List[ListAlgorithmsResponseAlgorithm]

Returns a list of algorithms matching the requested criteria.

class scaleway.key_manager.v1alpha1.types.ListAlgorithmsResponseAlgorithm(usage: 'str', name: 'str', recommended: 'bool')

Bases: object

name: str
recommended: bool
usage: str
class scaleway.key_manager.v1alpha1.types.ListKeysRequest(scheduled_for_deletion: 'bool', region: 'Optional[ScwRegion]' = None, organization_id: 'Optional[str]' = None, project_id: 'Optional[str]' = None, order_by: 'Optional[ListKeysRequestOrderBy]' = <ListKeysRequestOrderBy.NAME_ASC: 'name_asc'>, page: 'Optional[int]' = 0, page_size: 'Optional[int]' = 0, tags: 'Optional[List[str]]' = <factory>, name: 'Optional[str]' = None, usage: 'Optional[ListKeysRequestUsage]' = <ListKeysRequestUsage.UNKNOWN_USAGE: 'unknown_usage'>)

Bases: object

name: str | None = None

(Optional) Filter by key name.

order_by: ListKeysRequestOrderBy | None = 'name_asc'
organization_id: str | None = None

(Optional) Filter by Organization ID.

page: int | None = 0
page_size: int | None = 0
project_id: str | None = None

(Optional) Filter by Project ID.

region: str | None = None

Region to target. If none is passed will use default region from the config.

scheduled_for_deletion: bool

Filter keys based on their deletion status. By default, only keys not scheduled for deletion are returned in the output.

tags: List[str] | None

(Optional) List of tags to filter on.

usage: ListKeysRequestUsage | None = 'unknown_usage'

Select from symmetric encryption, asymmetric encryption, or asymmetric signing.

class scaleway.key_manager.v1alpha1.types.ListKeysRequestOrderBy(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

CREATED_AT_ASC = 'created_at_asc'
CREATED_AT_DESC = 'created_at_desc'
NAME_ASC = 'name_asc'
NAME_DESC = 'name_desc'
UPDATED_AT_ASC = 'updated_at_asc'
UPDATED_AT_DESC = 'updated_at_desc'
class scaleway.key_manager.v1alpha1.types.ListKeysRequestUsage(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

ASYMMETRIC_ENCRYPTION = 'asymmetric_encryption'
ASYMMETRIC_SIGNING = 'asymmetric_signing'
SYMMETRIC_ENCRYPTION = 'symmetric_encryption'
UNKNOWN_USAGE = 'unknown_usage'
class scaleway.key_manager.v1alpha1.types.ListKeysResponse(keys: 'List[Key]', total_count: 'int')

Bases: object

keys: List[Key]

Single page of keys matching the requested criteria.

total_count: int

Total count of keys matching the requested criteria.

class scaleway.key_manager.v1alpha1.types.ProtectKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key to apply key protection to.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.PublicKey(pem: 'str')

Bases: object

pem: str
class scaleway.key_manager.v1alpha1.types.RestoreKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str
region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.RotateKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key to rotate.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.SignRequest(key_id: 'str', digest: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

digest: str

The digest must be generated using the same algorithm defined in the key’s algorithm settings.

key_id: str

ID of the key to use for signing.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.SignResponse(key_id: 'str', signature: 'str')

Bases: object

key_id: str

ID of the key used to generate the signature.

signature: str

The message signature.

class scaleway.key_manager.v1alpha1.types.UnprotectKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key to remove key protection from.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.UpdateKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None, name: 'Optional[str]' = None, description: 'Optional[str]' = None, tags: 'Optional[List[str]]' = <factory>, rotation_policy: 'Optional[KeyRotationPolicy]' = None)

Bases: object

description: str | None = None

(Optional) Updated description of the key.

key_id: str

ID of the key to update.

name: str | None = None

(Optional) Updated name of the key.

region: str | None = None

Region to target. If none is passed will use default region from the config.

rotation_policy: KeyRotationPolicy | None = None

If not specified, the key’s existing rotation policy applies.

tags: List[str] | None

(Optional) Updated list of the key’s tags.

class scaleway.key_manager.v1alpha1.types.VerifyRequest(key_id: 'str', digest: 'str', signature: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

digest: str

Must be generated using the same algorithm specified in the key’s configuration.

key_id: str

ID of the key to use for signature verification.

region: str | None = None

Region to target. If none is passed will use default region from the config.

signature: str

The message signature to verify.

class scaleway.key_manager.v1alpha1.types.VerifyResponse(key_id: 'str', valid: 'bool')

Bases: object

key_id: str

ID of the key used for verification.

valid: bool

Returns true if the signature is valid for the digest and key, false otherwise.

Module contents

class scaleway.key_manager.v1alpha1.CreateKeyRequest(unprotected: 'bool', region: 'Optional[ScwRegion]' = None, project_id: 'Optional[str]' = None, name: 'Optional[str]' = None, usage: 'Optional[KeyUsage]' = None, description: 'Optional[str]' = None, tags: 'Optional[List[str]]' = <factory>, rotation_policy: 'Optional[KeyRotationPolicy]' = None, origin: 'Optional[KeyOrigin]' = <KeyOrigin.UNKNOWN_ORIGIN: 'unknown_origin'>)

Bases: object

description: str | None = None

(Optional) Description of the key.

name: str | None = None

(Optional) Name of the key.

origin: KeyOrigin | None = 'unknown_origin'

Refer to the Key.Origin enum for a description of values.

project_id: str | None = None

ID of the Project containing the key.

region: str | None = None

Region to target. If none is passed will use default region from the config.

rotation_policy: KeyRotationPolicy | None = None

If not specified, no rotation policy will be applied to the key.

tags: List[str] | None

(Optional) List of the key’s tags.

unprotected: bool

Default value is false.

usage: KeyUsage | None = None

See the Key.Algorithm.SymmetricEncryption enum for a description of values.

class scaleway.key_manager.v1alpha1.DataKey(key_id: 'str', algorithm: 'DataKeyAlgorithmSymmetricEncryption', ciphertext: 'str', plaintext: 'Optional[str]' = None, created_at: 'Optional[datetime]' = None)

Bases: object

algorithm: DataKeyAlgorithmSymmetricEncryption

Symmetric encryption algorithm of the data encryption key (AES-256-GCM).

ciphertext: str

Your data encryption key’s ciphertext can be stored safely. It can only be decrypted through the keys you create in Key Manager, using the relevant key ID.

created_at: datetime | None = None

Data encryption key creation date.

key_id: str

ID of the data encryption key.

plaintext: str | None = None

(Optional) Your data encryption key’s plaintext allows you to use the key immediately upon creation. It must be neither stored nor shared.

class scaleway.key_manager.v1alpha1.DataKeyAlgorithmSymmetricEncryption(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

AES_256_GCM = 'aes_256_gcm'
UNKNOWN_SYMMETRIC_ENCRYPTION = 'unknown_symmetric_encryption'
class scaleway.key_manager.v1alpha1.DecryptRequest(key_id: 'str', ciphertext: 'str', region: 'Optional[ScwRegion]' = None, associated_data: 'Optional[str]' = None)

Bases: object

associated_data: str | None = None

The additional data must match the value passed in the encryption request. Only supported by keys with a usage set to symmetric_encryption.

ciphertext: str

Data size must be between 1 and 131071 bytes.

key_id: str

The key must have a usage set to symmetric_encryption or asymmetric_encryption.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.DecryptResponse(key_id: 'str', plaintext: 'str', ciphertext: 'Optional[str]' = None)

Bases: object

ciphertext: str | None = None

If the data was already encrypted with the latest key rotation, no output will be returned in the response object.

key_id: str

ID of the key used for decryption.

plaintext: str

Key’s decrypted data.

class scaleway.key_manager.v1alpha1.DeleteKeyMaterialRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key whose key material is to be deleted.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.DeleteKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key to delete.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.DisableKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key to disable.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.EnableKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key to enable.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.EncryptRequest(key_id: 'str', plaintext: 'str', region: 'Optional[ScwRegion]' = None, associated_data: 'Optional[str]' = None)

Bases: object

associated_data: str | None = None

Additional data which will not be encrypted, but authenticated and appended to the encrypted payload. Only supported by keys with a usage set to symmetric_encryption.

key_id: str

The key must have a usage set to symmetric_encryption or asymmetric_encryption.

plaintext: str

Data size must be between 1 and 65535 bytes.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.EncryptResponse(key_id: 'str', ciphertext: 'str')

Bases: object

ciphertext: str

Key’s encrypted data.

key_id: str

ID of the key used for encryption.

class scaleway.key_manager.v1alpha1.GenerateDataKeyRequest(key_id: 'str', without_plaintext: 'bool', region: 'Optional[ScwRegion]' = None, algorithm: 'Optional[DataKeyAlgorithmSymmetricEncryption]' = <DataKeyAlgorithmSymmetricEncryption.UNKNOWN_SYMMETRIC_ENCRYPTION: 'unknown_symmetric_encryption'>)

Bases: object

algorithm: DataKeyAlgorithmSymmetricEncryption | None = 'unknown_symmetric_encryption'

See the DataKey.Algorithm.SymmetricEncryption enum for a description of values.

key_id: str

ID of the key.

region: str | None = None

Region to target. If none is passed will use default region from the config.

without_plaintext: bool

Default value is false, meaning that the plaintext is returned.

Set it to true if you do not wish the plaintext to be returned in the response object.

class scaleway.key_manager.v1alpha1.GetKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key to target.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.GetPublicKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.ImportKeyMaterialRequest(key_id: 'str', key_material: 'str', region: 'Optional[ScwRegion]' = None, salt: 'Optional[str]' = None)

Bases: object

key_id: str

The key’s origin must be external.

key_material: str

The key material is a random sequence of bytes used to derive a cryptographic key.

region: str | None = None

Region to target. If none is passed will use default region from the config.

salt: str | None = None

A salt is random data added to key material to ensure unique derived keys, even if the input is similar. It helps strengthen security when the key material has low randomness (low entropy).

class scaleway.key_manager.v1alpha1.Key(id: 'str', project_id: 'str', name: 'str', state: 'KeyState', rotation_count: 'int', protected: 'bool', locked: 'bool', tags: 'List[str]', origin: 'KeyOrigin', region: 'ScwRegion', usage: 'Optional[KeyUsage]' = None, created_at: 'Optional[datetime]' = None, updated_at: 'Optional[datetime]' = None, description: 'Optional[str]' = None, rotated_at: 'Optional[datetime]' = None, rotation_policy: 'Optional[KeyRotationPolicy]' = None, deletion_requested_at: 'Optional[datetime]' = None)

Bases: object

created_at: datetime | None = None

Key creation date.

deletion_requested_at: datetime | None = None

Returns the time at which deletion was requested.

description: str | None = None

Description of the key.

id: str

ID of the key.

locked: bool

Returns true if the key is locked.

name: str

Name of the key.

origin: KeyOrigin

Refer to the Key.Origin enum for a description of values.

project_id: str

ID of the Project containing the key.

protected: bool

Returns true if key protection is applied to the key.

region: str

Region where the key is stored.

rotated_at: datetime | None = None

Key last rotation date.

rotation_count: int

The rotation count tracks the number of times the key has been rotated.

rotation_policy: KeyRotationPolicy | None = None

Key rotation policy.

state: KeyState

See the Key.State enum for a description of possible values.

tags: List[str]

List of the key’s tags.

updated_at: datetime | None = None

Key last modification date.

usage: KeyUsage | None = None

Keys with a usage set to symmetric_encryption can encrypt and decrypt data using the AES-256-GCM key algorithm. Key Manager currently only supports AES-256-GCM.

class scaleway.key_manager.v1alpha1.KeyAlgorithmAsymmetricEncryption(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

RSA_OAEP_2048_SHA256 = 'rsa_oaep_2048_sha256'
RSA_OAEP_3072_SHA256 = 'rsa_oaep_3072_sha256'
RSA_OAEP_4096_SHA256 = 'rsa_oaep_4096_sha256'
UNKNOWN_ASYMMETRIC_ENCRYPTION = 'unknown_asymmetric_encryption'
class scaleway.key_manager.v1alpha1.KeyAlgorithmAsymmetricSigning(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

EC_P256_SHA256 = 'ec_p256_sha256'
EC_P384_SHA384 = 'ec_p384_sha384'
RSA_PKCS1_2048_SHA256 = 'rsa_pkcs1_2048_sha256'
RSA_PKCS1_3072_SHA256 = 'rsa_pkcs1_3072_sha256'
RSA_PKCS1_4096_SHA256 = 'rsa_pkcs1_4096_sha256'
RSA_PSS_2048_SHA256 = 'rsa_pss_2048_sha256'
RSA_PSS_3072_SHA256 = 'rsa_pss_3072_sha256'
RSA_PSS_4096_SHA256 = 'rsa_pss_4096_sha256'
UNKNOWN_ASYMMETRIC_SIGNING = 'unknown_asymmetric_signing'
class scaleway.key_manager.v1alpha1.KeyAlgorithmSymmetricEncryption(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

AES_256_GCM = 'aes_256_gcm'
UNKNOWN_SYMMETRIC_ENCRYPTION = 'unknown_symmetric_encryption'
class scaleway.key_manager.v1alpha1.KeyManagerV1Alpha1API(client: Client, *, bypass_validation: bool = False)

Bases: API

This API allows you to create, manage and use cryptographic keys in a centralized and secure service.

create_key(*, unprotected: bool, region: str | None = None, project_id: str | None = None, name: str | None = None, usage: KeyUsage | None = None, description: str | None = None, tags: List[str] | None = None, rotation_policy: KeyRotationPolicy | None = None, origin: KeyOrigin | None = None) Key

Create a key.

Create a key in a given region specified by the region parameter. Keys only support symmetric encryption. You can use keys to encrypt or decrypt arbitrary payloads, or to generate data encryption keys. Data encryption keys are not stored in Key Manager.

:param unprotected: Default value is false.
:param region: Region to target. If none is passed will use default region from the config.
:param project_id: ID of the Project containing the key.
:param name: (Optional) Name of the key.
:param usage: See the Key.Algorithm.SymmetricEncryption enum for a description of values.
:param description: (Optional) Description of the key.
:param tags: (Optional) List of the key’s tags.
:param rotation_policy: If not specified, no rotation policy will be applied to the key.
:param origin: Refer to the Key.Origin enum for a description of values.
:return: Key

Usage:

result = api.create_key(
    unprotected=False,
)
decrypt(*, key_id: str, ciphertext: str, region: str | None = None, associated_data: str | None = None) DecryptResponse

Decrypt an encrypted payload.

Decrypt an encrypted payload using an existing key, specified by the key_id parameter. The maximum payload size that can be decrypted is equivalent to the encrypted output of 64 KB of data (around 131 KB).

:param key_id: The key must have a usage set to symmetric_encryption or asymmetric_encryption.
:param ciphertext: Data size must be between 1 and 131071 bytes.
:param region: Region to target. If none is passed will use default region from the config.
:param associated_data: The additional data must match the value passed in the encryption request. Only supported by keys with a usage set to symmetric_encryption.
:return: DecryptResponse

Usage:

result = api.decrypt(
    key_id="example",
    ciphertext="example",
)
delete_key(*, key_id: str, region: str | None = None) None

Delete a key.

Permanently delete a key specified by the region and key_id parameters. This action is irreversible. Any data encrypted with this key, including data encryption keys, will no longer be decipherable.

:param key_id: ID of the key to delete.
:param region: Region to target. If none is passed will use default region from the config.

Usage:

result = api.delete_key(
    key_id="example",
)
delete_key_material(*, key_id: str, region: str | None = None) None

Delete key material.

Delete previously imported key material. This renders the associated cryptographic key unusable for any operation. The key’s origin must be external.

:param key_id: ID of the key whose key material is to be deleted.
:param region: Region to target. If none is passed will use default region from the config.

Usage:

result = api.delete_key_material(
    key_id="example",
)
disable_key(*, key_id: str, region: str | None = None) Key

Disable key.

Disable a given key, preventing it from being used for cryptographic operations. Disabling a key renders it unusable. You must specify the region and key_id parameters.

:param key_id: ID of the key to disable.
:param region: Region to target. If none is passed will use default region from the config.
:return: Key

Usage:

result = api.disable_key(
    key_id="example",
)
enable_key(*, key_id: str, region: str | None = None) Key

Enable key.

Enable a given key to be used for cryptographic operations. Enabling a key allows you to make a disabled key usable again. You must specify the region and key_id parameters.

:param key_id: ID of the key to enable.
:param region: Region to target. If none is passed will use default region from the config.
:return: Key

Usage:

result = api.enable_key(
    key_id="example",
)
encrypt(*, key_id: str, plaintext: str, region: str | None = None, associated_data: str | None = None) EncryptResponse

Encrypt a payload.

Encrypt a payload using an existing key, specified by the key_id parameter. The maximum payload size that can be encrypted is 64 KB of plaintext.

:param key_id: The key must have a usage set to symmetric_encryption or asymmetric_encryption.
:param plaintext: Data size must be between 1 and 65535 bytes.
:param region: Region to target. If none is passed will use default region from the config.
:param associated_data: Additional data which will not be encrypted, but authenticated and appended to the encrypted payload. Only supported by keys with a usage set to symmetric_encryption.
:return: EncryptResponse

Usage:

result = api.encrypt(
    key_id="example",
    plaintext="example",
)
generate_data_key(*, key_id: str, without_plaintext: bool, region: str | None = None, algorithm: DataKeyAlgorithmSymmetricEncryption | None = None) DataKey

Create a data encryption key.

Create a new data encryption key for cryptographic operations outside of Key Manager. The data encryption key is encrypted and must be decrypted using the key you have created in Key Manager.

The data encryption key is returned in plaintext and ciphertext but it should only be stored in its encrypted form (ciphertext). Key Manager does not store your data encryption key. To retrieve your key’s plaintext, use the Decrypt method with your key’s ID and ciphertext.

:param key_id: ID of the key.
:param without_plaintext: Default value is false, meaning that the plaintext is returned. Set it to true if you do not wish the plaintext to be returned in the response object.
:param region: Region to target. If none is passed will use default region from the config.
:param algorithm: See the DataKey.Algorithm.SymmetricEncryption enum for a description of values.
:return: DataKey

Usage:

result = api.generate_data_key(
    key_id="example",
    without_plaintext=False,
)
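
The envelope pattern that generate_data_key and decrypt describe, as an added example that is not part of the SDK or its documentation: data is encrypted locally with AES-256-GCM under a fresh data key, and only the data key's ciphertext is kept next to the data. `OfflineKeyManager`, `seal`, `unseal` and `rejects_wrong_context` are hypothetical names; the stand-in replaces the real API object so the block runs offline. Assumptions: byte values travel as base64 text in the `str` fields, and the third-party `cryptography` package is installed.

```python
import base64
import os
from dataclasses import dataclass
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


@dataclass
class DataKey:
    """Local stand-in carrying the DataKey fields used below."""
    key_id: str
    ciphertext: str
    plaintext: Optional[str] = None


@dataclass
class DecryptResponse:
    """Local stand-in carrying the DecryptResponse fields used below."""
    key_id: str
    plaintext: str


class OfflineKeyManager:
    """Hypothetical in-memory stand-in for the API object (offline use only).
    Assumption: byte values are base64 text in the str fields."""

    def __init__(self) -> None:
        self._roots = {}  # key_id -> AESGCM root key, never returned to callers

    def add_root_key(self, key_id: str) -> None:
        self._roots[key_id] = AESGCM(AESGCM.generate_key(bit_length=256))

    def generate_data_key(self, *, key_id: str, without_plaintext: bool) -> DataKey:
        dek = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(12)
        wrapped = nonce + self._roots[key_id].encrypt(nonce, dek, None)
        return DataKey(
            key_id=key_id,
            ciphertext=base64.b64encode(wrapped).decode(),
            plaintext=None if without_plaintext else base64.b64encode(dek).decode(),
        )

    def decrypt(self, *, key_id: str, ciphertext: str) -> DecryptResponse:
        raw = base64.b64decode(ciphertext)
        dek = self._roots[key_id].decrypt(raw[:12], raw[12:], None)
        return DecryptResponse(key_id=key_id, plaintext=base64.b64encode(dek).decode())


def seal(api, key_id: str, data: bytes, context: bytes) -> dict:
    """Encrypt data locally under a fresh data key.

    The returned record holds the data key only in its encrypted form;
    the plaintext data key exists in this function's memory and nowhere else.
    """
    data_key = api.generate_data_key(key_id=key_id, without_plaintext=False)
    dek = base64.b64decode(data_key.plaintext)
    nonce = os.urandom(12)  # unique per encryption under a given data key
    # context is authenticated but not encrypted, the same role associated_data
    # plays in the encrypt and decrypt calls.
    body = AESGCM(dek).encrypt(nonce, data, context)
    return {
        "key_id": key_id,
        "wrapped_key": data_key.ciphertext,
        "nonce": base64.b64encode(nonce).decode(),
        "body": base64.b64encode(body).decode(),
    }


def unseal(api, record: dict, context: bytes) -> bytes:
    """Recover the data key through decrypt, then decrypt the data locally."""
    response = api.decrypt(key_id=record["key_id"], ciphertext=record["wrapped_key"])
    dek = base64.b64decode(response.plaintext)
    return AESGCM(dek).decrypt(
        base64.b64decode(record["nonce"]), base64.b64decode(record["body"]), context
    )


def rejects_wrong_context(api, record: dict, context: bytes) -> bool:
    """True when decryption fails authentication for the given context."""
    try:
        unseal(api, record, context)
    except InvalidTag:
        return True
    return False
```
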
get_key(*, key_id: str, region: str | None = None) Key

Get key metadata.

Retrieve metadata for a specified key using the region and key_id parameters.

:param key_id: ID of the key to target.
:param region: Region to target. If none is passed will use default region from the config.
:return: Key

Usage:

result = api.get_key(
    key_id="example",
)
get_public_key(*, key_id: str, region: str | None = None) PublicKey

Get the public key in PEM format.

Retrieves the public portion of an asymmetric cryptographic key in PEM format.

:param key_id: ID of the key.
:param region: Region to target. If none is passed will use default region from the config.
:return: PublicKey

Usage:

result = api.get_public_key(
    key_id="example",
)
import_key_material(*, key_id: str, key_material: str, region: str | None = None, salt: str | None = None) Key

Import key material.

Import externally generated key material into Key Manager to derive a new cryptographic key. The key’s origin must be external.

:param key_id: The key’s origin must be external.
:param key_material: The key material is a random sequence of bytes used to derive a cryptographic key.
:param region: Region to target. If none is passed will use default region from the config.
:param salt: A salt is random data added to key material to ensure unique derived keys, even if the input is similar. It helps strengthen security when the key material has low randomness (low entropy).
:return: Key

Usage:

result = api.import_key_material(
    key_id="example",
    key_material="example",
)
list_algorithms(*, region: str | None = None, usages: List[ListAlgorithmsRequestUsage] | None = None) ListAlgorithmsResponse

List all available algorithms.

Lists all cryptographic algorithms supported by the Key Manager service.

:param region: Region to target. If none is passed will use default region from the config.
:param usages: Filter by key usage.
:return: ListAlgorithmsResponse

Usage:

result = api.list_algorithms()
list_keys(*, scheduled_for_deletion: bool, region: str | None = None, organization_id: str | None = None, project_id: str | None = None, order_by: ListKeysRequestOrderBy | None = None, page: int | None = None, page_size: int | None = None, tags: List[str] | None = None, name: str | None = None, usage: ListKeysRequestUsage | None = None) ListKeysResponse

List keys.

Retrieve a list of keys across all Projects in an Organization or within a specific Project. You must specify the region, and either the organization_id or the project_id.

:param scheduled_for_deletion: Filter keys based on their deletion status. By default, only keys not scheduled for deletion are returned in the output.
:param region: Region to target. If none is passed will use default region from the config.
:param organization_id: (Optional) Filter by Organization ID.
:param project_id: (Optional) Filter by Project ID.
:param order_by:
:param page:
:param page_size:
:param tags: (Optional) List of tags to filter on.
:param name: (Optional) Filter by key name.
:param usage: Select from symmetric encryption, asymmetric encryption, or asymmetric signing.
:return: ListKeysResponse

Usage:

result = api.list_keys(
    scheduled_for_deletion=False,
)
list_keys_all(*, scheduled_for_deletion: bool, region: str | None = None, organization_id: str | None = None, project_id: str | None = None, order_by: ListKeysRequestOrderBy | None = None, page: int | None = None, page_size: int | None = None, tags: List[str] | None = None, name: str | None = None, usage: ListKeysRequestUsage | None = None) List[Key]

List keys.

Retrieve a list of keys across all Projects in an Organization or within a specific Project. You must specify the region, and either the organization_id or the project_id.

:param scheduled_for_deletion: Filter keys based on their deletion status. By default, only keys not scheduled for deletion are returned in the output.
:param region: Region to target. If none is passed will use default region from the config.
:param organization_id: (Optional) Filter by Organization ID.
:param project_id: (Optional) Filter by Project ID.
:param order_by:
:param page:
:param page_size:
:param tags: (Optional) List of tags to filter on.
:param name: (Optional) Filter by key name.
:param usage: Select from symmetric encryption, asymmetric encryption, or asymmetric signing.
:return: List[Key]

Usage:

result = api.list_keys_all(
    scheduled_for_deletion=False,
)
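
A posture check over the key list, as an added example that is not part of the SDK: it reads the Key fields documented on this page (state, protected, rotation_policy, rotated_at, created_at) and reports keys that are deletable, unrotated, awaiting key material or scheduled for deletion. `KeyRecord`, `RotationPolicy`, `audit_keys`, the finding labels and the 365-day threshold are assumptions made for the example, and the sample keys are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional


@dataclass
class RotationPolicy:
    """Local stand-in with the KeyRotationPolicy fields."""
    rotation_period: Optional[str] = None
    next_rotation_at: Optional[datetime] = None


@dataclass
class KeyRecord:
    """Local stand-in with the Key fields the audit reads."""
    id: str
    name: str
    state: str          # KeyState values are str enums, so they compare equal to text
    protected: bool
    origin: str
    created_at: Optional[datetime] = None
    rotated_at: Optional[datetime] = None
    rotation_policy: Optional[RotationPolicy] = None


def audit_key(key, now: datetime, max_age: timedelta) -> List[str]:
    """Return finding labels for one key (labels are this example's own)."""
    if key.state == "scheduled_for_deletion":
        # Still restorable with restore_key; the other checks no longer matter.
        return ["scheduled_for_deletion"]
    findings = []
    if key.state == "pending_key_material":
        findings.append("pending_key_material")   # unusable until material is imported
    elif key.state == "disabled":
        findings.append("disabled")
    if not key.protected:
        findings.append("unprotected")            # delete_key is allowed and irreversible
    policy = key.rotation_policy
    if policy is None or not policy.rotation_period:
        findings.append("no_rotation_policy")
    elif policy.next_rotation_at is not None and policy.next_rotation_at < now:
        findings.append("rotation_overdue")
    last_material = key.rotated_at or key.created_at
    if last_material is not None and now - last_material > max_age:
        findings.append("stale_key_material")
    return findings


def audit_keys(keys: Iterable, now: Optional[datetime] = None,
               max_age: timedelta = timedelta(days=365)) -> Dict[str, List[str]]:
    """Map key ID to findings, omitting keys with none."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for key in keys:
        findings = audit_key(key, now, max_age)
        if findings:
            report[key.id] = findings
    return report


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data; IDs, dates and the rotation_period text are invented.
NOW = _utc(2025, 1, 1)
SAMPLE_KEYS = [
    KeyRecord("k-ok", "billing", "enabled", True, "scaleway_kms",
              _utc(2024, 6, 1), _utc(2024, 12, 1),
              RotationPolicy("constructed-period", _utc(2025, 1, 31))),
    KeyRecord("k-unprotected", "legacy", "enabled", False, "scaleway_kms",
              _utc(2023, 1, 1)),
    KeyRecord("k-byok", "imported", "pending_key_material", True, "external",
              _utc(2024, 12, 20)),
    KeyRecord("k-overdue", "backups", "enabled", True, "scaleway_kms",
              _utc(2024, 1, 15), _utc(2024, 10, 1),
              RotationPolicy("constructed-period", _utc(2024, 12, 1))),
    KeyRecord("k-doomed", "old", "scheduled_for_deletion", False, "scaleway_kms",
              _utc(2022, 1, 1)),
]


def sample_report() -> Dict[str, List[str]]:
    return audit_keys(SAMPLE_KEYS, now=NOW)
```

`audit_keys` only reads attributes, so the list returned by list_keys_all can be passed in place of `SAMPLE_KEYS`.
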
protect_key(*, key_id: str, region: str | None = None) Key

Apply key protection.

Apply protection to a given key specified by the key_id parameter. Applying key protection means that your key can be used and modified, but it cannot be deleted.

:param key_id: ID of the key to apply key protection to.
:param region: Region to target. If none is passed will use default region from the config.
:return: Key

Usage:

result = api.protect_key(
    key_id="example",
)
restore_key(*, key_id: str, region: str | None = None) Key

Restore a key.

Restore a key and all its rotations scheduled for deletion specified by the region and key_id parameters.

:param key_id:
:param region: Region to target. If none is passed will use default region from the config.
:return: Key

Usage:

result = api.restore_key(
    key_id="example",
)
rotate_key(*, key_id: str, region: str | None = None) Key

Rotate a key.

Generate a new version of an existing key with new key material. Previous key versions remain usable to decrypt previously encrypted data, but the key’s new version will be used for subsequent encryption operations and data key generation.

:param key_id: ID of the key to rotate.
:param region: Region to target. If none is passed will use default region from the config.
:return: Key

Usage:

result = api.rotate_key(
    key_id="example",
)
sign(*, key_id: str, digest: str, region: str | None = None) SignResponse

Sign a message digest.

Use a given key to sign a message digest. The key must have its usage set to asymmetric_signing. The digest must be created using the same digest algorithm that is defined in the key’s algorithm configuration.

:param key_id: ID of the key to use for signing.
:param digest: The digest must be generated using the same algorithm defined in the key’s algorithm settings.
:param region: Region to target. If none is passed will use default region from the config.
:return: SignResponse

Usage:

result = api.sign(
    key_id="example",
    digest="example",
)
unprotect_key(*, key_id: str, region: str | None = None) Key

Remove key protection.

Remove key protection from a given key specified by the key_id parameter. Removing key protection means that your key can be deleted anytime.

:param key_id: ID of the key to remove key protection from.
:param region: Region to target. If none is passed will use default region from the config.
:return: Key

Usage:

result = api.unprotect_key(
    key_id="example",
)
update_key(*, key_id: str, region: str | None = None, name: str | None = None, description: str | None = None, tags: List[str] | None = None, rotation_policy: KeyRotationPolicy | None = None) Key

Update a key.

Modify a key’s metadata including name, description and tags, specified by the key_id and region parameters.

:param key_id: ID of the key to update.
:param region: Region to target. If none is passed will use default region from the config.
:param name: (Optional) Updated name of the key.
:param description: (Optional) Updated description of the key.
:param tags: (Optional) Updated list of the key’s tags.
:param rotation_policy: If not specified, the key’s existing rotation policy applies.
:return: Key

Usage:

result = api.update_key(
    key_id="example",
)
verify(*, key_id: str, digest: str, signature: str, region: str | None = None) VerifyResponse

Verify a message signature.

Use a given key to verify a message signature against a message digest. The key must have its usage set to asymmetric_signing. The message digest must be generated using the same digest algorithm that is defined in the key’s algorithm configuration.

:param key_id: ID of the key to use for signature verification.
:param digest: Must be generated using the same algorithm specified in the key’s configuration.
:param signature: The message signature to verify.
:param region: Region to target. If none is passed will use default region from the config.
:return: VerifyResponse

Usage:

result = api.verify(
    key_id="example",
    digest="example",
    signature="example",
)
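
Preparing the digest argument for sign and verify, as an added example that is not part of the SDK: the hash function is taken from the key's KeyAlgorithmAsymmetricSigning value, and a digest produced with the wrong hash is caught locally by its length before any request is made. The function names are hypothetical, the sample message is constructed, and base64 text for the digest string is an assumption.

```python
import base64
import binascii
import hashlib
from typing import BinaryIO, Optional

# KeyAlgorithmAsymmetricSigning values listed on this page, minus the unknown one.
SIGNING_ALGORITHMS = (
    "ec_p256_sha256", "ec_p384_sha384",
    "rsa_pkcs1_2048_sha256", "rsa_pkcs1_3072_sha256", "rsa_pkcs1_4096_sha256",
    "rsa_pss_2048_sha256", "rsa_pss_3072_sha256", "rsa_pss_4096_sha256",
)


def hash_name_for(algorithm) -> str:
    """Return the hashlib name encoded in a signing algorithm value."""
    name = getattr(algorithm, "value", algorithm)  # accept the enum member or its text
    if name not in SIGNING_ALGORITHMS:
        raise ValueError(f"not a usable signing algorithm: {name!r}")
    return name.rsplit("_", 1)[1]  # 'sha256' or 'sha384'


def digest_stream(algorithm, stream: BinaryIO, chunk_size: int = 65536) -> str:
    """Hash a binary stream in chunks with the key's hash; return base64 text.

    Assumption: the digest string is base64 text of the raw hash bytes.
    """
    hasher = hashlib.new(hash_name_for(algorithm))
    for block in iter(lambda: stream.read(chunk_size), b""):
        hasher.update(block)
    return base64.b64encode(hasher.digest()).decode()


def digest_problem(algorithm, digest_b64: str) -> Optional[str]:
    """Describe why a digest cannot belong to this algorithm, or return None."""
    expected = hashlib.new(hash_name_for(algorithm)).digest_size
    try:
        raw = base64.b64decode(digest_b64, validate=True)
    except binascii.Error:
        return "digest is not valid base64"
    if len(raw) != expected:
        return f"digest is {len(raw)} bytes, {hash_name_for(algorithm)} produces {expected}"
    return None


def build_sign_request(key_id: str, algorithm, stream: BinaryIO) -> dict:
    """Keyword arguments for sign(); the same digest value is what verify() takes."""
    return {"key_id": key_id, "digest": digest_stream(algorithm, stream)}
```

The key's algorithm comes from the asymmetric_signing field of its usage, so a key created as `ec_p384_sha384` needs a SHA-384 digest of the message.
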
class scaleway.key_manager.v1alpha1.KeyOrigin(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

EXTERNAL = 'external'
SCALEWAY_KMS = 'scaleway_kms'
UNKNOWN_ORIGIN = 'unknown_origin'
class scaleway.key_manager.v1alpha1.KeyRotationPolicy(rotation_period: 'Optional[str]' = None, next_rotation_at: 'Optional[datetime]' = None)

Bases: object

next_rotation_at: datetime | None = None

Timestamp indicating the next scheduled rotation.

rotation_period: str | None = None

Time interval between two key rotations. The minimum duration is 24 hours and the maximum duration is 1 year (876000 hours).

class scaleway.key_manager.v1alpha1.KeyState(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

DISABLED = 'disabled'
ENABLED = 'enabled'
PENDING_KEY_MATERIAL = 'pending_key_material'
SCHEDULED_FOR_DELETION = 'scheduled_for_deletion'
UNKNOWN_STATE = 'unknown_state'
class scaleway.key_manager.v1alpha1.KeyUsage(symmetric_encryption: 'Optional[KeyAlgorithmSymmetricEncryption]' = <KeyAlgorithmSymmetricEncryption.UNKNOWN_SYMMETRIC_ENCRYPTION: 'unknown_symmetric_encryption'>, asymmetric_encryption: 'Optional[KeyAlgorithmAsymmetricEncryption]' = None, asymmetric_signing: 'Optional[KeyAlgorithmAsymmetricSigning]' = None)

Bases: object

asymmetric_encryption: KeyAlgorithmAsymmetricEncryption | None = None
asymmetric_signing: KeyAlgorithmAsymmetricSigning | None = None
symmetric_encryption: KeyAlgorithmSymmetricEncryption | None = 'unknown_symmetric_encryption'
class scaleway.key_manager.v1alpha1.ListAlgorithmsRequest(region: 'Optional[ScwRegion]' = None, usages: 'Optional[List[ListAlgorithmsRequestUsage]]' = <factory>)

Bases: object

region: str | None = None

Region to target. If none is passed will use default region from the config.

usages: List[ListAlgorithmsRequestUsage] | None

Filter by key usage.

class scaleway.key_manager.v1alpha1.ListAlgorithmsRequestUsage(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

ASYMMETRIC_ENCRYPTION = 'asymmetric_encryption'
ASYMMETRIC_SIGNING = 'asymmetric_signing'
SYMMETRIC_ENCRYPTION = 'symmetric_encryption'
UNKNOWN_USAGE = 'unknown_usage'
class scaleway.key_manager.v1alpha1.ListAlgorithmsResponse(algorithms: 'List[ListAlgorithmsResponseAlgorithm]')

Bases: object

algorithms: List[ListAlgorithmsResponseAlgorithm]

Returns a list of algorithms matching the requested criteria.

class scaleway.key_manager.v1alpha1.ListAlgorithmsResponseAlgorithm(usage: 'str', name: 'str', recommended: 'bool')

Bases: object

name: str
recommended: bool
usage: str
class scaleway.key_manager.v1alpha1.ListKeysRequest(scheduled_for_deletion: 'bool', region: 'Optional[ScwRegion]' = None, organization_id: 'Optional[str]' = None, project_id: 'Optional[str]' = None, order_by: 'Optional[ListKeysRequestOrderBy]' = <ListKeysRequestOrderBy.NAME_ASC: 'name_asc'>, page: 'Optional[int]' = 0, page_size: 'Optional[int]' = 0, tags: 'Optional[List[str]]' = <factory>, name: 'Optional[str]' = None, usage: 'Optional[ListKeysRequestUsage]' = <ListKeysRequestUsage.UNKNOWN_USAGE: 'unknown_usage'>)

Bases: object

name: str | None = None

(Optional) Filter by key name.

order_by: ListKeysRequestOrderBy | None = 'name_asc'
organization_id: str | None = None

(Optional) Filter by Organization ID.

page: int | None = 0
page_size: int | None = 0
project_id: str | None = None

(Optional) Filter by Project ID.

region: str | None = None

Region to target. If none is passed will use default region from the config.

scheduled_for_deletion: bool

Filter keys based on their deletion status. By default, only keys not scheduled for deletion are returned in the output.

tags: List[str] | None

(Optional) List of tags to filter on.

usage: ListKeysRequestUsage | None = 'unknown_usage'

Select from symmetric encryption, asymmetric encryption, or asymmetric signing.

class scaleway.key_manager.v1alpha1.ListKeysRequestOrderBy(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

CREATED_AT_ASC = 'created_at_asc'
CREATED_AT_DESC = 'created_at_desc'
NAME_ASC = 'name_asc'
NAME_DESC = 'name_desc'
UPDATED_AT_ASC = 'updated_at_asc'
UPDATED_AT_DESC = 'updated_at_desc'

class scaleway.key_manager.v1alpha1.ListKeysRequestUsage(value: str, names: Any | None = None, *args: Any, **kwargs: Any)

Bases: str, Enum

ASYMMETRIC_ENCRYPTION = 'asymmetric_encryption'
ASYMMETRIC_SIGNING = 'asymmetric_signing'
SYMMETRIC_ENCRYPTION = 'symmetric_encryption'
UNKNOWN_USAGE = 'unknown_usage'

class scaleway.key_manager.v1alpha1.ListKeysResponse(keys: 'List[Key]', total_count: 'int')

Bases: object

keys: List[Key]

Single page of keys matching the requested criteria.

total_count: int

Total count of keys matching the requested criteria.

class scaleway.key_manager.v1alpha1.ProtectKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key to apply key protection to.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.PublicKey(pem: 'str')

Bases: object

pem: str

class scaleway.key_manager.v1alpha1.RestoreKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str
region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.RotateKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key to rotate.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.SignRequest(key_id: 'str', digest: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

digest: str

The digest must be generated using the same algorithm defined in the key’s algorithm settings.

key_id: str

ID of the key to use for signing.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.SignResponse(key_id: 'str', signature: 'str')

Bases: object

key_id: str

ID of the key used to generate the signature.

signature: str

The message signature.

class scaleway.key_manager.v1alpha1.UnprotectKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

key_id: str

ID of the key to remove key protection from.

region: str | None = None

Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.UpdateKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]' = None, name: 'Optional[str]' = None, description: 'Optional[str]' = None, tags: 'Optional[List[str]]' = <factory>, rotation_policy: 'Optional[KeyRotationPolicy]' = None)

Bases: object

description: str | None = None

(Optional) Updated description of the key.

key_id: str

ID of the key to update.

name: str | None = None

(Optional) Updated name of the key.

region: str | None = None

Region to target. If none is passed will use default region from the config.

rotation_policy: KeyRotationPolicy | None = None

If not specified, the key’s existing rotation policy applies.

tags: List[str] | None

(Optional) Updated list of the key’s tags.

class scaleway.key_manager.v1alpha1.VerifyRequest(key_id: 'str', digest: 'str', signature: 'str', region: 'Optional[ScwRegion]' = None)

Bases: object

digest: str

Must be generated using the same algorithm specified in the key’s configuration.

key_id: str

ID of the key to use for signature verification.

region: str | None = None

Region to target. If none is passed will use default region from the config.

signature: str

The message signature to verify.

class scaleway.key_manager.v1alpha1.VerifyResponse(key_id: 'str', valid: 'bool')

Bases: object

key_id: str

ID of the key used for verification.

valid: bool

Returns true if the signature is valid for the digest and key, false otherwise.
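
Added example (not part of the SDK or its documentation): one way to build the digest field for SignRequest and VerifyRequest so that it matches the key's algorithm, and to treat VerifyResponse fail-closed. Assumptions: the algorithm names used here (such as "ec_p256_sha256") are sample values that end in the hash name, and the digest string is base64-encoded; the helper names are hypothetical.

```python
import base64
import hashlib

# Assumption: the key's algorithm name ends with the hash it expects,
# e.g. "ec_p256_sha256". These names are sample values, not taken from this page.
_HASHES = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}


def digest_for_key(message: bytes, key_algorithm: str) -> str:
    """Hash `message` with the hash named by the key's algorithm.

    Returns the digest base64-encoded (assumed encoding of `digest: str`).
    Raises ValueError instead of silently falling back to another hash,
    because a digest made with the wrong algorithm cannot verify.
    """
    suffix = key_algorithm.rsplit("_", 1)[-1].lower()
    try:
        hasher = _HASHES[suffix]
    except KeyError:
        raise ValueError(f"no known hash for algorithm {key_algorithm!r}") from None
    return base64.b64encode(hasher(message).digest()).decode("ascii")


def accept_verification(expected_key_id: str, response_key_id: str, valid: bool) -> bool:
    """Fail closed on a VerifyResponse.

    A successful call only means the request was processed; the signature
    is accepted only if `valid` is True and the response names the key
    the caller intended to verify against.
    """
    return valid is True and response_key_id == expected_key_id


if __name__ == "__main__":
    # Constructed sample input.
    d = digest_for_key(b"release-1.2.3.tar.gz contents", "ec_p256_sha256")
    print("digest for SignRequest/VerifyRequest:", d)
    print("accepted:", accept_verification("key-a", "key-a", True))
```

Use the same `digest_for_key` output for both the sign and the verify call, and gate any trust decision on `accept_verification` rather than on the absence of an exception.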