How to set protection level for key ring using java KMS API?

I need to set the ProtectionLevel to HSM, both during creation and for an existing key ring.

I am trying to set this option the same way as any other option:

CreateKeyRingRequest.newBuilder().//I see nothing to set ProtectionLevel here.

How can I do this with this API?

The HSM protection level is not specified at the key ring level.

When creating a key ring (i.e. one that will hold HSM keys), the only thing you need to consider is the regions supported by the HSM ProtectionLevel.

For Key Ring creation you only need the parent (location), the keyring_id (name) and the keyRing object; the documentation provides the following example for Java:

/**
 * Creates a new key ring with the given id.
 */
public static KeyRing createKeyRing(String projectId, String locationId, String keyRingId)
    throws IOException {
  // Create the Cloud KMS client.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {

    // The resource name of the location associated with the KeyRing.
    String parent = LocationName.format(projectId, locationId);

    // Create the KeyRing for your project.
    KeyRing keyRing = client.createKeyRing(parent, keyRingId, KeyRing.newBuilder().build());

    return keyRing;
  }
}

Then, moving on to creating the KMS key: to add the HSM protection level you need to create a new crypto key version template and set that template on the crypto key builder. Here is sample code that I have tried and confirmed works:

/**
 * Creates a new crypto key with the given id, with HSM-protected versions.
 */
public static CryptoKey createCryptoKey(String projectId, String locationId, String keyRingId,
    String cryptoKeyId)
    throws IOException {

  // Create the Cloud KMS client.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // The resource name of the KeyRing that will contain the new CryptoKey.
    String parent = KeyRingName.format(projectId, locationId, keyRingId);
    ProtectionLevel protectionLevel = ProtectionLevel.HSM;

    // The version template carries the protection level; every CryptoKeyVersion
    // created for this key (initial and rotations) is generated from it.
    CryptoKeyVersionTemplate template = CryptoKeyVersionTemplate.newBuilder()
          .setProtectionLevel(protectionLevel)
          .build();

    // ENCRYPT_DECRYPT makes this a symmetric key usable with encrypt()/decrypt();
    // the template attached here is what makes its versions HSM-backed.
    CryptoKey cryptoKey = CryptoKey.newBuilder()
        .setPurpose(CryptoKeyPurpose.ENCRYPT_DECRYPT)
        .setVersionTemplate(template)
        .build();

    // Create the CryptoKey for your project.
    CryptoKey createdKey = client.createCryptoKey(parent, cryptoKeyId, cryptoKey);

    return createdKey;
  }
}

The imports you need (for both snippets above):

import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose;
import com.google.cloud.kms.v1.CryptoKeyVersionTemplate;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRing;
import com.google.cloud.kms.v1.KeyRingName;
import com.google.cloud.kms.v1.LocationName;
import com.google.cloud.kms.v1.ProtectionLevel;
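The second half of the question, an existing key ring, deserves a check rather than a setter: the protection level lives on each CryptoKeyVersion and is fixed when that version is created from the key's version template, so a key whose versions were created as SOFTWARE cannot be switched to HSM in place. What a practitioner can do with an existing ring is audit it and replace any non-HSM key with a new one created as shown above. The following audit is an added example, not code from the answer or from Google's samples; it uses the same com.google.cloud.kms.v1 client, and the project, location and key ring identifiers in main are hypothetical placeholders.

```java
import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKeyVersion;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyManagementServiceClient.ListCryptoKeysPagedResponse;
import com.google.cloud.kms.v1.KeyRingName;
import com.google.cloud.kms.v1.ProtectionLevel;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/** Audits every CryptoKey in a key ring for HSM protection (added example). */
public class HsmKeyRingAudit {

  /**
   * Checks one key and returns the list of problems found (empty if the key is fully HSM).
   * Pure function over the CryptoKey message, so it can be unit-tested without a client.
   */
  public static List<String> checkKey(CryptoKey key) {
    List<String> problems = new ArrayList<>();

    // Future versions (rotations) are generated from the template, so a non-HSM
    // template means the next rotation silently lands in software.
    ProtectionLevel templateLevel = key.getVersionTemplate().getProtectionLevel();
    if (templateLevel != ProtectionLevel.HSM) {
      problems.add("version template protection level is " + templateLevel);
    }

    // For ENCRYPT_DECRYPT keys, encrypt() uses the primary version, so that is the
    // version whose protection level matters today. Asymmetric keys have no primary.
    if (key.hasPrimary()) {
      CryptoKeyVersion primary = key.getPrimary();
      if (primary.getProtectionLevel() != ProtectionLevel.HSM) {
        problems.add("primary version " + primary.getName()
            + " protection level is " + primary.getProtectionLevel());
      }
    } else {
      problems.add("key has no primary version; check its versions individually");
    }
    return problems;
  }

  /** Lists all keys in the ring and returns one finding line per problem. */
  public static List<String> auditKeyRing(String projectId, String locationId, String keyRingId)
      throws IOException {
    List<String> findings = new ArrayList<>();
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      KeyRingName parent = KeyRingName.of(projectId, locationId, keyRingId);
      ListCryptoKeysPagedResponse keys = client.listCryptoKeys(parent);
      for (CryptoKey key : keys.iterateAll()) {
        for (String problem : checkKey(key)) {
          findings.add(key.getName() + ": " + problem);
        }
      }
    }
    return findings;
  }

  public static void main(String[] args) throws IOException {
    // Hypothetical identifiers; replace with your own project, location and key ring.
    List<String> findings = auditKeyRing("my-project", "us-east1", "my-keyring");
    if (findings.isEmpty()) {
      System.out.println("All keys in the ring are HSM-backed (template and primary version).");
    } else {
      findings.forEach(System.out::println);
      System.exit(1);  // non-zero so a CI job or scheduled check fails on drift
    }
  }
}
```

Run it with application default credentials that hold roles/cloudkms.viewer on the ring. A key flagged for its template will keep producing software versions on rotation, and a key flagged for its primary is protecting data in software right now; in both cases the remedy is to create a new key with an HSM version template, re-encrypt, and then disable or destroy the old versions, since no update call changes the protection level of a version that already exists.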