Uploading a New Key to Google Cloud
Use the POST /v1/cckm/google/upload-key API to create a new key on a key source (CipherTrust Manager, DSM, or Luna HSM) and upload it to Google Cloud.
Syntax
curl -k '<IP>/api/v1/cckm/google/upload-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "key_ring": "<key_ring>",\n "source_key_id": "<source_key_id>",\n "source_key_tier": "<source_key_tier>",\n "gcp_key_params": {\n "key_name": "<key_name>",\n "purpose": "<purpose>",\n "protection_level": "<protection_level>",\n "import_only": <true|false>,\n "algorithm": "<algorithm>",\n "labels": {\n "<key>": "<value>"\n }\n }\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
gcp_key_params | JSON | Parameters to specify properties of the Google Cloud key. Refer to Google Cloud Key Parameters for details. |
key_ring | string | ID or resource URL of the Google Cloud key ring where the key is to be created. |
source_key_id | string | ID of the key that will be uploaded from a key source. |
source_key_tier | string | Key source from where the key will be uploaded. The key source can be: • local for CipherTrust Manager (default) • dsm for Data Security Manager (DSM) • hsm-luna for Luna HSM (FM-enabled Luna HSM is not supported as a key source) • external-cm for external CipherTrust Manager |
Google Key Parameters
Parameter | Type | Description |
---|---|---|
algorithm | string | Algorithm for the Google Cloud key. The supported algorithms are: • RSA_SIGN_PSS_2048_SHA256 • RSA_SIGN_PSS_3072_SHA256 • RSA_SIGN_PSS_4096_SHA256 • RSA_SIGN_PSS_4096_SHA512 • RSA_SIGN_PKCS1_2048_SHA256 • RSA_SIGN_PKCS1_3072_SHA256 • RSA_SIGN_PKCS1_4096_SHA256 • RSA_SIGN_PKCS1_4096_SHA512 • RSA_DECRYPT_OAEP_2048_SHA256 • RSA_DECRYPT_OAEP_3072_SHA256 • RSA_DECRYPT_OAEP_4096_SHA256 • RSA_DECRYPT_OAEP_4096_SHA512 • EC_SIGN_P256_SHA256 • EC_SIGN_P384_SHA384 • GOOGLE_SYMMETRIC_ENCRYPTION • HMAC_SHA256 |
key_name | string | Name for the Google Cloud key. |
protection_level | string | Protection level for the Google Cloud key. The options are: • SOFTWARE • HSM |
purpose | string | Purpose of the Google Cloud key. A key purpose specifies the operation that the key can be used to perform. The options are: • ASYMMETRIC_SIGN (for asymmetric keys) • ASYMMETRIC_DECRYPT (for asymmetric keys) • ENCRYPT_DECRYPT (for symmetric keys) • MAC (for symmetric keys) Refer to Key purposes and algorithms for details. |
labels | string of JSON | Labels (tags) attached to the Google Cloud key in the form of key-value JSON pairs, for example, "isakey": "yes". For Google label requirements, refer to Labeling keys. |
next_rotation_time | string | Time when the Google Cloud key will be automatically rotated by Google Cloud KMS (symmetric key only). The time must be in the RFC3339 format, for example, "2022-07-31T17:18:37.085Z". |
rotation_period | string | (Symmetric keys only) Frequency at which the Google Cloud key will be automatically rotated by Google Cloud KMS. The frequency must be in the format "<duration>s", that is, duration in seconds terminated by s, for example, "360000s". |
import_only | boolean | Whether to restrict key versions to import only. If set to true, new key versions can only be imported. The default value is false. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/google/upload-key' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhOGY3N2IxZS1lOTY2LTQwMjEtODRjMC01YjZiNjAzMTBmOWEiLCJzdWIiOiJsb2NhbHwzM2Y5ZDFmNi04MjJiLTQ0NTItOGM4MC1mYzM0ZGYyZTI3OGQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiNjcyMjMzMDAtYjU2ZC00ZmVmLTkwMDEtZGE1NGY2ZDdiMzY4Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImFlZWY5ZmY4LThhYjctNDUyZS04YTE4LTQ3YTYxZDg0MzAwZSIsImlhdCI6MTYyMDIwMzYxMCwiZXhwIjoxNjIwMjAzOTEwfQ.eGWVMC1yUBYbUSxr22aBPdP2Tg257k7D_5galuus2qg' -H 'Content-Type: application/json' --data-binary $'{\n "key_ring": "projects/gemalto-kyloeng/locations/global/keyRings/demo-key-ring",\n "source_key_id": "db48136526724811ad707b1eba3955e66c51ef5b91d440e2b85b6deff33308cd",\n "source_key_tier": "local",\n "gcp_key_params": {\n "key_name": "KeyUploadImportOnly",\n "purpose": "ENCRYPT_DECRYPT",\n "import_only": true,\n "protection_level": "SOFTWARE",\n "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",\n "labels": {\n "isakey": "yesabel"\n }\n }\n}' --compressed
Example Response
{
  "id": "673c28bf-0b71-4473-bf90-a431e019df20",
  "uri": "kylo:kylo:cckm:gcp-keys:673c28bf-0b71-4473-bf90-a431e019df20",
  "account": "kylo:kylo:admin:accounts:kylo",
  "createdAt": "2023-01-25T06:14:36.806692Z",
  "updatedAt": "2023-01-25T06:14:36.804818Z",
  "cloud_name": "",
  "key_id": "",
  "project_id": "vp-cckm-dev",
  "location_id": "",
  "key_ring_id": "",
  "key_ring_name": "projects/gemalto-kyloeng/locations/global/keyRings/demo-key-ring",
  "gone": false,
  "auto_rotate": false,
  "create_status": "IN_PROGRESS",
  "gcp_cloud_resource_name": "",
  "gcp_params": {
    "name": "",
    "primary": "",
    "createTime": null,
    "purpose": "",
    "next_rotation_time": null,
    "import_only": false,
    "protectionLevel": "",
    "algorithm": ""
  }
}
The sample output shows that a new Google Cloud key with the ID 673c28bf-0b71-4473-bf90-a431e019df20 is created and that its upload status is "IN_PROGRESS".
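The constraints in the two parameter tables above can be checked on the client before the request is sent. The following is an added example, not part of the product documentation: build_upload_body is a hypothetical helper, and matching a purpose to its algorithms by name prefix is an assumption drawn from the algorithm names listed on this page.

```python
import json
import re

# Purpose -> algorithm-name prefixes, grouped from the algorithm list on this page (assumption).
PURPOSE_PREFIXES = {
    "ASYMMETRIC_SIGN": ("RSA_SIGN_", "EC_SIGN_"),
    "ASYMMETRIC_DECRYPT": ("RSA_DECRYPT_OAEP_",),
    "ENCRYPT_DECRYPT": ("GOOGLE_SYMMETRIC_ENCRYPTION",),
    "MAC": ("HMAC_",),
}
SYMMETRIC_PURPOSES = {"ENCRYPT_DECRYPT", "MAC"}  # marked "for symmetric keys" in the table
SOURCE_TIERS = {"local", "dsm", "hsm-luna", "external-cm"}
PROTECTION_LEVELS = {"SOFTWARE", "HSM"}
# Shape checks only: an RFC3339 timestamp and "<duration>s".
RFC3339 = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})")
DURATION = re.compile(r"\d+s")


def build_upload_body(key_ring, source_key_id, key_name, purpose, algorithm,
                      protection_level="SOFTWARE", source_key_tier="local", import_only=False,
                      labels=None, rotation_period=None, next_rotation_time=None):
    """Validate against the parameter tables and return the JSON request body."""
    for name, value, allowed in (("source_key_tier", source_key_tier, SOURCE_TIERS),
                                 ("protection_level", protection_level, PROTECTION_LEVELS),
                                 ("purpose", purpose, PURPOSE_PREFIXES)):
        if value not in allowed:
            raise ValueError(f"unknown {name}: {value!r}")
    if not algorithm.startswith(PURPOSE_PREFIXES[purpose]):
        raise ValueError(f"algorithm {algorithm} does not match purpose {purpose}")
    if not isinstance(import_only, bool):
        raise ValueError("import_only must be a JSON boolean, not a string")
    params = {"key_name": key_name, "purpose": purpose, "algorithm": algorithm,
              "protection_level": protection_level, "import_only": import_only}
    rotation = {"rotation_period": (rotation_period, DURATION),
                "next_rotation_time": (next_rotation_time, RFC3339)}
    for name, (value, pattern) in rotation.items():
        if value is None:
            continue
        if purpose not in SYMMETRIC_PURPOSES:
            raise ValueError(f"{name} applies to symmetric keys only")
        if not pattern.fullmatch(value):
            raise ValueError(f"{name} has the wrong format: {value!r}")
        params[name] = value
    if labels:  # labels are string key-value pairs
        params["labels"] = {str(k): str(v) for k, v in labels.items()}
    return json.dumps({"key_ring": key_ring, "source_key_id": source_key_id,
                       "source_key_tier": source_key_tier, "gcp_key_params": params})
```

The returned string can be passed to curl with --data-binary @- on standard input, which avoids hand-escaping the JSON in the shell.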
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.