Uploading a New Key to Google Cloud
Use the post /v1/cckm/google/upload-key API to create a new key on a key source (CipherTrust Manager, DSM, or Luna HSM) and upload it to Google Cloud.
Syntax
curl -k '<IP>/api/v1/cckm/google/upload-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "key_ring": "<key_ring>",\n "source_key_id": "<source_key_id>",\n "source_key_tier": "<source_key_tier>",\n "gcp_key_params": {\n "key_name": "<key_name>",\n "purpose": "<purpose>",\n "protection_level": "<protection_level>",\n "import_only": <true|false>,\n "algorithm": "<algorithm>",\n "labels": {\n "<key>": "<value>"\n }\n }\n}' --compressed
Request Parameters
| Parameter | Type | Description |
|---|---|---|
| AUTHTOKEN | string | Authorization token. |
| gcp_key_params | JSON | Parameters to specify properties of the Google Cloud key. Refer to Google Cloud Key Parameters for details. |
| key_ring | string | ID or resource URL of the Google Cloud key ring where the key is to be created. |
| source_key_id | string | ID of the key that will be uploaded from a key source. |
| source_key_tier | string | Key source from where the key will be uploaded. The key source can be: • local for CipherTrust Manager (default)• dsm for Data Security Manager (DSM)• hsm-luna for Luna HSM (FM-enabled Luna HSM is not supported as a key source)• external-cm for external CipherTrust Manager |
Google Key Parameters
| Parameter | Type | Description |
|---|---|---|
| algorithm | string | Algorithm for the Google Cloud key. The supported algorithms are: • RSA_SIGN_PSS_2048_SHA256 • RSA_SIGN_PSS_3072_SHA256 • RSA_SIGN_PSS_4096_SHA256 • RSA_SIGN_PSS_4096_SHA512 • RSA_SIGN_PKCS1_2048_SHA256 • RSA_SIGN_PKCS1_3072_SHA256 • RSA_SIGN_PKCS1_4096_SHA256 • RSA_SIGN_PKCS1_4096_SHA512 • RSA_DECRYPT_OAEP_2048_SHA256 • RSA_DECRYPT_OAEP_3072_SHA256 • RSA_DECRYPT_OAEP_4096_SHA256 • RSA_DECRYPT_OAEP_4096_SHA512 • EC_SIGN_P256_SHA256 • EC_SIGN_P384_SHA384 • GOOGLE_SYMMETRIC_ENCRYPTION • HMAC_SHA256 |
| key_name | string | Name for the Google Cloud key. |
| protection_level | string | Protection level for the Google Cloud key. The options are: • SOFTWARE • HSM |
| purpose | string | Purpose of the Google Cloud key. A key purpose specifies the operation that the key can be used to perform. The options are: • ASYMMETRIC_SIGN (for asymmetric keys) • ASYMMETRIC_DECRYPT (for asymmetric keys) • ENCRYPT_DECRYPT (for symmetric keys) • MAC (for symmetric keys) Refer to Key purposes and algorithms for details. |
| labels | string of JSON | Labels (tags) attached to the Google Cloud key in the form of key-value JSON pairs, for example, "isakey": "yes". For Google label requirements, refer to [Labeling keys |
| next_rotation_time | string | Time when the Google Cloud key will be automatically rotated by Google Cloud KMS (symmetric key only). The time must be in the RFC3339 format, for example, "2022-07-31T17:18:37.085Z". |
| rotation_period | string | (Symmetric keys only) Frequency at which the Google Cloud key will be automatically rotated by Google Cloud KMS. The frequency must be in the format "<duration>s", that is, duration in seconds terminated by s, for example, "360000s". |
| import_only | boolean | Whether to restrict key versions to import only. If set to true, new key versions can only be imported. The default value is false. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/google/upload-key' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhOGY3N2IxZS1lOTY2LTQwMjEtODRjMC01YjZiNjAzMTBmOWEiLCJzdWIiOiJsb2NhbHwzM2Y5ZDFmNi04MjJiLTQ0NTItOGM4MC1mYzM0ZGYyZTI3OGQiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiNjcyMjMzMDAtYjU2ZC00ZmVmLTkwMDEtZGE1NGY2ZDdiMzY4Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImFlZWY5ZmY4LThhYjctNDUyZS04YTE4LTQ3YTYxZDg0MzAwZSIsImlhdCI6MTYyMDIwMzYxMCwiZXhwIjoxNjIwMjAzOTEwfQ.eGWVMC1yUBYbUSxr22aBPdP2Tg257k7D_5galuus2qg' -H 'Content-Type: application/json' --data-binary $'{\n "key_ring": "projects/gemalto-kyloeng/locations/global/keyRings/demo-key-ring",\n "source_key_id": "db48136526724811ad707b1eba3955e66c51ef5b91d440e2b85b6deff33308cd",\n "source_key_tier": "local",\n "gcp_key_params": {\n "key_name": "KeyUploadImportOnly",\n "purpose": "ENCRYPT_DECRYPT",\n "import_only": true,\n "protection_level": "SOFTWARE",\n "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",\n "labels": {\n "isakey": "yesabel"\n }\n }\n}' --compressed
Example Response
{
"id": "673c28bf-0b71-4473-bf90-a431e019df20",
"uri": "kylo:kylo:cckm:gcp-keys:673c28bf-0b71-4473-bf90-a431e019df20",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-01-25T06:14:36.806692Z",
"updatedAt": "2023-01-25T06:14:36.804818Z",
"cloud_name": "",
"key_id": "",
"project_id": "vp-cckm-dev",
"location_id": "",
"key_ring_id": "",
"key_ring_name": "projects/gemalto-kyloeng/locations/global/keyRings/demo-key-ring",
"gone": false,
"auto_rotate": false,
"create_status": "IN_PROGRESS",
"gcp_cloud_resource_name": "",
"gcp_params": {
"name": "",
"primary": "",
"createTime": null,
"purpose": "",
"next_rotation_time": null,
"import_only": false,
"protectionLevel": "",
"algorithm": ""
}
}
The sample output displays that a new Google Cloud key with the ID 673c28bf-0b71-4473-bf90-a431e019df20 is created and its upload is in "IN_PROGRESS".
Response Codes
| Response Code | Description |
|---|---|
| 2xx | Success |
| 4xx | Client errors |
| 5xx | Server errors |
Refer to HTTP status codes for details.
