
How to set protection level for key ring using Java KMS API?

I need to set ProtectionLevel to HSM for a key ring in both cases: during creation and for an existing one.

I am trying to set this option the same way as any other option:

CreateKeyRingRequest.newBuilder().//I see nothing to set ProtectionLevel here.

How can I do this using this API?

The HSM ProtectionLevel is not specified on the Key Ring level.

When creating a Key Ring (that is meant to have HSM keys) you just need to take into consideration the regions supported by the HSM ProtectionLevel.

For the Key Ring creation you just need a parent (location), keyring_id (the name), and the keyRing object. The documentation gives the following example for Java:

/**
 * Creates a new key ring with the given id.
 */
public static KeyRing createKeyRing(String projectId, String locationId, String keyRingId)
    throws IOException {
  // Create the Cloud KMS client.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {

    // The resource name of the location associated with the KeyRing.
    String parent = LocationName.format(projectId, locationId);

    // Create the KeyRing for your project.
    KeyRing keyRing = client.createKeyRing(parent, keyRingId, KeyRing.newBuilder().build());

    return keyRing;
  }
}

And then you proceed to create your KMS key. To add the HSM Protection Level you will need to create a new CryptoKey Version Template and set the template on the Crypto Key Builder. This is sample code which I have already tried and confirmed that it works:

  /**
   * Creates a new crypto key with the given id.
   */
  public static CryptoKey createCryptoKey(String projectId, String locationId, String keyRingId,
      String cryptoKeyId)
      throws IOException {

    // Create the Cloud KMS client.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // The resource name of the KeyRing that will contain the new key.
      String parent = KeyRingName.format(projectId, locationId, keyRingId);
      ProtectionLevel protectionLevel = ProtectionLevel.HSM;

      // creating the template with the right protection level
      CryptoKeyVersionTemplate template = CryptoKeyVersionTemplate.newBuilder()
            .setProtectionLevel(protectionLevel)
            .build();

      // Build an encrypt/decrypt key whose versions take the HSM protection level from the template.
      CryptoKey cryptoKey = CryptoKey.newBuilder()
          .setPurpose(CryptoKeyPurpose.ENCRYPT_DECRYPT)
          .setVersionTemplate(template)
          .build();

      // Create the CryptoKey for your project.
      CryptoKey createdKey = client.createCryptoKey(parent, cryptoKeyId, cryptoKey);

      return createdKey;
    }
  }

The dependencies you will need:

import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose;
import com.google.cloud.kms.v1.ProtectionLevel;
import com.google.cloud.kms.v1.CryptoKeyName;
import com.google.cloud.kms.v1.CryptoKeyVersionTemplate;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRing;
import com.google.cloud.kms.v1.KeyRingName;
import com.google.cloud.kms.v1.LocationName;
import java.io.IOException;
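
An added example, not part of the original answer or of Google's documentation: because the protection level is set on each key's version template rather than on the key ring, this check lists the keys in a ring and reports every key whose template is not HSM. The class name `HsmAudit`, its method names and the sample project, location and key names are assumptions made for illustration.

```java
import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKeyVersionTemplate;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRingName;
import com.google.cloud.kms.v1.ProtectionLevel;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper class (not from the original answer).
public class HsmAudit {

  /** Returns the resource names of keys whose version template is not HSM. */
  static List<String> nonHsmKeys(Iterable<CryptoKey> keys) {
    List<String> findings = new ArrayList<>();
    for (CryptoKey key : keys) {
      // An unset template reports PROTECTION_LEVEL_UNSPECIFIED and is flagged too.
      ProtectionLevel level = key.getVersionTemplate().getProtectionLevel();
      if (level != ProtectionLevel.HSM) {
        findings.add(key.getName() + " (" + level + ")");
      }
    }
    return findings;
  }

  /** Audits a live key ring; needs credentials and permission to list its keys. */
  static List<String> auditKeyRing(String projectId, String locationId, String keyRingId)
      throws IOException {
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      String parent = KeyRingName.format(projectId, locationId, keyRingId);
      return nonHsmKeys(client.listCryptoKeys(parent).iterateAll());
    }
  }

  // Offline run over constructed sample keys (all names are made up).
  public static void main(String[] args) {
    String ring = KeyRingName.format("my-project", "us-east1", "my-ring");
    List<CryptoKey> sample = List.of(
        key(ring + "/cryptoKeys/hsm-key", ProtectionLevel.HSM),
        key(ring + "/cryptoKeys/soft-key", ProtectionLevel.SOFTWARE));
    nonHsmKeys(sample).forEach(System.out::println);
  }

  private static CryptoKey key(String name, ProtectionLevel level) {
    return CryptoKey.newBuilder().setName(name)
        .setVersionTemplate(CryptoKeyVersionTemplate.newBuilder().setProtectionLevel(level))
        .build();
  }
}
```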
