Java Code Examples for com.google.cloud.kms.v1.KeyManagementServiceClient#create()

The following examples show how to use com.google.cloud.kms.v1.KeyManagementServiceClient#create().
Example 1
Source File: CreateKeySymmetricEncryptDecrypt.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
/**
 * Creates a symmetric encrypt/decrypt key in an existing key ring and prints its name.
 *
 * <p>The request sets neither a rotation period nor a protection level, so the key gets
 * whatever the service applies when those fields are absent. Set both explicitly for keys
 * that protect production data.
 *
 * @param projectId project that owns the key ring
 * @param locationId location of the key ring
 * @param keyRingId key ring that receives the new key
 * @param id identifier for the new key
 * @throws IOException propagated from creating the Cloud KMS client
 */
public void createKeySymmetricEncryptDecrypt(
    String projectId, String locationId, String keyRingId, String id) throws IOException {
  // A client can be shared across many requests; try-with-resources closes this one so its
  // background resources are released when the call finishes.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // Parent resource: the key ring the key is created in.
    KeyRingName parent = KeyRingName.of(projectId, locationId, keyRingId);

    // Template applied to every version of the key.
    CryptoKeyVersionTemplate template =
        CryptoKeyVersionTemplate.newBuilder()
            .setAlgorithm(CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION)
            .build();

    CryptoKey request =
        CryptoKey.newBuilder()
            .setPurpose(CryptoKeyPurpose.ENCRYPT_DECRYPT)
            .setVersionTemplate(template)
            .build();

    // Send the request and report the resource name the service returned.
    CryptoKey created = client.createCryptoKey(parent, id, request);
    System.out.printf("Created symmetric key %s%n", created.getName());
  }
}
 
Example 2
Source File: SnippetsIT.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
/**
 * Test fixture: creates a symmetric encrypt/decrypt key whose versions use the HSM protection
 * level, in the key ring returned by {@code getKeyRingName()}.
 *
 * @param keyId identifier for the new key
 * @return the key as returned by the service
 * @throws IOException propagated from creating the Cloud KMS client
 */
private static CryptoKey createHsmKey(String keyId) throws IOException {
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // The explicit protection level is what makes this an HSM-backed key.
    CryptoKeyVersionTemplate hsmTemplate =
        CryptoKeyVersionTemplate.newBuilder()
            .setAlgorithm(CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION)
            .setProtectionLevel(ProtectionLevel.HSM)
            .build();

    // Placeholder labels used by the tests.
    CryptoKey request =
        CryptoKey.newBuilder()
            .setPurpose(CryptoKeyPurpose.ENCRYPT_DECRYPT)
            .setVersionTemplate(hsmTemplate)
            .putLabels("foo", "bar")
            .putLabels("zip", "zap")
            .build();

    return client.createCryptoKey(getKeyRingName(), keyId, request);
  }
}
 
Example 3
Source File: SnippetsIT.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
/**
 * Test fixture: creates an asymmetric signing key (EC P-256 with SHA-256) in the key ring
 * returned by {@code getKeyRingName()}.
 *
 * @param keyId identifier for the new key
 * @return the key as returned by the service
 * @throws IOException propagated from creating the Cloud KMS client
 */
private static CryptoKey createAsymmetricSignEcKey(String keyId) throws IOException {
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // Signing algorithm for every version of the key.
    CryptoKeyVersionTemplate ecTemplate =
        CryptoKeyVersionTemplate.newBuilder()
            .setAlgorithm(CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256)
            .build();

    // Placeholder labels used by the tests.
    CryptoKey request =
        CryptoKey.newBuilder()
            .setPurpose(CryptoKeyPurpose.ASYMMETRIC_SIGN)
            .setVersionTemplate(ecTemplate)
            .putLabels("foo", "bar")
            .putLabels("zip", "zap")
            .build();

    return client.createCryptoKey(getKeyRingName(), keyId, request);
  }
}
 
Example 4
Source File: SnippetsIT.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
/**
 * Test fixture: creates an asymmetric signing key (RSA-PSS 2048 with SHA-256) in the key ring
 * returned by {@code getKeyRingName()}.
 *
 * @param keyId identifier for the new key
 * @return the key as returned by the service
 * @throws IOException propagated from creating the Cloud KMS client
 */
private static CryptoKey createAsymmetricSignRsaKey(String keyId) throws IOException {
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // Signing algorithm for every version of the key.
    CryptoKeyVersionTemplate rsaTemplate =
        CryptoKeyVersionTemplate.newBuilder()
            .setAlgorithm(CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256)
            .build();

    // Placeholder labels used by the tests.
    CryptoKey request =
        CryptoKey.newBuilder()
            .setPurpose(CryptoKeyPurpose.ASYMMETRIC_SIGN)
            .setVersionTemplate(rsaTemplate)
            .putLabels("foo", "bar")
            .putLabels("zip", "zap")
            .build();

    return client.createCryptoKey(getKeyRingName(), keyId, request);
  }
}
 
Example 5
Source File: SnippetsIT.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
/**
 * Test fixture: creates a new version of a key and polls until the version reports
 * {@code ENABLED}.
 *
 * <p>The version is fetched up to five times, sleeping 500 ms times the attempt number after
 * each fetch that is not yet enabled.
 *
 * @param keyId key to add a version to, inside the test project, location and key ring
 * @return the enabled key version as last fetched from the service
 * @throws IOException propagated from creating the Cloud KMS client
 * @throws InterruptedException if the thread is interrupted while sleeping between polls
 * @throws TimeoutException if the version is not enabled after the fifth fetch
 */
private static CryptoKeyVersion createKeyVersion(String keyId)
    throws IOException, InterruptedException, TimeoutException {
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    CryptoKeyName parentKey = CryptoKeyName.of(PROJECT_ID, LOCATION_ID, KEY_RING_ID, keyId);
    CryptoKeyVersion created =
        client.createCryptoKeyVersion(parentKey, CryptoKeyVersion.newBuilder().build());
    String versionName = created.getName();

    int attempt = 1;
    while (attempt <= 5) {
      CryptoKeyVersion current = client.getCryptoKeyVersion(versionName);
      if (current.getState() == CryptoKeyVersionState.ENABLED) {
        return current;
      }

      // Linear back-off: 500 ms, 1000 ms, ... before the next fetch.
      Thread.sleep(500 * attempt);
      attempt++;
    }

    throw new TimeoutException("key version not ready in timeout");
  }
}
 
Example 6
Source File: CreateKeyVersion.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
/**
 * Creates a new version of an existing key and prints the version's name.
 *
 * @param projectId project that owns the key
 * @param locationId location of the key ring
 * @param keyRingId key ring that holds the key
 * @param keyId key to add a version to
 * @throws IOException propagated from creating the Cloud KMS client
 */
public void createKeyVersion(String projectId, String locationId, String keyRingId, String keyId)
    throws IOException {
  // A client can be shared across many requests; try-with-resources closes this one so its
  // background resources are released when the call finishes.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // Parent resource: the key that receives the new version.
    CryptoKeyName parentKey = CryptoKeyName.of(projectId, locationId, keyRingId, keyId);

    // An empty version message: no fields are set on the request.
    CryptoKeyVersion emptyVersion = CryptoKeyVersion.newBuilder().build();

    // Create the version and report the name the service returned.
    CryptoKeyVersion created = client.createCryptoKeyVersion(parentKey, emptyVersion);
    System.out.printf("Created key version %s%n", created.getName());
  }
}
 
Example 7
Source File: CreateKeyAsymmetricDecrypt.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
/**
 * Creates an asymmetric decryption key (RSA-OAEP 2048 with SHA-256) in an existing key ring
 * and prints its name.
 *
 * @param projectId project that owns the key ring
 * @param locationId location of the key ring
 * @param keyRingId key ring that receives the new key
 * @param id identifier for the new key
 * @throws IOException propagated from creating the Cloud KMS client
 */
public void createKeyAsymmetricDecrypt(
    String projectId, String locationId, String keyRingId, String id) throws IOException {
  // A client can be shared across many requests; try-with-resources closes this one so its
  // background resources are released when the call finishes.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // Parent resource: the key ring the key is created in.
    KeyRingName parent = KeyRingName.of(projectId, locationId, keyRingId);

    // Template applied to every version of the key.
    CryptoKeyVersionTemplate template =
        CryptoKeyVersionTemplate.newBuilder()
            .setAlgorithm(CryptoKeyVersionAlgorithm.RSA_DECRYPT_OAEP_2048_SHA256)
            .build();

    CryptoKey request =
        CryptoKey.newBuilder()
            .setPurpose(CryptoKeyPurpose.ASYMMETRIC_DECRYPT)
            .setVersionTemplate(template)
            .build();

    // Send the request and report the resource name the service returned.
    CryptoKey created = client.createCryptoKey(parent, id, request);
    System.out.printf("Created asymmetric key %s%n", created.getName());
  }
}
 
Example 8
Source File: Quickstart.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
/**
 * Lists the key rings in one location of a project and prints each key ring's name.
 *
 * @param projectId project to list key rings for
 * @param locationId location to list key rings in
 * @throws IOException propagated from creating the Cloud KMS client
 */
public void quickstart(String projectId, String locationId) throws IOException {
  // A client can be shared across many requests; try-with-resources closes this one so its
  // background resources are released when the call finishes.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // Parent resource: the project and location whose key rings are listed.
    LocationName location = LocationName.of(projectId, locationId);

    ListKeyRingsPagedResponse keyRings = client.listKeyRings(location);

    // iterateAll() walks every result of the paged response.
    System.out.println("key rings:");
    keyRings.iterateAll().forEach(ring -> System.out.printf("%s%n", ring.getName()));
  }
}
 
Example 9
Source File: RestoreKeyVersion.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
/**
 * Restores a key version and prints its name.
 *
 * <p>NOTE(review): restore is the counterpart of a scheduled destruction; confirm the state
 * the version ends up in before relying on it for cryptographic operations.
 *
 * @param projectId project that owns the key
 * @param locationId location of the key ring
 * @param keyRingId key ring that holds the key
 * @param keyId key the version belongs to
 * @param keyVersionId version to restore
 * @throws IOException propagated from creating the Cloud KMS client
 */
public void restoreKeyVersion(
    String projectId, String locationId, String keyRingId, String keyId, String keyVersionId)
    throws IOException {
  // A client can be shared across many requests; try-with-resources closes this one so its
  // background resources are released when the call finishes.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // Fully qualified name of the version to restore.
    CryptoKeyVersionName target =
        CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);

    // Issue the restore and report the version the service returned.
    CryptoKeyVersion restored = client.restoreCryptoKeyVersion(target);
    System.out.printf("Restored key version: %s%n", restored.getName());
  }
}
 
Example 10
Source File: GetKeyLabels.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
/**
 * Fetches a key and prints each of its labels as {@code name=value}.
 *
 * @param projectId project that owns the key
 * @param locationId location of the key ring
 * @param keyRingId key ring that holds the key
 * @param keyId key whose labels are printed
 * @throws IOException propagated from creating the Cloud KMS client
 */
public void getKeyLabels(String projectId, String locationId, String keyRingId, String keyId)
    throws IOException {
  // A client can be shared across many requests; try-with-resources closes this one so its
  // background resources are released when the call finishes.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // Fully qualified name of the key to read.
    CryptoKeyName target = CryptoKeyName.of(projectId, locationId, keyRingId, keyId);

    // Labels are part of the key resource, so one read of the key is enough.
    CryptoKey fetched = client.getCryptoKey(target);

    fetched
        .getLabelsMap()
        .forEach((label, value) -> System.out.printf("%s=%s%n", label, value));
  }
}
 
Example 11
Source File: DecryptSymmetric.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
/**
 * Decrypts a ciphertext with a symmetric Cloud KMS key and prints the plaintext.
 *
 * <p>The plaintext is written to standard output as UTF-8 text. That is convenient for a
 * sample, but in a real service the decrypted value is the secret being protected and should
 * not reach stdout or logs.
 *
 * @param projectId project that owns the key
 * @param locationId location of the key ring
 * @param keyRingId key ring that holds the key
 * @param keyId key to decrypt with
 * @param ciphertext bytes to decrypt
 * @throws IOException propagated from creating the Cloud KMS client
 */
public void decryptSymmetric(
    String projectId, String locationId, String keyRingId, String keyId, byte[] ciphertext)
    throws IOException {
  // A client can be shared across many requests; try-with-resources closes this one so its
  // background resources are released when the call finishes.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // Decrypt is addressed to the key, not to one of its versions.
    CryptoKeyName decryptionKey = CryptoKeyName.of(projectId, locationId, keyRingId, keyId);

    // Send the ciphertext to Cloud KMS for decryption.
    ByteString payload = ByteString.copyFrom(ciphertext);
    DecryptResponse decrypted = client.decrypt(decryptionKey, payload);

    System.out.printf("Plaintext: %s%n", decrypted.getPlaintext().toStringUtf8());
  }
}
 
Example 12
Source File: KMSEncryptedNestedValueProvider.java    From DataflowTemplates with Apache License 2.0 6 votes vote down vote up
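/**
 * Decrypts a Base64-encoded ciphertext with Cloud KMS and returns the plaintext as a string.
 *
 * <p>{@code kmsKey} must be the full resource name of the key, in the form
 * projects/{gcp_project}/locations/{key_region}/keyRings/{key_ring}/cryptoKeys/{kms_key_name}.
 * {@code encryptedValue} must be the Base64 encoding of a ciphertext produced by the KMS
 * encrypt API call.
 * See <a href="https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys/encrypt">
 * this KMS API Encrypt Link</a>.
 *
 * <p>The return value is the decrypted secret: callers should keep it out of logs, exception
 * messages and anything else that is persisted.
 *
 * @param encryptedValue Base64 text of the ciphertext
 * @param kmsKey full resource name of the key to decrypt with
 * @return the plaintext decoded as UTF-8
 * @throws IOException propagated from creating the Cloud KMS client
 * @throws IllegalArgumentException if {@code encryptedValue} is not valid Base64
 */
private static String decryptWithKMS(String encryptedValue, String kmsKey) throws IOException {
  // Malformed Base64 is rejected here, before a client is created or a request is sent.
  byte[] cipherText = Base64.getDecoder().decode(encryptedValue);

  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {

    // Decrypt the ciphertext with Cloud KMS.
    DecryptResponse response = client.decrypt(kmsKey, ByteString.copyFrom(cipherText));

    // Decode with a fixed charset. new String(byte[]) would use the JVM's default charset, so
    // the same ciphertext could yield different secrets on differently configured hosts.
    // Assumes the value was UTF-8 text when it was encrypted; confirm on the encrypting side.
    return response.getPlaintext().toStringUtf8();
  }
}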
 
Example 13
Source File: UpdateKeyRemoveRotation.java    From java-docs-samples with Apache License 2.0 6 votes vote down vote up
/**
 * Removes the rotation schedule from a key and prints the key's name.
 *
 * <p>The update clears {@code rotation_period} and {@code next_rotation_time}. Once they are
 * cleared nothing in this request schedules further rotations, so new versions have to be
 * created by hand.
 *
 * @param projectId project that owns the key
 * @param locationId location of the key ring
 * @param keyRingId key ring that holds the key
 * @param keyId key whose rotation schedule is removed
 * @throws IOException propagated from creating the Cloud KMS client
 */
public void updateKeyRemoveRotation(
    String projectId, String locationId, String keyRingId, String keyId) throws IOException {
  // A client can be shared across many requests; try-with-resources closes this one so its
  // background resources are released when the call finishes.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // Fully qualified name of the key to update.
    CryptoKeyName target = CryptoKeyName.of(projectId, locationId, keyRingId, keyId);

    // Only the two rotation fields are named in the mask; the rest of the key is untouched.
    FieldMask rotationFields = FieldMaskUtil.fromString("rotation_period,next_rotation_time");

    // A key message carrying just the name, with both rotation fields left unset.
    CryptoKey withoutRotation =
        CryptoKey.newBuilder()
            .setName(target.toString())
            .clearRotationPeriod()
            .clearNextRotationTime()
            .build();

    // Apply the update and report the key the service returned.
    CryptoKey updated = client.updateCryptoKey(withoutRotation, rotationFields);
    System.out.printf("Updated key %s%n", updated.getName());
  }
}
 
Example 14
Source File: SnippetsIT.java    From java-docs-samples with Apache License 2.0 5 votes vote down vote up
/**
 * Test fixture: creates a key ring in the location returned by {@code getLocationName()}.
 *
 * @param keyRingId identifier for the new key ring
 * @return the key ring as returned by the service
 * @throws IOException propagated from creating the Cloud KMS client
 */
private static KeyRing createKeyRing(String keyRingId) throws IOException {
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // An empty message: no fields are set on the key ring itself.
    KeyRing emptyRing = KeyRing.newBuilder().build();
    return client.createKeyRing(getLocationName(), keyRingId, emptyRing);
  }
}
 
Example 15
Source File: UpdateKeyAddRotation.java    From java-docs-samples with Apache License 2.0 5 votes vote down vote up
/**
 * Adds a rotation schedule to an existing key and prints the key's name.
 *
 * <p>The schedule rotates every 30 days, with the first rotation 24 hours after this call.
 * The field mask names only the two rotation fields, so the purpose and version template
 * that are also set on the message are not part of the update.
 *
 * @param projectId project that owns the key
 * @param locationId location of the key ring
 * @param keyRingId key ring that holds the key
 * @param keyId key that receives the rotation schedule
 * @throws IOException propagated from creating the Cloud KMS client
 */
public void updateKeyAddRotation(
    String projectId, String locationId, String keyRingId, String keyId) throws IOException {
  // A client can be shared across many requests; try-with-resources closes this one so its
  // background resources are released when the call finishes.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // Fully qualified name of the key to update.
    CryptoKeyName target = CryptoKeyName.of(projectId, locationId, keyRingId, keyId);

    // First rotation: 24 hours from now, as seconds since the epoch.
    long firstRotationEpochSeconds =
        java.time.Instant.now().plus(24, ChronoUnit.HOURS).getEpochSecond();

    CryptoKeyVersionTemplate template =
        CryptoKeyVersionTemplate.newBuilder()
            .setAlgorithm(CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION)
            .build();

    // Rotation interval: 30 days, expressed in seconds.
    Duration every30Days =
        Duration.newBuilder().setSeconds(java.time.Duration.ofDays(30).getSeconds()).build();
    Timestamp firstRotation =
        Timestamp.newBuilder().setSeconds(firstRotationEpochSeconds).build();

    CryptoKey withRotation =
        CryptoKey.newBuilder()
            .setName(target.toString())
            .setPurpose(CryptoKeyPurpose.ENCRYPT_DECRYPT)
            .setVersionTemplate(template)
            .setRotationPeriod(every30Days)
            .setNextRotationTime(firstRotation)
            .build();

    // Restrict the update to the rotation fields.
    FieldMask rotationFields = FieldMaskUtil.fromString("rotation_period,next_rotation_time");

    CryptoKey updated = client.updateCryptoKey(withRotation, rotationFields);
    System.out.printf("Updated key %s%n", updated.getName());
  }
}
 
Example 16
Source File: CreateKeyRotationSchedule.java    From java-docs-samples with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a symmetric encrypt/decrypt key that rotates automatically and prints its name.
 *
 * <p>The schedule rotates every 30 days, with the first rotation 24 hours after this call.
 *
 * @param projectId project that owns the key ring
 * @param locationId location of the key ring
 * @param keyRingId key ring that receives the new key
 * @param id identifier for the new key
 * @throws IOException propagated from creating the Cloud KMS client
 */
public void createKeyRotationSchedule(
    String projectId, String locationId, String keyRingId, String id) throws IOException {
  // A client can be shared across many requests; try-with-resources closes this one so its
  // background resources are released when the call finishes.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // Parent resource: the key ring the key is created in.
    KeyRingName parent = KeyRingName.of(projectId, locationId, keyRingId);

    // First rotation: 24 hours from now, as seconds since the epoch.
    long firstRotationEpochSeconds =
        java.time.Instant.now().plus(24, ChronoUnit.HOURS).getEpochSecond();

    CryptoKeyVersionTemplate template =
        CryptoKeyVersionTemplate.newBuilder()
            .setAlgorithm(CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION)
            .build();

    // Rotation interval: 30 days, expressed in seconds.
    Duration every30Days =
        Duration.newBuilder().setSeconds(java.time.Duration.ofDays(30).getSeconds()).build();
    Timestamp firstRotation =
        Timestamp.newBuilder().setSeconds(firstRotationEpochSeconds).build();

    CryptoKey request =
        CryptoKey.newBuilder()
            .setPurpose(CryptoKeyPurpose.ENCRYPT_DECRYPT)
            .setVersionTemplate(template)
            .setRotationPeriod(every30Days)
            .setNextRotationTime(firstRotation)
            .build();

    // Send the request and report the resource name the service returned.
    CryptoKey created = client.createCryptoKey(parent, id, request);
    System.out.printf("Created key with rotation schedule %s%n", created.getName());
  }
}
 
Example 17
Source File: IamGetPolicy.java    From java-docs-samples with Apache License 2.0 5 votes vote down vote up
/**
 * Prints the IAM policy attached to a key: each role, followed by the members bound to it.
 *
 * <p>Useful as a quick audit of who holds which role on the key.
 *
 * @param projectId project that owns the key
 * @param locationId location of the key ring
 * @param keyRingId key ring that holds the key
 * @param keyId key whose policy is printed
 * @throws IOException propagated from creating the Cloud KMS client
 */
public void iamGetPolicy(String projectId, String locationId, String keyRingId, String keyId)
    throws IOException {
  // A client can be shared across many requests; try-with-resources closes this one so its
  // background resources are released when the call finishes.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // The policy is read from the key itself. A key ring name could be used instead:
    // KeyRingName resourceName = KeyRingName.of(projectId, locationId, keyRingId);
    CryptoKeyName resourceName = CryptoKeyName.of(projectId, locationId, keyRingId, keyId);

    Policy current = client.getIamPolicy(resourceName);

    // One line per role, then one indented line per member of that role.
    System.out.printf("IAM policy:%n");
    for (Binding roleBinding : current.getBindingsList()) {
      System.out.printf("%s%n", roleBinding.getRole());
      roleBinding.getMembersList().forEach(principal -> System.out.printf("- %s%n", principal));
    }
  }
}
 
Example 18
Source File: UpdateKeyUpdateLabels.java    From java-docs-samples with Apache License 2.0 5 votes vote down vote up
/**
 * Adds the label {@code new_label=new_value} to a key and prints the key's name.
 *
 * <p>The key is read first so the labels it already has are kept. The field mask then limits
 * the update to the labels field.
 *
 * @param projectId project that owns the key
 * @param locationId location of the key ring
 * @param keyRingId key ring that holds the key
 * @param keyId key that receives the label
 * @throws IOException propagated from creating the Cloud KMS client
 */
public void updateKeyUpdateLabels(
    String projectId, String locationId, String keyRingId, String keyId) throws IOException {
  // A client can be shared across many requests; try-with-resources closes this one so its
  // background resources are released when the call finishes.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // Fully qualified name of the key to update.
    CryptoKeyName target = CryptoKeyName.of(projectId, locationId, keyRingId, keyId);

    // Step 1: read the key, including the labels it has now.
    CryptoKey current = client.getCryptoKey(target);

    // Step 2: copy it with one more label.
    CryptoKey relabelled = current.toBuilder().putLabels("new_label", "new_value").build();

    // Step 3: send the update, restricted to the labels field.
    FieldMask labelsOnly = FieldMaskUtil.fromString("labels");
    CryptoKey updated = client.updateCryptoKey(relabelled, labelsOnly);
    System.out.printf("Updated key %s%n", updated.getName());
  }
}
 
Example 19
Source File: IamRemoveMember.java    From java-docs-samples with Apache License 2.0 5 votes vote down vote up
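/**
 * Removes a member from the {@code roles/cloudkms.cryptoKeyEncrypterDecrypter} role in a key's
 * IAM policy and writes the policy back.
 *
 * <p>Only that one role is touched. If the member also holds other roles on the key, or
 * inherits access from the key ring or project, it keeps that access.
 *
 * @param projectId project that owns the key
 * @param locationId location of the key ring
 * @param keyRingId key ring that holds the key
 * @param keyId key whose policy is changed
 * @param member member to remove, in the form it has in the policy
 * @throws IOException propagated from creating the Cloud KMS client
 */
public void iamRemoveMember(
    String projectId, String locationId, String keyRingId, String keyId, String member)
    throws IOException {
  // Initialize client that will be used to send requests. This client only
  // needs to be created once, and can be reused for multiple requests. After
  // completing all of your requests, call the "close" method on the client to
  // safely clean up any remaining background resources.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // Build the key name from the project, location, key ring, and key.
    CryptoKeyName resourceName = CryptoKeyName.of(projectId, locationId, keyRingId, keyId);

    // The resource name could also be a key ring.
    // KeyRingName resourceName = KeyRingName.of(projectId, locationId, keyRingId);

    // Get the current policy.
    Policy policy = client.getIamPolicy(resourceName);

    // The lists on a built protobuf message are read-only, so removing from
    // binding.getMembersList() in place throws and the policy never changes. Rebuild the
    // bindings instead. toBuilder() keeps every other field of the policy as it was read.
    String roleToFind = "roles/cloudkms.cryptoKeyEncrypterDecrypter";
    Policy.Builder updatedPolicy = policy.toBuilder().clearBindings();
    for (Binding binding : policy.getBindingsList()) {
      boolean grantsMember =
          binding.getRole().equals(roleToFind) && binding.getMembersList().contains(member);
      if (!grantsMember) {
        updatedPolicy.addBindings(binding);
        continue;
      }

      // Copy the binding without the member being removed.
      Binding.Builder remaining = binding.toBuilder().clearMembers();
      for (String existing : binding.getMembersList()) {
        if (!existing.equals(member)) {
          remaining.addMembers(existing);
        }
      }

      // A binding left with no members grants nothing, so it is dropped.
      if (remaining.getMembersCount() > 0) {
        updatedPolicy.addBindings(remaining.build());
      }
    }

    client.setIamPolicy(resourceName, updatedPolicy.build());
    System.out.printf("Updated IAM policy for %s%n", resourceName.toString());
  }
}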
 
Example 20
Source File: EncryptAsymmetric.java    From java-docs-samples with Apache License 2.0 5 votes vote down vote up
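/**
 * Encrypts {@code plaintext} locally with the RSA public key of a Cloud KMS key version and
 * prints the ciphertext as Base64.
 *
 * <p>The cipher parameters match a key version created with
 * {@code RSA_DECRYPT_OAEP_2048_SHA256}. RSA-OAEP only fits short inputs (at most 190 bytes for
 * a 2048-bit key with SHA-256); longer input makes {@code doFinal} throw.
 *
 * @param projectId project that owns the key
 * @param locationId location of the key ring
 * @param keyRingId key ring that holds the key
 * @param keyId key the version belongs to
 * @param keyVersionId version whose public key is used
 * @param plaintext text to encrypt; it is encoded as UTF-8 first
 * @throws IOException propagated from creating the Cloud KMS client
 * @throws GeneralSecurityException if the public key cannot be parsed or the encryption fails
 */
public void encryptAsymmetric(
    String projectId,
    String locationId,
    String keyRingId,
    String keyId,
    String keyVersionId,
    String plaintext)
    throws IOException, GeneralSecurityException {
  // Initialize client that will be used to send requests. This client only
  // needs to be created once, and can be reused for multiple requests. After
  // completing all of your requests, call the "close" method on the client to
  // safely clean up any remaining background resources.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // Build the key version name from the project, location, key ring, key,
    // and key version.
    CryptoKeyVersionName keyVersionName =
        CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);

    // Get the public key.
    PublicKey publicKey = client.getPublicKey(keyVersionName);

    // NOTE(review): the PEM is used exactly as returned. Nothing here checks that the key
    // version's algorithm is the RSA-OAEP one assumed below, or that the response arrived
    // intact. Consider checking both before encrypting real data.

    // Convert the public PEM key to a DER key (see helper below).
    byte[] derKey = convertPemToDer(publicKey.getPem());
    X509EncodedKeySpec keySpec = new X509EncodedKeySpec(derKey);
    java.security.PublicKey rsaKey = KeyFactory.getInstance("RSA").generatePublic(keySpec);

    // Encrypt plaintext for the 'RSA_DECRYPT_OAEP_2048_SHA256' key.
    // For other key algorithms:
    // https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html
    // SHA-256 is set for both the OAEP digest and MGF1 explicitly, rather than relying on
    // what the provider picks for the transformation string.
    Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
    OAEPParameterSpec oaepParams =
        new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
    cipher.init(Cipher.ENCRYPT_MODE, rsaKey, oaepParams);
    byte[] ciphertext = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));

    // A byte[] formatted with %s prints the array's identity, not its contents, so the
    // ciphertext is Base64-encoded to make the output usable.
    System.out.printf(
        "Ciphertext: %s%n", java.util.Base64.getEncoder().encodeToString(ciphertext));
  }
}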