public CryptoKey CreateKeyLabels(
string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
string id = "my-asymmetric-encrypt-key")
{
// Create the client.
KeyManagementServiceClient client = KeyManagementServiceClient.Create();
// Build the parent key ring name.
KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);
// Build the key.
CryptoKey key = new CryptoKey
{
Purpose = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
VersionTemplate = new CryptoKeyVersionTemplate
{
Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.GoogleSymmetricEncryption,
}
};
key.Labels["team"] = "alpha";
key.Labels["cost_center"] = "cc1234";
// Call the API.
CryptoKey result = client.CreateCryptoKey(keyRingName, id, key);
// Return the result.
return(result);
}
public CryptoKey CreateKeyAsymmetricSign(
string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
string id = "my-asymmetric-signing-key")
{
// Create the client.
KeyManagementServiceClient client = KeyManagementServiceClient.Create();
// Build the parent key ring name.
KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);
// Build the key.
CryptoKey key = new CryptoKey
{
Purpose = CryptoKey.Types.CryptoKeyPurpose.AsymmetricSign,
VersionTemplate = new CryptoKeyVersionTemplate
{
Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.RsaSignPkcs12048Sha256,
},
// Optional: customize how long key versions should be kept before destroying.
DestroyScheduledDuration = new Duration
{
Seconds = 24 * 60 * 60,
}
};
// Call the API.
CryptoKey result = client.CreateCryptoKey(keyRingName, id, key);
// Return the result.
return(result);
}
// [END kms_get_keyring_policy]
// [START kms_add_member_to_keyring_policy]
public static void AddMemberToKeyRingPolicy(string projectId, string locationId,
string keyRingId, string role, string member)
{
KeyManagementServiceClient client = KeyManagementServiceClient.Create();
KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);
Policy policy = client.GetIamPolicy(KeyNameOneof.From(keyRingName));
policy.Bindings.Add(new Binding
{
Role = role,
Members = { member }
});
Policy updateResult = client.SetIamPolicy(KeyNameOneof.From(keyRingName), policy);
foreach (Binding bindingResult in updateResult.Bindings)
{
Console.WriteLine($"Role: {bindingResult.Role}");
foreach (string memberResult in bindingResult.Members)
{
Console.WriteLine($" Member: {memberResult}");
}
}
}
public CryptoKey CreateKeyHsm(
string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
string id = "my-hsm-encryption-key")
{
// Create the client.
KeyManagementServiceClient client = KeyManagementServiceClient.Create();
// Build the parent key ring name.
KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);
// Build the key.
CryptoKey key = new CryptoKey
{
Purpose = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
VersionTemplate = new CryptoKeyVersionTemplate
{
ProtectionLevel = ProtectionLevel.Hsm,
Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.GoogleSymmetricEncryption,
},
// Optional: customize how long key versions should be kept before destroying.
DestroyScheduledDuration = new Duration
{
Seconds = 24 * 60 * 60,
}
};
// Call the API.
CryptoKey result = client.CreateCryptoKey(keyRingName, id, key);
// Return the result.
return(result);
}
public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
{
var safeId = KeyIdCreator.Create(serviceAccountId);
var keyring = new KeyRingName(mProjectName, mKeyringLocation, mKeyringName);
var cryptoKeyName =
new CryptoKeyName(mProjectName, mKeyringLocation, mKeyringName, safeId);
try
{
await mKmsService.GetCryptoKeyAsync(cryptoKeyName);
} catch (RpcException e) when(e.StatusCode == StatusCode.NotFound && createKeyIfMissing)
{
var key = new CryptoKey
{
Purpose = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
VersionTemplate = new CryptoKeyVersionTemplate
{
ProtectionLevel = ProtectionLevel.Software
}
};
if (mRotationPeriod.HasValue)
{
key.NextRotationTime = (DateTime.UtcNow + mRotationPeriod.Value).ToTimestamp();
key.RotationPeriod = Duration.FromTimeSpan(mRotationPeriod.Value);
}
var request = await mKmsService.CreateCryptoKeyAsync(keyring, safeId, key);
}
var cryptoKeyPathName = new CryptoKeyPathName(mProjectName, mKeyringLocation, mKeyringName, safeId);
var encryted = await mKmsService.EncryptAsync(cryptoKeyPathName, ByteString.FromBase64(data));
return(encryted.Ciphertext.ToBase64());
}
public KmsDataProtectionProvider(
string googleProjectId,
string keyRingLocation,
string keyRingId)
{
_googleProjectId = googleProjectId ??
throw new ArgumentNullException(nameof(googleProjectId));
_keyRingLocation = keyRingLocation ??
throw new ArgumentNullException(nameof(keyRingLocation));
_keyRingId = keyRingId ??
throw new ArgumentNullException(nameof(keyRingId));
_kms = KeyManagementServiceClient.Create();
_keyRingName = new KeyRingName(_googleProjectId,
_keyRingLocation, _keyRingId);
try
{
// Create the key ring.
_kms.CreateKeyRing(
new LocationName(_googleProjectId, _keyRingLocation),
_keyRingId, new KeyRing());
}
catch (Grpc.Core.RpcException e)
when(e.StatusCode == StatusCode.AlreadyExists)
{
// Already exists. Ok.
}
}
public CryptoKey CreateKeyHsm(
string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
string id = "my-hsm-encryption-key")
{
// Create the client.
KeyManagementServiceClient client = KeyManagementServiceClient.Create();
// Build the parent key ring name.
KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);
// Build the key.
CryptoKey key = new CryptoKey
{
Purpose = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
VersionTemplate = new CryptoKeyVersionTemplate
{
ProtectionLevel = ProtectionLevel.Hsm,
Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.GoogleSymmetricEncryption,
}
};
// Call the API.
CryptoKey result = client.CreateCryptoKey(keyRingName, id, key);
// Return the result.
return(result);
}
public CryptoKey CreateKeyAsymmetricDecrypt(
string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
string id = "my-asymmetric-encrypt-key")
{
// Create the client.
KeyManagementServiceClient client = KeyManagementServiceClient.Create();
// Build the parent key ring name.
KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);
// Build the key.
CryptoKey key = new CryptoKey
{
Purpose = CryptoKey.Types.CryptoKeyPurpose.AsymmetricDecrypt,
VersionTemplate = new CryptoKeyVersionTemplate
{
Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.RsaDecryptOaep2048Sha256,
}
};
// Call the API.
CryptoKey result = client.CreateCryptoKey(keyRingName, id, key);
// Return the result.
return(result);
}
// [END kms_create_keyring]
// [START kms_get_keyring]
public static void GetKeyRing(string projectId, string locationId, string keyRingId)
{
KeyManagementServiceClient client = KeyManagementServiceClient.Create();
KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);
KeyRing result = client.GetKeyRing(keyRingName);
Console.WriteLine($"Found KeyRing: {result.Name}");
Console.WriteLine($" Created on: {result.CreateTime}");
}
// [END kms_get_cryptokey]
// [START kms_create_cryptokey]
public static void CreateCryptoKey(string projectId, string locationId, string keyRingId, string cryptoKeyId)
{
KeyManagementServiceClient client = KeyManagementServiceClient.Create();
// The KeyRing in which to create the CryptoKey.
KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);
CryptoKey cryptoKeyToCreate = new CryptoKey();
cryptoKeyToCreate.Purpose = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt;
CryptoKey result = client.CreateCryptoKey(keyRingName, cryptoKeyId, cryptoKeyToCreate);
Console.Write($"Created Crypto Key: {result.Name}");
}
// [END kms_remove_member_from_cryptokey_policy]
// [START kms_get_keyring_policy]
public static void GetKeyRingIamPolicy(string projectId, string locationId, string keyRingId)
{
KeyManagementServiceClient client = KeyManagementServiceClient.Create();
KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);
Policy result = client.GetIamPolicy(KeyNameOneof.From(keyRingName));
foreach (Binding binding in result.Bindings)
{
Console.WriteLine($"Role: {binding.Role}");
foreach (String member in binding.Members)
{
Console.WriteLine($" Member: {member}");
}
}
}
// [END kms_list_keyrings]
// [START kms_list_cryptokeys]
public static void ListCryptoKeys(string projectId, string locationId, string keyRingId)
{
KeyManagementServiceClient client = KeyManagementServiceClient.Create();
// Generate the full path of the parent to use for listing crypto keys.
KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);
foreach (CryptoKey result in client.ListCryptoKeys(keyRingName))
{
Console.WriteLine(result.Name);
Console.WriteLine($" Created: {result.CreateTime}");
Console.WriteLine($" Purpose: {result.Purpose}");
Console.WriteLine($" Primary: {result.Primary}");
Console.WriteLine($" State: {result.Primary.State}");
Console.WriteLine($" Created: {result.Primary.CreateTime}");
}
}
public KmsFixture()
{
ProjectId = Environment.GetEnvironmentVariable("GOOGLE_PROJECT_ID");
if (string.IsNullOrEmpty(ProjectId))
{
throw new Exception("missing GOOGLE_PROJECT_ID");
}
ProjectName = new ProjectName(ProjectId);
LocationId = "us-east1";
LocationName = new LocationName(ProjectId, LocationId);
KeyRingId = RandomId();
KeyRingName = new KeyRingName(ProjectId, LocationId, KeyRingId);
CreateKeyRing(KeyRingId);
AsymmetricDecryptKeyId = RandomId();
AsymmetricDecryptKeyName = new CryptoKeyName(ProjectId, LocationId, KeyRingId, AsymmetricDecryptKeyId);
CreateAsymmetricDecryptKey(AsymmetricDecryptKeyId);
AsymmetricSignEcKeyId = RandomId();
AsymmetricSignEcKeyName = new CryptoKeyName(ProjectId, LocationId, KeyRingId, AsymmetricSignEcKeyId);
CreateAsymmetricSignEcKey(AsymmetricSignEcKeyId);
AsymmetricSignRsaKeyId = RandomId();
AsymmetricSignRsaKeyName = new CryptoKeyName(ProjectId, LocationId, KeyRingId, AsymmetricSignRsaKeyId);
CreateAsymmetricSignRsaKey(AsymmetricSignRsaKeyId);
HsmKeyId = RandomId();
HsmKeyName = new CryptoKeyName(ProjectId, LocationId, KeyRingId, HsmKeyId);
CreateHsmKey(HsmKeyId);
MacKeyId = RandomId();
MacKeyName = new CryptoKeyName(ProjectId, LocationId, KeyRingId, MacKeyId);
CreateMacKey(MacKeyId);
SymmetricKeyId = RandomId();
SymmetricKeyName = new CryptoKeyName(ProjectId, LocationId, KeyRingId, SymmetricKeyId);
CreateSymmetricKey(SymmetricKeyId);
}
private async Task InitializeEncryptionKeys()
{
var client = await KeyManagementServiceClient.CreateAsync();
var keyRingName = KeyRingName.FromProjectLocationKeyRing(KmsKeyName.ProjectId, KmsKeyName.LocationId, KmsKeyName.KeyRingId);
try
{
await client.GetKeyRingAsync(keyRingName);
}
catch (RpcException e) when(e.StatusCode == StatusCode.NotFound)
{
await client.CreateKeyRingAsync(new CreateKeyRingRequest
{
ParentAsLocationName = LocationName.FromProjectLocation(keyRingName.ProjectId, keyRingName.LocationId),
KeyRingId = KmsKeyName.KeyRingId,
KeyRing = new KeyRing(),
});
}
var keyName = Google.Cloud.Kms.V1.CryptoKeyName.FromProjectLocationKeyRingCryptoKey(KmsKeyName.ProjectId, KmsKeyName.LocationId, KmsKeyName.KeyRingId, KmsKeyName.CryptoKeyId);
try
{
await client.GetCryptoKeyAsync(keyName);
}
catch (RpcException e) when(e.StatusCode == StatusCode.NotFound)
{
await client.CreateCryptoKeyAsync(new CreateCryptoKeyRequest
{
ParentAsKeyRingName = keyRingName,
CryptoKeyId = keyName.CryptoKeyId,
CryptoKey = new CryptoKey
{
Purpose = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
},
});
}
}
public CryptoKey CreateKeyRotationSchedule(
string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
string id = "my-key-with-rotation-schedule")
{
// Create the client.
KeyManagementServiceClient client = KeyManagementServiceClient.Create();
// Build the parent key ring name.
KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);
// Build the key.
CryptoKey key = new CryptoKey
{
Purpose = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
VersionTemplate = new CryptoKeyVersionTemplate
{
Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.GoogleSymmetricEncryption,
},
// Rotate the key every 30 days.
RotationPeriod = new Duration
{
Seconds = 60 * 60 * 24 * 30, // 30 days
},
// Start the first rotation in 24 hours.
NextRotationTime = new Timestamp
{
Seconds = new DateTimeOffset(DateTime.UtcNow.AddHours(24)).ToUnixTimeSeconds(),
}
};
// Call the API.
CryptoKey result = client.CreateCryptoKey(keyRingName, id, key);
// Return the result.
return(result);
}
