コード例 #1
    /// <summary>
    /// Creates a symmetric encrypt/decrypt Cloud KMS key that carries two labels.
    /// </summary>
    /// <param name="projectId">Project that owns the key ring.</param>
    /// <param name="locationId">Location of the key ring.</param>
    /// <param name="keyRingId">Id of the key ring the key is created in.</param>
    /// <param name="id">Id to give the new key.</param>
    /// <returns>The <c>CryptoKey</c> returned by the CreateCryptoKey call.</returns>
    // NOTE(review): the default id says "asymmetric-encrypt" although the key built
    // below is symmetric (EncryptDecrypt / GoogleSymmetricEncryption). The id is only
    // a name, but a misleading one makes key inventories harder to audit.
    public CryptoKey CreateKeyLabels(
        string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
        string id        = "my-asymmetric-encrypt-key")
    {
        // A new client is built on every call.
        var kmsClient = KeyManagementServiceClient.Create();

        // Key ring that will hold the new key.
        var parent = new KeyRingName(projectId, locationId, keyRingId);

        // Key definition. The labels are metadata on the key resource, so keep
        // sensitive values out of them.
        var labelledKey = new CryptoKey
        {
            Purpose         = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
            VersionTemplate = new CryptoKeyVersionTemplate
            {
                Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.GoogleSymmetricEncryption,
            },
        };
        labelledKey.Labels["team"]        = "alpha";
        labelledKey.Labels["cost_center"] = "cc1234";

        // Send the create request and return what the service reports.
        return kmsClient.CreateCryptoKey(parent, id, labelledKey);
    }
コード例 #2
    /// <summary>
    /// Creates an asymmetric signing key (RSA 2048, PKCS#1 v1.5 padding, SHA-256)
    /// whose versions stay in the scheduled-for-destruction state for 24 hours.
    /// </summary>
    /// <param name="projectId">Project that owns the key ring.</param>
    /// <param name="locationId">Location of the key ring.</param>
    /// <param name="keyRingId">Id of the key ring the key is created in.</param>
    /// <param name="id">Id to give the new key.</param>
    /// <returns>The <c>CryptoKey</c> returned by the CreateCryptoKey call.</returns>
    public CryptoKey CreateKeyAsymmetricSign(
        string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
        string id        = "my-asymmetric-signing-key")
    {
        const long OneDayInSeconds = 24 * 60 * 60;

        // A new client is built on every call.
        var kmsClient = KeyManagementServiceClient.Create();

        // Key ring that will hold the new key.
        var parent = new KeyRingName(projectId, locationId, keyRingId);

        var signingKey = new CryptoKey
        {
            Purpose         = CryptoKey.Types.CryptoKeyPurpose.AsymmetricSign,
            VersionTemplate = new CryptoKeyVersionTemplate
            {
                Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.RsaSignPkcs12048Sha256,
            },

            // Optional. This is the delay between a destroy request and the actual
            // destruction of a key version. A short delay leaves little time to
            // notice and undo an accidental or unauthorized destroy request.
            DestroyScheduledDuration = new Duration
            {
                Seconds = OneDayInSeconds,
            },
        };

        // Send the create request and return what the service reports.
        return kmsClient.CreateCryptoKey(parent, id, signingKey);
    }
コード例 #3
    /// <summary>
    /// Creates a symmetric encrypt/decrypt key with the HSM protection level and a
    /// 24-hour scheduled-destruction delay for its versions.
    /// </summary>
    /// <param name="projectId">Project that owns the key ring.</param>
    /// <param name="locationId">Location of the key ring.</param>
    /// <param name="keyRingId">Id of the key ring the key is created in.</param>
    /// <param name="id">Id to give the new key.</param>
    /// <returns>The <c>CryptoKey</c> returned by the CreateCryptoKey call.</returns>
    public CryptoKey CreateKeyHsm(
        string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
        string id        = "my-hsm-encryption-key")
    {
        const long OneDayInSeconds = 24 * 60 * 60;

        // A new client is built on every call.
        var kmsClient = KeyManagementServiceClient.Create();

        // Key ring that will hold the new key.
        var parent = new KeyRingName(projectId, locationId, keyRingId);

        var hsmKey = new CryptoKey
        {
            Purpose         = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
            VersionTemplate = new CryptoKeyVersionTemplate
            {
                // The protection level is set on the version template, so it
                // applies to the versions created from it.
                ProtectionLevel = ProtectionLevel.Hsm,
                Algorithm       = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.GoogleSymmetricEncryption,
            },

            // Optional. This is the delay between a destroy request and the actual
            // destruction of a key version. A short delay leaves little time to
            // notice and undo an accidental or unauthorized destroy request.
            DestroyScheduledDuration = new Duration
            {
                Seconds = OneDayInSeconds,
            },
        };

        // Send the create request and return what the service reports.
        return kmsClient.CreateCryptoKey(parent, id, hsmKey);
    }
コード例 #4
        /// <summary>
        /// Returns the data protector for <paramref name="purpose"/>. The first time a
        /// purpose is seen, a KMS key is created for it (unless one already exists).
        /// </summary>
        /// <param name="purpose">
        /// Purpose string. It is the cache key and, after <c>EscapeKeyId</c>, the id
        /// of the KMS key.
        /// </param>
        /// <returns>The cached protector, or a newly built one.</returns>
        // NOTE(review): keys are created lazily here, so the identity behind _kms needs
        // permission to create keys at runtime, not only to use them. Confirm that this
        // is intended and that the set of purpose strings is bounded.
        IDataProtector IDataProtectionProvider.CreateProtector(string purpose)
        {
            IDataProtector existing;

            // Fast path: a protector for this purpose was already built.
            if (_dataProtectorCache.TryGetValue(purpose, out existing))
            {
                return existing;
            }

            // Key definition: symmetric encrypt/decrypt, rotated every 7 days, with
            // the first rotation due 7 days from now.
            var keySpec = new CryptoKey()
            {
                Purpose          = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
                NextRotationTime = Timestamp.FromDateTime(DateTime.UtcNow.AddDays(7)),
                RotationPeriod   = Duration.FromTimeSpan(TimeSpan.FromDays(7))
            };

            // The key id comes from the purpose string; EscapeKeyId is defined elsewhere.
            var keyName = new CryptoKeyName(
                _googleProjectId, _keyRingLocation, _keyRingId, EscapeKeyId(purpose));

            try
            {
                _kms.CreateCryptoKey(_keyRingName, keyName.CryptoKeyId, keySpec);
            }
            catch (Grpc.Core.RpcException e) when (e.StatusCode == StatusCode.AlreadyExists)
            {
                // The key was created earlier. Every other RPC failure propagates.
            }

            // Sub-purposes map to their own keys, named "<purpose>.<innerPurpose>".
            var protector = new KmsDataProtector(
                _kms,
                keyName,
                (string innerPurpose) => this.CreateProtector($"{purpose}.{innerPurpose}"));

            // The TryAdd result is ignored. If another caller cached this purpose in
            // the meantime, this call still returns its own instance.
            _dataProtectorCache.TryAdd(purpose, protector);
            return protector;
        }
コード例 #5
    /// <summary>
    /// Creates a symmetric encrypt/decrypt key with the HSM protection level.
    /// </summary>
    /// <param name="projectId">Project that owns the key ring.</param>
    /// <param name="locationId">Location of the key ring.</param>
    /// <param name="keyRingId">Id of the key ring the key is created in.</param>
    /// <param name="id">Id to give the new key.</param>
    /// <returns>The <c>CryptoKey</c> returned by the CreateCryptoKey call.</returns>
    public CryptoKey CreateKeyHsm(
        string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
        string id        = "my-hsm-encryption-key")
    {
        // A new client is built on every call.
        var kmsClient = KeyManagementServiceClient.Create();

        // Key ring that will hold the new key.
        var parent = new KeyRingName(projectId, locationId, keyRingId);

        // The protection level is set on the version template, so it applies to
        // the versions created from it.
        var versionTemplate = new CryptoKeyVersionTemplate
        {
            ProtectionLevel = ProtectionLevel.Hsm,
            Algorithm       = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.GoogleSymmetricEncryption,
        };

        var hsmKey = new CryptoKey
        {
            Purpose         = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
            VersionTemplate = versionTemplate,
        };

        // Send the create request and return what the service reports.
        return kmsClient.CreateCryptoKey(parent, id, hsmKey);
    }
コード例 #6
    /// <summary>
    /// Creates an asymmetric decryption key (RSA 2048, OAEP padding, SHA-256).
    /// </summary>
    /// <param name="projectId">Project that owns the key ring.</param>
    /// <param name="locationId">Location of the key ring.</param>
    /// <param name="keyRingId">Id of the key ring the key is created in.</param>
    /// <param name="id">Id to give the new key.</param>
    /// <returns>The <c>CryptoKey</c> returned by the CreateCryptoKey call.</returns>
    public CryptoKey CreateKeyAsymmetricDecrypt(
        string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
        string id        = "my-asymmetric-encrypt-key")
    {
        // A new client is built on every call.
        var kmsClient = KeyManagementServiceClient.Create();

        // Key ring that will hold the new key.
        var parent = new KeyRingName(projectId, locationId, keyRingId);

        // No protection level is set on the template in this sample.
        var versionTemplate = new CryptoKeyVersionTemplate
        {
            Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.RsaDecryptOaep2048Sha256,
        };

        var decryptKey = new CryptoKey
        {
            Purpose         = CryptoKey.Types.CryptoKeyPurpose.AsymmetricDecrypt,
            VersionTemplate = versionTemplate,
        };

        // Send the create request and return what the service reports.
        return kmsClient.CreateCryptoKey(parent, id, decryptKey);
    }
コード例 #7
        // [END kms_get_cryptokey]

        // [START kms_create_cryptokey]
        /// <summary>
        /// Creates an encrypt/decrypt key in the given key ring and writes the
        /// resource name of the created key to the console.
        /// </summary>
        /// <param name="projectId">Project that owns the key ring.</param>
        /// <param name="locationId">Location of the key ring.</param>
        /// <param name="keyRingId">Id of the key ring the key is created in.</param>
        /// <param name="cryptoKeyId">Id to give the new key.</param>
        public static void CreateCryptoKey(string projectId, string locationId, string keyRingId, string cryptoKeyId)
        {
            var kmsClient = KeyManagementServiceClient.Create();

            // Key ring that will hold the new key.
            var parent = new KeyRingName(projectId, locationId, keyRingId);

            // Only the purpose is set. The algorithm, protection level and rotation
            // are left unset in this request.
            var keySpec = new CryptoKey
            {
                Purpose = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
            };

            CryptoKey result = kmsClient.CreateCryptoKey(parent, cryptoKeyId, keySpec);

            // Written without a trailing newline.
            Console.Write($"Created Crypto Key: {result.Name}");
        }
コード例 #8
    /// <summary>
    /// Creates a symmetric encrypt/decrypt key that rotates every 30 days, with the
    /// first rotation scheduled 24 hours after this call.
    /// </summary>
    /// <param name="projectId">Project that owns the key ring.</param>
    /// <param name="locationId">Location of the key ring.</param>
    /// <param name="keyRingId">Id of the key ring the key is created in.</param>
    /// <param name="id">Id to give the new key.</param>
    /// <returns>The <c>CryptoKey</c> returned by the CreateCryptoKey call.</returns>
    public CryptoKey CreateKeyRotationSchedule(
        string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
        string id        = "my-key-with-rotation-schedule")
    {
        const long ThirtyDaysInSeconds = 60 * 60 * 24 * 30;

        // A new client is built on every call.
        var kmsClient = KeyManagementServiceClient.Create();

        // Key ring that will hold the new key.
        var parent = new KeyRingName(projectId, locationId, keyRingId);

        // The first rotation is due 24 hours from now (UTC), at whole-second precision.
        long firstRotationUnixSeconds =
            new DateTimeOffset(DateTime.UtcNow.AddHours(24)).ToUnixTimeSeconds();

        var rotatingKey = new CryptoKey
        {
            Purpose         = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
            VersionTemplate = new CryptoKeyVersionTemplate
            {
                Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.GoogleSymmetricEncryption,
            },

            // Interval between rotations.
            RotationPeriod = new Duration
            {
                Seconds = ThirtyDaysInSeconds,
            },

            // Time of the first rotation.
            NextRotationTime = new Timestamp
            {
                Seconds = firstRotationUnixSeconds,
            },
        };

        // Send the create request and return what the service reports.
        return kmsClient.CreateCryptoKey(parent, id, rotatingKey);
    }
コード例 #9
    /// <summary>
    /// Creates a labelled symmetric encrypt/decrypt key in the key ring named by the
    /// <c>KeyRingName</c> member of the enclosing class.
    /// </summary>
    /// <param name="keyId">Id to give the new key.</param>
    /// <returns>The <c>CryptoKey</c> returned by the CreateCryptoKey call.</returns>
    public CryptoKey CreateSymmetricKey(string keyId)
    {
        var kmsClient = KeyManagementServiceClient.Create();

        // Key definition. No protection level is set on the template here.
        var keySpec = new CryptoKey
        {
            Purpose         = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
            VersionTemplate = new CryptoKeyVersionTemplate
            {
                Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.GoogleSymmetricEncryption,
            },
        };

        // Placeholder labels.
        keySpec.Labels["foo"] = "bar";
        keySpec.Labels["zip"] = "zap";

        var createRequest = new CreateCryptoKeyRequest
        {
            ParentAsKeyRingName = KeyRingName,
            CryptoKeyId         = keyId,
            CryptoKey           = keySpec,
        };

        return kmsClient.CreateCryptoKey(createRequest);
    }
コード例 #10
    /// <summary>
    /// Creates a labelled asymmetric signing key (RSA 2048, PSS padding, SHA-256) in
    /// the key ring named by the <c>KeyRingName</c> member of the enclosing class.
    /// </summary>
    /// <param name="keyId">Id to give the new key.</param>
    /// <returns>The <c>CryptoKey</c> returned by the CreateCryptoKey call.</returns>
    public CryptoKey CreateAsymmetricSignRsaKey(string keyId)
    {
        var kmsClient = KeyManagementServiceClient.Create();

        // Key definition. No protection level is set on the template here.
        var keySpec = new CryptoKey
        {
            Purpose         = CryptoKey.Types.CryptoKeyPurpose.AsymmetricSign,
            VersionTemplate = new CryptoKeyVersionTemplate
            {
                Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.RsaSignPss2048Sha256,
            },
        };

        // Placeholder labels.
        keySpec.Labels["foo"] = "bar";
        keySpec.Labels["zip"] = "zap";

        var createRequest = new CreateCryptoKeyRequest
        {
            ParentAsKeyRingName = KeyRingName,
            CryptoKeyId         = keyId,
            CryptoKey           = keySpec,
        };

        return kmsClient.CreateCryptoKey(createRequest);
    }
コード例 #11
    /// <summary>
    /// Creates a labelled HMAC-SHA256 MAC key with the HSM protection level in the
    /// key ring named by the <c>KeyRingName</c> member of the enclosing class.
    /// </summary>
    /// <param name="keyId">Id to give the new key.</param>
    /// <returns>The <c>CryptoKey</c> returned by the CreateCryptoKey call.</returns>
    public CryptoKey CreateMacKey(string keyId)
    {
        var kmsClient = KeyManagementServiceClient.Create();

        // Key definition: a MAC key whose version template asks for HSM protection.
        var keySpec = new CryptoKey
        {
            Purpose         = CryptoKey.Types.CryptoKeyPurpose.Mac,
            VersionTemplate = new CryptoKeyVersionTemplate
            {
                Algorithm       = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.HmacSha256,
                ProtectionLevel = ProtectionLevel.Hsm,
            },
        };

        // Placeholder labels.
        keySpec.Labels["foo"] = "bar";
        keySpec.Labels["zip"] = "zap";

        var createRequest = new CreateCryptoKeyRequest
        {
            ParentAsKeyRingName = KeyRingName,
            CryptoKeyId         = keyId,
            CryptoKey           = keySpec,
        };

        return kmsClient.CreateCryptoKey(createRequest);
    }