
I need to set ProtectionLevel to HSM on a key ring, both when creating it and for key rings that already exist.

I am trying to set this option the same way as any other option:

CreateKeyRingRequest.newBuilder().//I see nothing to set ProtectionLevel here.

How do I do this with this API?


1 Answer


The HSM ProtectionLevel is not specified at the key ring level.

When creating a key ring (that is, one that will hold HSM keys), the only thing you need to consider is the regions that support the HSM ProtectionLevel.

For key ring creation you only need a parent (location), a keyring_id (name) and a KeyRing object; the documentation provides the following Java example:

/**
 * Creates a new key ring with the given id.
 */
public static KeyRing createKeyRing(String projectId, String locationId, String keyRingId)
    throws IOException {
  // Create the Cloud KMS client.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {

    // The resource name of the location associated with the KeyRing.
    String parent = LocationName.format(projectId, locationId);

    // Create the KeyRing for your project.
    KeyRing keyRing = client.createKeyRing(parent, keyRingId, KeyRing.newBuilder().build());

    return keyRing;
  }
}

Then you go on to create your KMS key. To add the HSM protection level, you need to create a CryptoKeyVersionTemplate and set that template on the CryptoKey builder. This is sample code I have tried and confirmed works:

  /**
   * Creates a new crypto key with the given id.
   */
  public static CryptoKey createCryptoKey(String projectId, String locationId, String keyRingId,
      String cryptoKeyId)
      throws IOException {

    // Create the Cloud KMS client.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // The resource name of the location associated with the KeyRing.
      String parent = KeyRingName.format(projectId, locationId, keyRingId);
      ProtectionLevel protectionLevel = ProtectionLevel.HSM;

      // creating the template with the right protection level
      CryptoKeyVersionTemplate template = CryptoKeyVersionTemplate.newBuilder()
            .setProtectionLevel(protectionLevel)
            .build();

      // This will allow the API access to the key for encryption and decryption and also the HSM PL.
      CryptoKey cryptoKey = CryptoKey.newBuilder()
          .setPurpose(CryptoKeyPurpose.ENCRYPT_DECRYPT)
          .setVersionTemplate(template)
          .build();

      // Create the CryptoKey for your project.
      CryptoKey createdKey = client.createCryptoKey(parent, cryptoKeyId, cryptoKey);

      return createdKey;
    }
  }

The dependencies you will need:

import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose;
import com.google.cloud.kms.v1.ProtectionLevel;
import com.google.cloud.kms.v1.CryptoKeyName;
import com.google.cloud.kms.v1.CryptoKeyVersionTemplate;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRing;
import com.google.cloud.kms.v1.KeyRingName;
import com.google.cloud.kms.v1.LocationName;
import java.io.IOException;
answered 2019-11-12T11:38:37.757
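Because the protection level lives on the CryptoKey's version template and on each CryptoKeyVersion rather than on the key ring, the "existing key ring" half of the question becomes an audit of the keys inside the ring. The following is an added example, not code from the answer above or from Google's documentation; it assumes the same com.google.cloud.kms.v1 client library and uses placeholder project, location and key ring identifiers. It lists every key in a ring and reports those whose version template (governing future versions) or primary version (used by encrypt calls today) is not HSM-backed, since changing a template does not retroactively move already-created versions to an HSM.

```java
import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKeyVersion;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRingName;
import com.google.cloud.kms.v1.ProtectionLevel;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

public class HsmKeyRingAudit {

  /**
   * Returns the resource names of keys in the key ring whose version template
   * or whose primary version is not HSM-backed. An empty list means every key
   * in the ring both is and will stay HSM-protected.
   */
  public static List<String> findNonHsmKeys(
      String projectId, String locationId, String keyRingId) throws IOException {
    List<String> offenders = new ArrayList<>();
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Same parent format as the answer's createCryptoKey example.
      String parent = KeyRingName.format(projectId, locationId, keyRingId);
      for (CryptoKey key : client.listCryptoKeys(parent).iterateAll()) {
        // The template decides the protection level of versions created from now on.
        boolean templateHsm =
            key.getVersionTemplate().getProtectionLevel() == ProtectionLevel.HSM;
        // The primary version is what encrypt() uses today; it may predate a template change.
        boolean primaryHsm = true;
        if (key.hasPrimary()) {
          CryptoKeyVersion primary = key.getPrimary();
          primaryHsm = primary.getProtectionLevel() == ProtectionLevel.HSM;
        }
        if (!templateHsm || !primaryHsm) {
          offenders.add(key.getName());
        }
      }
    }
    return offenders;
  }

  public static void main(String[] args) throws IOException {
    // Placeholder identifiers (assumed); replace with your own project, location and key ring.
    List<String> nonHsm = findNonHsmKeys("my-project", "us-east1", "my-key-ring");
    if (nonHsm.isEmpty()) {
      System.out.println("All keys in the ring are HSM-backed.");
    } else {
      nonHsm.forEach(name -> System.out.println("Not HSM-backed: " + name));
    }
  }
}
```

A key flagged only on its primary version can be brought in line by creating a new version under the HSM template and promoting it to primary; the older software-backed versions remain as they are until they are disabled or destroyed.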