GoogleKMS Component
Properties Methods Events Configuration Settings Errors
The GoogleKMS component provides an easy-to-use interface for the Google Cloud Key Management Service.
Syntax
TickGoogleKMS
Remarks
The GoogleKMS component makes it easy to work with the Google Cloud Key Management Service (KMS) in a secure manner using TLS. Google KMS allows you to create and manage key rings that contain symmetric and asymmetric keys. Each key has one or more versions which can be used for cryptographic operations.
To begin, register for a Google Cloud account. Set the GoogleProjectId property to your full Google Cloud project Id, and set the Location property to the Google Cloud location you'd like to make requests against (by default, the us multi-regional location is used). Note that each location's resources are completely separate from the others'.
This component supports authentication via OAuth 2.0. First, perform OAuth authentication using the OAuth component or a separate process. Once complete you should have an authorization string which looks like:
Bearer ya29.AHES6ZSZEJzATdZYjeihDn5W-VrXSsxEZu5p0pclxGdKKQAssign this value to the Authorization property before attempting any operations. Consult the documentation for the service for more information about supported scope values and more details on OAuth authentication.
Using the Component
First, select which key ring the component should interact with using the KeyRing property. If the selected key ring does not yet exist, use the CreateKeyRing method to create it. Note that key rings cannot be deleted later, and therefore key ring names can never be reused within a given Location (unless you create a new Google Cloud project).
Once a key ring has been selected (and created, if necessary), keys can be created in it using the CreateKey method. A key consists of one or more key versions (which themselves can be thought of as distinct resources), each of which has its own cryptographic material. Symmetric keys have a primary version which is used when encrypting data. Asymmetric keys do not have a primary version; a specific version must always be targeted.
When a key is created, a single key version is automatically created for it as well (and for symmetric keys, this becomes the primary version). Additional key versions can be created using the CreateVersion method. Each key version receives a sequentially-assigned version Id, and the first version's Id is always 1. As will become apparent, most operations are performed with key versions, not keys.
googlekms.KeyRing = "MyKeyRing";
googlekms.CreateKeyRing();
// When a key is created, you specify its name, purpose, algorithm, and protection level.
// Refer to the CreateKey method's documentation for more information.
googlekms.CreateKey("MyKey", 1, "GOOGLE_SYMMETRIC_ENCRYPTION", false);
// When a new version is created, the algorithm and protection level are reused.
googlekms.CreateVersion("MyKey");
Like key rings, keys and key versions cannot be deleted. However, a key version can be disabled, or its cryptographic material can be destroyed, making it permanently unusable. To enable or disable a key version, use the SetVersionEnabled method; to destroy a key version's cryptographic material, use the DestroyVersion method. Note that the latter doesn't destroy the cryptographic material immediately; instead, it schedules it for destruction 24 hours from the time of the call. The CancelDestruction method can be called within this waiting period to cancel the destruction.
// Disable a key version to make it unusable until it is re-enabled.
googlekms.SetVersionEnabled("MyKey", "7", false);
// Destroy a key version's cryptographic material to make it permanently unusable.
googlekms.DestroyVersion("MyKey", "7");
// The destruction takes place after a 24 hour waiting period; it can be canceled during that period.
// If destruction is canceled, the key version is always placed into a disabled state.
googlekms.CancelDestruction("MyKey", "7");
To list key rings, keys, or key versions, use the ListKeyRings, ListKeys, or ListVersions method. If there are multiple pages of results when listing a resource, the appropriate marker property will be populated, and all pages of results can be accumulated by continuing to call the relevant listing method until the marker property is empty.
do {
googlekms.ListKeyRings();
} while (!string.IsNullOrEmpty(googlekms.KeyRingMarker));
foreach (GoogleKeyRing keyring in googlekms.KeyRings) {
Console.WriteLine(keyring.Name);
}
googlekms.KeyRing = "MyKeyRing";
do {
googlekms.ListKeys();
} while (!string.IsNullOrEmpty(googlekms.KeyMarker));
foreach (GoogleKey key in googlekms.Keys) {
Console.WriteLine(key.Name);
}
do {
googlekms.ListKeyVersions("MyKey");
} while (!string.IsNullOrEmpty(googlekms.VersionMarker));
foreach (GoogleKeyVersion version in googlekms.Versions) {
Console.WriteLine(version.Name + " " + version.VersionId);
}
Depending on a key's purpose, it can be used to perform different cryptographic operations. Keys whose purpose is encryption/decryption can be used in Encrypt and Decrypt operations. Keys whose purpose is sign/verify can be used in Sign and Verify operations. To perform a cryptographic operation, use InputData, InputFile, or SetInputStream to supply the input data that should be processed. All operations will output the result data to OutputData, OutputFile, or SetOutputStream (except Verify; refer to its documentation for more information).
Note that Google does not support server-side asymmetric encryption or asymmetric verification. The component performs these operations locally as a convenience to account for this.
// Create an asymmetric key whose purpose is encryption/decryption.
googlekms.CreateKey("MyAsymmEncKey", 3, "RSA_DECRYPT_OAEP_3072_SHA256", false);
// Encrypt the string "Test123" and write the encrypted data to an output file.
googlekms.InputData = "Test123";
googlekms.OutputFile = "C:/temp/enc.dat";
googlekms.Encrypt("MyAsymmEncKey", "1");
// ...Later, decrypt the data again.
googlekms.InputFile = "C:/temp/enc.dat";
googlekms.OutputFile = ""; // So that the data will be output to the OutputData property.
googlekms.Decrypt("MyAsymmEncKey", "1");
The component also supports a variety of other functionality, including:
- Retrieval of a single resource's information with GetKeyRingInfo, GetKeyInfo, or GetVersionInfo.
- Getting an asymmetric key's public key using GetPublicKey.
- Label support using AddLabel and the Label* properties.
- Updating key information with UpdateKey and SetPrimaryVersion.
- And more!
Property List
The following is the full list of the properties of the component with short descriptions. Click on the links for further details.
AdditionalData | Additional data to send when performing symmetric encryption or decryption. |
Authorization | OAuth 2.0 Authorization Token. |
Firewall | A set of properties related to firewall access. |
GoogleProjectId | The Id of the Google Cloud project to make requests against. |
Idle | The current status of the component. |
InputData | The data to process. |
InputFile | The file whose data should be processed. |
KeyMarker | A marker indicating what page of keys to return next. |
KeyRing | Selects a key ring for the component to interact with. |
KeyRingMarker | A marker indicating what page of key rings to return next. |
KeyRings | A collection of key rings. |
Keys | A collection of keys. |
Labels | A collection of labels. |
LocalHost | The name of the local host or user-assigned IP interface through which connections are initiated or accepted. |
Location | The Google Cloud location to make requests against. |
OtherHeaders | Other headers as determined by the user (optional). |
OutputData | The output data. |
OutputFile | The file to which output data should be written. |
Overwrite | Whether the output file should be overwritten if necessary. |
ParsedHeaders | Collection of headers returned from the last request. |
Proxy | A set of properties related to proxy access. |
PublicKey | The public key of an asymmetric key pair. |
PublicKeyAlgorithm | The algorithm of an asymmetric key pair. |
QueryParams | Additional query parameters to be included in the request. |
SSLAcceptServerCertEncoded | The certificate (PEM/base64 encoded). |
SSLCertEncoded | The certificate (PEM/base64 encoded). |
SSLCertStore | The name of the certificate store for the client certificate. |
SSLCertStorePassword | If the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store. |
SSLCertStoreType | The type of certificate store for this certificate. |
SSLCertSubject | The subject of the certificate used for client authentication. |
SSLServerCertEncoded | The certificate (PEM/base64 encoded). |
Timeout | A timeout for the component. |
VersionMarker | A marker indicating what page of key versions to return next. |
Versions | A collection of key versions. |
Method List
The following is the full list of the methods of the component with short descriptions. Click on the links for further details.
AddLabel | Adds an item to the Labels properties. |
AddQueryParam | Adds a query parameter to the QueryParams properties. |
CancelDestruction | Cancels the destruction of a key version's cryptographic material. |
Config | Sets or retrieves a configuration setting. |
CreateKey | Creates a new key. |
CreateKeyRing | Creates a new key ring. |
CreateVersion | Creates a new key version. |
Decrypt | Decrypts data using a key. |
DestroyVersion | Schedules the specified key version's cryptographic material for destruction. |
DoEvents | Processes events from the internal message queue. |
Encrypt | Encrypts data using a key. |
GetKeyInfo | Gets information about a key. |
GetKeyRingInfo | Gets information about a key ring. |
GetPublicKey | Retrieves the public key of an asymmetric key pair. |
GetVersionInfo | Gets information about a key version. |
ListKeyRings | Lists the key rings in the currently-selected location. |
ListKeys | Lists the keys in the currently-selected key ring. |
ListVersions | Lists the key versions for the specified key. |
Reset | Resets the component to its initial state. |
SendCustomRequest | Sends a custom request to the server. |
SetInputStream | Sets the stream whose data should be processed. |
SetOutputStream | Sets the stream to which output data should be written. |
SetPrimaryVersion | Sets the primary version of a symmetric key. |
SetVersionEnabled | Enables or disables a key version. |
Sign | Signs a message using a key. |
UpdateKey | Updates a key. |
Verify | Verifies a digital signature using a key. |
Event List
The following is the full list of the events fired by the component with short descriptions. Click on the links for further details.
EndTransfer | Fired when a document finishes transferring. |
Error | Information about errors during data delivery. |
Header | Fired every time a header line comes in. |
KeyList | Fires once for each key when listing keys. |
KeyRingList | Fires once for each key ring when listing key rings. |
LabelList | Fires once for each label returned when a key's information is retrieved. |
Log | Fires once for each log message. |
SSLServerAuthentication | Fired after the server presents its certificate to the client. |
SSLStatus | Shows the progress of the secure connection. |
StartTransfer | Fired when a document starts transferring (after the headers). |
Transfer | Fired while a document transfers (delivers document). |
VersionList | Fires once for each key version when listing key versions. |
Configuration Settings
The following is a list of configuration settings for the component with short descriptions. Click on the links for further details.
AccumulatePages | Whether the component should accumulate subsequent pages of results when listing them. |
CloseInputStreamAfterProcessing | Whether the specified input stream should be closed after data is read from it. |
CloseOutputStreamAfterProcessing | Whether the specified output stream should be closed after data is written to it. |
ForceSymmetricEncryption | Whether the Encrypt method should always perform symmetric encryption. |
MaxKeyRings | The maximum number of results to return when listing key rings. |
MaxKeys | The maximum number of results to return when listing keys. |
MaxVersions | The maximum number of results to return when listing key versions. |
MessageDigest | The message digest computed by the component during the last sign or verify operation, if any. |
NextRotateDate | The next rotation date to send when creating or updating a key. |
RawRequest | Returns the data that was sent to the server. |
RawResponse | Returns the data that was received from the server. |
RotationPeriod | The rotation period to send when creating or updating a key. |
XChildCount | The number of child elements of the current element. |
XChildName[i] | The name of the child element. |
XChildXText[i] | The inner text of the child element. |
XElement | The name of the current element. |
XParent | The parent of the current element. |
XPath | Provides a way to point to a specific element in the returned XML or JSON response. |
XSubTree | A snapshot of the current element in the document. |
XText | The text of the current element. |
AcceptEncoding | Used to tell the server which types of content encodings the client supports. |
AllowHTTPCompression | This property enables HTTP compression for receiving data. |
AllowHTTPFallback | Whether HTTP/2 connections are permitted to fallback to HTTP/1.1. |
Append | Whether to append data to LocalFile. |
Authorization | The Authorization string to be sent to the server. |
BytesTransferred | Contains the number of bytes transferred in the response data. |
ChunkSize | Specifies the chunk size in bytes when using chunked encoding. |
CompressHTTPRequest | Set to true to compress the body of a PUT or POST request. |
EncodeURL | If set to true the URL will be encoded by the component. |
FollowRedirects | Determines what happens when the server issues a redirect. |
GetOn302Redirect | If set to true the component will perform a GET on the new location. |
HTTP2HeadersWithoutIndexing | HTTP2 headers that should not update the dynamic header table with incremental indexing. |
HTTPVersion | The version of HTTP used by the component. |
IfModifiedSince | A date determining the maximum age of the desired document. |
KeepAlive | Determines whether the HTTP connection is closed after completion of the request. |
KerberosSPN | The Service Principal Name for the Kerberos Domain Controller. |
LogLevel | The level of detail that is logged. |
MaxRedirectAttempts | Limits the number of redirects that are followed in a request. |
NegotiatedHTTPVersion | The negotiated HTTP version. |
OtherHeaders | Other headers as determined by the user (optional). |
ProxyAuthorization | The authorization string to be sent to the proxy server. |
ProxyAuthScheme | The authorization scheme to be used for the proxy. |
ProxyPassword | A password if authentication is to be used for the proxy. |
ProxyPort | Port for the proxy server (default 80). |
ProxyServer | Name or IP address of a proxy server (optional). |
ProxyUser | A user name if authentication is to be used for the proxy. |
SentHeaders | The full set of headers as sent by the client. |
StatusLine | The first line of the last response from the server. |
TransferredData | The contents of the last response from the server. |
TransferredDataLimit | The maximum number of incoming bytes to be stored by the component. |
TransferredHeaders | The full set of headers as received from the server. |
TransferredRequest | The full request as sent by the client. |
UseChunkedEncoding | Enables or Disables HTTP chunked encoding for transfers. |
UseIDNs | Whether to encode hostnames to internationalized domain names. |
UserAgent | Information about the user agent (browser). |
CloseStreamAfterTransfer | If true, the component will close the upload or download stream after the transfer. |
ConnectionTimeout | Sets a separate timeout value for establishing a connection. |
FirewallAutoDetect | Tells the component whether or not to automatically detect and use firewall system settings, if available. |
FirewallHost | Name or IP address of firewall (optional). |
FirewallPassword | Password to be used if authentication is to be used when connecting through the firewall. |
FirewallPort | The TCP port for the FirewallHost;. |
FirewallType | Determines the type of firewall to connect through. |
FirewallUser | A user name if authentication is to be used connecting through a firewall. |
KeepAliveInterval | The retry interval, in milliseconds, to be used when a TCP keep-alive packet is sent and no response is received. |
KeepAliveTime | The inactivity time in milliseconds before a TCP keep-alive packet is sent. |
Linger | When set to True, connections are terminated gracefully. |
LingerTime | Time in seconds to have the connection linger. |
LocalHost | The name of the local host through which connections are initiated or accepted. |
LocalPort | The port in the local host where the component binds. |
MaxLineLength | The maximum amount of data to accumulate when no EOL is found. |
MaxTransferRate | The transfer rate limit in bytes per second. |
ProxyExceptionsList | A semicolon separated list of hosts and IPs to bypass when using a proxy. |
TCPKeepAlive | Determines whether or not the keep alive socket option is enabled. |
TcpNoDelay | Whether or not to delay when sending packets. |
UseIPv6 | Whether to use IPv6. |
LogSSLPackets | Controls whether SSL packets are logged when using the internal security API. |
OpenSSLCADir | The path to a directory containing CA certificates. |
OpenSSLCAFile | Name of the file containing the list of CA's trusted by your application. |
OpenSSLCipherList | A string that controls the ciphers to be used by SSL. |
OpenSSLPrngSeedData | The data to seed the pseudo random number generator (PRNG). |
ReuseSSLSession | Determines if the SSL session is reused. |
SSLCACerts | A newline separated list of CA certificate to use during SSL client authentication. |
SSLCheckCRL | Whether to check the Certificate Revocation List for the server certificate. |
SSLCipherStrength | The minimum cipher strength used for bulk encryption. |
SSLEnabledCipherSuites | The cipher suite to be used in an SSL negotiation. |
SSLEnabledProtocols | Used to enable/disable the supported security protocols. |
SSLEnableRenegotiation | Whether the renegotiation_info SSL extension is supported. |
SSLIncludeCertChain | Whether the entire certificate chain is included in the SSLServerAuthentication event. |
SSLNegotiatedCipher | Returns the negotiated ciphersuite. |
SSLNegotiatedCipherStrength | Returns the negotiated ciphersuite strength. |
SSLNegotiatedCipherSuite | Returns the negotiated ciphersuite. |
SSLNegotiatedKeyExchange | Returns the negotiated key exchange algorithm. |
SSLNegotiatedKeyExchangeStrength | Returns the negotiated key exchange algorithm strength. |
SSLNegotiatedProtocol | Returns the negotiated protocol version. |
SSLProvider | The name of the security provider to use. |
SSLSecurityFlags | Flags that control certificate verification. |
SSLServerCACerts | A newline separated list of CA certificate to use during SSL server certificate validation. |
TLS12SignatureAlgorithms | Defines the allowed TLS 1.2 signature algorithms when UseInternalSecurityAPI is True. |
TLS12SupportedGroups | The supported groups for ECC. |
TLS13KeyShareGroups | The groups for which to pregenerate key shares. |
TLS13SignatureAlgorithms | The allowed certificate signature algorithms. |
TLS13SupportedGroups | The supported groups for (EC)DHE key exchange. |
AbsoluteTimeout | Determines whether timeouts are inactivity timeouts or absolute timeouts. |
FirewallData | Used to send extra data to the firewall. |
InBufferSize | The size in bytes of the incoming queue of the socket. |
OutBufferSize | The size in bytes of the outgoing queue of the socket. |
BuildInfo | Information about the product's build. |
CodePage | The system code page used for Unicode to Multibyte translations. |
LicenseInfo | Information about the current license. |
UseInternalSecurityAPI | Tells the component whether or not to use the system security libraries or an internal implementation. |