CreateKey Method

Creates a new key.

Syntax

public func createKey(keyName: String, purpose: Int32, algorithm: String, useHSM: Bool) throws -> Void

Remarks

This method creates a new key with the specified KeyName in the currently-selected KeyRing. A key version is automatically created when this occurs (and for symmetric keys, it automatically becomes the primary version).

The value passed for KeyName must consist solely of alphanumeric characters, underscores, and hyphens, and may be up to 63 characters in length.

The Purpose parameter specifies what the key's purpose should be. Possible values are:

  • 1: A symmetric key used for encryption and decryption.
  • 2: An asymmetric key used for signing and verification.
  • 3: An asymmetric key used for encryption and decryption.

For symmetric keys, the only valid value for Algorithm is GOOGLE_SYMMETRIC_ENCRYPTION (which is assumed if an empty string is passed). For asymmetric keys, the algorithm specifies the key type, repeats the purpose (either SIGN or DECRYPT), and dictates the algorithm that will be used for the relevant cryptographic operations; valid values are:

  • RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest
  • RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest
  • RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest
  • RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest
  • RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest
  • RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest
  • RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest
  • RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest
  • RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256 digest
  • RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256 digest
  • RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256 digest
  • RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512 digest
  • EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest
  • EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest

Refer to Google's CryptoKeyVersionAlgorithm documentation page for more information.

The UseHSM parameter specifies whether the key's protection level should be SOFTWARE (false) or HSM (true).

Note that the values passed for Algorithm and UseHSM will be stored on the server as template values, and used again anytime a new key version is created with CreateVersion. The template algorithm can be changed at any time using UpdateKey; the template protection level cannot be changed.

If there are any items in the Label* properties, they will be applied to the newly-created key. Keys may have up to 64 labels.

For symmetric keys, the RotationPeriod and NextRotateDate configuration settings can also be used to enable automatic rotation; refer to their documentation for more information.
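The KeyName, Purpose and Algorithm rules above can be checked locally before the call, so a mismatched purpose/algorithm pair fails in the client rather than as a server error. The following Swift helper is an added example, not code from the Cloud Keys library; it assumes only the purpose codes and algorithm names listed on this page, and the KeySpec and KeySpecError names are chosen here.

```swift
// Added example, not part of the Cloud Keys library: a pre-flight check applying the
// KeyName, Purpose and Algorithm rules documented above; KeySpecError/KeySpec are names chosen here.
enum KeySpecError: Error, Equatable {
    case invalidKeyName(String)
    case unknownPurpose(Int32)
    case algorithmMismatch(purpose: Int32, algorithm: String)
}
struct KeySpec: Equatable {
    let keyName: String
    let purpose: Int32
    let algorithm: String   // resolved: never empty once validated
    let useHSM: Bool        // becomes the template protection level, which cannot be changed later
}
private let signAlgorithms: Set<String> = [
    "RSA_SIGN_PSS_2048_SHA256", "RSA_SIGN_PSS_3072_SHA256",
    "RSA_SIGN_PSS_4096_SHA256", "RSA_SIGN_PSS_4096_SHA512",
    "RSA_SIGN_PKCS1_2048_SHA256", "RSA_SIGN_PKCS1_3072_SHA256",
    "RSA_SIGN_PKCS1_4096_SHA256", "RSA_SIGN_PKCS1_4096_SHA512",
    "EC_SIGN_P256_SHA256", "EC_SIGN_P384_SHA384",
]
private let decryptAlgorithms: Set<String> = [
    "RSA_DECRYPT_OAEP_2048_SHA256", "RSA_DECRYPT_OAEP_3072_SHA256",
    "RSA_DECRYPT_OAEP_4096_SHA256", "RSA_DECRYPT_OAEP_4096_SHA512",
]
/// Rejects argument combinations the server would reject and makes the implied
/// symmetric algorithm explicit, so the template that gets stored is the one intended.
func validateKeySpec(keyName: String, purpose: Int32,
                     algorithm: String, useHSM: Bool) throws -> KeySpec {
    // KeyName: ASCII letters, digits, underscores and hyphens only; 1 to 63 characters.
    guard !keyName.isEmpty, keyName.count <= 63, keyName.allSatisfy({
        $0.isASCII && ($0.isLetter || $0.isNumber || $0 == "_" || $0 == "-") })
    else { throw KeySpecError.invalidKeyName(keyName) }
    let resolved: String
    switch purpose {
    case 1:  // symmetric: only GOOGLE_SYMMETRIC_ENCRYPTION, assumed when empty
        guard algorithm.isEmpty || algorithm == "GOOGLE_SYMMETRIC_ENCRYPTION" else {
            throw KeySpecError.algorithmMismatch(purpose: purpose, algorithm: algorithm)
        }
        resolved = "GOOGLE_SYMMETRIC_ENCRYPTION"
    case 2 where signAlgorithms.contains(algorithm):     // asymmetric signing
        resolved = algorithm
    case 3 where decryptAlgorithms.contains(algorithm):  // asymmetric decryption
        resolved = algorithm
    case 2, 3:   // asymmetric purpose with a symmetric or mismatched algorithm
        throw KeySpecError.algorithmMismatch(purpose: purpose, algorithm: algorithm)
    default:
        throw KeySpecError.unknownPurpose(purpose)
    }
    return KeySpec(keyName: keyName, purpose: purpose, algorithm: resolved, useHSM: useHSM)
}
```

Call it with the same arguments you intend to pass to createKey and use the returned spec for the call; because the protection level becomes an unchangeable template value, the useHSM decision is worth confirming at this point rather than after the key exists.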

Copyright (c) 2021 /n software inc. - All rights reserved.
Cloud Keys 2020 macOS Edition - Version 20.0 [Build 7876]