Keys are logical containers you create in Key Manager to store cryptographic keys. They support encryption, decryption, and the generation of data encryption keys.
List all available algorithms
Lists all cryptographic algorithms supported by the Key Manager service.
path Parameters
region: The region you want to target
query Parameters
Filter by key usage.
List all available algorithms › Responses
Returns a list of algorithms matching the requested criteria.
List keys
Retrieve a list of keys across all Projects in an Organization or within a specific Project. You must specify the region, and either the organization_id or the project_id.
path Parameters
region: The region you want to target
query Parameters
scheduled_for_deletion: Filter keys based on their deletion status. By default, only keys not scheduled for deletion are returned in the output.
organization_id: (Optional) Filter by Organization ID. (UUID format)
project_id: (Optional) Filter by Project ID. (UUID format)
order_by
page
page_size
tags: (Optional) List of tags to filter on.
name: (Optional) Filter by key name.
usage: (Optional) Filter keys by usage. Select from symmetric encryption, asymmetric encryption, or asymmetric signing.
List keys › Responses
Single page of keys matching the requested criteria.
total_count: Total count of keys matching the requested criteria.
Create a key
Create a key in a given region specified by the region parameter. You can use keys to encrypt or decrypt arbitrary payloads, to sign and verify messages or to generate data encryption keys. Data encryption keys are not stored in Key Manager.
path Parameters
region: The region you want to target
Create a key › Request Body
project_id: ID of the Project containing the key. (UUID format)
name: (Optional) Name of the key.
Key usage.
See the Key.Usage enum for a description of possible values.
description: (Optional) Description of the key.
tags: (Optional) List of the key's tags.
(Optional) Rotation policy of the key. If not specified, no rotation policy will be applied to the key.
unprotected: (Optional) Defines whether key protection is applied to a key. Protected keys can be used but not deleted.
Default value is false.
origin: Key origin.
Refer to the Key.Origin enum for a description of values.
Create a key › Responses
id: ID of the key. (UUID format)
project_id: ID of the Project containing the key. (UUID format)
name: Name of the key.
Key usage.
See the Key.Usage enum for a description of possible values.
state: Key state.
See the Key.State enum for a description of possible values.
rotation_count: Number of key rotations. The rotation count tracks the number of times the key has been rotated.
created_at: Key creation date. (RFC 3339 format)
updated_at: Key last modification date. (RFC 3339 format)
protected: Returns true if key protection is applied to the key.
locked: Returns true if the key is locked.
description: Description of the key.
tags: List of the key's tags.
rotated_at: Key last rotation date. (RFC 3339 format)
Key rotation policy.
origin: Key origin.
Refer to the Key.Origin enum for a description of values.
deletion_requested_at: Returns the time at which deletion was requested. (RFC 3339 format)
region: Region where the key is stored.
Get key metadata
Retrieve metadata for a specified key using the region and key_id parameters.
path Parameters
region: The region you want to target
key_id: ID of the key to target. (UUID format)
Get key metadata › Responses
id: ID of the key. (UUID format)
project_id: ID of the Project containing the key. (UUID format)
name: Name of the key.
Key usage.
See the Key.Usage enum for a description of possible values.
state: Key state.
See the Key.State enum for a description of possible values.
rotation_count: Number of key rotations. The rotation count tracks the number of times the key has been rotated.
created_at: Key creation date. (RFC 3339 format)
updated_at: Key last modification date. (RFC 3339 format)
protected: Returns true if key protection is applied to the key.
locked: Returns true if the key is locked.
description: Description of the key.
tags: List of the key's tags.
rotated_at: Key last rotation date. (RFC 3339 format)
Key rotation policy.
origin: Key origin.
Refer to the Key.Origin enum for a description of values.
deletion_requested_at: Returns the time at which deletion was requested. (RFC 3339 format)
region: Region where the key is stored.
Delete a key
Permanently delete a key specified by the region and key_id parameters. This action is irreversible. Any data encrypted with this key, including data encryption keys, will no longer be decipherable.
path Parameters
region: The region you want to target
key_id: ID of the key to delete. (UUID format)
Delete a key › Responses
Update a key
Modify a key's metadata including name, description and tags, specified by the key_id and region parameters.
path Parameters
region: The region you want to target
key_id: ID of the key to update. (UUID format)
Update a key › Request Body
name: (Optional) Updated name of the key.
description: (Optional) Updated description of the key.
tags: (Optional) Updated list of the key's tags.
(Optional) Updated rotation policy of the key. If not specified, the key's existing rotation policy applies.
Update a key › Responses
id: ID of the key. (UUID format)
project_id: ID of the Project containing the key. (UUID format)
name: Name of the key.
Key usage.
See the Key.Usage enum for a description of possible values.
state: Key state.
See the Key.State enum for a description of possible values.
rotation_count: Number of key rotations. The rotation count tracks the number of times the key has been rotated.
created_at: Key creation date. (RFC 3339 format)
updated_at: Key last modification date. (RFC 3339 format)
protected: Returns true if key protection is applied to the key.
locked: Returns true if the key is locked.
description: Description of the key.
tags: List of the key's tags.
rotated_at: Key last rotation date. (RFC 3339 format)
Key rotation policy.
origin: Key origin.
Refer to the Key.Origin enum for a description of values.
deletion_requested_at: Returns the time at which deletion was requested. (RFC 3339 format)
region: Region where the key is stored.
Decrypt an encrypted payload
Decrypt an encrypted payload using an existing key, specified by the key_id parameter. The maximum payload size that can be decrypted is equivalent to the encrypted output of 64 KB of data (around 131 KB).
path Parameters
region: The region you want to target
key_id: ID of the key to decrypt with.
The key must have a usage set to symmetric_encryption or asymmetric_encryption. (UUID format)
Decrypt an encrypted payload › Request Body
ciphertext: Ciphertext data to decrypt. Data size must be between 1 and 131071 bytes.
(Optional) Additional authenticated data.
The additional data must match the value passed in the encryption request. Only supported by keys with a usage set to symmetric_encryption.
Decrypt an encrypted payload › Responses
key_id: ID of the key used for decryption. (UUID format)
plaintext: Key's decrypted data.
(Optional) Data encrypted with the latest key rotation. If the data was already encrypted with the latest key rotation, no output will be returned in the response object.
Delete key material
Delete previously imported key material. This renders the associated cryptographic key unusable for any operation. The key's origin must be external.
path Parameters
region: The region you want to target
key_id: ID of the key of which to delete the key material. (UUID format)
Delete key material › Responses
Disable key
Disable a given key, preventing it from being used for cryptographic operations. Disabling a key renders it unusable. You must specify the region and key_id parameters.
path Parameters
region: The region you want to target
key_id: ID of the key to disable. (UUID format)
Disable key › Responses
id: ID of the key. (UUID format)
project_id: ID of the Project containing the key. (UUID format)
name: Name of the key.
Key usage.
See the Key.Usage enum for a description of possible values.
state: Key state.
See the Key.State enum for a description of possible values.
rotation_count: Number of key rotations. The rotation count tracks the number of times the key has been rotated.
created_at: Key creation date. (RFC 3339 format)
updated_at: Key last modification date. (RFC 3339 format)
protected: Returns true if key protection is applied to the key.
locked: Returns true if the key is locked.
description: Description of the key.
tags: List of the key's tags.
rotated_at: Key last rotation date. (RFC 3339 format)
Key rotation policy.
origin: Key origin.
Refer to the Key.Origin enum for a description of values.
deletion_requested_at: Returns the time at which deletion was requested. (RFC 3339 format)
region: Region where the key is stored.
Enable key
Enable a given key to be used for cryptographic operations. Enabling a key allows you to make a disabled key usable again. You must specify the region and key_id parameters.
path Parameters
region: The region you want to target
key_id: ID of the key to enable. (UUID format)
Enable key › Responses
id: ID of the key. (UUID format)
project_id: ID of the Project containing the key. (UUID format)
name: Name of the key.
Key usage.
See the Key.Usage enum for a description of possible values.
state: Key state.
See the Key.State enum for a description of possible values.
rotation_count: Number of key rotations. The rotation count tracks the number of times the key has been rotated.
created_at: Key creation date. (RFC 3339 format)
updated_at: Key last modification date. (RFC 3339 format)
protected: Returns true if key protection is applied to the key.
locked: Returns true if the key is locked.
description: Description of the key.
tags: List of the key's tags.
rotated_at: Key last rotation date. (RFC 3339 format)
Key rotation policy.
origin: Key origin.
Refer to the Key.Origin enum for a description of values.
deletion_requested_at: Returns the time at which deletion was requested. (RFC 3339 format)
region: Region where the key is stored.
Encrypt a payload
Encrypt a payload using an existing key, specified by the key_id parameter. The maximum payload size that can be encrypted is 64 KB of plaintext.
path Parameters
region: The region you want to target
key_id: ID of the key to use for encryption.
The key must have a usage set to symmetric_encryption or asymmetric_encryption. (UUID format)
Encrypt a payload › Request Body
plaintext: Plaintext data to encrypt. Data size must be between 1 and 65535 bytes.
(Optional) Additional authenticated data.
Additional data which will not be encrypted, but authenticated and appended to the encrypted payload. Only supported by keys with a usage set to symmetric_encryption.
Encrypt a payload › Responses
key_id: ID of the key used for encryption. (UUID format)
ciphertext: Key's encrypted data.
Create a data encryption key
Create a new data encryption key for cryptographic operations outside of Key Manager. The data encryption key is encrypted and must be decrypted using the key you have created in Key Manager.
The data encryption key is returned in plaintext and ciphertext but it should only be stored in its encrypted form (ciphertext). Key Manager does not store your data encryption key. To retrieve your key's plaintext, use the Decrypt method with your key's ID and ciphertext.
path Parameters
region: The region you want to target
key_id: ID of the key. (UUID format)
Create a data encryption key › Request Body
algorithm: Algorithm with which the data encryption key will be used to encrypt and decrypt arbitrary payloads.
See the DataKey.Algorithm.SymmetricEncryption enum for a description of values.
without_plaintext: (Optional) Defines whether to return the data encryption key's plaintext in the response object.
Default value is false, meaning that the plaintext is returned.
Set it to true if you do not wish the plaintext to be returned in the response object.
Create a data encryption key › Responses
key_id: ID of the data encryption key. (UUID format)
algorithm: Symmetric encryption algorithm of the data encryption key (AES-256-GCM).
ciphertext: Data encryption key ciphertext. Your data encryption key's ciphertext can be stored safely. It can only be decrypted through the keys you create in Key Manager, using the relevant key ID.
Data encryption key plaintext. (Optional) Your data encryption key's plaintext allows you to use the key immediately upon creation. It must neither be stored nor shared.
created_at: Data encryption key creation date. (RFC 3339 format)
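The envelope-encryption flow that data encryption keys are meant for, as an added example (not Key Manager's own code): the payload is encrypted locally with a fresh AES-256-GCM data key, and only the wrapped data key is kept beside the ciphertext. The `master` key and the `EncryptRecord` and `DecryptRecord` helpers are hypothetical local stand-ins for the Key Manager key and its create-data-key and Decrypt calls; the additional authenticated data follows the same must-match rule described for Encrypt and Decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback without a working CSPRNG
	}
	return b
}
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key is not 16, 24 or 32 bytes
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal returns nonce || AES-256-GCM ciphertext; aad is authenticated, not encrypted.
func seal(key, pt, aad []byte) []byte {
	nonce := randBytes(12) // standard GCM nonce size
	return gcm(key).Seal(nonce, nonce, pt, aad)
}
func open(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], aad)
}

// EncryptRecord uses a fresh data key once and returns only its wrapped form.
// master is a constructed stand-in for the key held inside Key Manager.
func EncryptRecord(master, pt, aad []byte) (wrappedDEK, data []byte) {
	dek := randBytes(32) // plaintext data key: in memory only, never persisted
	return seal(master, dek, nil), seal(dek, pt, aad)
}

// DecryptRecord unwraps the data key with the master key, then decrypts locally.
func DecryptRecord(master, wrappedDEK, data, aad []byte) ([]byte, error) {
	dek, err := open(master, wrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	return open(dek, data, aad)
}

func main() {
	master := randBytes(32) // constructed demo key
	w, c := EncryptRecord(master, []byte("record-17"), []byte("tenant-a"))
	pt, err := DecryptRecord(master, w, c, []byte("tenant-a"))
	fmt.Println(string(pt), err)
}
```

In production the two operations on `master` are requests to the service, so the application only ever holds the wrapped data key at rest.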
Import key material
Import externally generated key material into Key Manager to derive a new cryptographic key. The key's origin must be external.
path Parameters
region: The region you want to target
key_id: ID of the key in which to import key material.
The key's origin must be external. (UUID format)
Import key material › Request Body
key_material: The key material. The key material is a random sequence of bytes used to derive a cryptographic key.
(Optional) Salt value to pass to the key derivation function. A salt is random data added to key material to ensure unique derived keys, even if the input is similar. It helps strengthen security when the key material has low randomness (low entropy).
Import key material › Responses
id: ID of the key. (UUID format)
project_id: ID of the Project containing the key. (UUID format)
name: Name of the key.
Key usage.
See the Key.Usage enum for a description of possible values.
state: Key state.
See the Key.State enum for a description of possible values.
rotation_count: Number of key rotations. The rotation count tracks the number of times the key has been rotated.
created_at: Key creation date. (RFC 3339 format)
updated_at: Key last modification date. (RFC 3339 format)
protected: Returns true if key protection is applied to the key.
locked: Returns true if the key is locked.
description: Description of the key.
tags: List of the key's tags.
rotated_at: Key last rotation date. (RFC 3339 format)
Key rotation policy.
origin: Key origin.
Refer to the Key.Origin enum for a description of values.
deletion_requested_at: Returns the time at which deletion was requested. (RFC 3339 format)
region: Region where the key is stored.
Apply key protection
Apply protection to a given key specified by the key_id parameter. Applying key protection means that your key can be used and modified, but it cannot be deleted.
path Parameters
region: The region you want to target
key_id: ID of the key to apply key protection to. (UUID format)
Apply key protection › Responses
id: ID of the key. (UUID format)
project_id: ID of the Project containing the key. (UUID format)
name: Name of the key.
Key usage.
See the Key.Usage enum for a description of possible values.
state: Key state.
See the Key.State enum for a description of possible values.
rotation_count: Number of key rotations. The rotation count tracks the number of times the key has been rotated.
created_at: Key creation date. (RFC 3339 format)
updated_at: Key last modification date. (RFC 3339 format)
protected: Returns true if key protection is applied to the key.
locked: Returns true if the key is locked.
description: Description of the key.
tags: List of the key's tags.
rotated_at: Key last rotation date. (RFC 3339 format)
Key rotation policy.
origin: Key origin.
Refer to the Key.Origin enum for a description of values.
deletion_requested_at: Returns the time at which deletion was requested. (RFC 3339 format)
region: Region where the key is stored.
Get the public key in PEM format.
Restore a key
Restore a key and all its rotations scheduled for deletion specified by the region and key_id parameters.
path Parameters
region: The region you want to target
key_id
Restore a key › Responses
id: ID of the key. (UUID format)
project_id: ID of the Project containing the key. (UUID format)
name: Name of the key.
Key usage.
See the Key.Usage enum for a description of possible values.
state: Key state.
See the Key.State enum for a description of possible values.
rotation_count: Number of key rotations. The rotation count tracks the number of times the key has been rotated.
created_at: Key creation date. (RFC 3339 format)
updated_at: Key last modification date. (RFC 3339 format)
protected: Returns true if key protection is applied to the key.
locked: Returns true if the key is locked.
description: Description of the key.
tags: List of the key's tags.
rotated_at: Key last rotation date. (RFC 3339 format)
Key rotation policy.
origin: Key origin.
Refer to the Key.Origin enum for a description of values.
deletion_requested_at: Returns the time at which deletion was requested. (RFC 3339 format)
region: Region where the key is stored.
Rotate a key
Generate a new version of an existing key with new key material. Previous key versions remain usable to decrypt previously encrypted data, but the key's new version will be used for subsequent encryption operations and data key generation.
path Parameters
region: The region you want to target
key_id: ID of the key to rotate. (UUID format)
Rotate a key › Responses
id: ID of the key. (UUID format)
project_id: ID of the Project containing the key. (UUID format)
name: Name of the key.
Key usage.
See the Key.Usage enum for a description of possible values.
state: Key state.
See the Key.State enum for a description of possible values.
rotation_count: Number of key rotations. The rotation count tracks the number of times the key has been rotated.
created_at: Key creation date. (RFC 3339 format)
updated_at: Key last modification date. (RFC 3339 format)
protected: Returns true if key protection is applied to the key.
locked: Returns true if the key is locked.
description: Description of the key.
tags: List of the key's tags.
rotated_at: Key last rotation date. (RFC 3339 format)
Key rotation policy.
origin: Key origin.
Refer to the Key.Origin enum for a description of values.
deletion_requested_at: Returns the time at which deletion was requested. (RFC 3339 format)
region: Region where the key is stored.
Sign a message digest
Use a given key to sign a message digest. The key must have its usage set to asymmetric_signing. The digest must be created using the same digest algorithm that is defined in the key's algorithm configuration.
path Parameters
region: The region you want to target
key_id: ID of the key to use for signing. (UUID format)
Sign a message digest › Request Body
digest: Digest of the message to sign. The digest must be generated using the same algorithm defined in the key’s algorithm settings.
Sign a message digest › Responses
key_id: ID of the key used to generate the signature. (UUID format)
signature: The message signature.
Remove key protection
Remove key protection from a given key specified by the key_id parameter. Removing key protection means that your key can be deleted anytime.
path Parameters
region: The region you want to target
key_id: ID of the key to remove key protection from. (UUID format)
Remove key protection › Responses
id: ID of the key. (UUID format)
project_id: ID of the Project containing the key. (UUID format)
name: Name of the key.
Key usage.
See the Key.Usage enum for a description of possible values.
state: Key state.
See the Key.State enum for a description of possible values.
rotation_count: Number of key rotations. The rotation count tracks the number of times the key has been rotated.
created_at: Key creation date. (RFC 3339 format)
updated_at: Key last modification date. (RFC 3339 format)
protected: Returns true if key protection is applied to the key.
locked: Returns true if the key is locked.
description: Description of the key.
tags: List of the key's tags.
rotated_at: Key last rotation date. (RFC 3339 format)
Key rotation policy.
origin: Key origin.
Refer to the Key.Origin enum for a description of values.
deletion_requested_at: Returns the time at which deletion was requested. (RFC 3339 format)
region: Region where the key is stored.
Verify a message signature
Use a given key to verify a message signature against a message digest. The key must have its usage set to asymmetric_signing. The message digest must be generated using the same digest algorithm that is defined in the key's algorithm configuration.
path Parameters
region: The region you want to target
key_id: ID of the key to use for signature verification. (UUID format)
Verify a message signature › Request Body
digest: Digest of the original signed message. Must be generated using the same algorithm specified in the key’s configuration.
signature: The message signature to verify.
Verify a message signature › Responses
key_id: ID of the key used for verification. (UUID format)
valid: Defines whether the signature is valid.
Returns true if the signature is valid for the digest and key, and false otherwise.
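The digest rule shared by the Sign and Verify endpoints, as an added example (not Key Manager's own code): the message is hashed locally with the algorithm the key is configured for, only the digest is signed, and a digest produced with a different algorithm is refused or verifies as invalid. `signingKey` is a hypothetical local ECDSA stand-in; the P-256 with SHA-256 pairing and the digest-length guard are assumptions of this example, not documented service behaviour.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	_ "crypto/sha256" // registers crypto.SHA256
	"crypto/sha512"
	"fmt"
)

// signingKey is a constructed local stand-in for a key with usage
// asymmetric_signing; hash is the digest algorithm in its configuration.
type signingKey struct {
	priv *ecdsa.PrivateKey
	hash crypto.Hash
}

func newSigningKey() signingKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return signingKey{priv, crypto.SHA256} // assumed pairing: P-256 with SHA-256
}

// Digest hashes msg locally with the key's configured algorithm; only this
// fixed-size value is submitted for signing, never the message itself.
func (k signingKey) Digest(msg []byte) []byte {
	h := k.hash.New()
	h.Write(msg)
	return h.Sum(nil)
}

// Sign refuses a digest whose length cannot come from the key's algorithm.
func (k signingKey) Sign(digest []byte) ([]byte, error) {
	if len(digest) != k.hash.Size() {
		return nil, fmt.Errorf("digest is %d bytes, key expects %d", len(digest), k.hash.Size())
	}
	return ecdsa.SignASN1(rand.Reader, k.priv, digest)
}

// Verify mirrors the valid flag: false for a wrong digest, algorithm or signature.
func (k signingKey) Verify(digest, sig []byte) bool {
	return len(digest) == k.hash.Size() && ecdsa.VerifyASN1(&k.priv.PublicKey, digest, sig)
}

// sha384Digest produces the mismatched digest used to show the failure mode.
func sha384Digest(msg []byte) []byte {
	sum := sha512.Sum384(msg)
	return sum[:]
}

func main() {
	k, msg := newSigningKey(), []byte("constructed sample message")
	sig, _ := k.Sign(k.Digest(msg))
	fmt.Println(k.Verify(k.Digest(msg), sig), k.Verify(sha384Digest(msg), sig))
}
```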