Class KmsEnvelopeAeadKeyManager


  • public class KmsEnvelopeAeadKeyManager
    extends java.lang.Object
    This key manager generates new KmsEnvelopeAeadKey keys and produces new instances of KmsEnvelopeAead.
    • Method Detail

      • createKeyTemplate

        public static KeyTemplate createKeyTemplate(java.lang.String kekUri,
                                                    KeyTemplate dekTemplate)
        Returns a new KeyTemplate that can generate a LegacyKmsEnvelopeAeadKey whose key-encrypting key (KEK) points to kekUri and whose DEK template is dekTemplate (or a derived version of it).

        It requires that a KmsClient that can handle kekUri is registered. Avoid registering it more than once.

        Note: Unlike other templates, when you call KeysetHandle#generateNew with this template Tink does not generate new key material, but instead creates a reference to the remote KEK.

        The Variant of the template passed as the second argument is ignored; NO_PREFIX is assumed instead.

        It is often not necessary to use this function. Instead of registering a KmsClient, and creating an Aead using KeysetHandle.generateNew(KmsEnvelopeAeadKeyManager.createKeyTemplate(keyUri, KeyTemplates.get("AES128_GCM"))).getPrimitive(RegistryConfiguration.get(), Aead.class), create the Aead directly using KmsEnvelopeAead.create(PredefinedAeadParameters.AES256_GCM, kmsClient.getAead(keyUri)), without registering any KmsClient.
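
        The direct construction recommended above, as an added example (not code from the Tink project). To run offline it assumes a locally generated AES256_GCM keyset in place of kmsClient.getAead(keyUri); the class name and sample strings are constructed, and the length read relies on Tink's envelope ciphertext layout (4-byte wrapped-DEK length, wrapped DEK, payload ciphertext).

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.RegistryConfiguration;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.KmsEnvelopeAead;
import com.google.crypto.tink.aead.PredefinedAeadParameters;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public final class EnvelopeAeadExample {
  public static void main(String[] args) throws GeneralSecurityException {
    AeadConfig.register();

    // Assumption: a local key stands in for the remote KEK so this runs offline.
    // With a real KMS this line is: Aead kekAead = kmsClient.getAead(keyUri);
    Aead kekAead = KeysetHandle.generateNew(PredefinedAeadParameters.AES256_GCM)
        .getPrimitive(RegistryConfiguration.get(), Aead.class);

    // No KmsClient is registered and no key template is built.
    Aead envelope = KmsEnvelopeAead.create(PredefinedAeadParameters.AES256_GCM, kekAead);

    // Constructed sample input.
    byte[] plaintext = "constructed sample record".getBytes(StandardCharsets.UTF_8);
    byte[] aad = "tenant-42/record-7".getBytes(StandardCharsets.UTF_8);

    // Each encrypt() creates a fresh DEK, wraps it with the KEK, and stores the
    // wrapped DEK in front of the payload ciphertext.
    byte[] ciphertext = envelope.encrypt(plaintext, aad);
    int wrappedDekLen = ByteBuffer.wrap(ciphertext).getInt();
    System.out.println("wrapped DEK bytes: " + wrappedDekLen
        + ", total ciphertext bytes: " + ciphertext.length);

    // Decryption unwraps the DEK through the KEK Aead, then decrypts the payload.
    byte[] decrypted = envelope.decrypt(ciphertext, aad);
    if (!Arrays.equals(plaintext, decrypted)) {
      throw new IllegalStateException("round trip failed");
    }

    // The associated data is authenticated: a different value must be rejected.
    byte[] otherAad = "tenant-43/record-7".getBytes(StandardCharsets.UTF_8);
    try {
      envelope.decrypt(ciphertext, otherAad);
      throw new IllegalStateException("decrypt accepted mismatched associated data");
    } catch (GeneralSecurityException expected) {
      System.out.println("mismatched associated data rejected");
    }
  }
}
```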

      • register

        public static void register(boolean newKeyAllowed)
                             throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException