public final class KmsAeadKeyManager extends Object

Aead that forwards encrypt/decrypt requests to a key residing in a remote KMS.

| Modifier and Type | Method and Description |
|---|---|
| static KeyTemplate | createKeyTemplate(String keyUri) |
| static void | register(boolean newKeyAllowed) |

public static void register(boolean newKeyAllowed) throws GeneralSecurityException

Throws: GeneralSecurityException

public static KeyTemplate createKeyTemplate(String keyUri)

Returns a KeyTemplate that can generate a KmsAeadKey whose key points to keyUri. Keys
generated by this key template use the RAW output prefix to make them compatible with the
remote KMS's encrypt/decrypt operations.

It requires that a KmsClient that can handle keyUri is registered. Avoid
registering it more than once.

Note: Unlike other templates, when you call KeysetHandle#generateNew with
this template, Tink does not generate new key material, but only creates a reference to the
remote key.

It is often not necessary to use this function. Instead of registering a KmsClient
and creating an Aead using KeysetHandle.generateNew(KmsAeadKeyManager.createKeyTemplate(keyUri)).getPrimitive(Aead.class),
you can create the Aead directly using kmsClient.getAead(kekUri), without
registering any KmsClient.
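
The two routes described above, side by side, as an added example that is not part of the original documentation or of Tink's own code. FakeKmsClient and the fake-kms:// URI are hypothetical: a local AES-GCM key stands in for the remote KMS key so the program runs offline. Because the template uses the RAW output prefix, ciphertext produced through the keyset handle decrypts with the Aead obtained directly from the client.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.KmsClients;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.KmsAeadKeyManager;
import com.google.crypto.tink.subtle.AesGcmJce;
import com.google.crypto.tink.subtle.Random;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;

public final class KmsAeadRoutes {
  // Hypothetical URI scheme and key name, constructed for this example.
  static final String KEY_URI = "fake-kms://example-key";

  // Stand-in for a real KMS client: one local AES-GCM key plays the remote key.
  static final class FakeKmsClient implements KmsClient {
    private final Aead remoteKey;
    FakeKmsClient() throws GeneralSecurityException {
      remoteKey = new AesGcmJce(Random.randBytes(16));
    }
    @Override public boolean doesSupport(String uri) { return KEY_URI.equals(uri); }
    @Override public KmsClient withCredentials(String path) { return this; }
    @Override public KmsClient withDefaultCredentials() { return this; }
    @Override public Aead getAead(String uri) throws GeneralSecurityException {
      if (!doesSupport(uri)) throw new GeneralSecurityException("unsupported key URI");
      return remoteKey;
    }
  }

  public static void main(String[] args) throws Exception {
    AeadConfig.register(); // registers the Aead wrapper and key managers
    KmsClient client = new FakeKmsClient();
    byte[] msg = "secret".getBytes(StandardCharsets.UTF_8);
    byte[] aad = "context".getBytes(StandardCharsets.UTF_8);

    // Route 1: ask the client for the Aead directly; nothing is registered.
    Aead direct = client.getAead(KEY_URI);

    // Route 2: register the client once, then build a keyset that only
    // references the remote key (no key material is generated locally).
    KmsClients.add(client);
    Aead viaKeyset = KeysetHandle.generateNew(KmsAeadKeyManager.createKeyTemplate(KEY_URI))
        .getPrimitive(Aead.class);

    // RAW output prefix: no Tink header is added, so the two Aeads interoperate.
    byte[] recovered = direct.decrypt(viaKeyset.encrypt(msg, aad), aad);
    System.out.println(new String(recovered, StandardCharsets.UTF_8));
  }
}
```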