public class KmsEnvelopeAeadKeyManager extends Object
KmsEnvelopeAeadKey keys and produces new instances of
KmsEnvelopeAead.

| Modifier and Type | Method and Description |
|---|---|
| static KeyTemplate | createKeyTemplate(String kekUri, KeyTemplate dekTemplate) Returns a new KeyTemplate that can generate a LegacyKmsEnvelopeAeadKey whose key encrypting key (KEK) points to kekUri and whose DEK template is dekTemplate (or a derived version of it). |
| static void | register(boolean newKeyAllowed) |

public static KeyTemplate createKeyTemplate(String kekUri, KeyTemplate dekTemplate)
Returns a new KeyTemplate that can generate a LegacyKmsEnvelopeAeadKey whose
key encrypting key (KEK) points to kekUri and whose DEK template is dekTemplate
(or a derived version of it).
It requires that a KmsClient that can handle kekUri is registered. Avoid
registering it more than once.
Note: Unlike other templates, when you call KeysetHandle#generateNew with
this template Tink does not generate new key material, but instead creates a reference to the
remote KEK.
The Variant of the template passed as the second argument is ignored; NO_PREFIX is assumed instead.
It is often not necessary to use this function. Instead of registering a KmsClient,
and creating an Aead using KeysetHandle.generateNew(KmsEnvelopeAeadKeyManager.createKeyTemplate(keyUri,
KeyTemplates.get("AES128_GCM"))).getPrimitive(RegistryConfiguration.get(), Aead.class), create
the Aead directly using KmsEnvelopeAead.create(PredefinedAeadParameters.AES256_GCM, kmsClient.getAead(keyUri)),
without registering any KmsClient.
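
The direct construction recommended above, as an added example that is not part of the Tink documentation. A locally generated AES256_GCM key stands in for kmsClient.getAead(keyUri) so the code runs offline; the class name, helper names and sample strings are constructed for illustration.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.RegistryConfiguration;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.KmsEnvelopeAead;
import com.google.crypto.tink.aead.PredefinedAeadParameters;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public final class EnvelopeAeadExample {
  // Assumption: a local key plays the role of the remote KEK.
  // In production this Aead is kmsClient.getAead(keyUri).
  static Aead localKek() throws GeneralSecurityException {
    return KeysetHandle.generateNew(PredefinedAeadParameters.AES256_GCM)
        .getPrimitive(RegistryConfiguration.get(), Aead.class);
  }

  // True when decryption is refused, which is the expected outcome for tampered input.
  static boolean rejects(Aead aead, byte[] ciphertext, byte[] associatedData) {
    try {
      aead.decrypt(ciphertext, associatedData);
      return false;
    } catch (GeneralSecurityException expected) {
      return true;
    }
  }

  public static void main(String[] args) throws GeneralSecurityException {
    AeadConfig.register();
    // No KmsClient is registered and no key template is built: the KEK Aead is passed in.
    Aead envelope = KmsEnvelopeAead.create(PredefinedAeadParameters.AES256_GCM, localKek());

    byte[] plaintext = "constructed sample record".getBytes(StandardCharsets.UTF_8);
    byte[] context = "tenant-42/users".getBytes(StandardCharsets.UTF_8);

    // Every encrypt call creates a fresh DEK, encrypts locally, and wraps the DEK with the KEK.
    byte[] c1 = envelope.encrypt(plaintext, context);
    byte[] c2 = envelope.encrypt(plaintext, context);
    System.out.println("ciphertexts differ: " + !Arrays.equals(c1, c2));
    System.out.println("round trip ok: " + Arrays.equals(plaintext, envelope.decrypt(c1, context)));

    // Associated data is authenticated, so a ciphertext cannot be replayed in another context.
    byte[] otherContext = "tenant-7/users".getBytes(StandardCharsets.UTF_8);
    System.out.println("wrong associated data rejected: " + rejects(envelope, c1, otherContext));

    // A different KEK cannot unwrap the DEK embedded in the ciphertext.
    Aead wrongKek = KmsEnvelopeAead.create(PredefinedAeadParameters.AES256_GCM, localKek());
    System.out.println("wrong KEK rejected: " + rejects(wrongKek, c1, context));
  }
}
```
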
public static void register(boolean newKeyAllowed) throws GeneralSecurityException
Throws: GeneralSecurityException