Resource key hash
Stay organized with collections
Save and categorize content based on your preferences.
The resource key hash is a mechanism allowing Google to verify the integrity of
the wrapped encryption keys without having access to the keys.
Generating the resource key hash requires access to the unwrapped key including
the DEK, the resource_name and the perimeter_id specified during the key
wrapping operation.
We use the cryptographic function HMAC-SHA256 with unwrapped_dek as a key and
the concatenation of metadata as data
("ResourceKeyDigest:", resource_name, ":", perimeter_id).
The resource_name and perimeter_id should be UTF-8 encoded strings.
For example, when resource_name = "my_resource",
perimeter_id = "my_perimeter" and unwrapped_dek = 0xf00d, the resource key
hash is:
echo -n "ResourceKeyDigest:my_resource:my_perimeter" | openssl sha256 -mac HMAC -macopt hexkey:f00d -binary
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-11-14 UTC.
[null,null,["Last updated 2024-11-14 UTC."],[[["\u003cp\u003eThe resource key hash ensures Google can verify the integrity of wrapped encryption keys without needing access to the actual keys.\u003c/p\u003e\n"],["\u003cp\u003eGenerating the hash requires the unwrapped key, resource name, and perimeter ID used during key wrapping.\u003c/p\u003e\n"],["\u003cp\u003eIt utilizes HMAC-SHA256, using the unwrapped key as the key and a concatenation of resource details as data for the hash calculation.\u003c/p\u003e\n"],["\u003cp\u003eThe resource name and perimeter ID need to be UTF-8 encoded strings for the hash generation.\u003c/p\u003e\n"]]],["The core mechanism is generating a resource key hash to verify wrapped encryption key integrity. This involves using HMAC-SHA256 with the unwrapped DEK as the key and a specific concatenation of metadata as data. The metadata consists of \"ResourceKeyDigest:\", the UTF-8 encoded `resource_name`, \":\", and the UTF-8 encoded `perimeter_id`. An example shows generating the hash using `openssl` with a sample `resource_name`, `perimeter_id`, and `unwrapped_dek`.\n"],null,["# Resource key hash\n\nThe resource key hash is a mechanism allowing Google to verify the integrity of\nthe wrapped encryption keys without having access to the keys.\n\nGenerating the resource key hash requires access to the unwrapped key including\nthe DEK, the `resource_name` and the `perimeter_id` specified during the key\nwrapping operation.\n\nWe use the cryptographic function HMAC-SHA256 with `unwrapped_dek` as a key and\nthe concatenation of metadata as data\n`(\"ResourceKeyDigest:\", resource_name, \":\", perimeter_id)`.\nThe `resource_name` and `perimeter_id` should be UTF-8 encoded strings.\n\nFor example, when `resource_name = \"my_resource\"`,\n`perimeter_id = \"my_perimeter\"` and `unwrapped_dek = 0xf00d`, the resource key\nhash is: \n\n echo -n \"ResourceKeyDigest:my_resource:my_perimeter\" | openssl sha256 -mac HMAC -macopt hexkey:f00d -binary"]]
