CryptoKeyVersionAlgorithm
The algorithm of theCryptoKeyVersion, indicating what parameters must be used for each cryptographic operation.
TheGOOGLE_SYMMETRIC_ENCRYPTION algorithm is usable withCryptoKey.purposeENCRYPT_DECRYPT.
Algorithms beginning withRSA_SIGN_ are usable withCryptoKey.purposeASYMMETRIC_SIGN.
The fields in the name afterRSA_SIGN_ correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm.
For PSS, the salt length used is equal to the length of digest algorithm. For example,RSA_SIGN_PSS_2048_SHA256 will use PSS with a salt length of 256 bits or 32 bytes.
Algorithms beginning withRSA_DECRYPT_ are usable withCryptoKey.purposeASYMMETRIC_DECRYPT.
The fields in the name afterRSA_DECRYPT_ correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm.
Algorithms beginning withEC_SIGN_ are usable withCryptoKey.purposeASYMMETRIC_SIGN.
The fields in the name afterEC_SIGN_ correspond to the following parameters: elliptic curve, digest algorithm.
Algorithms beginning withHMAC_ are usable withCryptoKey.purposeMAC.
The suffix followingHMAC_ corresponds to the hash algorithm being used (eg. SHA256).
Algorithms beginning withPQ_ are post-quantum.
For more information, seeKey purposes and algorithms.
| Enums | |
|---|---|
CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED | Not specified. |
GOOGLE_SYMMETRIC_ENCRYPTION | Creates symmetric encryption keys. |
AES_128_GCM | AES-GCM (Galois Counter Mode) using 128-bit keys. |
AES_256_GCM | AES-GCM (Galois Counter Mode) using 256-bit keys. |
AES_128_CBC | AES-CBC (Cipher Block Chaining Mode) using 128-bit keys. |
AES_256_CBC | AES-CBC (Cipher Block Chaining Mode) using 256-bit keys. |
AES_128_CTR | AES-CTR (Counter Mode) using 128-bit keys. |
AES_256_CTR | AES-CTR (Counter Mode) using 256-bit keys. |
RSA_SIGN_PSS_2048_SHA256 | RSASSA-PSS 2048 bit key with a SHA256 digest. |
RSA_SIGN_PSS_3072_SHA256 | RSASSA-PSS 3072 bit key with a SHA256 digest. |
RSA_SIGN_PSS_4096_SHA256 | RSASSA-PSS 4096 bit key with a SHA256 digest. |
RSA_SIGN_PSS_4096_SHA512 | RSASSA-PSS 4096 bit key with a SHA512 digest. |
RSA_SIGN_PKCS1_2048_SHA256 | RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest. |
RSA_SIGN_PKCS1_3072_SHA256 | RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest. |
RSA_SIGN_PKCS1_4096_SHA256 | RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest. |
RSA_SIGN_PKCS1_4096_SHA512 | RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest. |
RSA_SIGN_RAW_PKCS1_2048 | RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key. |
RSA_SIGN_RAW_PKCS1_3072 | RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key. |
RSA_SIGN_RAW_PKCS1_4096 | RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key. |
RSA_DECRYPT_OAEP_2048_SHA256 | RSAES-OAEP 2048 bit key with a SHA256 digest. |
RSA_DECRYPT_OAEP_3072_SHA256 | RSAES-OAEP 3072 bit key with a SHA256 digest. |
RSA_DECRYPT_OAEP_4096_SHA256 | RSAES-OAEP 4096 bit key with a SHA256 digest. |
RSA_DECRYPT_OAEP_4096_SHA512 | RSAES-OAEP 4096 bit key with a SHA512 digest. |
RSA_DECRYPT_OAEP_2048_SHA1 | RSAES-OAEP 2048 bit key with a SHA1 digest. |
RSA_DECRYPT_OAEP_3072_SHA1 | RSAES-OAEP 3072 bit key with a SHA1 digest. |
RSA_DECRYPT_OAEP_4096_SHA1 | RSAES-OAEP 4096 bit key with a SHA1 digest. |
EC_SIGN_P256_SHA256 | ECDSA on the NIST P-256 curve with a SHA256 digest. Other hash functions can also be used:https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms |
EC_SIGN_P384_SHA384 | ECDSA on the NIST P-384 curve with a SHA384 digest. Other hash functions can also be used:https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms |
EC_SIGN_SECP256K1_SHA256 | ECDSA on the non-NIST secp256k1 curve. This curve is only supported for HSM protection level. Other hash functions can also be used:https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms |
EC_SIGN_ED25519 | EdDSA on the Curve25519 in pure mode (taking data as input). |
HMAC_SHA256 | HMAC-SHA256 signing with a 256 bit key. |
HMAC_SHA1 | HMAC-SHA1 signing with a 160 bit key. |
HMAC_SHA384 | HMAC-SHA384 signing with a 384 bit key. |
HMAC_SHA512 | HMAC-SHA512 signing with a 512 bit key. |
HMAC_SHA224 | HMAC-SHA224 signing with a 224 bit key. |
EXTERNAL_SYMMETRIC_ENCRYPTION | Algorithm representing symmetric encryption by an external key manager. |
ML_KEM_768 | ML-KEM-768 (FIPS 203) |
ML_KEM_1024 | ML-KEM-1024 (FIPS 203) |
KEM_XWING | X-Wing hybrid KEM combining ML-KEM-768 with X25519. |
PQ_SIGN_ML_DSA_65 | The post-quantum Module-Lattice-Based Digital Signature Algorithm, at security level 3. Randomized version. |
PQ_SIGN_SLH_DSA_SHA2_128S | The post-quantum stateless hash-based digital signature algorithm, at security level 1. Randomized version. |
PQ_SIGN_HASH_SLH_DSA_SHA2_128S_SHA256 | The post-quantum stateless hash-based digital signature algorithm, at security level 1. Randomized pre-hash version supporting SHA256 digests. |
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-09-19 UTC.