com.ibm.cloud.ibm_key_protect_api.v2

Class IbmKeyProtectApi

java.lang.Object

com.ibm.cloud.sdk.core.service.BaseService

com.ibm.cloud.ibm_key_protect_api.v2.IbmKeyProtectApi

public class IbmKeyProtectApi
extends com.ibm.cloud.sdk.core.service.BaseService

IBM Key Protect helps you provision encrypted keys for apps across IBM Cloud. As you manage the lifecycle of your keys, you can benefit from knowing that your keys are secured by cloud-based FIPS 140-2 Level 3 hardware security modules (HSMs) that protect against theft of information. You can use the Key Protect API to store, generate, and retrieve your key material. Keys within the service can protect any type of data in your symmetric key based encryption solution.

Version:

v2

Field Summary

Fields

Modifier and Type	Field and Description
static int	DEFAULT_MAX_RETRY
static long	DEFAULT_RETRY_MAX_INTERVAL
static String	DEFAULT_SERVICE_NAME

Fields inherited from class com.ibm.cloud.sdk.core.service.BaseService

PROPNAME_DISABLE_SSL, PROPNAME_ENABLE_GZIP, PROPNAME_ENABLE_RETRIES, PROPNAME_MAX_RETRIES, PROPNAME_RETRY_INTERVAL, PROPNAME_URL

Constructor Summary

Constructors

Constructor and Description
IbmKeyProtectApi(String serviceName, com.ibm.cloud.sdk.core.security.Authenticator authenticator) Constructs an instance of the `IbmKeyProtectApi` client.
IbmKeyProtectApi(String serviceName, com.ibm.cloud.sdk.core.security.Authenticator authenticator, int maxRetry, long retryMaxInterval) Constructs an instance of the `IbmKeyProtectApi` client.
IbmKeyProtectApi(String serviceName, com.ibm.cloud.sdk.core.security.Authenticator authenticator, String keyRingId) Constructs an instance of the `IbmKeyProtectApi` client, and use the key ring in the instance The specified service name, authenticator and key ring ID are used to configure the client instance.
IbmKeyProtectApi(String serviceName, com.ibm.cloud.sdk.core.security.Authenticator authenticator, String keyRingId, int maxRetry, long retryMaxInterval) Constructs an instance of the `IbmKeyProtectApi` client.

Method Summary

Modifier and Type	Method and Description
com.ibm.cloud.sdk.core.http.ServiceCall<KeyActionOneOfResponse>	actionOnKey(ActionOnKeyOptions actionOnKeyOptions) Invoke an action on a key.
com.ibm.cloud.sdk.core.http.ServiceCall<Key>	createKey(CreateKeyOptions createKeyOptions) Create a key.
com.ibm.cloud.sdk.core.http.ServiceCall<KeyAlias>	createKeyAlias(CreateKeyAliasOptions createKeyAliasOptions) Create an alias.
com.ibm.cloud.sdk.core.http.ServiceCall<Void>	createKeyRing(CreateKeyRingOptions createKeyRingOptions) Create Key Ring.
com.ibm.cloud.sdk.core.http.ServiceCall<DeleteKey>	deleteKey(DeleteKeyOptions deleteKeyOptions) Delete a key.
com.ibm.cloud.sdk.core.http.ServiceCall<Void>	deleteKeyAlias(DeleteKeyAliasOptions deleteKeyAliasOptions) Delete an alias.
com.ibm.cloud.sdk.core.http.ServiceCall<Void>	deleteKeyRing(DeleteKeyRingOptions deleteKeyRingOptions) Delete Key Ring.
com.ibm.cloud.sdk.core.http.ServiceCall<Void>	disableKey(DisableKeyOptions disableKeyOptions) Disable a key.
com.ibm.cloud.sdk.core.http.ServiceCall<Void>	enableKey(EnableKeyOptions enableKeyOptions) Enable a key.
com.ibm.cloud.sdk.core.http.ServiceCall<Void>	eventAcknowledge(EventAcknowledgeOptions eventAcknowledgeOptions) Acknowledge key events.
com.ibm.cloud.sdk.core.http.ServiceCall<AllowedIPPort>	getAllowedIPPort(GetAllowedIPPortOptions getAllowedIpPortOptions) Retrieve allowed IP port.
com.ibm.cloud.sdk.core.http.ServiceCall<GetImportToken>	getImportToken(GetImportTokenOptions getImportTokenOptions) Retrieve an import token.
com.ibm.cloud.sdk.core.http.ServiceCall<GetInstancePoliciesOneOf>	getInstancePolicy(GetInstancePolicyOptions getInstancePolicyOptions) List instance policies.
com.ibm.cloud.sdk.core.http.ServiceCall<GetKey>	getKey(GetKeyOptions getKeyOptions) Retrieve a key.
com.ibm.cloud.sdk.core.http.ServiceCall<Void>	getKeyCollectionMetadata(GetKeyCollectionMetadataOptions getKeyCollectionMetadataOptions) Retrieve key total.
com.ibm.cloud.sdk.core.http.ServiceCall<GetKeyMetadata>	getKeyMetadata(GetKeyMetadataOptions getKeyMetadataOptions) Retrieve key metadata.
com.ibm.cloud.sdk.core.http.ServiceCall<ListKeys>	getKeys(GetKeysOptions getKeysOptions) List keys.
com.ibm.cloud.sdk.core.http.ServiceCall<ListKeyVersions>	getKeyVersions(GetKeyVersionsOptions getKeyVersionsOptions) List key versions.
com.ibm.cloud.sdk.core.http.ServiceCall<GetKeyPoliciesOneOf>	getPolicy(GetPolicyOptions getPolicyOptions) List key policies.
com.ibm.cloud.sdk.core.http.ServiceCall<RegistrationWithTotalCount>	getRegistrations(GetRegistrationsOptions getRegistrationsOptions) List registrations for a key.
com.ibm.cloud.sdk.core.http.ServiceCall<RegistrationWithTotalCount>	getRegistrationsAllKeys(GetRegistrationsAllKeysOptions getRegistrationsAllKeysOptions) List registrations for any key.
com.ibm.cloud.sdk.core.http.ServiceCall<ListKeyRings>	listKeyRings(ListKeyRingsOptions listKeyRingsOptions) List Key Rings.
static IbmKeyProtectApi	newInstance() Class method which constructs an instance of the `IbmKeyProtectApi` client.
static IbmKeyProtectApi	newInstance(com.ibm.cloud.sdk.core.security.Authenticator authenticator) Class method which constructs an instance of the `IbmKeyProtectApi` client.
static IbmKeyProtectApi	newInstance(com.ibm.cloud.sdk.core.security.Authenticator authenticator, int maxRetry, long retryMaxInterval) Class method which constructs an instance of the `IbmKeyProtectApi` client.
static IbmKeyProtectApi	newInstance(com.ibm.cloud.sdk.core.security.Authenticator authenticator, String keyRingId) Class method which constructs an instance of the `IbmKeyProtectApi` client.
static IbmKeyProtectApi	newInstance(com.ibm.cloud.sdk.core.security.Authenticator authenticator, String keyRingId, int maxRetry, long retryMaxInterval) Class method which constructs an instance of the `IbmKeyProtectApi` client.
static IbmKeyProtectApi	newInstance(String serviceName) Class method which constructs an instance of the `IbmKeyProtectApi` client.
com.ibm.cloud.sdk.core.http.ServiceCall<PatchKeyResponseBody>	patchKey(PatchKeyOptions patchKeyOptions) Update (patch) a key.
com.ibm.cloud.sdk.core.http.ServiceCall<ImportToken>	postImportToken(PostImportTokenOptions postImportTokenOptions) Create an import token.
com.ibm.cloud.sdk.core.http.ServiceCall<PurgeKey>	purgeKey(PurgeKeyOptions purgeKeyOptions) Purge a deleted key.
com.ibm.cloud.sdk.core.http.ServiceCall<Void>	putInstancePolicy(PutInstancePolicyOptions putInstancePolicyOptions) Set instance policies.
com.ibm.cloud.sdk.core.http.ServiceCall<GetKeyPoliciesOneOf>	putPolicy(PutPolicyOptions putPolicyOptions) Set key policies.
com.ibm.cloud.sdk.core.http.ServiceCall<InputStream>	restoreKey(RestoreKeyOptions restoreKeyOptions) Restore a key.
com.ibm.cloud.sdk.core.http.ServiceCall<RewrapKeyResponseBody>	rewrapKey(RewrapKeyOptions rewrapKeyOptions) Rewrap a key.
com.ibm.cloud.sdk.core.http.ServiceCall<Void>	rotateKey(RotateKeyOptions rotateKeyOptions) Rotate a key.
com.ibm.cloud.sdk.core.http.ServiceCall<Void>	setKeyForDeletion(SetKeyForDeletionOptions setKeyForDeletionOptions) Set a key for deletion.
com.ibm.cloud.sdk.core.http.ServiceCall<Void>	syncAssociatedResources(SyncAssociatedResourcesOptions syncAssociatedResourcesOptions) Sync associated resources.
com.ibm.cloud.sdk.core.http.ServiceCall<Void>	unsetKeyForDeletion(UnsetKeyForDeletionOptions unsetKeyForDeletionOptions) Unset a key for deletion.
com.ibm.cloud.sdk.core.http.ServiceCall<UnwrapKeyResponseBody>	unwrapKey(UnwrapKeyOptions unwrapKeyOptions) Unwrap a key.
com.ibm.cloud.sdk.core.http.ServiceCall<WrapKeyResponseBody>	wrapKey(WrapKeyOptions wrapKeyOptions) Wrap a key.

Methods inherited from class com.ibm.cloud.sdk.core.service.BaseService

configureClient, configureService, constructServiceUrl, constructServiceURL, disableRetries, enableGzipCompression, enableRetries, getAuthenticator, getClient, getDefaultHeaders, getEndPoint, getName, getServiceUrl, isJsonMimeType, isJsonPatchMimeType, setClient, setDefaultHeaders, setEndPoint, setServiceUrl, toString

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

DEFAULT_SERVICE_NAME

public static final String DEFAULT_SERVICE_NAME

See Also:

Constant Field Values

DEFAULT_MAX_RETRY

public static final int DEFAULT_MAX_RETRY

See Also:

Constant Field Values

DEFAULT_RETRY_MAX_INTERVAL

public static final long DEFAULT_RETRY_MAX_INTERVAL

See Also:

Constant Field Values

Constructor Detail

IbmKeyProtectApi

public IbmKeyProtectApi(String serviceName,
                        com.ibm.cloud.sdk.core.security.Authenticator authenticator)

Constructs an instance of the `IbmKeyProtectApi` client. The specified service name and authenticator are used to configure the client instance.

Parameters:

serviceName - the service name to be used when configuring the client instance

authenticator - the Authenticator instance to be configured for this client

IbmKeyProtectApi

public IbmKeyProtectApi(String serviceName,
                        com.ibm.cloud.sdk.core.security.Authenticator authenticator,
                        String keyRingId)

Constructs an instance of the `IbmKeyProtectApi` client, and use the key ring in the instance The specified service name, authenticator and key ring ID are used to configure the client instance.

Parameters:

serviceName - the service name to be used when configuring the client instance

authenticator - the Authenticator instance to be configured for this client

keyRingId - Key Ring ID of the key ring which the client will be bound to

IbmKeyProtectApi

public IbmKeyProtectApi(String serviceName,
                        com.ibm.cloud.sdk.core.security.Authenticator authenticator,
                        int maxRetry,
                        long retryMaxInterval)

Constructs an instance of the `IbmKeyProtectApi` client. The specified service name, authenticator, retries and intervals are used to configure the client instance.

Parameters:

serviceName - the service name to be used when configuring the client instance

authenticator - the Authenticator instance to be configured for this client

maxRetry - maximum number of retry attempts for failed HTTP requests

retryMaxInterval - maximum time interval between two subsequent retries

IbmKeyProtectApi

public IbmKeyProtectApi(String serviceName,
                        com.ibm.cloud.sdk.core.security.Authenticator authenticator,
                        String keyRingId,
                        int maxRetry,
                        long retryMaxInterval)

Constructs an instance of the `IbmKeyProtectApi` client. The specified service name, authenticator, key ring ID, retries and intervals are used to configure the client instance.

Parameters:

serviceName - the service name to be used when configuring the client instance

authenticator - the Authenticator instance to be configured for this client

keyRingId - Key Ring ID of the key ring which the client will be bound to

maxRetry - maximum number of retry attempts for failed HTTP requests

retryMaxInterval - maximum time interval between two subsequent retries

Method Detail

newInstance

public static IbmKeyProtectApi newInstance()

Class method which constructs an instance of the `IbmKeyProtectApi` client. The default service name is used to configure the client instance.

Returns:

an instance of the `IbmKeyProtectApi` client using external configuration

newInstance

public static IbmKeyProtectApi newInstance(com.ibm.cloud.sdk.core.security.Authenticator authenticator)

Class method which constructs an instance of the `IbmKeyProtectApi` client. The default service name is used to configure the client instance. The specified authenticator is used to configure the client instance.

Parameters:

authenticator - the Authenticator instance to be configured for this client

Returns:

an instance of the `IbmKeyProtectApi` client using external configuration

newInstance

public static IbmKeyProtectApi newInstance(com.ibm.cloud.sdk.core.security.Authenticator authenticator,
                                           int maxRetry,
                                           long retryMaxInterval)

Class method which constructs an instance of the `IbmKeyProtectApi` client. The default service name is used to configure the client instance. The specified authenticator is used to configure the client instance. The specified retry attempts and intervals can be passed

Parameters:

authenticator - the Authenticator instance to be configured for this client

maxRetry - maximum number of retry attempts for failed HTTP requests

retryMaxInterval - maximum time interval between two subsequent retries

Returns:

an instance of the `IbmKeyProtectApi` client using external configuration

newInstance

public static IbmKeyProtectApi newInstance(com.ibm.cloud.sdk.core.security.Authenticator authenticator,
                                           String keyRingId)

Class method which constructs an instance of the `IbmKeyProtectApi` client. The default service name is used to configure the client instance. The specified authenticator is used to configure the client instance. The specified key ring ID is used to configure the client instance.

Parameters:

authenticator - the Authenticator instance to be configured for this client

keyRingId - Key Ring ID of the key ring which the client will be bound to

Returns:

an instance of the `IbmKeyProtectApi` client using external configuration

newInstance

public static IbmKeyProtectApi newInstance(com.ibm.cloud.sdk.core.security.Authenticator authenticator,
                                           String keyRingId,
                                           int maxRetry,
                                           long retryMaxInterval)

Class method which constructs an instance of the `IbmKeyProtectApi` client. The default service name is used to configure the client instance. The specified authenticator is used to configure the client instance. The specified key ring ID is used to configure the client instance. The specified retry attempts and intervals can be passed

Parameters:

authenticator - the Authenticator instance to be configured for this client

keyRingId - Key Ring ID of the key ring which the client will be bound to

maxRetry - maximum number of retry attempts for failed HTTP requests

retryMaxInterval - maximum time interval between two subsequent retries

Returns:

an instance of the `IbmKeyProtectApi` client using external configuration

newInstance

public static IbmKeyProtectApi newInstance(String serviceName)

Class method which constructs an instance of the `IbmKeyProtectApi` client. The specified service name is used to configure the client instance.

Parameters:

serviceName - the service name to be used when configuring the client instance

Returns:

an instance of the `IbmKeyProtectApi` client using external configuration

createKeyAlias

public com.ibm.cloud.sdk.core.http.ServiceCall<KeyAlias> createKeyAlias(CreateKeyAliasOptions createKeyAliasOptions)

Create an alias.

Creates an alias for the specified key.

Parameters:

createKeyAliasOptions - the CreateKeyAliasOptions containing the options for the call

Returns:

a ServiceCall with a result of type KeyAlias

deleteKeyAlias

public com.ibm.cloud.sdk.core.http.ServiceCall<Void> deleteKeyAlias(DeleteKeyAliasOptions deleteKeyAliasOptions)

Delete an alias.

Deletes an alias from the associated key.

Delete alias does not delete the key.

Parameters:

deleteKeyAliasOptions - the DeleteKeyAliasOptions containing the options for the call

Returns:

a ServiceCall with a void result

postImportToken

public com.ibm.cloud.sdk.core.http.ServiceCall<ImportToken> postImportToken(PostImportTokenOptions postImportTokenOptions)

Create an import token.

Creates an import token that you can use to encrypt and import root keys into the service. [Learn more](/docs/key-protect?topic=key-protect-importing-keys#using-import-tokens)

When you call `POST /import_token`, Key Protect creates an RSA key-pair from its HSMs. The service encrypts and stores the private key in the HSM, and returns the corresponding public key when you call `GET /import_token`. You can create only one import token per service instance.

Parameters:

postImportTokenOptions - the PostImportTokenOptions containing the options for the call

Returns:

a ServiceCall with a result of type ImportToken

getImportToken

public com.ibm.cloud.sdk.core.http.ServiceCall<GetImportToken> getImportToken(GetImportTokenOptions getImportTokenOptions)

Retrieve an import token.

Retrieves the import token that is associated with your service instance.

When you call `GET /import_token`, Key Protect returns the public key that you can use to encrypt and import key material to the service, along with details about the key.

**Note:** After you reach the `maxAllowedRetrievals` or `expirationDate` for the import token, the import token and its associated public key can no longer be used for key operations. To create a new import token, use `POST /import_token`.

Parameters:

getImportTokenOptions - the GetImportTokenOptions containing the options for the call

Returns:

a ServiceCall with a result of type GetImportToken

wrapKey

public com.ibm.cloud.sdk.core.http.ServiceCall<WrapKeyResponseBody> wrapKey(WrapKeyOptions wrapKeyOptions)

Wrap a key.

Use a root key to [wrap or encrypt a data encryption key](/docs/key-protect?topic=key-protect-wrap-keys).

Parameters:

wrapKeyOptions - the WrapKeyOptions containing the options for the call

Returns:

a ServiceCall with a result of type WrapKeyResponseBody

unwrapKey

public com.ibm.cloud.sdk.core.http.ServiceCall<UnwrapKeyResponseBody> unwrapKey(UnwrapKeyOptions unwrapKeyOptions)

Unwrap a key.

Use a root key to [unwrap or decrypt a data encryption key](/docs/key-protect?topic=key-protect-unwrap-keys).

**Note:** When you unwrap a wrapped data encryption key (WDEK) by using a rotated root key, the service returns a new ciphertext in the response entity-body. Each ciphertext remains available for `unwrap` actions. If you unwrap a DEK with a previous ciphertext, the service also returns the latest ciphertext and latest key version in the response. Use the latest ciphertext for future unwrap operations.

Parameters:

unwrapKeyOptions - the UnwrapKeyOptions containing the options for the call

Returns:

a ServiceCall with a result of type UnwrapKeyResponseBody

rewrapKey

public com.ibm.cloud.sdk.core.http.ServiceCall<RewrapKeyResponseBody> rewrapKey(RewrapKeyOptions rewrapKeyOptions)

Rewrap a key.

Use a root key to [rewrap or reencrypt a data encryption key](/docs/key-protect?topic=key-protect-rewrap-keys).

Parameters:

rewrapKeyOptions - the RewrapKeyOptions containing the options for the call

Returns:

a ServiceCall with a result of type RewrapKeyResponseBody

rotateKey

public com.ibm.cloud.sdk.core.http.ServiceCall<Void> rotateKey(RotateKeyOptions rotateKeyOptions)

Rotate a key.

[Create a new version](/docs/key-protect?topic=key-protect-rotate-keys) of a root key.

Parameters:

rotateKeyOptions - the RotateKeyOptions containing the options for the call

Returns:

a ServiceCall with a void result

setKeyForDeletion

public com.ibm.cloud.sdk.core.http.ServiceCall<Void> setKeyForDeletion(SetKeyForDeletionOptions setKeyForDeletionOptions)

Set a key for deletion.

[Authorize deletion](/docs/key-protect?topic=key-protect-delete-dual-auth-keys#set-key-deletion-api) for a key with a dual authorization policy.

Parameters:

setKeyForDeletionOptions - the SetKeyForDeletionOptions containing the options for the call

Returns:

a ServiceCall with a void result

unsetKeyForDeletion

public com.ibm.cloud.sdk.core.http.ServiceCall<Void> unsetKeyForDeletion(UnsetKeyForDeletionOptions unsetKeyForDeletionOptions)

Unset a key for deletion.

[Remove an authorization](/docs/key-protect?topic=key-protect-delete-dual-auth-keys#unset-key-deletion-api) for a key with a dual authorization policy.

Parameters:

unsetKeyForDeletionOptions - the UnsetKeyForDeletionOptions containing the options for the call

Returns:

a ServiceCall with a void result

enableKey

public com.ibm.cloud.sdk.core.http.ServiceCall<Void> enableKey(EnableKeyOptions enableKeyOptions)

Enable a key.

[Enable operations](/docs/key-protect?topic=key-protect-disable-keys#enable-api) for a key.

Parameters:

enableKeyOptions - the EnableKeyOptions containing the options for the call

Returns:

a ServiceCall with a void result

disableKey

public com.ibm.cloud.sdk.core.http.ServiceCall<Void> disableKey(DisableKeyOptions disableKeyOptions)

Disable a key.

[Disable operations](/docs/key-protect?topic=key-protect-disable-keys) for a key.

Parameters:

disableKeyOptions - the DisableKeyOptions containing the options for the call

Returns:

a ServiceCall with a void result

syncAssociatedResources

public com.ibm.cloud.sdk.core.http.ServiceCall<Void> syncAssociatedResources(SyncAssociatedResourcesOptions syncAssociatedResourcesOptions)

Sync associated resources.

Initiate a manual data synchronization request to the associated resources of a key. Regular key lifecycle events automatically notify integrated services of the change, however, in the case a service does not respond to a key lifecycle event notification, the `sync` API may be used to initiate a renotification to the integrated services that manage the associated resources linked to the key.

**Note:** The services that manage the associated resources linked to the key are responsible for maintaining up-to-date records of the key state and version. Key Protect does not have the ability to force data synchronization for other services. The `sync` API is purely to **initiate** a request for all associated resources to synchronize their key records with what the Key Protect API returns.

Parameters:

syncAssociatedResourcesOptions - the SyncAssociatedResourcesOptions containing the options for the call

Returns:

a ServiceCall with a void result

eventAcknowledge

public com.ibm.cloud.sdk.core.http.ServiceCall<Void> eventAcknowledge(EventAcknowledgeOptions eventAcknowledgeOptions)

Acknowledge key events.

**Service to service calls only.** Acknowledges a key lifecycle event.

When a customer performs an action on a root key, Key Protect uses Hyperwarp to notify the cloud services that are registered with the key. To acknowledge the Hyperwarp event, registered services must call `POST /api/v2/event_ack`.

Parameters:

eventAcknowledgeOptions - the EventAcknowledgeOptions containing the options for the call

Returns:

a ServiceCall with a void result

listKeyRings

public com.ibm.cloud.sdk.core.http.ServiceCall<ListKeyRings> listKeyRings(ListKeyRingsOptions listKeyRingsOptions)

List Key Rings.

List all key rings in the instance.

Parameters:

listKeyRingsOptions - the ListKeyRingsOptions containing the options for the call

Returns:

a ServiceCall with a result of type ListKeyRings

createKeyRing

public com.ibm.cloud.sdk.core.http.ServiceCall<Void> createKeyRing(CreateKeyRingOptions createKeyRingOptions)

Create Key Ring.

Create a key ring in the instance with the specified name. The key ring ID `default` is a reserved key ring ID and cannot be created nor destroyed. The default key ring is initial key ring that is generated with each newly created instance. All keys not associated with an otherwise specified key ring exist within the default key ring.

Parameters:

createKeyRingOptions - the CreateKeyRingOptions containing the options for the call

Returns:

a ServiceCall with a void result

deleteKeyRing

public com.ibm.cloud.sdk.core.http.ServiceCall<Void> deleteKeyRing(DeleteKeyRingOptions deleteKeyRingOptions)

Delete Key Ring.

Delete the key ring from the instance. key ring ID `default` cannot be destroyed. Currently, only key rings with 0 (zero) keys, in any state [Active (1), Suspended (2), Deactivated (3), Destroyed (5)], may be deleted.

Parameters:

deleteKeyRingOptions - the DeleteKeyRingOptions containing the options for the call

Returns:

a ServiceCall with a void result

getKeyCollectionMetadata

public com.ibm.cloud.sdk.core.http.ServiceCall<Void> getKeyCollectionMetadata(GetKeyCollectionMetadataOptions getKeyCollectionMetadataOptions)

Retrieve key total.

Returns the same HTTP headers as a GET request without returning the entity-body. This operation returns the number of keys in your instance in a header called `Key-Total`.

Parameters:

getKeyCollectionMetadataOptions - the GetKeyCollectionMetadataOptions containing the options for the call

Returns:

a ServiceCall with a void result

createKey

public com.ibm.cloud.sdk.core.http.ServiceCall<Key> createKey(CreateKeyOptions createKeyOptions)

Create a key.

Creates a new key with specified key material.

Key Protect designates the resource as either a root key or a standard key based on the `extractable` value that you specify. A successful `POST /keys` operation adds the key to the service and returns the details of the request in the response entity-body, if the Prefer header is set to `return=representation`.

Parameters:

createKeyOptions - the CreateKeyOptions containing the options for the call

Returns:

a ServiceCall with a result of type Key

getKeys

public com.ibm.cloud.sdk.core.http.ServiceCall<ListKeys> getKeys(GetKeysOptions getKeysOptions)

List keys.

Retrieves a list of keys that are stored in your Key Protect service instance.

**Note:** `GET /keys` will not return the key material in the response body. You can retrieve the key material for a standard key with a subsequent `GET /keys/{id}` request.

Parameters:

getKeysOptions - the GetKeysOptions containing the options for the call

Returns:

a ServiceCall with a result of type ListKeys

getKey

public com.ibm.cloud.sdk.core.http.ServiceCall<GetKey> getKey(GetKeyOptions getKeyOptions)

Retrieve a key.

Retrieves a key and its details by specifying the ID or alias of the key.

Parameters:

getKeyOptions - the GetKeyOptions containing the options for the call

Returns:

a ServiceCall with a result of type GetKey

actionOnKey

public com.ibm.cloud.sdk.core.http.ServiceCall<KeyActionOneOfResponse> actionOnKey(ActionOnKeyOptions actionOnKeyOptions)

Invoke an action on a key.

**Note:** This API has been **deprecated** and transitioned to individual request paths. Existing actions using this API will continue to be supported, but new actions will no longer be added to it. We recommend, if possible, aligning your request URLs to the new API path. The generic format of actions is now the following: `/api/v2/keys/<key_ID>/actions/<action>` where `key_ID` is the key you want to operate on/with and `action` is the same action that was passed as a query parameter previously.

Invokes an action on a specified key. This method supports the following actions:

- `disable`: [Disable operations](/docs/key-protect?topic=key-protect-disable-keys) for a key - `enable`: [Enable operations](/docs/key-protect?topic=key-protect-disable-keys#enable-api) for a key - `restore`: [Restore a root key](/docs/key-protect?topic=key-protect-restore-keys) - `rewrap`: Use a root key to [rewrap or reencrypt a data encryption key](/docs/key-protect?topic=key-protect-rewrap-keys) - `rotate`: [Create a new version](/docs/key-protect?topic=key-protect-rotate-keys) of a root key - `setKeyForDeletion`: [Authorize deletion](/docs/key-protect?topic=key-protect-delete-dual-auth-keys#set-key-deletion-api) for a key with a dual authorization policy - `unsetKeyForDeletion`: [Remove an authorization]((/docs/key-protect?topic=key-protect-delete-dual-auth-keys#unset-key-deletion-api) for a key with a dual authorization policy - `unwrap`: Use a root key to [unwrap or decrypt a data encryption key](/docs/key-protect?topic=key-protect-unwrap-keys) - `wrap`: Use a root key to [wrap or encrypt a data encryption key](/docs/key-protect?topic=key-protect-wrap-keys)

**Note:** When you unwrap a wrapped data encryption key (WDEK) by using a rotated root key, the service returns a new ciphertext in the response entity-body. Each ciphertext remains available for `unwrap` actions. If you unwrap a DEK with a previous ciphertext, the service also returns the latest ciphertext and latest key version in the response. Use the latest ciphertext for future unwrap operations.

Parameters:

actionOnKeyOptions - the ActionOnKeyOptions containing the options for the call

Returns:

a ServiceCall with a result of type KeyActionOneOfResponse

patchKey

public com.ibm.cloud.sdk.core.http.ServiceCall<PatchKeyResponseBody> patchKey(PatchKeyOptions patchKeyOptions)

Update (patch) a key.

Update attributes of a key. Currently only the following attributes are applicable for update: - keyRingID Note: If provided, the `X-Kms-Key-Ring` header should specify the key's current key ring. To change the key ring of the key, specify the new key ring in the request body.

Parameters:

patchKeyOptions - the PatchKeyOptions containing the options for the call

Returns:

a ServiceCall with a result of type PatchKeyResponseBody

deleteKey

public com.ibm.cloud.sdk.core.http.ServiceCall<DeleteKey> deleteKey(DeleteKeyOptions deleteKeyOptions)

Delete a key.

Deletes a key by specifying the ID of the key.

By default, Key Protect requires a single authorization to delete keys. For added protection, you can [enable a dual authorization policy](#set-key-policies) to safely delete keys from your service instance.

**Important:** When you delete a key, you permanently shred its contents and associated data. The action cannot be reversed.

**Note:** By default, Key Protect blocks the deletion of a key that's protecting a cloud resource, such as a Cloud Object Storage bucket. Use `GET keys/{id}/registrations` to verify if the key has an active registration to a resource. To delete the key and its associated registrations, set the optional `force` parameter to `true`.

Parameters:

deleteKeyOptions - the DeleteKeyOptions containing the options for the call

Returns:

a ServiceCall with a result of type DeleteKey

getKeyMetadata

public com.ibm.cloud.sdk.core.http.ServiceCall<GetKeyMetadata> getKeyMetadata(GetKeyMetadataOptions getKeyMetadataOptions)

Retrieve key metadata.

Retrieves the details of a key by specifying the ID of the key.

Parameters:

getKeyMetadataOptions - the GetKeyMetadataOptions containing the options for the call

Returns:

a ServiceCall with a result of type GetKeyMetadata

purgeKey

public com.ibm.cloud.sdk.core.http.ServiceCall<PurgeKey> purgeKey(PurgeKeyOptions purgeKeyOptions)

Purge a deleted key.

Purge all key metadata and registrations associated with the specified key. Purge key can only be applied to a key in the Destroyed (5) state. After a key is deleted, there is a wait period of up to four hours before purge key operation is allowed. **Important:** When you purge a key, you permanently shred its contents and associated data. The action cannot be reversed.

Parameters:

purgeKeyOptions - the PurgeKeyOptions containing the options for the call

Returns:

a ServiceCall with a result of type PurgeKey

restoreKey

public com.ibm.cloud.sdk.core.http.ServiceCall<InputStream> restoreKey(RestoreKeyOptions restoreKeyOptions)

Restore a key.

[Restore a key](/docs/key-protect?topic=key-protect-restore-keys).

Parameters:

restoreKeyOptions - the RestoreKeyOptions containing the options for the call

Returns:

a ServiceCall with a result of type InputStream

getKeyVersions

public com.ibm.cloud.sdk.core.http.ServiceCall<ListKeyVersions> getKeyVersions(GetKeyVersionsOptions getKeyVersionsOptions)

List key versions.

Retrieves all versions of a root key by specifying the ID of the key.

When you rotate a root key, you generate a new version of the key. If you're using the root key to protect resources across IBM Cloud, the stered cloud services that you associate with the key use the latest key version to wrap your data. [Learn more](/docs/key-protect?topic=key-protect-key-rotation).

Parameters:

getKeyVersionsOptions - the GetKeyVersionsOptions containing the options for the call

Returns:

a ServiceCall with a result of type ListKeyVersions

putPolicy

public com.ibm.cloud.sdk.core.http.ServiceCall<GetKeyPoliciesOneOf> putPolicy(PutPolicyOptions putPolicyOptions)

Set key policies.

Creates or updates one or more policies for the specified key.

You can set policies for a key, such as an [automatic rotation policy](/docs/key-protect?topic=key-protect-set-rotation-policy) or a [dual authorization policy](/docs/key-protect?topic=key-protect-set-dual-auth-key-policy) to protect against the accidental deletion of keys. Use `PUT /keys/{id}/policies` to create new policies for a key or update an existing policy.

Parameters:

putPolicyOptions - the PutPolicyOptions containing the options for the call

Returns:

a ServiceCall with a result of type GetKeyPoliciesOneOf

getPolicy

public com.ibm.cloud.sdk.core.http.ServiceCall<GetKeyPoliciesOneOf> getPolicy(GetPolicyOptions getPolicyOptions)

List key policies.

Retrieves a list of policies that are associated with a specified key.

You can set policies for a key, such as an [automatic rotation policy](/docs/key-protect?topic=key-protect-set-rotation-policy) or a [dual authorization policy](/docs/key-protect?topic=key-protect-set-dual-auth-key-policy) to protect against the accidental deletion of keys. Use `GET /keys/{id}/policies` to browse the policies that exist for a specified key.

Parameters:

getPolicyOptions - the GetPolicyOptions containing the options for the call

Returns:

a ServiceCall with a result of type GetKeyPoliciesOneOf

putInstancePolicy

public com.ibm.cloud.sdk.core.http.ServiceCall<Void> putInstancePolicy(PutInstancePolicyOptions putInstancePolicyOptions)

Set instance policies.

Creates or updates one or more policies for the specified service instance.

**Note:** When you set an instance policy, Key Protect associates the policy information with keys that you add to the instance after the policy is updated. This operation does not affect existing keys in the instance.

Parameters:

putInstancePolicyOptions - the PutInstancePolicyOptions containing the options for the call

Returns:

a ServiceCall with a void result

getInstancePolicy

public com.ibm.cloud.sdk.core.http.ServiceCall<GetInstancePoliciesOneOf> getInstancePolicy(GetInstancePolicyOptions getInstancePolicyOptions)

List instance policies.

Retrieves a list of policies that are associated with a specified service instance.

You can manage advanced preferences for keys in your service instance by creating instance-level policies. Use `GET /instance/policies` to browse the policies that are associated with the specified instance. Currently, dual authorization policies are supported.

Parameters:

getInstancePolicyOptions - the GetInstancePolicyOptions containing the options for the call

Returns:

a ServiceCall with a result of type GetInstancePoliciesOneOf

getAllowedIPPort

public com.ibm.cloud.sdk.core.http.ServiceCall<AllowedIPPort> getAllowedIPPort(GetAllowedIPPortOptions getAllowedIpPortOptions)

Retrieve allowed IP port.

Retrieves the private endpoint port associated with your service instance's active allowed IP policy. If the instance does not contain an active allowed IP policy, no information will be returned.

Parameters:

getAllowedIpPortOptions - the GetAllowedIPPortOptions containing the options for the call

Returns:

a ServiceCall with a result of type AllowedIPPort

getRegistrations

public com.ibm.cloud.sdk.core.http.ServiceCall<RegistrationWithTotalCount> getRegistrations(GetRegistrationsOptions getRegistrationsOptions)

List registrations for a key.

Retrieves a list of registrations that are associated with a specified root key.

When you use a root key to protect an IBM Cloud resource, such as a Cloud Object Storage bucket, Key Protect creates a registration between the resource and root key. You can use `GET /keys/{id}/registrations` to understand which cloud resources are protected by the key that you specify.

Parameters:

getRegistrationsOptions - the GetRegistrationsOptions containing the options for the call

Returns:

a ServiceCall with a result of type RegistrationWithTotalCount

getRegistrationsAllKeys

public com.ibm.cloud.sdk.core.http.ServiceCall<RegistrationWithTotalCount> getRegistrationsAllKeys(GetRegistrationsAllKeysOptions getRegistrationsAllKeysOptions)

List registrations for any key.

Retrieves a list of registrations that match the Cloud Resource Name (CRN) query that you specify.

When you use a root key to protect an IBM Cloud resource, such as a Cloud Object Storage bucket, Key Protect creates a registration between the resource and root key. You can use `GET /keys/registrations` to understand which cloud resources are protected by keys in your Key Protect service instance.

Parameters:

getRegistrationsAllKeysOptions - the GetRegistrationsAllKeysOptions containing the options for the call

Returns:

a ServiceCall with a result of type RegistrationWithTotalCount