- Resource: CseKeyPair
- EnablementState
- CsePrivateKeyMetadata
- KaclsKeyMetadata
- HardwareKeyMetadata
- Methods
Resource: CseKeyPair
A client-side encryption S/MIME key pair, which is comprised of a public key, its certificate chain, and metadata for its paired private key. Gmail uses the key pair to complete the following tasks:
- Sign outgoing client-side encrypted messages.
- Save and reopen drafts of client-side encrypted messages.
- Save and reopen sent messages.
- Decrypt incoming or archived S/MIME messages.
| JSON representation |
|---|
{ "keyPairId": string, "pkcs7": string, "pem": string, "subjectEmailAddresses": [ string ], "enablementState": enum ( |
| Fields | |
|---|---|
keyPairId |
Output only. The immutable ID for the client-side encryption S/MIME key pair. |
pkcs7 |
Input only. The public key and its certificate chain. The chain must be in PKCS#7 format and use PEM encoding and ASCII armor. |
pem |
Output only. The public key and its certificate chain, in PEM format. |
subjectEmailAddresses[] |
Output only. The email address identities that are specified on the leaf certificate. |
enablementState |
Output only. The current state of the key pair. |
disableTime |
Output only. If a key pair is set to A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
privateKeyMetadata[] |
Metadata for instances of this key pair's private key. |
EnablementState
The enumeration for the current state of the key pair.
| Enums | |
|---|---|
stateUnspecified |
The current state of the key pair is not set. The key pair is neither turned on nor turned off. |
enabled |
The key pair is turned on. For any email messages that this key pair encrypts, Gmail decrypts the messages and signs any outgoing mail with the private key. To turn on a key pair, use the |
disabled |
The key pair is turned off. Authenticated users cannot decrypt email messages nor sign outgoing messages. If a key pair is turned off for more than 30 days, you can permanently delete it. To turn off a key pair, use the |
CsePrivateKeyMetadata
Metadata for a private key instance.
| JSON representation |
|---|
{ "privateKeyMetadataId": string, // Union field |
| Fields | |
|---|---|
privateKeyMetadataId |
Output only. The immutable ID for the private key metadata instance. |
Union field metadata_variant. Union field: Exactly one of the following metadata variant types must be present. metadata_variant can be only one of the following: |
|
kaclsKeyMetadata |
Metadata for a private key instance managed by an external key access control list service. |
hardwareKeyMetadata |
Metadata for hardware keys. |
KaclsKeyMetadata
Metadata for private keys managed by an external key access control list service. For details about managing key access, see Google Workspace CSE API Reference.
| JSON representation |
|---|
{ "kaclsUri": string, "kaclsData": string } |
| Fields | |
|---|---|
kaclsUri |
The URI of the key access control list service that manages the private key. |
kaclsData |
Opaque data generated and used by the key access control list service. Maximum size: 8 KiB. |
HardwareKeyMetadata
Metadata for hardware keys.
| JSON representation |
|---|
{ "description": string } |
| Fields | |
|---|---|
description |
Description about the hardware key. |
Methods |
|
|---|---|
|
Creates and uploads a client-side encryption S/MIME public key certificate chain and private key metadata for the authenticated user. |
|
Turns off a client-side encryption key pair. |
|
Turns on a client-side encryption key pair that was turned off. |
|
Retrieves an existing client-side encryption key pair. |
|
Lists client-side encryption key pairs for an authenticated user. |
|
Deletes a client-side encryption key pair permanently and immediately. |