Once you create a key, your KMS gives you an ID that uniquely identifies that key. From this ID, you can form a key Uniform Resource Identifier (URI) by adding an appropriate prefix for your KMS. This key URI helps Tink identify your key.
The following table shows the format of supported key URIs. Note that HashiCorp Vault is currently only supported in Golang. All other implementations and Tinkey (Tink’s command line utility) only support AWS KMS and Google Cloud KMS.
KMS | KMS identifier prefix | Key URI format |
---|---|---|
AWS KMS | `aws-kms://` | `aws-kms://arn:aws:kms:<region>:<account-id>:key/<key-id>` |
GCP KMS | `gcp-kms://` | `gcp-kms://projects/*/locations/*/keyRings/*/cryptoKeys/*` |
HashiCorp Vault | `hcvault://` | `hcvault://<key-id>` |
NOTE: HashiCorp Vault integration is currently only available in Golang
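The following is an added example, not code from Tink: a standalone check that a configured key URI carries one of the prefixes in the table and matches that row's format before it is handed to a KMS client. The names `FORMATS`, `KeyUri`, `parse_key_uri` and `SAMPLES` are hypothetical, the character classes used for each placeholder are assumptions, and the sample URIs are constructed.

```python
import re
from typing import NamedTuple

# Patterns transcribed from the key URI table. The character classes chosen
# for each placeholder (<region>, <account-id>, *, <key-id>) are assumptions
# of this example, not rules stated by Tink.
FORMATS = {
    "aws-kms://": re.compile(
        r"arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account_id>\d{12})"
        r":key/(?P<key_id>[A-Za-z0-9-]+)"),
    "gcp-kms://": re.compile(
        r"projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
        r"/keyRings/(?P<key_ring>[^/]+)/cryptoKeys/(?P<crypto_key>[^/]+)"),
    "hcvault://": re.compile(r"(?P<key_id>\S+)"),
}

class KeyUri(NamedTuple):
    prefix: str   # KMS identifier prefix
    kms_id: str   # the ID the KMS issued, i.e. the URI without its prefix
    fields: dict  # named components extracted from kms_id

def parse_key_uri(uri: str) -> KeyUri:
    """Split a key URI into prefix and KMS ID; raise ValueError if malformed."""
    for prefix, pattern in FORMATS.items():
        if uri.startswith(prefix):
            kms_id = uri[len(prefix):]
            match = pattern.fullmatch(kms_id)
            if match is None:
                raise ValueError(f"not a valid {prefix} key URI: {uri!r}")
            return KeyUri(prefix, kms_id, match.groupdict())
    raise ValueError(f"unsupported KMS identifier prefix: {uri!r}")

# Constructed sample values, not real keys.
SAMPLES = [
    "aws-kms://arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "gcp-kms://projects/example-project/locations/global/keyRings/example-ring/cryptoKeys/example-key",
    "hcvault://example-key",
    "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",  # prefix missing
    "aws-kms://arn:aws:kms:us-east-2:111122223333:alias/example",  # alias, not key/<key-id>
    "gcp-kms://projects/example-project/locations/global/keyRings/example-ring/cryptoKeys/example-key/cryptoKeyVersions/1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            print("ok      ", parse_key_uri(sample))
        except ValueError as err:
            print("rejected", err)
```

The last three samples are rejected because they lack a prefix, name an alias instead of `key/<key-id>`, or continue past `cryptoKeys/*`.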