Resource key hash

The resource key hash is a mechanism allowing Google to verify the integrity of the wrapped encryption keys without having access to the keys.

Generating the resource key hash requires access to the unwrapped key including the DEK, the resource_name and the perimeter_id specified during the key wrapping operation.

We use the cryptographic function HMAC-SHA256 with unwrapped_dek as a key and the concatenation of metadata as data ("ResourceKeyDigest:", resource_name, ":", perimeter_id). The resource_name and perimeter_id should be UTF-8 encoded strings.

For example, when resource_name = "my_resource", perimeter_id = "my_perimeter" and unwrapped_dek = 0xf00d, the resource key hash is:

echo -n "ResourceKeyDigest:my_resource:my_perimeter" | openssl sha256 -mac HMAC -macopt hexkey:f00d -binary

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2024-04-08 UTC.

Blog
Read the Google Workspace Developers blog
X (Twitter)
Follow @workspacedevs on X (Twitter)
Code Samples
Explore our sample apps or copy them to build your own
Codelabs
Try a guided, hands-on coding experience
Videos
Subscribe to our YouTube channel