This appendix demonstrates how to configure the Google EKM service to connect to VirtuCrypt through a Google Virtual Private Cloud (VPC) network. You must have appropriate permissions within your Google Cloud project and ensure that you enable the Cloud Key Management Service (KMS) and Cloud EKM APIs for your project.
Before proceeding, you need your CryptoHub hostname, TLS certificate, and Crypto Space path.
Perform the following steps to configure KMS infrastructure:
1. In the Google Cloud console, go to the Key Management page.
2. Select [ KMS Infrastructure ].
3. Select [ Create Connection ].
4. In the Create EKM via VPC connection wizard, perform the following steps:
  • Enter a name for the connection.
  • Select a region. It must be the same region as the VPC network.
  • Enter the resource ID (self-link) of the Service Directory service to use with this connection, which you created in the first section of this integration guide. The service must point to your external key manager IP address and must be in the same region as this connection.
  • Enter the EKM hostname.
    The EKM hostname you enter here should be the same FQDN you used when deploying the CryptoHub Google EKM service (and that appears in the server certificate's CN/SAN). This ensures the Google -> CryptoHub call uses the same audience that CryptoHub expects.
  • Upload the external key manager’s X.509 server certificates in DER format.
  • Select Cloud KMS as the EKM management mode and specify a Crypto Space path (such as gekms/gapi/v0/cryptospaces/0147e96a-8698-0002-0030-e1e51ee48252).
  • (Optional) Select Set default. This makes the connection the default for all keys that use External through VPC.
  • Select [ Create ].
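A pre-flight check for the wizard inputs above, added here as an example that is not part of the original guide or of CryptoHub: it verifies that the certificate to upload is DER-encoded and names the EKM hostname (the audience point from the note above), then prints the equivalent gcloud command. The hostname, file names, region, project and Service Directory path are assumed placeholders; the gcloud flags are the ones documented for `gcloud kms ekm-connections create` and should be confirmed against your SDK version.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the "Create EKM via VPC connection" inputs. Added example;
# the hostname, file names, region and Service Directory path are assumed placeholders.
set -eu

# Returns 0 only if CERT_DER is a DER-encoded X.509 certificate whose subject CN
# or a DNS SAN entry equals HOSTNAME. The wizard wants DER, and the hostname must
# match the certificate so the audience Google sends is the one CryptoHub expects.
ekm_cert_matches_hostname() {
  cert_der="$1"; hostname="$2"
  # Parsing with -inform DER makes a PEM file fail here rather than at upload time.
  text=$(openssl x509 -inform DER -in "$cert_der" -noout -text 2>/dev/null) || return 1
  pat=$(printf '%s' "$hostname" | sed 's/\./\\./g')   # match the FQDN's dots literally
  printf '%s\n' "$text" | grep -Eq "DNS:${pat}(,|\$)|Subject:.*CN ?= ?${pat}(,|\$)"
}

# Builds (but does not run) the gcloud equivalent of the console wizard, using the
# flags documented for `gcloud kms ekm-connections create` (assumed; verify with --help).
ekm_connection_gcloud_cmd() {
  printf 'gcloud kms ekm-connections create %s --location=%s --service-directory-service=%s --hostname=%s --server-certificates-files=%s --key-management-mode=cloud-kms --crypto-space-path=%s\n' \
    "$1" "$2" "$3" "$4" "$5" "$6"
}

# Stand-alone run with constructed placeholder values: ./check.sh --demo
if [ "${1:-}" = "--demo" ]; then
  HOST=ekm.example.internal        # assumed FQDN used when deploying the EKM service
  CERT=cryptohub-server.der        # assumed DER file exported from CryptoHub
  if ekm_cert_matches_hostname "$CERT" "$HOST"; then
    ekm_connection_gcloud_cmd cryptohub-vpc us-east1 \
      projects/PROJECT_ID/locations/us-east1/namespaces/NS/services/SVC \
      "$HOST" "$CERT" gekms/gapi/v0/cryptospaces/0147e96a-8698-0002-0030-e1e51ee48252
  else
    echo "certificate is not DER or does not name $HOST; fix it before creating the connection" >&2
    exit 1
  fi
fi
```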