Create an external key in Google Cloud EKM

To create an external key in the Google Cloud Key Management dashboard, perform the following steps:

From the main Google Cloud dashboard, enter Key Management in the search bar, and select the Key Management - Security service.

Select the Key Ring you created in earlier.

Select [ Create Key ]. This opens the key creation wizard.

Enter a name for the key. This key name does not need to match the name of the key created in CryptoHub.

Select External as the protection level for the key.

Select either via internet or via VPC as the EKM connection type.

Select [ Continue ].

Enter the Key URI. You can copy the Key URI by selecting the Key URI button for the key in CryptoHub.

IMPORTANTIn addition to the preceding steps, Google must whitelist the domain specified in the Key URI field for your specific Google Cloud account.

Select [ Continue ] again. This enables you to select Symmetric encrypt/decrypt or Asymmetric sign in the Purpose drop-down menu.

Select [ Create ] to create the externally managed key.

The key status should change to a green checkmark, confirming the key is successfully synced with the key material stored in CryptoHub.

⌘I