We offer full integration with Google Cloud External Key Manager (EKM). Create, store, and manage keys in an environment separate from your encrypted data. Our FIPS 140-2 Level 3 validated key management solution enhances data privacy and keeps control of the cryptographic keys with you rather than with the cloud provider. Keys are created inside a container referred to as a CryptoSpace, and you manage creation, rotation, and destruction of CryptoHub-stored keys directly from the Google Cloud console. The integration supports both symmetric and asymmetric keys across a range of key algorithms.

Log in to the CryptoHub web dashboard

Perform the following steps to log in to the CryptoHub web dashboard:
1
Open the CryptoHub web dashboard in a browser.
2
Log in under dual control with your administrator identities.

Deploy the Google Cloud EKM service

Perform the following steps to deploy the Google Cloud EKM service:
1
Select the Google Cloud EKM service on the Service Management page.
2
Select [ Deploy ].
3
Specify a Service Name and Service Category, and select [ Next ].
4
(Optional) Grant any roles and identities you want to be able to access the service, and select [ Next ].
5
Specify a Device Address and the Google Cloud Service Account. The Device Address must match, character for character, an audience address configured for Google’s identity provider: it is the audience value carried in the identity tokens Google presents when it calls the service, and a mismatch means those calls will not be accepted. Paste the Service Account email address you noted at the end of the previous section.
If your CryptoHub peers with other CryptoHubs and you need to balance traffic across multiple sites, select [ Add Device Address ] to configure additional audiences. Each additional Device Address must also be configured as an audience in Google’s identity provider.
6
Select [ Deploy ].
A message confirms that the Google Cloud EKM service was successfully deployed.

Create a CryptoSpace

If you selected [ Manage Service ] on the confirmation page after deploying the Google Cloud EKM service, the Service Management page opens. Follow the steps below to create a new CryptoSpace:
1
Select [ CryptoSpaces ] under Actions.
2
Select [ Add New ].
3
In the Create CryptoSpace wizard, specify a CryptoSpace Name, check the boxes for all Justifications that are applicable, and select the permissions you want your Google Cloud Project to have on the CryptoSpace. Select [ Create CryptoSpace ] when finished.

Create keys inside the CryptoSpace

Next, create one or more keys inside the CryptoSpace. Later in this guide, you create these keys as External keys in Google EKM, which associates the key material stored in CryptoHub with the corresponding key instance in Google Cloud; the key material itself never leaves CryptoHub.
1
The new CryptoSpace is now listed on the Manage CryptoSpaces page. Select the CryptoSpace name.
2
Select [ Keys ].
3
Select [ Add New ].
4
In the Create Key wizard, perform the following steps:
  1. Specify a Key Name.
  2. Select the Key Algorithm to use.
  3. Check the boxes for all Justifications you want to allow.
  4. Specify the Rotation Period.
  5. Select [ Create Key ] when finished.

Manage audiences after deployment

You can update the audience addresses (Device Addresses) on a deployed Google Cloud EKM service at any time. This is useful when adding newly peered CryptoHubs or rebalancing traffic across existing sites without redeploying the service.
1
On the Service Management page for the deployed Google Cloud EKM service, select [ Audiences ].
2
On the Manage Audiences page, perform any of the following actions:
  • To add an audience, select [ Add Audience ] and enter the audience address in the new field.
  • To remove an audience, select the X next to the address you want to remove.
3
Select [ Save ] to apply your changes.
Configure each audience address here as an audience in Google’s identity provider as well.
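The Device Address requirement in step 5 of the deployment procedure, and the audience list maintained on the Manage Audiences page, both exist so that the service only accepts tokens Google minted for this CryptoHub (or one of its peers). The following is an added example, not CryptoHub product code or Google's code, of the claim checks an EKM endpoint applies to an inbound Google identity token. It assumes the Cloud EKM model in which Google calls the external key manager with a Google-signed OIDC JWT whose `aud` claim carries the configured audience (the Device Address) and whose `email` claim is the project's Cloud EKM service account; the address and service-account values are constructed placeholders, and verifying the token signature against Google's published keys is a separate step that must pass before any of these claim checks are trusted.

```python
"""Audience and identity checks for an inbound Google EKM token (added example).

Assumptions (not stated by the page): Google presents a Google-signed OIDC JWT,
`aud` equals a configured Device Address, `email` is the Cloud EKM service
account. Signature verification against Google's JWKS is out of scope here and
must succeed before the result of check_ekm_claims() is acted on.
"""
import base64
import json
import time
from typing import Iterable, List, Optional, Tuple

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
ALLOWED_ALGS = {"RS256"}       # Google signs OIDC tokens with RS256; "none"/HMAC are rejected
CLOCK_SKEW_SECONDS = 60

# Constructed placeholders standing in for the configured Device Addresses and
# the Cloud EKM service account email pasted in during deployment.
DEVICE_ADDRESSES = ["ekm-site-a.example.com", "ekm-site-b.example.com"]
SERVICE_ACCOUNT = "service-123456789012@gcp-sa-ekms.iam.gserviceaccount.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_jwt(token: str) -> Tuple[dict, dict]:
    """Split a compact JWT into (header, claims); ValueError on malformed input."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_ekm_claims(token: str, device_addresses: Iterable[str],
                     service_account_email: str, now: Optional[float] = None) -> List[str]:
    """Return the list of failed checks; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    failures: List[str] = []
    try:
        header, claims = parse_jwt(token)
    except (ValueError, json.JSONDecodeError) as exc:
        return [f"malformed: {exc}"]

    if header.get("alg") not in ALLOWED_ALGS:
        failures.append(f"alg: {header.get('alg')!r} not allowed")
    if claims.get("iss") not in GOOGLE_ISSUERS:
        failures.append(f"iss: {claims.get('iss')!r} is not Google")

    # `aud` may be a string or a list. Require an exact match with one of the
    # configured Device Addresses; no prefix or wildcard logic, so a token minted
    # for some other EKM endpoint cannot be replayed against this one.
    aud = claims.get("aud")
    aud_set = {aud} if isinstance(aud, str) else set(aud or [])
    if not aud_set & set(device_addresses):
        failures.append(f"aud: {sorted(aud_set)} matches no configured Device Address")

    # Only the project's Cloud EKM service account may call the service.
    if claims.get("email") != service_account_email:
        failures.append(f"email: {claims.get('email')!r} is not the configured service account")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + CLOCK_SKEW_SECONDS < now:
        failures.append("exp: token expired or missing")
    iat = claims.get("iat")
    if isinstance(iat, (int, float)) and iat - CLOCK_SKEW_SECONDS > now:
        failures.append("iat: token issued in the future")
    return failures


def build_unsigned_token(header: dict, claims: dict) -> str:
    """Constructed token with a dummy signature segment, for exercising the claim
    checks offline only. A real endpoint never accepts an unverified signature."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"dummy-signature")])


if __name__ == "__main__":
    now = 1_700_000_000
    good = build_unsigned_token({"alg": "RS256", "typ": "JWT"},
                                {"iss": "https://accounts.google.com", "aud": "ekm-site-a.example.com",
                                 "email": SERVICE_ACCOUNT, "iat": now - 10, "exp": now + 3500})
    wrong_aud = build_unsigned_token({"alg": "RS256", "typ": "JWT"},
                                     {"iss": "https://accounts.google.com", "aud": "ekm.other-tenant.example.com",
                                      "email": SERVICE_ACCOUNT, "iat": now - 10, "exp": now + 3500})
    print("good:", check_ekm_claims(good, DEVICE_ADDRESSES, SERVICE_ACCOUNT, now=now))
    print("wrong audience:", check_ekm_claims(wrong_aud, DEVICE_ADDRESSES, SERVICE_ACCOUNT, now=now))
```

Because the match is exact, a Device Address added on the Manage Audiences page takes effect only once the same string is also registered as an audience on the Google side; a token carrying a peer site's address is accepted at any site in the list, which is what allows traffic to be balanced across peered CryptoHubs.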