Manually managed keys are keys that you create on the KMES Series 3 to perform cryptographic requests made by Google Cloud. To create the URL for accessing a key, copy the key path from the KMES key settings and combine it with the KMES hostname or IP address and the System/Host API port number. The KMES manages key rotation automatically for symmetric keys. You must enter the URL for every key creation and rotation.

Internet URL format: https://<server ip>:<port>/v0/key-encrypt/external/<key uuid>
VPC key path format: /v0/key-encrypt/external/<key uuid>
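
The following Python is an added example, not part of the Futurex documentation: it composes the Internet URL from a copied key path and rejects malformed input (plain http, missing port, extra path segments, embedded credentials) before the URL is entered anywhere. The function names, the canonical form assumed for <key uuid>, and the sample host, port and UUID are assumptions.

```python
import ipaddress
import re
import uuid
from urllib.parse import urlsplit

KEY_PREFIX = "/v0/key-encrypt/external/"  # path prefix from the two formats above

def check_key_path(path: str) -> str:
    """Validate a copied key path (the VPC format) and return it stripped."""
    path = path.strip()  # clipboard copies often carry stray whitespace
    if not path.startswith(KEY_PREFIX):
        raise ValueError(f"key path must start with {KEY_PREFIX}")
    raw = path[len(KEY_PREFIX):]
    try:
        # Assumption: <key uuid> is a canonical 8-4-4-4-12 hex UUID.
        canonical = str(uuid.UUID(raw))
    except ValueError:
        raise ValueError("key path does not end in a UUID") from None
    if canonical != raw.lower():
        raise ValueError("key UUID is not in canonical form")
    return path

def build_key_url(host: str, port: int, key_path: str) -> str:
    """Compose the Internet URL format from host, port and key path."""
    path = check_key_path(key_path)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    try:
        if ipaddress.ip_address(host).version == 6:
            host = f"[{host}]"  # IPv6 literals need brackets in a URL
    except ValueError:
        if not re.fullmatch(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?", host):
            raise ValueError("host is not an IP address or hostname") from None
    return f"https://{host}:{port}{path}"

def check_key_url(url: str) -> str:
    """Validate an already composed Internet URL and return it stripped."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("key URL must use https")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("key URL must not carry credentials, query or fragment")
    if parts.hostname is None or parts.port is None:
        raise ValueError("key URL needs an explicit host and port")
    check_key_path(parts.path)
    return url.strip()

if __name__ == "__main__":  # constructed host, port and UUID
    print(build_key_url("192.0.2.10", 8443, KEY_PREFIX + "123e4567-e89b-12d3-a456-426614174000"))
```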

Create a new Google Crypto Space

Perform the following steps to create a new Google Crypto Space on the KMES Series 3:
1. Log in to the KMES Series 3 application interface with the default Admin identities.
2. Go to the Key Management > Google Crypto Spaces menu and select [ Add ].
3. On the Info tab of the Google Crypto Space window, enter a name for the Google Crypto Space. Then, set the following permissions:
   Symmetric key permissions:
     • CREATE_KEY
     • DESTROY_KEY
     • WRAP
     • UNWRAP
   Asymmetric key permissions:
     • CREATE_KEY
     • DESTROY_KEY
     • GET_PUBLIC_KEY
     • ASYMMETRIC_SIGN
   If you use a VPC connection between Google Cloud and the KMES Series 3, select the GET_INFO permission.
4. On the Justifications tab, select the access reason from the following default access reasons:
     • REASON_UNSPECIFIED
     • CUSTOMER_INITIATED_SUPPORT
     • GOOGLE_INITIATED_SERVICE
     • THIRD_PARTY_DATA_REQUEST
     • GOOGLE_INITIATED_REVIEW
     • CUSTOMER_INITIATED_ACCESS
     • GOOGLE_INITIATED_SYSTEM_OPERATION
     • REASON_NOT_EXPECTED
     • MODIFIED_CUSTOMER_INITIATED_ACCESS
     • MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION
     • GOOGLE_RESPONSE_TO_PRODUCTION_ALERT
5. Select [ OK ].
   The "CryptoSpace was successfully created" message displays.
6. Select [ OK ].
   The Google Crypto Space window opens with additional tabs, enabling you to create Symmetric or Asymmetric keys.

Create keys in the Google Crypto Space

Perform the following tasks to create symmetric or asymmetric keys.

Create a symmetric key

Perform the following steps to create a symmetric key:
1. In the Google Crypto Space window, go to the Symmetric Keys tab and select [ Add ].
2. In the Google Symmetric Key window, copy the key path to your clipboard.
3. Enter a name for the key.
4. Specify the desired key rotation period.
5. On the Justifications tab, select the access reason.
6. Select [ OK ] to finish.
   The new key displays on the Symmetric Keys tab.

Create an asymmetric key

Perform the following steps to create an asymmetric key:
1. In the Google Crypto Space window, go to the Asymmetric Keys tab and select [ Add ].
2. In the Google Asymmetric Key window, copy the key path to your clipboard.
3. Enter a name for the key.
4. Select the algorithm that matches the algorithm you set in Google Cloud from the following options in the drop-down menu:
     • RSA 2048 PSS SHA-256
     • RSA 3072 PSS SHA-256
     • RSA 4096 PSS SHA-256
     • RSA 4096 PSS SHA-512
     • RSA 2048 PKCS#1 SHA-256
     • RSA 3072 PKCS#1 SHA-256
     • RSA 4096 PKCS#1 SHA-256
     • RSA 4096 PKCS#1 SHA-512
     • EC P-256 SHA-256
     • EC P-384 SHA-384
5. Select [ OK ] to finish.
   The new key displays on the Asymmetric Keys tab.

Grant permission

Perform the following steps to grant the Google EKM Identity permission to use the Crypto Space:
1. Right-click the Google Crypto Space you just created and select Permission.
2. In the Set Object-Group Permissions window, grant the Google EKM identity the Use permission.
3. Select [ OK ] to finish.