Cloud key management
Google Cloud EKM (External Key...

Appendix: Configure Google VPC and KMS infrastructure

2min

Virtual Private Cloud (VPC) uses a private network to connect directly to a network without using the public Internet. Perform the following tasks in the Google Cloud dashboard to set up a VPC connection to the KMES Series 3 and configure the KMS infrastructure:

Configure VPC

Refer to the Google documentation for how to configure a VPC in your Google Cloud account: https://cloud.google.com/vpc/docs/create-modify-vpc-networks

The following steps provide a high-level outline:

1

Go to Computer Engine > VM Instance > Create VM Instance.

2

Go to Network Services > VPC Network > Create VPC Network.

  1. Enter a VPC Network name.
  2. Enter the Subnet name.
  3. Enter the Subnet Region.
3

Select created VPC Network > Add Route.

  1. Enter the VPC Route name.
  2. Enter the Destination IP address.
4

Go to Network Services > Service Directory > Namespace List > Create Namespace.

  1. Select region - must match VPC Network.
  2. Enter Namespace name.
5

Go to Network Services > Service Directory > Register Service.

  1. Select Standard.
  2. Enter region - should be the same as the VPC network.
  3. Select Namespace.
  4. Enter service name.
6

Select the created Service Directory > Create Endpoint.

  1. Enter endpoint name
  2. Enter IP of the KMES Series 3
  3. Enter the KMES REST API port number
  4. Select Choose from list
    1. Select VPC Network

Configure KMS infrastructure

1

From the main Google Cloud dashboard, enter Key Management into the search bar at the top of the page. Then, select Key Management - Security service.

2

Select [ KMS Infrastructure ].

3

Select [ Create Connection ].

4

Perform the following steps in the Create EKM via VPC connection wizard:

  1. Enter a name for the connection.
  2. Select a region for the connection. It must be the same region as the VPC network.
  3. Enter the resource ID (self link) of Service Directory service to use with this connection. The service must point to your external key manager IP address and must exist in the same region as the connection. Example: projects/futurex-ekms-test/locations/us-east1/ekmConnections/futurex-ekm-east
  4. Enter the EKM hostname. It should match the Common Name of the TLS certificate.
  5. Upload the external key manager X.509 server certificates (also known as end-entity or leaf certificates) in DER format with the .crt extension. This is the TLS certificate that is configured for the REST API connection pair on the KMES
  6. Enter one of the following EKM management modes:
    • Manual: Manually manage key rotation from your EKM (such as KMES Series 3). This choice requires a URL for each rotation. Example: /v0/key-encrypt/external/0147E96A-77F2-0001-000A-34BE0BC561B5
    • Cloud KMS: Crypto Space where Google manages the key rotation. Example: /v0/key-encrypt/external/<Crypto Space Name>
  7. (Optional) Set default - uses this interface for all keys using External via VPC connection as default.



Updated 01 Feb 2024
Did this page help you?
PREVIOUS
Test encryption and decryption with externally managed key
NEXT
Google Workspace Client-Side Encryption
Docs powered by Archbee