Configure Google Crypto Space managed keys

Google Crypto Space managed keys enable you to create, rotate, and destroy KMES-stored keys directly from the Google Cloud dashboard. You can create both symmetric and asymmetric keys inside key rings.

You must configure a VPC connection between Google Cloud and the KMES Series 3. Then, Google EKM requires only the Google Crypto Space URL in the KMS Infrastructure menu. Refer to Appendix: Google VPC and KMS Infrastructure Setup for VPC and KMS Infrastructure setup instructions.

When changing the existing KMS Infrastructure from Manual to Crypto Space, you cannot rotate keys if the wrapping key exists outside of the Google Crypto Space. You can set the key rotation period in key settings, but it defaults to never rotate.

The Google Crypto Space URL is in the following format: /v0/key-encrypt/external/<crypto-space name>

The URL must start with '/v0'. If it does not, Google appends the value to the returned Crypto Space path, and the URL check fails because the two paths do not match.

Create a new Google Crypto Space on the KMES Series 3

1. Log in to the KMES Series 3 application interface with the default Admin identities.

2. Go to the Key Management > Google Crypto Spaces menu and select [ Add ].

3. On the Info tab of the Google Crypto Space window, enter a name for the Google Crypto Space. Then, set the following permissions:

  • Symmetric keys: CREATE_KEY, DESTROY_KEY, WRAP, UNWRAP
  • Asymmetric keys: CREATE_KEY, DESTROY_KEY, GET_PUBLIC_KEY, ASYMMETRIC_SIGN

If you use a VPC connection between Google Cloud and the KMES Series 3, select the GET_INFO permission.

4. On the Justifications tab, select one of the following access reasons:

  • REASON_UNSPECIFIED
  • CUSTOMER_INITIATED_SUPPORT
  • GOOGLE_INITIATED_SERVICE
  • THIRD_PARTY_DATA_REQUEST
  • GOOGLE_INITIATED_REVIEW
  • CUSTOMER_INITIATED_ACCESS
  • GOOGLE_INITIATED_SYSTEM_OPERATION
  • REASON_NOT_EXPECTED
  • MODIFIED_CUSTOMER_INITIATED_ACCESS
  • MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION
  • GOOGLE_RESPONSE_TO_PRODUCTION_ALERT

5. Select [ OK ].

6. Select [ OK ] to close the successful creation message. The Google Crypto Space window now has additional tabs for Symmetric and Asymmetric keys.

7. Because you create future keys on the KMES through the Google Cloud dashboard, select [ OK ] to save and close the Google Crypto Space window.
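The URL format and the per-key-type permission sets above are easy to get wrong when typed by hand. The following Python is an added preflight check, not code from the KMES or Google documentation; it validates a Crypto Space URL and permission set against what this page describes. The function names and the rule that the crypto space name is a single path segment are assumptions.

```python
import re

# Expected Crypto Space URL shape from the page: /v0/key-encrypt/external/<crypto-space name>.
# Assumption: the name is a single path segment; the allowed character set is not
# documented here, so anything except "/" is accepted.
URL_RE = re.compile(r"^/v0/key-encrypt/external/([^/]+)$")

# Permissions the page lists per key type; GET_INFO is checked separately for VPC setups.
REQUIRED = {
    "symmetric": {"CREATE_KEY", "DESTROY_KEY", "WRAP", "UNWRAP"},
    "asymmetric": {"CREATE_KEY", "DESTROY_KEY", "GET_PUBLIC_KEY", "ASYMMETRIC_SIGN"},
}


def check_url(url, space_name):
    """Return the problems found in the Crypto Space URL entered in KMS Infrastructure."""
    problems = []
    if not url.startswith("/v0"):
        # Without the /v0 prefix Google appends the value to the returned Crypto Space
        # path, so the URL check fails on a mismatch.
        problems.append("URL must start with /v0")
    match = URL_RE.match(url)
    if match is None:
        problems.append("URL must be /v0/key-encrypt/external/<crypto-space name>")
    elif match.group(1) != space_name:
        problems.append(f"URL names crypto space {match.group(1)!r}, expected {space_name!r}")
    return problems


def check_permissions(granted, vpc):
    """Return the permissions missing from a Crypto Space permission set.

    granted maps key type ("symmetric"/"asymmetric") to the selected permissions;
    vpc is True when Google Cloud reaches the KMES over a VPC connection.
    """
    problems = []
    for key_type, needed in REQUIRED.items():
        missing = needed - set(granted.get(key_type, ()))
        problems.extend(f"{key_type}: missing {p}" for p in sorted(missing))
    all_granted = set().union(*(set(v) for v in granted.values()))
    if vpc and "GET_INFO" not in all_granted:
        problems.append("VPC connection requires GET_INFO")
    return problems


def preflight(space_name, url, granted, vpc):
    """Run both checks; an empty list means the configuration matches the page."""
    return check_url(url, space_name) + check_permissions(granted, vpc)
```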

Grant the Google EKM Identity permission to use the Crypto Space

1. Right-click the Google Crypto Space you just created and select Permission.

2. In the Set Object-Group Permissions window, grant the Google EKM identity the Use permission.

3. Select [ OK ] to finish.