Configure Google Crypto Space managed keys

google crypto space managed keys enable you to create, rotate, and destroy {{k}} stored keys directly from the google cloud dashboard you can create both symmetric and asymmetric keys inside key rings you must configure a vpc connection between google cloud and the {{k3}} then, google ekm requires only the google crypto space url in the kms infrastructure menu refer to appendix google vpc and kms infrastructure setup for vpc and kms infrastructure setup instructions when changing the existing kms infrastructure from manual to crypto space, you cannot rotate keys if the wrapping key exists outside the google crypto space you can set the key rotation period in key settings, but it defaults to never rotate the google crypto space url is in the following format /v0/key encrypt/external/\<crypto space name> the url must start with /v0 otherwise, google appends it to the returned crypto space path, resulting in a mismatching url check create a google crypto space perform the following steps to create a new google crypto space on the {{k3}} log in to the {{k3}} application interface with the default admin identities go to the key management > google crypto spaces menu and select \[ add ] on the info tab of the google crypto space window, enter a name for the google crypto space then, set the following permissions key type permissions symmetric create key destroy key wrap unwrap asymmetric create key destroy key get public key asymmetric sign if you use a vpc connection between google cloud and the {{k3}} , select the get info permission on the justifications tab, select one of the following access reasons reason unspecified customer initiated support google initiated service third party data request google initiated review customer initiated access google initiated system operation reason not expected modified customer initiated access modified google initiated system operation google response to production alert select \[ ok ] select \[ ok ] to close the successful creation message the google crypto space window now has additional tabs for symmetric and asymmetric keys because you create future keys on the {{k}} through the google cloud dashboard, select \[ ok ] to save and close the google crypto space window grant permission perform the following steps to grant the google ekm identity permission to use the crypto space right click the google crypto space you just created and select permission in the set object group permissions window, grant the google ekm identity the use permission select \[ ok ] to finish