Cloud key management
Google Cloud EKM (External Key...

Configure manually managed keys

5min

Manually managed keys use keys that you create on the KMES Series 3 to perform cryptographic requests by Google Cloud. You can copy the key path from KMES key settings and combine it with the KMES hostname or IP and the System/Host API port number to create a URL for accessing the key. The KMES manages key rotation automatically for symmetric keys.

You must enter the URL for every key creation and rotation.

Internet URL format: https://<server ip>:<port>/v0/key-encrypt/external/<key uuid>

VPC key path format: /v0/key-encrypt/external/<key uuid>

Create a new Google Crypto Space on the KMES Series 3.

1

Log in to the KMES Series 3 application interface with the default Admin identities.

2

Go to the Key Management > Google Crypto Spaces menu and select [ Add ].

3

On the Info tab of the Google Crypto Space window, enter a name for the Google Crypto Space. Then set the following permissions:

Key type

Permissions



Symmetric

  • CREATE_KEY
  • DESTROY_KEY
  • WRAP
  • UNWRAP


Asymmetric

  • CREATE_KEY
  • DESTROY_KEY
  • GET_PUBLIC_KEY
  • ASYMMETRIC_SIGN

If you use a VPC connection between Google Cloud and the KMES Series 3, select the GET_INFO permission.

4

On the Justifications tab, select the access reason from the following default access reasons:

  • REASON_UNSPECIFIED
  • CUSTOMER_INITIATED_SUPPORT
  • GOOGLE_INITIATED_SERVICE
  • THIRD_PARTY_DATA_REQUEST
  • GOOGLE_INITIATED_REVIEW
  • CUSTOMER_INITIATED_ACCESS
  • GOOGLE_INITIATED_SYSTEM_OPERATION
  • REASON_NOT_EXPECTED
  • MODIFIED_CUSTOMER_INITIATED_ACCESS
  • MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION
  • GOOGLE_RESPONSE_TO_PRODUCTION_ALERT
5

Select [ OK ].

6

After the CryptoSpace was successfully created message display, select [ OK ] to close it.

The Google Crypto Space window opens with additional tabs, enabling you to create Symmetric or Asymmetric keys.



Create keys in the Google Crypto Space

Perform the following tasks to create symmetric or asymmetric keys:

Create a Symmetric Key

1

In the Google Crypto Space window, go to the Symmetric Keys tab and select [ Add ].

2

In the Google Symmetric Key window, copy the key path to your clipboard.

3

Enter a name for the key.

4

Specify the desired key rotation period.

5

On the Justifications tab, select the access reason.

6

Select [ OK ] to finish.

The new key displays on the Symmetric Keys tab.

Create an Asymmetric Key

1

In the Google Crypto Space window, go to the Asymmetric Keys tab and select [ Add ].

2

In the Google Asymmetric Key window, copy the key path to your clipboard.

3

Enter a name for the key

4

Select the algorithm that matches the algorithm you set in Google Cloud from the following options in the drop-down menu:

  • RSA 2048 PSS SHA-256
  • RSA 3072 PSS SHA-256
  • RSA 4096 PSS SHA-256
  • RSA 4096 PSS SHA-512
  • RSA 2048 PKCS#1 SHA-256
  • RSA 3072 PKCS#1 SHA-256
  • RSA 4096 PKCS#1 SHA-256
  • RSA 4096 PKCS#1 SHA-512
  • EC P-256 SHA-256
  • EC P-384 SHA-384
5

Select [ OK ] to finish.

The new key displays on the Asymmetric Keys tab.

Grant the Google EKM Identity permission to use the Crypto Space

1

Right-click the Google Crypto Space you just created and select Permission.

2

In the Set Object-Group Permissions window, grant the Google EKM identity the Use permission.

3

Select [ OK ] to finish.





Updated 01 Feb 2024
Did this page help you?
PREVIOUS
Set up TLS and authentication on the KMES Series 3
NEXT
Configure Google Crypto Space managed keys
Docs powered by Archbee