Configure manually managed keys
Manually managed keys use keys that you create on the KMES Series 3 to perform cryptographic requests made by Google Cloud. You can copy the key path from the KMES key settings and combine it with the KMES hostname or IP and the System/Host API port number to create a URL for accessing the key.

The KMES manages key rotation automatically for symmetric keys. You must enter the URL for every key creation and rotation.

Internet URL format: https://<server-ip>:<port>/v0/key-encrypt/external/<key-uuid>
VPC key path format: /v0/key-encrypt/external/<key-uuid>

Create a new Google crypto space on the KMES Series 3

1. Log in to the KMES Series 3 application interface with the default admin identities.
2. Go to the Key Management > Google Crypto Spaces menu and select [ Add ].
3. On the Info tab of the Google Crypto Space window, enter a name for the Google crypto space. Then set the following permissions:

   | Key type   | Permissions                                              |
   |------------|----------------------------------------------------------|
   | Symmetric  | Create key, Destroy key, Wrap, Unwrap                    |
   | Asymmetric | Create key, Destroy key, Get public key, Asymmetric sign |

   If you use a VPC connection between Google Cloud and the KMES Series 3, also select the Get Info permission.
4. On the Justifications tab, select the access reason from the following default access reasons:
   - Reason unspecified
   - Customer initiated support
   - Google initiated service
   - Third party data request
   - Google initiated review
   - Customer initiated access
   - Google initiated system operation
   - Reason not expected
   - Modified customer initiated access
   - Modified Google initiated system operation
   - Google response to production alert
5. Select [ OK ].
6. After the "cryptospace was successfully created" message displays, select [ OK ] to close it.

The Google Crypto Space window opens with additional tabs, enabling you to create symmetric or asymmetric keys.

Create keys in the Google crypto space

Perform the following tasks to create symmetric or asymmetric keys.

Create a symmetric key

1. In the Google Crypto Space window, go to the Symmetric Keys tab and select [ Add ].
2. In the Google Symmetric Key window, copy the key path to your clipboard.
3. Enter a name for the key.
4. Specify the desired key rotation period.
5. On the Justifications tab, select the access reason.
6. Select [ OK ] to finish.

The new key displays on the Symmetric Keys tab.

Create an asymmetric key

1. In the Google Crypto Space window, go to the Asymmetric Keys tab and select [ Add ].
2. In the Google Asymmetric Key window, copy the key path to your clipboard.
3. Enter a name for the key.
4. Select the algorithm that matches the algorithm you set in Google Cloud from the following options in the drop-down menu:
   - RSA 2048 PSS SHA-256
   - RSA 3072 PSS SHA-256
   - RSA 4096 PSS SHA-256
   - RSA 4096 PSS SHA-512
   - RSA 2048 PKCS#1 SHA-256
   - RSA 3072 PKCS#1 SHA-256
   - RSA 4096 PKCS#1 SHA-256
   - RSA 4096 PKCS#1 SHA-512
   - EC P-256 SHA-256
   - EC P-384 SHA-384
5. Select [ OK ] to finish.

The new key displays on the Asymmetric Keys tab.

Grant the Google EKM identity permission to use the crypto space

1. Right-click the Google crypto space you just created and select Permission.
2. In the Set Object Group Permissions window, grant the Google EKM identity the Use permission.
3. Select [ OK ] to finish.
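Because the key URL has to be re-entered for every key creation and rotation, it helps to check a copied key path before pasting it into Google Cloud. The following is an added example, not Futurex or Google code: the function names, the sample hostname, port 8443 and the sample UUID are constructed, and it assumes the key identifier is a standard UUID and the path prefix is spelled as in the URL formats at the top of this page.

```python
import ipaddress
import re
import uuid

# Path prefix as given in this page's URL format (not checked against a live KMES).
PREFIX = "/v0/key-encrypt/external/"
HOST_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{HOST_LABEL}(?:\.{HOST_LABEL})*")


def vpc_key_path(key_path: str) -> str:
    """Validate a key path copied from the KMES and return it normalized."""
    key_path = key_path.strip()
    if not key_path.startswith(PREFIX):
        raise ValueError(f"key path must start with {PREFIX}")
    key_id = key_path[len(PREFIX):]
    try:
        # Assumption: the key identifier is a standard UUID.
        return PREFIX + str(uuid.UUID(key_id))
    except ValueError:
        raise ValueError(f"key id is not a UUID: {key_id!r}") from None


def internet_url(host: str, port: int, key_path: str) -> str:
    """Combine KMES host, System/Host API port and key path into the key URL."""
    path = vpc_key_path(key_path)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    host = host.strip()
    try:
        ip = ipaddress.ip_address(host)
        # IPv6 literals must be bracketed inside a URL.
        host = f"[{ip}]" if ip.version == 6 else str(ip)
    except ValueError:
        if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
            raise ValueError(f"not a hostname or IP address: {host!r}") from None
    return f"https://{host}:{port}{path}"


if __name__ == "__main__":
    sample = PREFIX + "123E4567-E89B-12D3-A456-426614174000"  # constructed
    print(internet_url("kmes.example.internal", 8443, sample))
```

Use `vpc_key_path` alone for a VPC connection, where only the key path is entered, and `internet_url` for the internet URL format.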