Create an externally managed key in Google Cloud

Regardless of whether you are using Manual or Crypto Space for your Google KMS infrastructure, perform the following tasks to create a key in the Google Cloud Key Management dashboard:

Go to the Google Cloud Key Management Dashboard

1. From the main Google Cloud dashboard, enter Key Management into the search bar at the top of the page.

2. Select Key Management - Security service.

Create an externally managed key

1. Select the key ring you created during the initial setup section of this guide.

2. Select [ Create Key ].

3. In the Key Creation wizard, enter a name for the key. The key name you specify here does not need to match the name of the key created on the KMES Series 3.

4. Select External as the protection level for the key.

5. Select either via Internet or via VPC as the External key manager (EKM) connection type.

6. Select [ Continue ].

7. Enter the Key URI.

  • If using Manual for your Google KMS infrastructure, you must specify the full identifying string for the external key that was created on the KMES Series 3.
    Format: https://<hostname>:<port>/v0/key-encrypt/external/<key name>
    Example: https://ekms.virtucrypt.com:8081/v0/key-encrypt/external/Demo-Key
  • If using Crypto Space for your Google KMS infrastructure, you need to specify only the following portion of the identifying string for the Google Crypto Space you created on the KMES Series 3:
    /v0/key-encrypt/external/<crypto space name>

You must configure the <hostname> and <key name> fields specifically for your use case. In the <key name> field, specify the name of the key created on the KMES.

In the <hostname> field, specify the hostname or IP address of the KMES Series 3 device. Set the <port> field to the REST API port on the KMES. By default, the REST API port is 8081.

In addition to the preceding steps, Google must whitelist the domain specified in the Key URI field for your specific Google Cloud account.

8. Select [ Continue ]. This enables you to select either Symmetric encrypt/decrypt or Asymmetric sign in the Purpose drop-down menu.

9. Select [ Create ] to create the externally managed key.
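
A pre-flight check for the Key URI entered in step 7, as an added example that is not part of the original guide or of any Futurex or Google tooling: it validates a value against the two formats given above before it is pasted into the wizard. The function name and the mode labels "manual" and "crypto_space" are assumptions of this example.

```python
from urllib.parse import urlsplit

PATH_PREFIX = "/v0/key-encrypt/external/"  # path prefix given in the guide
DEFAULT_REST_PORT = 8081                    # KMES REST API default per the guide


def check_key_uri(value, mode):
    """Return a list of problems with a Key URI; an empty list means it passes.

    mode is "manual" (full https URL) or "crypto_space" (path portion only).
    Both labels are names chosen for this example, not product settings.
    """
    problems = []
    if any(c.isspace() for c in value):
        problems.append("contains whitespace")
    if mode == "crypto_space":
        # Crypto Space takes only the path portion of the identifying string.
        if "://" in value:
            problems.append("Crypto Space expects only the path, not a full URL")
        path = value
    elif mode == "manual":
        try:
            parts = urlsplit(value)
            port = parts.port  # raises ValueError on a non-numeric port
        except ValueError:
            return problems + ["not a parseable URL (bad host or port)"]
        if parts.scheme != "https":
            problems.append("scheme must be https")
        if not parts.hostname:
            problems.append("missing hostname")
        if port is None:
            problems.append(
                "missing port (KMES REST default is %d)" % DEFAULT_REST_PORT)
        if parts.query or parts.fragment or parts.username:
            problems.append("query, fragment or credentials are not in the format")
        path = parts.path
    else:
        raise ValueError("mode must be 'manual' or 'crypto_space'")
    if not path.startswith(PATH_PREFIX):
        problems.append("path must start with " + PATH_PREFIX)
    else:
        name = path[len(PATH_PREFIX):]
        # Reject an empty name, extra path segments, or a template left unfilled.
        if not name or "/" in name or "<" in name or ">" in name:
            problems.append("name is empty, nested, or an unfilled placeholder")
    return problems
```

An empty list means the value matches the documented format; it does not confirm that the KMES is reachable or that Google has whitelisted the domain.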