Create an externally managed key in Google Cloud

regardless of whether you are using manual or crypto space for your google kms infrastructure, perform the following tasks to create a key in the google cloud key management dashboard go to the dashboard perform the following steps to go to the google cloud key management dashboard from the main google cloud dashboard, enter key management into the search bar at the top of the page select key management security service create a key perform the following steps to create an externally managed key select the key ring you created during the initial setup section of this guide select \[ create key ] in the key creation wizard, enter a name for the key the key name you specify here does not need to match the name of the key created on the {{k3}} select external as the protection level for the key select either via internet or via vpc as the external key manager (ekm) connection type select \[ continue ] enter the key uri if using manual for your google kms infrastructure, you must specify the full identifying string for the external key that was created on the {{k3}} format https //\<hostname> \<port>/v0/key encrypt/external/\<key name> example https //ekms virtucrypt com 8081/v0/key encrypt/external/demo key if using crypto space for your google kms infrastructure, you need to specify only the following portion of the identifying string for the google crypto space you created on the {{k3}} /v0/key encrypt/external/\<crypto space name> you must configure the \<server ip> and \<key name> fields specifically for your use case in the \<key name> field, specify the name of the key created on the {{k}} in the \<hostname> field, specify the hostname or ip address of the {{}} device set the \<port> field to the rest api port on the {{k}} by default, the rest api port is 8081 in addition to the preceding steps, google must whitelist the domain specified in the key uri field for your specific google cloud account select \[ continue ] this enables you to select either symmetric encrypt/decrypt or asymmetric sign in the purpose drop down menu select \[ create ] to create the externally managed key