Set up Google Cloud External Key Manager (EKM) initially

To set up EKM the first time, perform the steps in this section in the Google dashboard to create a new key ring and find the service account address.

Go to the Google Cloud Key Management Dashboard

1. From the main Google Cloud dashboard, enter Key Management in the search bar at the top of the page.

2. Select Key Management - Security service.

Create a new key ring

1. From the Key Management dashboard, select [ Create Key Ring ] at the top of the page.

2. In the Create key ring wizard, enter a name for the key ring.

   Key ring names can only contain letters, numbers, underscores (_), and hyphens (-). You can't rename or delete them.

3. Select Region as the Location type (EKM does not support Multi-region). In the drop-down menu, select the Google region where you want to create the key ring.

4. Select [ Create ].

Note the following regarding the key ring location:

  • Cloud EKM needs to be able to reach your keys quickly to avoid an error. When creating a Cloud EKM key, choose a Google Cloud location that is geographically near the location of the KMES Series 3.
  • You can use Cloud EKM in any Google Cloud location supported for Cloud KMS, except for global.

Find the Service Account email address

After you create the Key Ring, the browser redirects to the key creation wizard. Perform the following steps to find the Service Account email address:

1. Enter a name for the key in the Key Creation wizard.

2. Select External as the protection level for the key.

3. Select either via internet or via VPC as the External key manager (EKM) connection type.

4. Select [ Continue ].

5. Note the service account email address in the Key material section. You later copy this address into the email field of the identity that Google uses to interact with the KMES Series 3.

You return to this dialog in the Google Cloud dashboard after creating a Google Crypto Space on the KMES in an upcoming section.
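
Because a key ring cannot be renamed or deleted, it is worth checking the name and location before creating it. The following script is an added example, not part of the original procedure or of any vendor tooling: it applies the naming and location rules above, prints the `gcloud` command that corresponds to the Create key ring wizard, and builds the expected service account address so you can compare it with the one shown in the Key material section. The function names, the sample values, the single-region name pattern, and the service account address format are assumptions not taken from this page.

```sh
#!/bin/sh
# Added example: pre-flight checks for the key ring and service account steps.
# All function names are hypothetical; nothing here contacts Google Cloud.
LC_ALL=C; export LC_ALL

# Key ring names: letters, numbers, underscores and hyphens only (rule from this page).
valid_keyring_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# EKM needs a single region: rejects "global" and multi-region names such as "us".
# Assumption: single-region names look like "us-east4" or "europe-west3".
valid_ekm_location() {
    case "$1" in ''|*[!a-z0-9-]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^[a-z]+-[a-z]+[0-9]+$'
}

# Expected Cloud EKM service account for a numeric project number.
# Assumption: Google's documented address format; the address shown in the
# Key material section is authoritative, so compare the two.
ekm_service_account() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    printf 'service-%s@gcp-sa-ekms.iam.gserviceaccount.com\n' "$1"
}

# Print (do not run) the gcloud equivalent of the Create key ring wizard.
keyring_create_cmd() {
    valid_keyring_name "$1" || { echo "invalid key ring name: $1" >&2; return 1; }
    valid_ekm_location "$2" || { echo "not a single region: $2" >&2; return 1; }
    printf 'gcloud kms keyrings create %s --location %s\n' "$1" "$2"
}

# Constructed sample values, not taken from the page.
keyring_create_cmd "kmes-ekm-ring" "us-east4"
ekm_service_account "123456789012"
```

If the address in the Key material section differs from the one printed here, use the one the dashboard shows.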