Google Cloud Keys (2024)

Table of Contents
Key Types Key Creation Methods and Sources Creating/Uploading New Key Material Uploading CipherTrust (Local) Key Material Creating Google (Native) Key Material Uploading Luna HSM Key Material Uploading Vormetric DSM Key Material Cloning Existing Key Material Cloning CipherTrust (Local) Key Material Cloning Luna HSM Key Material Cloning Vormetric DSM Key Material Viewing Google Cloud Keys Refreshing Google Cloud Keys Refreshing All Keys Refreshing Specific Keys Viewing Versions of a Key Disabling a Key Version Enabling a Key Version Downloading Public Key of an Asymmetric Version Scheduling Destruction of a Key Version Canceling Scheduled Destruction of a Key Version Enabling All Versions of a Key Disabling All Versions of a Key Scheduling Destruction of All Versions of a Key Canceling Scheduled Destruction of All Key Versions Adding a Key Version Adding Key Version by Creating New Key Material Adding Key Version by Cloning Existing Key Material Viewing or Editing Details of Google Cloud Keys Updating Default Algorithm for New Key Versions Adding or Updating Labels Updating Key Rotation Schedule Performing Key Version Operations

This section describes how to manage Google Cloud keys on CCKM. Before proceeding, you must have a Google Cloud key ring added to the CCKM. Refer to Google Cloud Key Rings for details.

  • Key Types

  • Key Creation Methods and Sources

  • Creating/Uploading New Key Material

  • Cloning Existing Key Material

  • Viewing Google Cloud Keys

  • Refreshing Google Cloud Keys

  • Viewing Versions of a Key

  • Disabling a Key Version

  • Enabling a Key Version

  • Downloading Public Key of an Asymmetric Version

  • Scheduling Destruction of a Key Version

  • Canceling Scheduled Destruction of a Key Version

  • Enabling All Versions of a Key

  • Disabling All Versions of a Key

  • Scheduling Destruction of All Versions of a Key

  • Canceling Scheduled Destruction of All Key Versions

  • Adding a Key Version

  • Viewing or Editing Details of Google Cloud Keys

Key Types

CCKM supports two types of Google Cloud keys:

  • Symmetric: A randomly generated key is used to encrypt and decrypt the data.

  • Asymmetric: A public and private RSA key pair is used to encrypt and decrypt the data. The public key encrypts while the private key decrypts the data.

Key Creation Methods and Sources

Methods to create Google Cloud keys using CCKM are:

  • Creating/Uploading New Key Material: Add key material by creating and uploading new source key or creating new native key. The key sources can be:

    • CipherTrust (Local): A new key is first created on the CipherTrust Manager. Then, this key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.

    • Google (Native): A new key is directly created on Google Cloud using the native Google application. The key origin is NATIVE.

    • Luna HSM: A new Luna HSM key is first created on the CipherTrust Manager. Then, this key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.

    • Vormetric DSM: A new DSM key is first created on the CipherTrust Manager. Then, this key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.

  • Cloning Existing Key Material: Clone key material from an existing key to create a new key. The key sources can be:

    • CipherTrust (Local): An existing local CipherTrust Manager key is first cloned on the CipherTrust Manager. Then, the cloned key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.

    • Luna HSM: An existing Luna HSM key is first cloned on the CipherTrust Manager. Then, the key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.

    • Vormetric DSM: An existing DSM key is first cloned on the CipherTrust Manager. Then, the key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is CCKM.

Creating/Uploading New Key Material

To add a Google Cloud key by creating/uploading new key material:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Google.

  3. Click Add Key. The Select Material Origin screen of the Add Google Key wizard is displayed.

  4. Under Select Method, select Create/Upload New Key Material. The Select Source section appears. Depending on your requirements, select from the following sources:

    • CipherTrust (Local): Refer to Uploading CipherTrust (Local) Key Material for details.

    • Google (Native): Refer to Creating Google (Native) Key Material for details.

    • Luna HSM: Refer to Uploading Luna HSM Key Material for details.

    • Vormetric DSM: Refer to Uploading Vormetric DSM Key Material for details.

    Refer to Key Creation Methods and Sources for details on key sources.

Uploading CipherTrust (Local) Key Material

Upload the local key material using the CipherTrust Manager to configure the source key.

Select Material Origin > Select Source

  1. Select CipherTrust (Local).

  2. Click Next. The Configure Source Key screen is displayed.

Configure Source Key

  1. Select Key Type. The options are Symmetric and Asymmetric.

    • Symmetric: Creates and uploads a symmetric key.

    • Asymmetric: Creates and uploads an asymmetric key. Additional fields Algorithm and Key Size are displayed.

  2. Enter a Key Name. A new key with this name will be created on the CipherTrust Manager and its key material will be uploaded to Google Cloud.

  3. (Applicable to Asymmetric keys) Select the Algorithm. The options are RSA and EC.

  4. (Applicable to Asymmetric keys) Select the Key Size / Key Curve based on the algorithm:

    • For the RSA algorithm, select the Key Size. The options are 2048, 3072, and 4096.

    • For the EC algorithm, select the Key Curve. The options are prime256v1, secp384r1, and secp265k1.

  5. Click Next.

Configure Destination (Google) Key

  1. (Applicable to Asymmetric keys) Select the Key Purpose. A key purpose specifies the operation that the key can be used to perform. Depending on the key algorithm selected on the previous screen, the options are:

    • Decrypt: Enables the key for RSA encryption. This option is not applicable to EC algorithms.

    • Sign: Enables the key for elliptic curve signing and RSA signing.

  2. Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the Key Name you specified on the previous screen is populated.

    The key name can only contain alphanumeric characters and dashes.

  3. Select the desired Key Ring from the drop-down list.

  4. (Optional, applicable to Symmetric keys) Select Google Automatic Rotation and specify the following:

    1. Select Rotation Period from the drop-down list. This is the time period (in days) after which the key will rotate automatically, after the date specified in Starting on (see below). The options are 30, 90, 180, and 365 days.

      To specify a custom frequency, select Custom and specify the rotation frequency in the Rotate key every (days) field that appears. The default value is 1 day.

    2. Click the Starting on field, and select the key expiration date and time from the on-screen calendar.

      This is the time when the automatic key rotation becomes effective. Next automatic key rotation will happen after the specified Rotation Period.

    For example, if you set Rotation Period as 30 days and set Starting on as today, the key will automatically rotate after 30 days from today.

  5. Select a Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:

    • Software: Crypto operations are performed in software.

    • HSM: Crypto operations are performed in an HSM.

  6. (Applicable to Asymmetric keys) Select an Algorithm for the key. The options vary based on the Algorithm, Key Size / Key Curve (selected on the Configure Source Key screen), and key purpose.

  7. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

    Note

    For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

    3. Click the + button.

    Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

  8. Click Next. The Review and Add screen is displayed.

Review and Add

This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

  1. Review the key details displayed on the screen.

    If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.

  2. Click Add Key.

    The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

    When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.

  3. Click Close. The Add Google Key wizard is closed.

The newly created key is displayed in the list of Google Cloud keys.

Creating Google (Native) Key Material

Create the key material directly using native Google application.

Select Material Origin > Select Source

  1. Select Google (Native).

  2. Click Next. The Configure Source Key screen is displayed.

Configure Source Key

  1. Select Key Type. The options are:

    • Symmetric: Creates a symmetric key. Additional field Google Automatic Rotation is displayed.

    • Asymmetric: Creates an asymmetric key. Additional fields Select Key Purpose and Algorithm are displayed.

  2. (Applicable to Asymmetric keys) Select Key Purpose. A key purpose specifies the operation that the key can be used to perform. The options are:

    • Decrypt: Enables the key for RSA encryption.

    • Sign: Enables the key for elliptic curve signing and RSA signing.

  3. Enter the Key Name. This name helps uniquely identify a key.

  4. Select the desired Key Ring from the drop-down list.

  5. (Optional, applicable to Symmetric keys) Select Google Automatic Rotation and specify the following:

    1. Select Rotation Period from the drop-down list. This is the time period (in days) after which the key will rotate automatically, after the date specified in Starting on (see below). The options are 30, 90, 180, and 365 days.

      To specify a custom frequency, select Custom and specify the rotation frequency in the Rotate key every (days) field that appears. The default value is 1 day.

    2. Click the Starting on field, and select the key expiration date and time from the on-screen calendar.

      This is the time when the automatic key rotation becomes effective. Next automatic key rotation will happen after the specified Rotation Period.

    For example, if you set Rotation Period as 30 days and set Starting on as today, the key will automatically rotate after 30 days from today.

  6. Select a Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:

    • Software: Crypto operations are performed in software.

    • HSM: Crypto operations are performed in an HSM.

  7. (Applicable to Asymmetric keys) Select an Algorithm for the key. The options vary based on the selected key purpose.

  8. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

    Note

    For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

    3. Click the + button.

    Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

  9. Click Next. The Review and Add screen is displayed.

Review and Add

This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN and NATIVE KEY sections.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

  1. Review the key details displayed on the screen.

    If details are incorrect or you want to make any changes, click Edit next to the NATIVE KEY section and update details. Alternatively, click Back and make changes, as appropriate.

  2. Click Add Key.

    The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

    When the status next to the NATIVE KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.

  3. Click Close. The Add Google Key wizard is closed.

The newly created key is displayed in the list of Google Cloud keys. The origin of the key is NATIVE.

Uploading Luna HSM Key Material

Upload the key material using Luna HSM to configure the source key.

See Also
List and get service account keys  |  IAM Documentation  |  Google CloudProduct overview of Cloud Storage  |  Google CloudCloud Storage OptionsDeriving AES/HMAC symmetric key from any AES/HMAC symmetric key

Select Material Origin > Select Source

  1. Select Luna HSM.

  2. Click Next. The Configure Source Key screen is displayed.

Configure Source Key

  1. Enter a Luna HSM Key Label. A new key with this name will be created on the Luna HSM and its key material will be uploaded to Google Cloud.

  2. Select the Partition ID of the desired Luna HSM partition.

  3. Select the key Mechanism. The supported key mechanisms are:

    • CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN

    • CKM_RSA_X9_31_KEY_PAIR_GEN

    • CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN

    • CKM_RSA_PKCS_KEY_PAIR_GEN

  4. Select the Key Size from the available options. The supported sizes are 2048, 3072, and 4096.

  5. Select the Key Attributes. The options are:

    • Modifiable, Extractable, Sensitive (all three are selected for a BYOK Compatible key)

    • Encrypt, Decrypt, Wrap, Unwrap

    • Sign, Verify, Derive

  6. Click Next.

Configure Destination (Google) Key

  1. Select Key Purpose. A key purpose specifies the operation that the key can be used to perform. The options are:

    • Decrypt: Enables the key for RSA encryption. This option is not applicable to EC algorithms.

    • Sign: Enables the key for elliptic curve signing and RSA signing.

  2. Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the Luna HSM Key Label you specified on the previous screen is populated.

    The key name can only contain alphanumeric characters and dashes.

  3. Select the desired Key Ring from the drop-down list.

  4. Select the Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:

    • Software: Crypto operations are performed in software.

    • HSM: Crypto operations are performed in an HSM.

  5. Select an Algorithm for the key. The options vary based on the key size and the purpose.

  6. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

    Note

    For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

    3. Click the + button.

    Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

  7. Click Next. The Review and Add screen is displayed.

Review and Add

This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

  1. Review the key details displayed on the screen.

    If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.

  2. Click Add Key.

    The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

    When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.

  3. Click Close. The Add Google Key wizard is closed.

The newly created key is displayed in the list of Google Cloud keys.

Uploading Vormetric DSM Key Material

Upload the key material using Vormetric DSM to configure the source key.

Select Material Origin > Select Source

  1. Select Vormetric DSM.

  2. Click Next. The Configure Source Key screen is displayed.

Configure Source Key

  1. Select Encryption Type. The options are Symmetric and Asymmetric.

    • Symmetric: Creates and uploads a symmetric key.

    • Asymmetric: Creates and uploads an asymmetric key. Additional fields Algorithm and Key Size are displayed.

  2. Enter a DSM Key Name. A new key with this name will be created on the DSM and its key material will be uploaded to Google Cloud.

  3. (Optional) Provide a Description for the key.

  4. Select a DSM Domain for the key. The drop-down list shows the DSM domains linked with the configured DSM connection.

  5. (Optional) Select the Expiration Date check box, select the key expiration date and time from the on-screen calendar.

  6. (Applicable to Asymmetric keys) Select an Algorithm for the key. The options are RSA-2048, RSA-3072, and RSA-4096.

  7. Click Next.

Configure Destination (Google) Key

  1. (Applicable to Asymmetric keys) Select Key Purpose. A key purpose specifies the operation that the key can be used to perform. The options are:

    • Decrypt: Enables the key for RSA encryption. This option is not applicable to EC algorithms.

    • Sign: Enables the key for elliptic curve signing and RSA signing.

  2. Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the DSM Key Name you specified on the previous screen is populated.

    The key name can only contain alphanumeric characters and dashes.

  3. Select the desired Key Ring from the drop-down list.

  4. (Optional, applicable to Symmetric keys) Select Google Automatic Rotation and specify the following:

    1. Select Rotation Period from the drop-down list. This is the time period (in days) after which the key will rotate automatically, after the date specified in Starting on (see below). The options are 30, 90, 180, and 365 days.

      To specify a custom frequency, select Custom and specify the rotation frequency in the Rotate key every (days) field that appears. The default value is 1 day.

    2. Click the Starting on field, and select the key expiration date and time from the on-screen calendar.

      This is the time when the automatic key rotation becomes effective. Next automatic key rotation will happen after the specified Rotation Period.

    For example, if you set Rotation Period as 30 days and set Starting on as today, the key will automatically rotate after 30 days from today.

  5. Select a Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:

    • Software: Crypto operations are performed in software.

    • HSM: Crypto operations are performed in an HSM.

  6. (Applicable to Asymmetric keys) Select an Algorithm for the key. The options vary based on the key purpose.

  7. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

    Note

    For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

    3. Click the + button.

    Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

  8. Click Next. The Review and Add screen is displayed.

Review and Add

This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

  1. Review the key details displayed on the screen.

    If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.

  2. Click Add Key.

    The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

    When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.

  3. Click Close. The Add Google Key wizard is closed.

The newly created key is displayed in the list of Google Cloud keys.

Cloning Existing Key Material

To add a new Google Cloud key by cloning key material existing on the CipherTrust Manager, Luna HSM, or the DSM:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Google.

  3. Click Add Key. The Select Material Origin screen of the Add Google Key wizard is displayed.

  4. Under Select Method, select Clone Existing Key Material. The Select Source section appears. Depending on your requirements, select from the following sources:

    • CipherTrust (Local): Refer to Cloning CipherTrust (Local) Key Material for details.

    • Luna HSM: Refer to Cloning Luna HSM Key Material for details.

    • Vormetric DSM: Refer to Cloning Vormetric DSM Key Material for details.

    Refer to Key Creation Methods and Sources for details on these key sources.

Cloning CipherTrust (Local) Key Material

Clone and upload the local key material using the CipherTrust Manager to configure the source key.

Select Material Origin > Select Source

  1. Select CipherTrust (Local).

  2. Click Next. The Select CipherTrust Key screen is displayed.

Select CipherTrust Key

  1. Select the desired key from the CipherTrust Key Name drop-down list. This field shows the available local CipherTrust Manager keys.

  2. Click Next. The Configure Destination (Google) Key screen is displayed.

Configure Destination (Google) Key

  1. Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the CipherTrust Key Name you specified on the previous screen is populated.

    The key name can only contain alphanumeric characters and dashes.

  2. Select the desired Key Ring. The drop-down list shows the key rings in the project location linked with the configured Google Cloud connection.

  3. (Optional) Select Google Automatic Rotation and specify the following:

    1. Select Rotation Period from the drop-down list. This is the time period (in days) after which the key will rotate automatically, after the date specified in Starting on (see below). The options are 30, 90, 180, and 365 days.

      To specify a custom frequency, select Custom and specify the rotation frequency in the Rotate key every (days) field that appears. The default value is 1 day.

    2. Click the Starting on field, and select the key expiration date and time from the on-screen calendar.

      This is the time when the automatic key rotation becomes effective. Next automatic key rotation will happen after the specified Rotation Period.

    For example, if you set Rotation Period as 30 days and set Starting on as today, the key will automatically rotate after 30 days from today.

  4. Select a Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:

    • Software: Crypto operations are performed in software.

    • HSM: Crypto operations are performed in an HSM.

  5. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

    Note

    For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

    3. Click the + button.

    Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

    See Also
    Google cloud storage authentication

  6. Click Next. The Review and Add screen is displayed.

Review and Add

This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

  1. Review the key details displayed on the screen.

    If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.

  2. Click Add Key.

    The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

    When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.

  3. Click Close. The Add Google Key wizard is closed.

The newly created key is displayed in the list of Google Cloud keys.

Cloning Luna HSM Key Material

Clone and upload the Luna HSM key material using the CipherTrust Manager to configure the source key.

Select Material Origin > Select Source

  1. Select Luna DSM.

  2. Click Next. The Select Luna HSM Key screen is displayed.

Select Luna HSM Key

  1. Select the desired key from the HSM Key Name drop-down list. This field displays the available Luna HSM keys.

  2. Click Next. The Configure Destination (Google) Key screen is displayed.

Configure Destination (Google) Key

  1. Select Key Purpose. A key purpose specifies the operation that the key can be used to perform. The options are:

    • Decrypt: Enables the key for RSA encryption. This option is not applicable to EC algorithms.

    • Sign: Enables the key for elliptic curve signing and RSA signing.

  2. Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the DSM Key Name you specified on the previous screen is populated.

    The key name can only contain alphanumeric characters and dashes.

  3. Select the desired Key Ring. The drop-down list shows the key rings in the project location linked with the configured Google Cloud connection.

  4. Select the Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:

    • Software: Crypto operations are performed in software.

    • HSM: Crypto operations are performed in an HSM.

  5. Select the Algorithm for the key. The options vary based on the key purpose.

  6. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

    Note

    For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

    3. Click the + button.

    Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

  7. Click Next. The Review and Add screen is displayed.

Review and Add

This screen shows the key details that you have provided. These details are divided into SOURCE KEY and DESTINATION KEY sections.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

  1. Review the key details displayed on the screen.

    If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.

  2. Click Add Key.

    The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

    When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.

  3. Click Close. The Add Google Key wizard is closed.

The newly created key is displayed in the list of Google Cloud keys.

Cloning Vormetric DSM Key Material

Clone and upload the DSM key material using the CipherTrust Manager to configure the source key.

Select Material Origin > Select Source

  1. Select Vormetric DSM.

  2. Click Next. The Select DSM Key screen is displayed.

Select DSM Key

  1. Select the desired key from the DSM Key Name drop-down list. This field displays the available DSM keys.

  2. Click Next. The Configure Destination (Google) Key screen is displayed.

Configure Destination (Google) Key

  1. Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the DSM Key Name you specified on the previous screen is populated.

    The key name can only contain alphanumeric characters and dashes.

  2. (Optional) Provide a basic Description of the key.

  3. Select the desired Key Ring. The drop-down list shows the key rings in the project location linked with the configured Google Cloud connection.

  4. (Optional) Select Google Automatic Rotation and specify the following:

    1. Select Rotation Period from the drop-down list. This is the time period (in days) after which the key will rotate automatically, after the date specified in Starting on (see below). The options are 30, 90, 180, and 365 days.

      To specify a custom frequency, select Custom and specify the rotation frequency in the Rotate key every (days) field that appears. The default value is 1 day.

    2. Click the Starting on field, and select the key expiration date and time from the on-screen calendar.

      This is the time when the automatic key rotation becomes effective. Next automatic key rotation will happen after the specified Rotation Period.

    For example, if you set Rotation Period as 30 days and set Starting on as today, the key will automatically rotate after 30 days from today.

  5. Select a Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:

    • Software: Crypto operations are performed in software.

    • HSM: Crypto operations are performed in an HSM.

  6. (Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.

    Note

    For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

    3. Click the + button.

    Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

  7. Click Next. The Review and Add screen is displayed.

Review and Add

This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.

Before adding the key, review all details. After the key is added, certain features will no longer be editable.

  1. Review the key details displayed on the screen.

    If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.

  2. Click Add Key.

    The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.

    When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.

  3. Click Close. The Add Google Key wizard is closed.

The newly created key is displayed in the list of Google Cloud keys.

Viewing Google Cloud Keys

The Google Keys page shows the list of Google Cloud keys available on the CipherTrust Manager.

To view the Google Cloud keys:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Google. The list of available Google Cloud keys is displayed. The Google Keys page displays the following details:

    FieldDescription
    NameUnique, user-friendly name of the Google Cloud key. Click the link to view additional details of the key or edit the key. Refer to Viewing or Editing Details of Google Cloud Keys. This name is useful in searching for specific keys.
    StatusState of the Google Cloud key. The status can be:
    • Available
    • Not Available
    • Deleted
    PurposePurpose of the Google Cloud key. The purpose can be:
    •Encrypt Decrypt
    •Asymmetric Sign
    •Asymmetric Decrypt
    ProtectionProtection level of the Google Cloud key. The protection level can be Software or HSM.
    AlgorithmAlgorithm of the Google Cloud key. A number of algorithms are supported.
    Key RingName of the Google Cloud key ring where the key resides.
    LocationLocation where the Google Cloud key is created.
    ProjectProject where the Google Cloud key is created.
    OrganizationOrganization where the Google Cloud key is created.
    Creation DateDate and time when the Google Cloud key is created.
    Next Google RotationDate and time of the next Google Cloud key rotation.

Sometimes, you might notice certain Google Cloud keys are displayed as grayed out. This happens when the keys are no longer accessible. For example, when:

  • Any cloud permissions on the keys are changed. The keys are no longer accessible from the Google Cloud connection.

  • Connection is changed in KMS. The new connection does not have permissions to access the keys.

  • When Google Cloud locations are changed or removed. The keys from the configured location are no longer accessible.

Refreshing Google Cloud Keys

Refreshing is the process of downloading keys created in Google Cloud key rings to CCKM. You can refresh keys from all Google Cloud key rings at once.

Refreshing All Keys

To refresh all keys:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Google. The Google Keys page is displayed. This page displays the list of Google Cloud keys.

  3. Click Refresh All. The This may take a while... message is displayed.

    Note

    Refresh all keys is a time intensive operation that could take several hours or days to complete. It will continue running in the background.

  4. Click Refresh All to continue.

A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.

The refreshed keys are listed on the Cloud Keys > Google > Google Keys page.

Refreshing Specific Keys

To refresh a key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Google. The Google Keys page is displayed. This page displays the list of Google Cloud keys.

  3. Click the overflow icon (Google Cloud Keys (1)) corresponding to the desired key.

  4. Click Refresh.

A message Key refreshed successfully.

The refreshed key is listed on the Cloud Keys > Google > Google Keys page.

Viewing Versions of a Key

To view the versions of a key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Google.

  3. Click the expand icon (Google Cloud Keys (2)) to the left of the desired key. The key version details are displayed:

    FieldDescription
    VersionVersion number of the key.
    StateState of the key version. The state can be Aborted, Enabled, Disabled, Destroy Scheduled, or Destroyed.
    AlgorithmAlgorithm used for the key version.
    OriginSource of the key material used for the version. The origin can be:
    CCKM: Key material is created on CCKM.
    Native: Key material is created on the cloud.
    External (Unknown): Source of the key material is unknown. It is different than CCKM and the native cloud.
    Refer to Key Creation Methods and Sources for details.
    Creation DateDate and time when the key version is created.
    Version Resource URLURL of the key version resource on the CipherTrust Manager.

Disabling a Key Version

If required, you can disable an enabled version of a key. An aborted, destroy scheduled, or destroyed key version cannot be disabled.

A disabled version cannot operate on data. After the key version is disabled, there is a delay of up to a few hours during which it can still operate on data. You can again enable the version later. All versions of a key can also be disable at once. Refer to Disabling All Versions of a Key.

To disable a key version:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Google.

  3. Click the expand icon (Google Cloud Keys (3)) to the left of the desired key.

  4. Click the overflow icon (Google Cloud Keys (4)) corresponding to the desired version.

  5. Click Disable Version. The Disable Key Version dialog box is displayed.

  6. Click Yes, Disable to confirm the action.

The state of the key version changes to Disabled.

Enabling a Key Version

If required, you can enable a disabled version of a key. An aborted, destroy scheduled, or destroyed key version cannot be enabled.

To enable a key version:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Google.

  3. Click the expand icon (Google Cloud Keys (5)) to the left of the desired key.

  4. Click the overflow icon (Google Cloud Keys (6)) corresponding to the desired version.

  5. Click Enable Version. The Enable Key Version dialog box is displayed.

  6. Click Yes, Enable to confirm the action.

The state of the key version changes to Enabled.

Downloading Public Key of an Asymmetric Version

The public key of asymmetric versions of a Google Cloud key can be downloaded.

To download the public key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Google.

  3. Click the expand icon (Google Cloud Keys (7)) to the left of the desired key.

  4. Click the overflow icon (Google Cloud Keys (8)) corresponding to the desired asymmetric version.

  5. Click Get Public Key.

The public key of (public-key.pem) the asymmetric key version is downloaded to your machine.

Scheduling Destruction of a Key Version

With CCKM, you can schedule destruction of a Google Cloud key version. The version will be destroyed 24 hours after you schedule the destruction. However, you can cancel the schedule destruction before the scheduled destruction time.

Caution

When a key version is destroyed, the version is immediately disabled, and cannot be recovered. Any data encrypted or signed by the version cannot decrypted or verified.

To schedule destruction of a key version:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Google.

  3. Click the expand icon (Google Cloud Keys (9)) to the left of the desired key.

  4. Click the overflow icon (Google Cloud Keys (10)) corresponding to the desired version.

  5. Click Schedule Destruction. The Schedule Key Version Destruction dialog box is displayed.

    Note

    If you confirm scheduled destruction, the version will be destroyed after 24 hours and cannot be recovered.

  6. Click Yes, Schedule Destruction to confirm the action.

The state of the key version changes to Destroy Scheduled. After 24 hours, the state will become Destroyed.

Canceling Scheduled Destruction of a Key Version

A scheduled destruction of a key version can be canceled before the destruction time arrives (that is, within 24 hours after you scheduled destruction).

To cancel the schedule destruction of a key version:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Google.

  3. Click the expand icon (Google Cloud Keys (11)) to the left of the desired key.

  4. Click the overflow icon (Google Cloud Keys (12)) corresponding to the desired version with the Destroy Scheduled state.

  5. Click Cancel Destruction. The Cancel Key Version Destruction dialog box is displayed.

  6. Click Yes, Cancel Destruction to confirm the action.

The state of the key version changes to Disabled. The disabled key version can be enabled, if required. Refer to Enabling a Key Version.

Enabling All Versions of a Key

With CCKM, you can enable all disabled versions of a key at once. Aborted, destroy scheduled, or destroyed key versions cannot be enabled.

To enable all disabled versions of a key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Google.

  3. Click the overflow icon (Google Cloud Keys (13)) corresponding to the desired key.

  4. Click Enable All Key Versions. The Enable All Versions dialog box is displayed.

  5. Click Yes, Enable.

All the key versions disabled earlier are now enabled. The status of the key versions changes to Enabled.

Disabling All Versions of a Key

With CCKM, you can disable all enabled versions of a key at once. Aborted, destroy scheduled, or destroyed key versions cannot be disabled.

A disabled version cannot operate on data. After the key version is disabled, there is a delay of up to a few hours during which it can still operate on data. You can again enable the version later. Individual versions of a key can also be disabled. Refer to Disabling a Key Version.

To disable all enabled versions of a key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Google.

  3. Click the overflow icon (Google Cloud Keys (14)) corresponding to the desired key.

  4. Click Disable All Key Versions. The Disable All Versions dialog box is displayed.

  5. Click Yes, Disable.

All the key versions enabled earlier are now disabled. The status of the key versions changes to Disabled.

Scheduling Destruction of All Versions of a Key

With CCKM, you can schedule destruction of all versions of key at once. The versions will be destroyed 24 hours after you schedule the destruction. However, you can cancel the schedule destruction before the scheduled destruction time.

Caution

When a key version is destroyed, the version is immediately disabled, and cannot be recovered. Any data encrypted or signed by the version cannot decrypted or verified.

To schedule destruction of all versions of a key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Google.

  3. Click the overflow icon (Google Cloud Keys (15)) corresponding to the desired key.

  4. Click Destroy All Versions. The Schedule Destruction dialog box is displayed.

  5. Click Yes, Schedule Destruction.

All the key versions are scheduled for destruction. The status of the key versions changes to Destroy Scheduled.

Canceling Scheduled Destruction of All Key Versions

A scheduled destruction of all key versions can be canceled before the destruction time arrives (that is, within 24 hours after you scheduled destruction).

To cancel the schedule destruction of all key versions:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Google.

  3. Click the overflow icon (Google Cloud Keys (16)) corresponding to the desired key.

  4. Click Cancel Destruction. The Cancel Key Version Destruction dialog box is displayed.

  5. Click Yes, Cancel Destruction to confirm the action.

The state of all enabled key versions changes to Disabled. The disabled key versions can be enabled, if required. Refer to Enabling All Versions of a Key.

Adding a Key Version

CCKM provides two methods to add a new version to a key. Refer to Key Creation Methods and Sources for details on key creation methods and key sources.

To add a new key version:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Google.

  3. Click the overflow icon (Google Cloud Keys (17)) corresponding to the desired version.

  4. Click Add Version. The Add Version dialog box is displayed.

  5. Select Method. The options are:

    • Create/Upload New Key Material: Refer to Adding Key Version by Creating/Uploading Key Material.

    • Clone Existing Key Material: Refer to Adding Key Version by Creating/Uploading Key Material.

Adding Key Version by Creating New Key Material

  1. Select Create/Upload New Key Material as the method.

  2. Select Source. The options are:

    • CipherTrust (Local): Select this option, select the Algorithm, and specify Key Name for the new key version.

    • Google (Native): Select this option to create a new native Google Cloud key.

    • Luna HSM: Select this option, select the Algorithm, select the Partition ID, select Key Attributes, and specify Key Name for the new key version.

      The key attributes Modifiable, Extractable, and Sensitive are selected for a BYOK Compatible key.

    • Vormetric DSM: Select this option, select the Algorithm, select the Domain, and specify Key Name for the new key version.

  3. Click Add Version.

A new version is added to the key.

Adding Key Version by Cloning Existing Key Material

  1. Select Clone Existing Key Material as the method.

  2. Select Source. The options are:

    • CipherTrust (Local): Select this option, select the Algorithm, and Select a key source for the new key version.

    • Luna HSM: Select this option and Select a key source for the new key version.

    • Vormetric DSM: Select this option, select the Algorithm, and Select a key source for the new key version.

  3. Click Add Version.

A new version is added to the key.

Viewing or Editing Details of Google Cloud Keys

After a key is created, you can add or update tags and key rotation schedules, and also rotate key versions in the edit view. You can perform various operations on key versions.

In the edit view of a key, you can view all the key details such as its purpose, protection level, and location etc.

To view or edit an Google Cloud key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Google. The list of available Google Cloud keys is displayed.

  3. Click the overflow icon (Google Cloud Keys (18)) corresponding to the desired key and click View/Edit. Alternatively, you can click the key name link. The edit view of the key is displayed. The edit view is divided into:

    • LABELS: View, add, and update labels. Refer to Adding or Updating Labels.

    • ALGORITHM: Update the default algorithm for the new key version. Refer to Updating Default Algorithm for New Key Versions for details.

    • ROTATION: Update a key rotation schedule. Refer to Updating Key Rotation Schedule for details.

    • Key Versions: Perform operations on key versions. Refer to Performing Key Version Operations.

Updating Default Algorithm for New Key Versions

To update the default algorithm for the new versions of the key, in the ALGORITHM section:

  1. Select the desired algorithm from the Select Default Algorithm for New Version drop-down list.

  2. Click Update.

The default algorithm is updated for the new versions of the key.

The key labels are updated.

Adding or Updating Labels

A label is a tag assigned to the key, which consists of a user-defined key and a value.

Note

For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.

To add or update key labels, in the LABELS section:

  1. Under Label, specify a tag key.

  2. Enter the tag value.

  3. Click the + button.

    Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

  4. Click Update.

The key labels are updated.

Updating Key Rotation Schedule

To update a key rotation schedule, in the ROTATION section:

  1. Select Rotation Schedule. The drop-down list shows the available key rotation schedules.

  2. Select the Key Origin. The options are CipherTrust, Native (Google), Luna, and DSM. Refer to Key Creation Methods and Sources for details on sources.

  3. Select the Algorithm for the key.

  4. (Applicable to the DSM) Select the desired DSM Domain.

  5. (Applicable to the Luna HSM) Select the desired Luna HSM Partition.

  6. Click Update.

The key rotation schedule is updated.

Performing Key Version Operations

With CCKM, you enable/disable, add or rotate, and schedule destruction of key versions. Also, you can download public key of asymmetric versions of a key.

To perform a operation on a key version, under the Key Versions section:

  1. Click the overflow icon (Google Cloud Keys (19)) corresponding to the desired version. A popup menu appears.

  2. Select the desired operation. Depending on the current state, the options can be Disable Version, Enable Version, and Schedule Destruction. An Aborted version cannot be enabled, disabled, or scheduled for destruction.

    To download the public key of an asymmetric key version, click Get Public Key. The public key of (public-key.pem) the asymmetric key version is downloaded to your machine.

  3. Confirm the operation.

To rotate all versions of a key, click Rotate under the Key Versions section.

Google Cloud Keys (2024)
Top Articles
Financial Analysis in Marketing: Example & Excel Template
Where to Find Affordable, Feminine Stock Photos - Amy Howard Social
Foxy Roxxie Coomer
Victor Spizzirri Linkedin
Dragon Age Inquisition War Table Operations and Missions Guide
Tyson Employee Paperless
Ds Cuts Saugus
Mylaheychart Login
Https Www E Access Att Com Myworklife
Midway Antique Mall Consignor Access
Compare the Samsung Galaxy S24 - 256GB - Cobalt Violet vs Apple iPhone 16 Pro - 128GB - Desert Titanium | AT&T
Culvers Tartar Sauce
Keniakoop
United Dual Complete Providers
Bad Moms 123Movies
Aspen Mobile Login Help
Tamilyogi Proxy
Shopmonsterus Reviews
The Old Way Showtimes Near Regency Theatres Granada Hills
Winco Employee Handbook 2022
Sodium azide 1% in aqueous solution
12 Facts About John J. McCloy: The 20th Century’s Most Powerful American?
Mals Crazy Crab
Craigslist Dubuque Iowa Pets
SOGo Groupware - Rechenzentrum Universität Osnabrück
Leben in Japan – das muss man wissen - Lernen Sie Sprachen online bei italki
Cinema | Düsseldorfer Filmkunstkinos
Emuaid Max First Aid Ointment 2 Ounce Fake Review Analysis
Busch Gardens Wait Times
Vlacs Maestro Login
Rush County Busted Newspaper
Was heißt AMK? » Bedeutung und Herkunft des Ausdrucks
Walter King Tut Johnson Sentenced
Microsoftlicentiespecialist.nl - Microcenter - ICT voor het MKB
Bee And Willow Bar Cart
One Credit Songs On Touchtunes 2022
Joe's Truck Accessories Summerville South Carolina
Are you ready for some football? Zag Alum Justin Lange Forges Career in NFL
My.lifeway.come/Redeem
Duff Tuff
The Minneapolis Journal from Minneapolis, Minnesota
Red Dead Redemption 2 Legendary Fish Locations Guide (“A Fisher of Fish”)
Taylor University Baseball Roster
The Attleboro Sun Chronicle Obituaries
Po Box 101584 Nashville Tn
Paperlessemployee/Dollartree
Tyco Forums
Dicks Mear Me
Theatervoorstellingen in Nieuwegein, het complete aanbod.
Abigail Cordova Murder
Product Test Drive: Garnier BB Cream vs. Garnier BB Cream For Combo/Oily Skin
Diablo Spawns Blox Fruits
Latest Posts
Financial Performance Analysis in European Football Clubs
Financial Performance Analysis in European Football Clubs
Article information

Author: Tuan Roob DDS

Last Updated:

Views: 5879

Rating: 4.1 / 5 (42 voted)

Reviews: 81% of readers found this page helpful

Author information

Name: Tuan Roob DDS

Birthday: 1999-11-20

Address: Suite 592 642 Pfannerstill Island, South Keila, LA 74970-3076

Phone: +9617721773649

Job: Marketing Producer

Hobby: Skydiving, Flag Football, Knitting, Running, Lego building, Hunting, Juggling

Introduction: My name is Tuan Roob DDS, I am a friendly, good, energetic, faithful, fantastic, gentle, enchanting person who loves writing and wants to share my knowledge and understanding with you.