Google Cloud Keys
This section describes how to manage Google Cloud keys on CCKM. Before proceeding, you must have a Google Cloud key ring added to the CCKM. Refer to Google Cloud Key Rings for details.
Key Types
CCKM supports two types of Google Cloud keys:
Symmetric: A randomly generated key is used to encrypt and decrypt the data.
Asymmetric: A public and private RSA key pair is used to encrypt and decrypt the data. The public key encrypts while the private key decrypts the data.
Key Creation Methods and Sources
Methods to create Google Cloud keys using CCKM are:
Creating/Uploading New Key Material: Add key material by creating and uploading new source key or creating new native key. The key source can be:
CipherTrust (External): A new key is first created on the external CipherTrust Manager. Then, this key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the external CipherTrust Manager, the key origin is
CipherTrust (External)
.CipherTrust (Local): A new key is first created on the CipherTrust Manager. Then, this key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is
CCKM
.Google (Native): A new key is directly created on Google Cloud using the native Google application. The key origin is
NATIVE
.Luna HSM: A new Luna HSM key is first created on the CipherTrust Manager. Then, this key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is
CCKM
.Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Vormetric DSM: A new DSM key is first created on the CipherTrust Manager. Then, this key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is
CCKM
.
Cloning Existing Key Material: Clone key material from an existing key to create a new key. The key source can be:
CipherTrust (Local): An existing local CipherTrust Manager key is first cloned on the CipherTrust Manager. Then, the cloned key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is
CCKM
.CipherTrust (External): An existing key is first cloned on the external CipherTrust Manager. Then, this key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the external CipherTrust Manager, the key origin is
CipherTrust (External)
.Luna HSM: An existing Luna HSM key is first cloned on the CipherTrust Manager. Then, the key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is
CCKM
.Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Vormetric DSM: An existing DSM key is first cloned on the CipherTrust Manager. Then, the key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is
CCKM
.
Creating/Uploading New Key Material
To add a Google Cloud key by creating/uploading new key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click Add Key. The Select Material Origin screen of the Add Google Key wizard is displayed.
Under Select Method, select Create/Upload New Key Material. The Select Source section appears. Depending on your requirements, select from the following:
CipherTrust (External): Refer to Uploading CipherTrust (External) Key Material for details.
CipherTrust (Local): Refer to Uploading CipherTrust (Local) Key Material for details.
Google (Native): Refer to Creating Google (Native) Key Material for details.
Luna HSM: Refer to Uploading Luna HSM Key Material for details.
Vormetric DSM: Refer to Uploading Vormetric DSM Key Material for details.
Refer to Key Creation Methods and Sources for details on key sources.
Uploading CipherTrust (External) Key Material
Upload the key material of an external CipherTrust Manager key using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
Select CipherTrust (External).
Click Next. The Configure CipherTrust (External) Key screen is displayed.
Configure CipherTrust (External) Key
Select Key Type. The options are Symmetric and Asymmetric.
Symmetric: Creates and uploads a symmetric key.
Asymmetric: Creates and uploads an asymmetric key. Additional fields Algorithm and Key Size are displayed.
Select Domain from the drop-down list. The drop-down list shows the external CM domains linked with the configured external CM connection.
Enter a Key Name. A new key with this name will be created on the CipherTrust Manager and its key material will be uploaded to Google Cloud.
(Applicable to Asymmetric keys) Select an Algorithm for the key.
(Applicable to Asymmetric keys) Select a Key Size / Key Curve for the key. The options vary based on the selected Algorithm.
- Click Next.
Configure Destination (Google) Key
(Applicable to Asymmetric keys) Select the Key Purpose. A key purpose specifies the operation that the key can be used to perform. Depending on the key algorithm selected on the previous screen, the options are:
Decrypt: Enables the key for RSA encryption. This option is not applicable to EC algorithms.
Sign: Enables the key for elliptic curve signing and RSA signing.
Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the Key Name you specified on the previous screen is populated.
The key name can only contain alphanumeric characters and dashes.
Select the desired Key Ring from the drop-down list.
(Optional) Select Restrict key versions to import only to specify that the newer versions of the key can only be imported. After key creation, this field will become non-editable. Google native key rotation will not be allowed for them. That is, the Google Automatic Rotation check box will be disabled for them.
(Optional) Configure the duration for which the key can remain in the soft-deleted state before it is destroyed from CCKM. The default duration is 30 days.
Select Soft Delete Wait Time.
Specify Soft Delete Wait Time (Days). The duration can range from 1 to 120 days. For import-only keys, the minimum duration is 0 days.
Note
The duration applies to all versions of the key created in the future.
The soft-delete wait time can't be modified after the key is created.
The soft-deleted key will be removed from CCKM after the number of days specified in Soft Delete Wait Time (Days).
(Optional, applicable to Symmetric keys) Select Google Automatic Rotation and specify the following:
Select Rotation Period from the drop-down list. This is the time period (in days) after which the key will rotate automatically, after the date specified in Starting on (see below). The options are 30, 90, 180, and 365 days.
To specify a custom frequency, select Custom and specify the rotation frequency in the Rotate key every (days) field that appears. The default value is
1
day.Click the Starting on field, and select the key expiration date and time from the on-screen calendar.
This is the time when the automatic key rotation becomes effective. Next automatic key rotation will happen after the specified Rotation Period.
For example, if you set Rotation Period as 30 days and set Starting on as today, the key will automatically rotate after 30 days from today.
Select a Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:
Software: Crypto operations are performed in software.
HSM: Crypto operations are performed in an HSM.
(Applicable to Asymmetric keys) Select an Algorithm for the key. The options vary based on the Algorithm, Key Size / Key Curve (selected on the Configure Source Key screen), and key purpose.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Add to Schedule screen is displayed.
Add to Schedule
Select Schedule to Apply. The drop-down list shows the available key rotation schedules.
Select the Key Origin from the available options. The key origin can be:
CipherTrust (Local): The local CipherTrust Manager.
CipherTrust (External): The external CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Native: Native cloud, Google.
Select an Algorithm. For the Native Key Origin, the Algorithm field is unavailable.
Click Next.
The Review and Add Key screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add Google Key wizard is closed.
The newly created key is displayed in the list of Google Cloud keys.
Uploading CipherTrust (Local) Key Material
Upload the local key material using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
Select CipherTrust (Local).
Click Next. The Configure CipherTrust (Local) Key screen is displayed.
Configure CipherTrust (Local) Key
Select Key Type. The options are Symmetric and Asymmetric.
Symmetric: Creates and uploads a symmetric key.
Asymmetric: Creates and uploads an asymmetric key. Additional fields Algorithm and Key Size are displayed.
Enter a Key Name. A new key with this name will be created on the CipherTrust Manager and its key material will be uploaded to Google Cloud.
(Applicable to Asymmetric keys) Select the Algorithm. The options are RSA and EC.
(Applicable to Asymmetric keys) Select the Key Size / Key Curve based on the algorithm:
For the RSA algorithm, select the Key Size. The options are 2048, 3072, and 4096.
For the EC algorithm, select the Key Curve. The options are prime256v1, secp384r1, and secp265k1.
Click Next.
Configure Destination (Google) Key
(Applicable to Asymmetric keys) Select the Key Purpose. A key purpose specifies the operation that the key can be used to perform. Depending on the key algorithm selected on the previous screen, the options are:
Decrypt: Enables the key for RSA encryption. This option is not applicable to EC algorithms.
Sign: Enables the key for elliptic curve signing and RSA signing.
Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the Key Name you specified on the previous screen is populated.
The key name can only contain alphanumeric characters and dashes.
Select the desired Key Ring from the drop-down list.
(Optional) Select Restrict key versions to import only to specify that the newer versions of the key can only be imported. After key creation, this field will become non-editable. Google native key rotation will not be allowed for them. That is, the Google Automatic Rotation check box will be disabled for them.
(Optional) Configure the duration for which the key can remain in the soft-deleted state before it is destroyed from CCKM. The default duration is 30 days.
Select Soft Delete Wait Time.
Specify Soft Delete Wait Time (Days). The duration can range from 1 to 120 days. For import-only keys, the minimum duration is 0 days.
Note
The duration applies to all versions of the key created in the future.
The soft-delete wait time can't be modified after the key is created.
The soft-deleted key will be removed from CCKM after the number of days specified in Soft Delete Wait Time (Days).
(Optional, applicable to Symmetric keys) Select Google Automatic Rotation and specify the following:
Select Rotation Period from the drop-down list. This is the time period (in days) after which the key will rotate automatically, after the date specified in Starting on (see below). The options are 30, 90, 180, and 365 days.
To specify a custom frequency, select Custom and specify the rotation frequency in the Rotate key every (days) field that appears. The default value is
1
day.Click the Starting on field, and select the key expiration date and time from the on-screen calendar.
This is the time when the automatic key rotation becomes effective. Next automatic key rotation will happen after the specified Rotation Period.
For example, if you set Rotation Period as 30 days and set Starting on as today, the key will automatically rotate after 30 days from today.
Select a Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:
Software: Crypto operations are performed in software.
HSM: Crypto operations are performed in an HSM.
(Applicable to Asymmetric keys) Select an Algorithm for the key. The options vary based on the Algorithm, Key Size / Key Curve (selected on the Configure Source Key screen), and key purpose.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Add to Schedule screen is displayed.
Add to Schedule
Select Schedule to Apply. The drop-down list shows the available key rotation schedules.
Select the Key Origin from the available options. The key origin can be:
CipherTrust (Local): The local CipherTrust Manager.
CipherTrust (External): The external CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Native: Native cloud, Google.
Select an Algorithm. For the Native Key Origin, the Algorithm field is unavailable.
Click Next.
The Review and Add Key screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add Google Key wizard is closed.
The newly created key is displayed in the list of Google Cloud keys.
Creating Google (Native) Key Material
Create the key material directly using native Google application.
Select Material Origin > Select Source
Select Google (Native).
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Select Key Type. The options are:
Symmetric: Creates a symmetric key. Additional field Google Automatic Rotation is displayed.
Asymmetric: Creates an asymmetric key. Additional fields Select Key Purpose and Algorithm are displayed.
(Applicable to Asymmetric keys) Select Key Purpose. A key purpose specifies the operation that the key can be used to perform. The options are:
Decrypt: Enables the key for RSA encryption.
Sign: Enables the key for elliptic curve signing and RSA signing.
Enter the Key Name. This name helps uniquely identify a key.
Select the desired Key Ring from the drop-down list.
(Optional) Configure the duration for which the key can remain in the soft-deleted state before it is destroyed from CCKM. The default duration is 30 days.
Select Soft Delete Wait Time.
Specify Soft Delete Wait Time (Days). The duration can range from 1 to 120 days. For import-only keys, the minimum duration is 0 days.
Note
The duration applies to all versions of the key created in the future.
The soft-delete wait time can't be modified after the key is created.
The soft-deleted key will be removed from CCKM after the number of days specified in Soft Delete Wait Time (Days).
(Optional, applicable to Symmetric keys) Select Google Automatic Rotation and specify the following:
Select Rotation Period from the drop-down list. This is the time period (in days) after which the key will rotate automatically, after the date specified in Starting on (see below). The options are 30, 90, 180, and 365 days.
To specify a custom frequency, select Custom and specify the rotation frequency in the Rotate key every (days) field that appears. The default value is
1
day.Click the Starting on field, and select the key expiration date and time from the on-screen calendar.
This is the time when the automatic key rotation becomes effective. Next automatic key rotation will happen after the specified Rotation Period.
For example, if you set Rotation Period as 30 days and set Starting on as today, the key will automatically rotate after 30 days from today.
Select a Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:
Software: Crypto operations are performed in software.
HSM: Crypto operations are performed in an HSM.
(Applicable to Asymmetric keys) Select an Algorithm for the key. The options vary based on the selected key purpose.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Add to Schedule screen is displayed.
Add to Schedule
Select Schedule to Apply. The drop-down list shows the available key rotation schedules.
Select the Key Origin from the available options. The key origin can be:
CipherTrust (Local): The local CipherTrust Manager.
CipherTrust (External): The external CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Native: Native cloud, Google.
Select an Algorithm. For the Native Key Origin, the Algorithm field is unavailable.
Click Next.
The Review and Add Key screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, NATIVE KEY, and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the NATIVE KEY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the NATIVE KEY and KEY SCHEDULES sections becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Google Key wizard is closed.
The newly created key is displayed in the list of Google Cloud keys. The origin of the key is NATIVE
.
Uploading Luna HSM Key Material
Upload the key material using Luna HSM to configure the source key.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Select Material Origin > Select Source
Select Luna HSM.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Enter a Luna HSM Key Label. A new key with this name will be created on the Luna HSM and its key material will be uploaded to Google Cloud.
Select the Partition ID of the desired Luna HSM partition.
Select the key Mechanism. The supported key mechanisms are:
CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN
CKM_RSA_X9_31_KEY_PAIR_GEN
CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN
CKM_RSA_PKCS_KEY_PAIR_GEN
Select the Key Size from the available options. The supported sizes are 2048, 3072, and 4096.
Select the Key Attributes. The options are:
Modifiable, Extractable, Sensitive (all three are selected for a BYOK Compatible key)
Encrypt, Decrypt, Wrap, Unwrap
Sign, Verify, Derive
Click Next.
Configure Destination (Google) Key
Select Key Purpose. A key purpose specifies the operation that the key can be used to perform. The options are:
Decrypt: Enables the key for RSA encryption. This option is not applicable to EC algorithms.
Sign: Enables the key for elliptic curve signing and RSA signing.
Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the Luna HSM Key Label you specified on the previous screen is populated.
The key name can only contain alphanumeric characters and dashes.
Select the desired Key Ring from the drop-down list.
(Optional) Select Restrict key versions to import only to specify that the newer versions of the key can only be imported. After key creation, this field will become non-editable. Google native key rotation will not be allowed for them.
(Optional) Configure the duration for which the key can remain in the soft-deleted state before it is destroyed from CCKM. The default duration is 30 days.
Select Soft Delete Wait Time.
Specify Soft Delete Wait Time (Days). The duration can range from 1 to 120 days. For import-only keys, the minimum duration is 0 days.
Note
The duration applies to all versions of the key created in the future.
The soft-delete wait time can't be modified after the key is created.
The soft-deleted key will be removed from CCKM after the number of days specified in Soft Delete Wait Time (Days).
Select the Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:
Software: Crypto operations are performed in software.
HSM: Crypto operations are performed in an HSM.
Select an Algorithm for the key. The options vary based on the key size and the purpose.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Add to Schedule screen is displayed.
Add to Schedule
Select Schedule to Apply. The drop-down list shows the available key rotation schedules.
Select the Key Origin from the available options. The key origin can be:
CipherTrust (Local): The local CipherTrust Manager.
CipherTrust (External): The external CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Native: Native cloud, Google.
Select an Algorithm. For the Native Key Origin, the Algorithm field is unavailable.
Click Next.
The Review and Add Key screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add Google Key wizard is closed.
The newly created key is displayed in the list of Google Cloud keys.
Uploading Vormetric DSM Key Material
Upload the key material using Vormetric DSM to configure the source key.
Select Material Origin > Select Source
Select Vormetric DSM.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Select Encryption Type. The options are Symmetric and Asymmetric.
Symmetric: Creates and uploads a symmetric key.
Asymmetric: Creates and uploads an asymmetric key. Additional fields Algorithm and Key Size are displayed.
Enter a DSM Key Name. A new key with this name will be created on the DSM and its key material will be uploaded to Google Cloud.
(Optional) Provide a Description for the key.
Select a DSM Domain for the key. The drop-down list shows the DSM domains linked with the configured DSM connection.
(Optional) Select the Expiration Date check box, select the key expiration date and time from the on-screen calendar.
(Applicable to Asymmetric keys) Select an Algorithm for the key. The options are RSA-2048, RSA-3072, and RSA-4096.
Click Next.
Configure Destination (Google) Key
(Applicable to Asymmetric keys) Select Key Purpose. A key purpose specifies the operation that the key can be used to perform. The options are:
Decrypt: Enables the key for RSA encryption. This option is not applicable to EC algorithms.
Sign: Enables the key for elliptic curve signing and RSA signing.
Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the DSM Key Name you specified on the previous screen is populated.
The key name can only contain alphanumeric characters and dashes.
Select the desired Key Ring from the drop-down list.
(Optional) Select Restrict key versions to import only to specify that the newer versions of the key can only be imported. After key creation, this field will become non-editable. Google native key rotation will not be allowed for them. That is, the Google Automatic Rotation check box will be disabled for them.
(Optional) Configure the duration for which the key can remain in the soft-deleted state before it is destroyed from CCKM. The default duration is 30 days.
Select Soft Delete Wait Time.
Specify Soft Delete Wait Time (Days). The duration can range from 1 to 120 days. For import-only keys, the minimum duration is 0 days.
Note
The duration applies to all versions of the key created in the future.
The soft-delete wait time can't be modified after the key is created.
The soft-deleted key will be removed from CCKM after the number of days specified in Soft Delete Wait Time (Days).
(Optional, applicable to Symmetric keys) Select Google Automatic Rotation and specify the following:
Select Rotation Period from the drop-down list. This is the time period (in days) after which the key will rotate automatically, after the date specified in Starting on (see below). The options are 30, 90, 180, and 365 days.
To specify a custom frequency, select Custom and specify the rotation frequency in the Rotate key every (days) field that appears. The default value is
1
day.Click the Starting on field, and select the key expiration date and time from the on-screen calendar.
This is the time when the automatic key rotation becomes effective. Next automatic key rotation will happen after the specified Rotation Period.
For example, if you set Rotation Period as 30 days and set Starting on as today, the key will automatically rotate after 30 days from today.
Select a Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:
Software: Crypto operations are performed in software.
HSM: Crypto operations are performed in an HSM.
(Applicable to Asymmetric keys) Select an Algorithm for the key. The options vary based on the key purpose.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Add to Schedule screen is displayed.
Add to Schedule
Select Schedule to Apply. The drop-down list shows the available key rotation schedules.
Select the Key Origin from the available options. The key origin can be:
CipherTrust (Local): The local CipherTrust Manager.
CipherTrust (External): The external CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Native: Native cloud, Google.
Select an Algorithm. For the Native Key Origin, the Algorithm field is unavailable.
Click Next.
The Review and Add Key screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add Google Key wizard is closed.
The newly created key is displayed in the list of Google Cloud keys.
Cloning Existing Key Material
To add a new Google Cloud key by cloning key material existing on the CipherTrust Manager, Luna HSM, or the DSM:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click Add Key. The Select Material Origin screen of the Add Google Key wizard is displayed.
Under Select Method, select Clone Existing Key Material. The Select Source section appears. Depending on your requirements, select from the following:
CipherTrust (External): Refer to Cloning CipherTrust (External) Key Material for details.
CipherTrust (Local): Refer to Cloning CipherTrust (Local) Key Material for details.
Luna HSM: Refer to Cloning Luna HSM Key Material for details.
Vormetric DSM: Refer to Cloning Vormetric DSM Key Material for details.
Refer to Key Creation Methods and Sources for details on these key sources.
Cloning CipherTrust (External) Key Material
Clone and upload the key material of an external CipherTrust Manager key using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
Select CipherTrust (External).
Click Next. The Select CipherTrust (External) Key screen is displayed.
Select CipherTrust (External) Key
Select Domain from the drop-down list. The drop-down list shows the external CM domains linked with the configured external CM connection.
Select an Algorithm. The options are AES, RSA, and EC.
Select the Key Size based on the key type:
For an AES key, the option is 256.
For an RSA key, the options are 2048, 3072, and 4096.
For an EC key, the options are prime256v1, secp384r1, and secp256k1.
Select the desired CipherTrust (External) Key from the list.
Click Next. The Configure Destination (Google) Key screen is displayed.
Configure Destination (Google) Key
(Applicable to Asymmetric keys) Select Key Purpose. A key purpose specifies the operation that the key can be used to perform. The options are:
Decrypt: Enables the key for RSA encryption. This option is not applicable to EC algorithms.
Sign: Enables the key for elliptic curve signing and RSA signing.
Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the CipherTrust Key Name you specified on the previous screen is populated.
The key name can only contain alphanumeric characters and dashes.
Select the desired Key Ring. The drop-down list shows the key rings in the project location linked with the configured Google Cloud connection.
(Optional) Select Restrict key versions to import only to specify that the newer versions of the key can only be imported. After key creation, this field will become non-editable. Google native key rotation will not be allowed for them. That is, the Google Automatic Rotation check box will be disabled for them.
(Optional) Configure the duration for which the key can remain in the soft-deleted state before it is destroyed from CCKM. The default duration is 30 days.
Select Soft Delete Wait Time.
Specify Soft Delete Wait Time (Days). The duration can range from 1 to 120 days. For import-only keys, the minimum duration is 0 days.
Note
The duration applies to all versions of the key created in the future.
The soft-delete wait time can't be modified after the key is created.
The soft-deleted key will be removed from CCKM after the number of days specified in Soft Delete Wait Time (Days).
(Optional) Select Google Automatic Rotation and specify the following:
Select Rotation Period from the drop-down list. This is the time period (in days) after which the key will rotate automatically, after the date specified in Starting on (see below). The options are 30, 90, 180, and 365 days.
To specify a custom frequency, select Custom and specify the rotation frequency in the Rotate key every (days) field that appears. The default value is
1
day.Click the Starting on field, and select the key expiration date and time from the on-screen calendar.
This is the time when the automatic key rotation becomes effective. Next automatic key rotation will happen after the specified Rotation Period.
For example, if you set Rotation Period as 30 days and set Starting on as today, the key will automatically rotate after 30 days from today.
Select a Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:
Software: Crypto operations are performed in software.
HSM: Crypto operations are performed in an HSM.
Select the Algorithm for the key.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Add to Schedule screen is displayed.
Add to Schedule
Select Schedule to Apply. The drop-down list shows the available key rotation schedules.
Select the Key Origin from the available options. The key origin can be:
CipherTrust (Local): The local CipherTrust Manager.
CipherTrust (External): The external CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Native: Native cloud, Google.
Select an Algorithm. For the Native Key Origin, the Algorithm field is unavailable.
Click Next.
The Review and Add Key screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Google Key wizard is closed.
The newly created key is displayed in the list of Google Cloud keys.
Cloning CipherTrust (Local) Key Material
Clone and upload the local key material using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
Select CipherTrust (Local).
Click Next. The Select CipherTrust (Local) Key screen is displayed.
Select CipherTrust (Local) Key
Select an Algorithm. The options are AES, RSA, and EC.
Select the Key Size based on the key type:
For an AES key, the option is 256.
For an RSA key, the options are 2048, 3072, and 4096.
For an EC key, the options are prime256v1, secp384r1, and secp256k1.
Select the desired CipherTrust (Local) Key from the list.
Click Next. The Configure Destination (Google) Key screen is displayed.
Configure Destination (Google) Key
(Applicable to Asymmetric keys) Select Key Purpose. A key purpose specifies the operation that the key can be used to perform. The options are:
Decrypt: Enables the key for RSA encryption. This option is not applicable to EC algorithms.
Sign: Enables the key for elliptic curve signing and RSA signing.
Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the CipherTrust Key Name you specified on the previous screen is populated.
The key name can only contain alphanumeric characters and dashes.
Select the desired Key Ring. The drop-down list shows the key rings in the project location linked with the configured Google Cloud connection.
(Optional) Select Restrict key versions to import only to specify that the newer versions of the key can only be imported. After key creation, this field will become non-editable. Google native key rotation will not be allowed for them. That is, the Google Automatic Rotation check box will be disabled for them.
(Optional) Configure the duration for which the key can remain in the soft-deleted state before it is destroyed from CCKM. The default duration is 30 days.
Select Soft Delete Wait Time.
Specify Soft Delete Wait Time (Days). The duration can range from 1 to 120 days. For import-only keys, the minimum duration is 0 days.
Note
The duration applies to all versions of the key created in the future.
The soft-delete wait time can't be modified after the key is created.
The soft-deleted key will be removed from CCKM after the number of days specified in Soft Delete Wait Time (Days).
(Optional) Select Google Automatic Rotation and specify the following:
Select Rotation Period from the drop-down list. This is the time period (in days) after which the key will rotate automatically, after the date specified in Starting on (see below). The options are 30, 90, 180, and 365 days.
To specify a custom frequency, select Custom and specify the rotation frequency in the Rotate key every (days) field that appears. The default value is
1
day.Click the Starting on field, and select the key expiration date and time from the on-screen calendar.
This is the time when the automatic key rotation becomes effective. Next automatic key rotation will happen after the specified Rotation Period.
For example, if you set Rotation Period as 30 days and set Starting on as today, the key will automatically rotate after 30 days from today.
Select a Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:
Software: Crypto operations are performed in software.
HSM: Crypto operations are performed in an HSM.
Select the Algorithm for the key.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Add to Schedule screen is displayed.
Add to Schedule
Select Schedule to Apply. The drop-down list shows the available key rotation schedules.
Select the Key Origin from the available options. The key origin can be:
CipherTrust (Local): The local CipherTrust Manager.
CipherTrust (External): The external CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Native: Native cloud, Google.
Select an Algorithm. For the Native Key Origin, the Algorithm field is unavailable.
Click Next.
The Review and Add Key screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Google Key wizard is closed.
The newly created key is displayed in the list of Google Cloud keys.
Cloning Luna HSM Key Material
Clone and upload the Luna HSM key material using the CipherTrust Manager to configure the source key.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Select Material Origin > Select Source
Select Luna DSM.
Click Next. The Select Luna HSM Key screen is displayed.
Select Luna HSM Key
Select the Key Size. The options are 2048, 3072, and 4096.
Select the desired HSM Key from the list.
Click Next. The Configure Destination (Google) Key screen is displayed.
Configure Destination (Google) Key
Select Key Purpose. A key purpose specifies the operation that the key can be used to perform. The options are:
Decrypt: Enables the key for RSA encryption. This option is not applicable to EC algorithms.
Sign: Enables the key for elliptic curve signing and RSA signing.
Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the DSM Key Name you specified on the previous screen is populated.
The key name can only contain alphanumeric characters and dashes.
Select the desired Key Ring. The drop-down list shows the key rings in the project location linked with the configured Google Cloud connection.
(Optional) Select Restrict key versions to import only to specify that the newer versions of the key can only be imported. After key creation, this field will become non-editable. Google native key rotation will not be allowed for them.
(Optional) Configure the duration for which the key can remain in the soft-deleted state before it is destroyed from CCKM. The default duration is 30 days.
Select Soft Delete Wait Time.
Specify Soft Delete Wait Time (Days). The duration can range from 1 to 120 days. For import-only keys, the minimum duration is 0 days.
Note
The duration applies to all versions of the key created in the future.
The soft-delete wait time can't be modified after the key is created.
The soft-deleted key will be removed from CCKM after the number of days specified in Soft Delete Wait Time (Days).
Select the Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:
Software: Crypto operations are performed in software.
HSM: Crypto operations are performed in an HSM.
Select the Algorithm for the key. The options vary based on the key purpose.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Add to Schedule screen is displayed.
Add to Schedule
Select Schedule to Apply. The drop-down list shows the available key rotation schedules.
Select the Key Origin from the available options. The key origin can be:
CipherTrust (Local): The local CipherTrust Manager.
CipherTrust (External): The external CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Native: Native cloud, Google.
Select an Algorithm. For the Native Key Origin, the Algorithm field is unavailable.
Click Next.
The Review and Add Key screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Google Key wizard is closed.
The newly created key is displayed in the list of Google Cloud keys.
Cloning Vormetric DSM Key Material
Clone and upload the DSM key material using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
Select Vormetric DSM.
Click Next. The Select DSM Key screen is displayed.
Select DSM Key
Select an Algorithm. The options are AES and RSA.
Select the Key Size based on the key type:
For an AES key, the option is 256.
For an RSA key, the options are 2048, 3072, and 4096.
Select the desired DSM Key from the list.
Click Next. The Configure Destination (Google) Key screen is displayed.
Configure Destination (Google) Key
Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the DSM Key Name you specified on the previous screen is populated.
The key name can only contain alphanumeric characters and dashes.
(Optional) Provide a basic Description of the key.
Select the desired Key Ring. The drop-down list shows the key rings in the project location linked with the configured Google Cloud connection.
(Optional) Select Restrict key versions to import only to specify that the newer versions of the key can only be imported. After key creation, this field will become non-editable. Google native key rotation will not be allowed for them. That is, the Google Automatic Rotation check box will be disabled for them.
(Optional) Configure the duration for which the key can remain in the soft-deleted state before it is destroyed from CCKM. The default duration is 30 days.
Select Soft Delete Wait Time.
Specify Soft Delete Wait Time (Days). The duration can range from 1 to 120 days. For import-only keys, the minimum duration is 0 days.
Note
The duration applies to all versions of the key created in the future.
The soft-delete wait time can't be modified after the key is created.
The soft-deleted key will be removed from CCKM after the number of days specified in Soft Delete Wait Time (Days).
(Optional) Select Google Automatic Rotation and specify the following:
Select Rotation Period from the drop-down list. This is the time period (in days) after which the key will rotate automatically, after the date specified in Starting on (see below). The options are 30, 90, 180, and 365 days.
To specify a custom frequency, select Custom and specify the rotation frequency in the Rotate key every (days) field that appears. The default value is
1
day.Click the Starting on field, and select the key expiration date and time from the on-screen calendar.
This is the time when the automatic key rotation becomes effective. Next automatic key rotation will happen after the specified Rotation Period.
For example, if you set Rotation Period as 30 days and set Starting on as today, the key will automatically rotate after 30 days from today.
Select a Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:
Software: Crypto operations are performed in software.
HSM: Crypto operations are performed in an HSM.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Add to Schedule screen is displayed.
Add to Schedule
Select Schedule to Apply. The drop-down list shows the available key rotation schedules.
Select the Key Origin from the available options. The key origin can be:
CipherTrust (Local): The local CipherTrust Manager.
CipherTrust (External): The external CipherTrust Manager.
Luna: HSM Luna. Also select a partition from the Select Partition drop-down list.
DSM: Vormetric Data Security Manager. Also select a domain from the Select Domain drop-down list.
Native: Native cloud, Google.
Select an Algorithm. For the Native Key Origin, the Algorithm field is unavailable.
Click Next.
The Review and Add Key screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Google Key wizard is closed.
The newly created key is displayed in the list of Google Cloud keys.
Viewing Google Cloud Keys
The Google Keys page shows the list of Google Cloud keys available on the CipherTrust Manager.
To view the Google Cloud keys:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google. The list of available Google Cloud keys is displayed. The Google Keys page displays the following details:
Field Description Name Unique, user-friendly name of the Google Cloud key. Click the link to view additional details of the key or edit the key. Refer to Viewing or Editing Details of Google Cloud Keys. This name is useful in searching for specific keys. Status State of the Google Cloud key. The status can be:
• Available
• Not Available
• DeletedPurpose Purpose of the Google Cloud key. The purpose can be:
•Encrypt Decrypt
•Asymmetric Sign
•Asymmetric DecryptProtection Protection level of the Google Cloud key. The protection level can be Software or HSM. Algorithm Algorithm of the Google Cloud key. A number of algorithms are supported. Key Ring Name of the Google Cloud key ring where the key resides. Location Location where the Google Cloud key is created. Project Project where the Google Cloud key is created. Organization Organization where the Google Cloud key is created. Creation Date Date and time when the Google Cloud key is created. Next Google Rotation Date and time of the next Google Cloud key rotation.
Sometimes, you might notice certain Google Cloud keys are displayed as grayed out. This happens when the keys are no longer accessible. For example, when:
Any cloud permissions on the keys are changed. The keys are no longer accessible from the Google Cloud connection.
Connection is changed in KMS. The new connection does not have permissions to access the keys.
When Google Cloud locations are changed or removed. The keys from the configured location are no longer accessible.
Refreshing Google Cloud Keys
Refreshing is the process of downloading keys created in Google Cloud key rings to CCKM. You can refresh keys from all Google Cloud key rings at once.
Refreshing All Keys
To refresh all keys:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google. The Google Keys page is displayed. This page displays the list of Google Cloud keys.
Click Refresh All. The This may take a while... message is displayed.
Note
Refresh all keys is a time intensive operation that could take several hours or days to complete. It will continue running in the background.
Click Refresh All to continue.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > Google > Google Keys page.
Refreshing Specific Keys
To refresh a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google. The Google Keys page is displayed. This page displays the list of Google Cloud keys.
Click the overflow icon () corresponding to the desired key.
Click Refresh.
A message Key refreshed successfully.
The refreshed key is listed on the Cloud Keys > Google > Google Keys page.
Viewing Versions of a Key
To view the versions of a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the expand icon () to the left of the desired key. The key version details are displayed:
Field Description Version Version number of the key. State State of the key version. The state can be Aborted, Enabled, Disabled, Destroy Scheduled, or Destroyed. Algorithm Algorithm used for the key version. Origin Source of the key material used for the version. The origin can be:
• CCKM: Key material is created on CCKM.
• Native: Key material is created on the cloud.
• External (Unknown): Source of the key material is unknown. It is different than CCKM and the native cloud.
Refer to Key Creation Methods and Sources for details.Creation Date Date and time when the key version is created. Destroy Date Date and time when the key version is destroyed. Version Resource URL URL of the key version resource on the CipherTrust Manager.
Disabling a Key Version
If required, you can disable an enabled version of a key. An aborted, destroy scheduled, or destroyed key version cannot be disabled.
A disabled version cannot operate on data. After the key version is disabled, there is a delay of up to a few hours during which it can still operate on data. You can again enable the version later. All versions of a key can also be disable at once. Refer to Disabling All Versions of a Key.
To disable a key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the expand icon () to the left of the desired key.
Click the overflow icon () corresponding to the desired version.
Click Disable Version. The Disable Key Version dialog box is displayed.
Click Yes, Disable to confirm the action.
The state of the key version changes to Disabled.
Enabling a Key Version
If required, you can enable a disabled version of a key. An aborted, destroy scheduled, or destroyed key version cannot be enabled.
To enable a key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the expand icon () to the left of the desired key.
Click the overflow icon () corresponding to the desired version.
Click Enable Version. The Enable Key Version dialog box is displayed.
Click Yes, Enable to confirm the action.
The state of the key version changes to Enabled.
Downloading Public Key of an Asymmetric Version
The public key of asymmetric versions of a Google Cloud key can be downloaded.
To download the public key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the expand icon () to the left of the desired key.
Click the overflow icon () corresponding to the desired asymmetric version.
Click Get Public Key.
The public key of (public-key.pem
) the asymmetric key version is downloaded to your machine.
Scheduling Destruction of a Key Version
With CCKM, you can schedule destruction of a Google Cloud key version. The version will be destroyed from GCP after the configured soft-delete wait time. However, you can cancel the schedule destruction before the scheduled destruction time.
Caution
When a key version is destroyed from GCP, the version is immediately disabled. Any data encrypted or signed by the version cannot decrypted or verified. However, the destroyed key can be recovered using the post /v1/cckm/google/keys/{id}/versions/{versionID}/re-import
API. Refer to Re-importing a Google Cloud Key Version for details.
To schedule destruction of a key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the expand icon () to the left of the desired key.
Click the overflow icon () corresponding to the desired version.
Click Schedule Destruction. The Schedule Key Version Destruction dialog box is displayed.
Note
If you confirm scheduled destruction, the version will be destroyed from GCP after the configured soft-delete wait time.
Click Yes, Schedule Destruction to confirm the action.
The state of the key version changes to Destroy Scheduled. After the configured soft-delete wait time, the state will become Destroyed.
Canceling Scheduled Destruction of a Key Version
A scheduled destruction of a key version can be canceled before the destruction time arrives (that is, within the configured soft-delete wait time, after you scheduled destruction).
To cancel the schedule destruction of a key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the expand icon () to the left of the desired key.
Click the overflow icon () corresponding to the desired version with the Destroy Scheduled state.
Click Cancel Destruction. The Cancel Key Version Destruction dialog box is displayed.
Click Yes, Cancel Destruction to confirm the action.
The state of the key version changes to Disabled. The disabled key version can be enabled, if required. Refer to Enabling a Key Version.
Enabling All Versions of a Key
With CCKM, you can enable all disabled versions of a key at once. Aborted, destroy scheduled, or destroyed key versions cannot be enabled.
To enable all disabled versions of a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the overflow icon () corresponding to the desired key.
Click Enable All Key Versions. The Enable All Versions dialog box is displayed.
Click Yes, Enable.
All the key versions disabled earlier are now enabled. The status of the key versions changes to Enabled.
Disabling All Versions of a Key
With CCKM, you can disable all enabled versions of a key at once. Aborted, destroy scheduled, or destroyed key versions cannot be disabled.
A disabled version cannot operate on data. After the key version is disabled, there is a delay of up to a few hours during which it can still operate on data. You can again enable the version later. Individual versions of a key can also be disabled. Refer to Disabling a Key Version.
To disable all enabled versions of a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the overflow icon () corresponding to the desired key.
Click Disable All Key Versions. The Disable All Versions dialog box is displayed.
Click Yes, Disable.
All the key versions enabled earlier are now disabled. The status of the key versions changes to Disabled.
Scheduling Destruction of All Versions of a Key
With CCKM, you can schedule destruction of all versions of key at once. The versions will be destroyed from GCP after the configured soft-delete wait time. However, you can cancel the schedule destruction before the scheduled destruction time.
Caution
When a key version is destroyed from GCP, the version is immediately disabled. Any data encrypted or signed by the version cannot decrypted or verified. However, the destroyed key can be recovered using the post /v1/cckm/google/keys/{id}/versions/{versionID}/re-import
API. Refer to Re-importing a Google Cloud Key Version for details.
To schedule destruction of all versions of a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the overflow icon () corresponding to the desired key.
Click Destroy All Versions. The Schedule Destruction dialog box is displayed.
Click Yes, Schedule Destruction.
All the key versions are scheduled for destruction. The status of the key versions changes to Destroy Scheduled.
Canceling Scheduled Destruction of All Key Versions
A scheduled destruction of all key versions can be canceled before the destruction time arrives (that is, within the configured soft-delete wait time, after you scheduled destruction).
To cancel the schedule destruction of all key versions:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the overflow icon () corresponding to the desired key.
Click Cancel Destruction. The Cancel Key Version Destruction dialog box is displayed.
Click Yes, Cancel Destruction to confirm the action.
The state of all enabled key versions changes to Disabled. The disabled key versions can be enabled, if required. Refer to Enabling All Versions of a Key.
Adding a Key Version
CCKM provides two methods to add a new version to a key. Refer to Key Creation Methods and Sources for details on key creation methods and key sources.
To add a new key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the overflow icon () corresponding to the desired key.
Click Add Version. The Add Version dialog box is displayed.
Select Method. The options are:
Create/Upload New Key Material: Refer to Adding Key Version by Creating/Uploading Key Material.
Clone Existing Key Material: Refer to Adding Key Version by Cloning Existing Key Material.
Adding Key Version by Creating New Key Material
Select Create/Upload New Key Material as the method.
Select Source. The options are:
CipherTrust (Local): Select this option, select the Algorithm, and specify Key Name for the new key version.
Google (Native): Select this option to create a new native Google Cloud key.
Luna HSM: Select this option, select the Algorithm, select the Partition ID, select Key Attributes, and specify Key Name for the new key version.
The key attributes Modifiable, Extractable, and Sensitive are selected for a BYOK Compatible key.
Vormetric DSM: Select this option, select the Algorithm, select the Domain, and specify Key Name for the new key version.
Click Add Version.
A new version is added to the key.
Adding Key Version by Cloning Existing Key Material
Select Clone Existing Key Material as the method.
Select a Source. The options are:
CipherTrust (External)
CipherTrust (Local)
Luna HSM
Vormetric DSM
Select an Algorithm.
Select a Key Size.
Note
Depending on the algorithm of the existing key, the Algorithm and Key Size options for the new key version will vary.
Select a Source Key from the list.
Click Save.
A new version is added to the key.
Viewing or Editing Details of Google Cloud Keys
After a key is created, you can add or update tags and key rotation schedules, and also rotate key versions in the edit view. You can perform various operations on key versions.
In the edit view of a key, you can view all the key details such as its purpose, protection level, and location etc.
To view or edit an Google Cloud key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google. The list of available Google Cloud keys is displayed.
Click the overflow icon () corresponding to the desired key and click View/Edit. Alternatively, you can click the key name link. The edit view of the key is displayed. The edit view is divided into:
LABELS: View, add, and update labels. Refer to Adding or Updating Labels.
ALGORITHM: Update the default algorithm for the new key version. Refer to Updating Default Algorithm for New Key Versions for details.
ROTATION: Update a key rotation schedule. Refer to Updating Key Rotation Schedule for details.
KEY VERSIONS: Perform operations on key versions. Refer to Performing Key Version Operations.
PERMISSIONS: Manage the principles and roles. Refer to Managing Principals and Roles.
Updating Default Algorithm for New Key Versions
To update the default algorithm for the new versions of the asymmetric key:
In the ALGORITHM section, select the desired algorithm from the Select Default Algorithm for New Version drop-down list.
Click Update.
The default algorithm is updated for the new versions of the key.
The key labels are updated.
Adding or Updating Labels
A label is a tag assigned to the key, which consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add or update key labels, in the LABELS section:
Under Label, specify a tag key.
Enter the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Update.
The key labels are updated.
Updating Key Rotation Schedule
To update a key rotation schedule, in the ROTATION section:
Select Rotation Schedule. The drop-down list shows the available key rotation schedules.
Select the Key Origin. The options are CipherTrust (External), CipherTrust (Local), Native (Google), and DSM. Refer to Key Creation Methods and Sources for details on sources.
Select the Algorithm for the key.
(Applicable to the CipherTrust (External) and DSM) Select the desired Domain.
Click Update.
The key rotation schedule is updated.
Performing Key Version Operations
With CCKM, you enable/disable, add or rotate, and schedule destruction of key versions. Also, you can download public key of asymmetric versions of a key.
To perform a operation on a key version, under the Key Versions section:
Click the overflow icon () corresponding to the desired version. A popup menu appears.
Select the desired operation. Depending on the current state, the options can be Disable Version, Enable Version, and Schedule Destruction. An Aborted version cannot be enabled, disabled, or scheduled for destruction.
To download the public key of an asymmetric key version, click Get Public Key. The public key of (
public-key.pem
) the asymmetric key version is downloaded to your machine.Confirm the operation.
Note
To rotate all versions of a key, click Rotate under the Key Versions section.
Managing Principals and Roles
Assigning Principals and Roles
To assign the principles and roles:
Expand PERMISSIONS.
Click Assign Principal/Role. The Assign Principal/Role wizard will open.
In the ADD PRINCIPAL section, select a principal Type from the drop-down list. The available types are User, Service Account, Group, and Domain.
Add Principals. You can add multiple principals separated by a comma.
To add additional principals, click Add More Principals.
In the SELECT ROLES section, select a Role from the drop-down list.
Click Set Conditions. The Add Conditions wizard is displayed.
Enter Title.
(Optional) Enter Description.
(Optional) Enter Condition. You can enter the condition in Basic View or Raw View.
Click the desired tab to view the instructions.
Note
Ensure the correctness of the logical expressions (conditions) you add. Neither CCKM nor GCP checks for the logical validity of the added conditions.
Provide input in valid formats. CCKM performs input data validation similar to GCP.
Select a Condition Type.
Select an Operator.
Select a Detail from the drop-down list, for the selected Condition Type. It can be Resource Type, Resource Service, Value, etc.
To add additional conditions, click Add Condition.
You can also add Group Condition, click Add Group Condition. Group condition contains details of more than one Condition.
Note
If you add multiple conditions and group conditions, you need to provide the relation between the conditions and relation between the conditions within the group condition. The relation can be AND or OR.
You can also add conditions within the conditions and group conditions and group conditions within the conditions and group conditions.
Enter the details in the text area.
Click Save.
To add additional roles, click Add More Roles.
Click Save.
If the added principals already exist, the principal/role will be assigned and you will see a success message.
Editing Roles
To edit the roles:
Expand PERMISSIONS.
Expand the desired Role.
Under the expanded role, click the overflow icon () corresponding to the desired principal.
Click Edit. The Edit Roles wizard is displayed.
Update the existing Role.
Click Set Conditions. The Add Conditions wizard is displayed.
Enter Title.
(Optional) Enter Description.
(Optional) Enter Condition. You can enter the condition in Basic View or Raw View.
Click the desired tab to view the instructions.
Note
Ensure the correctness of the logical expressions (conditions) you add. Neither CCKM nor GCP checks for the logical validity of the added conditions.
Provide input in valid formats. CCKM performs input data validation similar to GCP.
Select a Condition Type.
Select an Operator.
Select a Detail from the drop-down list, for the selected Condition Type. It can be Resource Type, Resource Service, Value, etc.
To add additional conditions, click Add Condition.
You can also add Group Condition, click Add Group Condition. Group condition contains details of more than one Condition.
Note
If you add multiple conditions and group conditions, you need to provide the relation between the conditions and relation between the conditions within the group condition. The relation can be AND or OR.
You can also add conditions within the conditions and group conditions and group conditions within the conditions and group conditions.
Enter the details in the text area.
Click Save.
To add additional roles, click Add More Roles.
Click Update.
Removing Principals
To remove the principals:
Expand PERMISSIONS.
Expand the desired Role.
Under the expanded role, click the overflow icon () corresponding to the desired principal.
Click Remove. The Remove Principal dialog box is displayed.
Click Remove.
On successful deletion, a Google key updated successfully message is displayed on the screen.
Note
After all the principals are removed from a role, the role will be deleted automatically.
Re-Importing a Google Cloud Key Version
To re-import a key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the expand icon () to the left of the desired key.
Click the overflow icon () corresponding to the desired version.
Click Re-lmport. The Re-lmport Key wizard is displayed.
Note
If you want to re-import the key version, ensure that the state of the version is Import Failed or Destroyed and the re-import eligibility is True. Also, even if these conditions are met, you cannot re-import all the key versions.
Under Select Method, select the desired method to re-import the key, the options are Create/Upload New Key Material and Clone Existing Key Material.
Click the desired tab to view the instructions.
Select the Source. The options are CipherTrust (Local), Vormetric DSM, and Luna HSM.
Note
For some key materials, the source might already be selected.
Click Next. The Configure Source Key tab is displayed.
CipherTrust (Local) as a source
Select the Key Type. You can select Symmetric or Asymmetric.
Enter the Key Name.
(Applicable to Asymmetric key type) Select the Algorithm. You can select RSA or EC.
Vormetric DSM as a source
Select the Encryption Type. You can select Symmetric or Asymmetric.
Enter the DSM Key Name.
(Optional) Enter the Description.
Select a DSM Domain from the list drop-down list.
- (Applicable to Asymmetric Encryption type) Select an Algorithm. You can select RSA-2048, RSA-3072, or RSA-4096.
Luna HSM as a source
Enter Luna HSM Key Label.
Select Partition ID.
Select Mechanism.
Select Key Size. The options are 2048, 3072, and 4096.
Select the Key Attributes.
Select the Source. The options are CipherTrust (Local), Vormetric DSM, and Luna HSM.
Note
For some key materials, the source might already be selected.
Click Next. The Configure Source Key tab is displayed.
Note
By default, the selected Algorithm and Key Size are AES and 256, respectively.
- Select a Key from the list.
Click Re-Import.