Managing Google EKM Endpoints

Users in the 'CCKM Admins' group can create and manage an endpoint in CCKM for Google Cloud EKM service to access a Key Encryption Key (KEK) using CCKM's GUI, CLI and REST API. After meeting some prerequisites to allow Google Cloud External Key Manager (EKM) Service to access CipherTrust Cloud Key Manager (CCKM).

After you have created an endpoint, you can:

• Edit the default policies

• Rotate the KEK

• Change the base hostname

• Enable or disable the wrapping and unwrapping operation. This allows you to avoid deleting the endpoint, and temporarily suspend Google Cloud EKM's ability to use the KEK.

• Delete the endpoint

• View activity for a wrap or unwrap endpoint. Google Cloud Key Management Service (KMS) consumes these endpoints.

Prerequisites

To allow a connection between CipherTrust Manager and Google Cloud External Key Manager Service, some network and security configuration must be in place in both entities.

Google Cloud Platform Prerequisites

• A Google Cloud Project must exist for the CCKM EKM integration's use. You can create a new project or choose an existing project in your Google Cloud account. You need to provide either a project ID or the private key file associated with the service account to add a Google project to CipherTrust Manager. The project ID is the simplest path to add the Google project just for EKM usage. The private key file is required if you want add a Google Cloud connection to CipherTrust Manager, which is optional for EKM.

  One Google project consumes one CCKM license cloud unit when the project is added to CCKM. When Google EKM service makes wrap and unwrap requests to CCKM, CCKM checks that the project ID in the request matches one of the project IDs registered with the appliance.

• The default policy for endpoints requires Key Access Justifications (KAJ) to perform wrap and unwrap operations. If you wish to use the default policies for wrap and unwrap operations and to require KAJ, you need to configure KAJ on Google Cloud. Alternatively, you can edit the policies to disable KAJ.

CipherTrust Manager Prerequisites

• The CipherTrust Manager must have a public IP address with the 443 HTTPS port open. See Network Interface Configuration for details.

• The CipherTrust Manager must be reachable through a Fully Qualified Domain Name (FQDN). Use the format ciphertrust.<your_domain>.com, for example ciphertrust.mycompany.com. Google Cloud recognizes the ciphertrust prefix and allows traffic to that domain.

• The web interface must have a TLS certificate signed by an external Certificate Authority (CA) trusted by Google Cloud Platform. Google Cloud trusts certificates issued by well-known public CAs such as Verisign. Alternatively, you can create a certificate chain with Google's Certificate Authority Service and upload the chain to CipherTrust Manager.

Create an endpoint

Below, we provide steps to create a Google endpoint in the CCKM GUI and to make the endpoint available to Google Cloud EKM.

1. Add the Google Cloud Project to CCKM. This action consumes one CCKM license cloud unit.

   Note

   These steps demonstrate the simplest configuration to add a Google Project ID to CCKM just for EKM endpoints, without using an active connection to Google Cloud. If you want to monitor and manage a Google Cloud account connection and associated resources on CipherTrust Manager, you can also add a Google Cloud connection on CipherTrust Manager, and then use the connection to retrieve project IDs.

   1. On Google Cloud, create a new project or choose an existing one.

   2. Copy the project ID.

   3. In CipherTrust Manager, open the Cloud Key Manager application.

   4. Navigate to Containers > Google and open the Projects tab.

   5. Click Add Existing Project

   6. In the popup window, under Select Method, switch to Manually Enter Project ID.

   7. Paste in the project ID and click Add Project.

2. Create the EKM endpoint in the CCKM GUI.

   You can also create the endpoint with the REST API or CLI to to associate meta information with the endpoint. Use the /v1/cckm/ekm/endpoints endpoint in the REST API, or ksctl cckm ekm endpoints create --ekm-endpoint-create-jsonfile <meta_information_filename> in the CLI.

   1. Login as a user in the 'CCKM Admins' group.

   2. Navigate to Cloud Key Manager > Services > Google Cloud EKM Endpoints.

   3. Click Create Endpoint

   4. Provide a Name and a Key URI Hostname for your endpoint. The Key URI Hostname should be the FQDN of the CipherTrust Manager instance.

      An AES-256 Key Encryption Key (KEK) is created, with a unique URI, that acts as the Google EKM endpoint key. The hostname is applied to the URI, to create a path that Google Cloud can access.

      Caution

      Do not edit this KEK through the general CipherTrust Manager key management functions. Do not modify the KEK through the Keys menu in the GUI, ksctl keys commands in the CLI, or the /v1/vault/keys2 endpoint in the REST API. This can result in the KEK becoming unavailable to the Google Cloud EKM service unexpectedly.

3. Edit the endpoint policies, if desired. By default, the endpoint allows all clients and all supported justification reasons.

   If you do not intend to use GCP's Key Access Justifications feature, we recommend removing or commenting out the input.justificationReason line.

4. Enable Key Access Justifications in your Google Account, if you require this feature, and you have not already.

5. On Google Cloud, create a Cloud EKM key, matching the URI for the KEK. Provide the full URI, including hostname. For the location, choose the region geographically closest to where the CipherTrust Manager instance is deployed.

6. Consult documentation for your desired Google CMEK service integrated with Cloud EKM to grant permissions for the CMEK service to use the KEK in Cloud KMS. Consult this documentation as well for particular encryption and decryption scenarios for the CMEK service.

   For example:

   • Protecting BigQuery data with Cloud KMS keys

   • Protecting Compute Engine resources with Cloud KMS keys

     Note

     Only CMEK services integrated with EKM are supported with CCKM EKM endpoints. These are "Hold Your Own Key" (HYOK) integrations, where you manage and control the base KEK inside of CCKM. Google Cloud has additional CMEK services that do not follow the HYOK model and do not integrate with EKM. Consult Google Cloud EKM documentation for a list of supported CMEK services.

Rotate the Key Encryption Key

After you have created the endpoint, you can create a new version of the KEK which will be applied to future wrap operations. This can be done even if the endpoint is disabled. Rotating the KEK regularly is a security best practice.

You can also post to the /v1/cckm/ekm/endpoints/{id}/rotateREST API endpoint, as described in the API Guide, or use ksctl cckm ekm endpoints rotate --id <endpoint_id> in the CLI.

In the GUI:

1. Login to the CipherTrust Manager products page as a user in the 'CCKM Admins' group.

2. Navigate to Cloud Key Manager>Services>Google Cloud EKM

3. Find the endpoint in the list, and click the overflow icon (...) at the far right for options.

   

4. Click View/Edit

5. Select Rotate.

Change the base hostname

You can also patch the /v1/cckm/ekm/endpoints/{id}REST API endpoint, as described in the API Guide, or use ksctl cckm ekm endpoints update --id <endpoint-id> --hostName <new-base-url-hostname> in the CLI.

In the GUI:

1. Login to the CipherTrust Manager products page as a user in the 'CCKM Admins' group.

2. Navigate to Cloud Key Manager>Services>Google Cloud EKM

3. Find the endpoint in the list, and click the overflow icon (...) at the far right for options.

   

4. Click View/Edit

5. In the Edit Endpoint window, enter a new Key URI hostname and click Save.

Enable or Disable Key Wrapping

You can post to the /v1/cckm/ekm/endpoints/{id}/enable and /v1/cckm/ekm/endpoints/{id}/disable REST API endpoints, as described in the API Guide. In the CLI, you can use ksctl cckm ekm endpoints enable --id <endpoint-id> and ksctl cckm ekm endpoints disable --id <endpoint-id>. This is a way to temporarily remove and restore client access to an endpoint without permanently deleting the endpoint and its KEK.

In the GUI:

1. Login to the CipherTrust Manager products page as a user in the 'CCKM Admins' group.

2. Navigate to Cloud Key Manager>Services>Google Cloud EKM

3. Find the endpoint in the list, and click the overflow icon(...) at the far right for options.

   

4. Click Enable or Disable.

Delete the Endpoint

You can delete the /v1/cckm/ekm/endpoints/{id}/REST API endpoint, as described in the API Guide. In the CLI, you can use ksctl cckm ekm endpoints delete --id <endpoint-id>. This permanently deletes the KEK.

In the GUI:

1. Login to the CipherTrust Manager products page as a user in the 'CCKM Admins' group.

2. Navigate to Cloud Key Manager>Services>Google Cloud EKM

3. Find the endpoint in the list, and click the overflow icon(...) at the far right for options.

   

4. Click Delete.

View Activity for a Wrap or Unwrap Endpoint

Google Cloud KMS calls these endpoints to perform a wrap or unwrap operation on a base64 blob, and therefore protect some data on behalf of a CMEK service integrated with Cloud EKM such as BigQuery or Compute Engine.

This functionality is available with the /v1/cckm/ekm/endpoints/{id}:wrap and /v1/cckm/ekm/endpoints/{id}:unwrap REST API endpoints, as described in the REST API endpoint.

Google Cloud KMS can find and make calls to these endpoints without user intervention, if Google Cloud KMS has correctly configured the Cloud EKM key, and the CMEK service is correctly configured to access the key on Google Cloud KMS. This configuration happens as part of creating a new endpoint.

Requests to these endpoints generate a record under Records> Server Records in the GUI, and the /v1/audit/records endpoint in the API. These records can be helpful to monitor EKM activity or troubleshoot EKM problems.