Google Cloud Keys
This section describes how to manage Google Cloud keys on CCKM. Before proceeding, you must have a Google Cloud key ring added to the CCKM. Refer to Google Cloud Key Rings for details.
Key Types
CCKM supports two types of Google Cloud keys:
Symmetric: A randomly generated key is used to encrypt and decrypt the data.
Asymmetric: A public and private RSA key pair is used to encrypt and decrypt the data. The public key encrypts while the private key decrypts the data.
Key Creation Methods and Sources
Methods to create Google Cloud keys using CCKM are:
Creating/Uploading New Key Material: Add key material by creating and uploading new source key or creating new native key. The key sources can be:
CipherTrust (Local): A new key is first created on the CipherTrust Manager. Then, this key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is
CCKM
.Google (Native): A new key is directly created on Google Cloud using the native Google application. The key origin is
NATIVE
.Luna HSM: A new Luna HSM key is first created on the CipherTrust Manager. Then, this key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is
CCKM
.Vormetric DSM: A new DSM key is first created on the CipherTrust Manager. Then, this key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is
CCKM
.
Cloning Existing Key Material: Clone key material from an existing key to create a new key. The key sources can be:
CipherTrust (Local): An existing local CipherTrust Manager key is first cloned on the CipherTrust Manager. Then, the cloned key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is
CCKM
.Luna HSM: An existing Luna HSM key is first cloned on the CipherTrust Manager. Then, the key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is
CCKM
.Vormetric DSM: An existing DSM key is first cloned on the CipherTrust Manager. Then, the key material is uploaded to Google Cloud to create a new Google Cloud key. As the key material is uploaded from the CipherTrust Manager, the key origin is
CCKM
.
Creating/Uploading New Key Material
To add a Google Cloud key by creating/uploading new key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click Add Key. The Select Material Origin screen of the Add Google Key wizard is displayed.
Under Select Method, select Create/Upload New Key Material. The Select Source section appears. Depending on your requirements, select from the following sources:
CipherTrust (Local): Refer to Uploading CipherTrust (Local) Key Material for details.
Google (Native): Refer to Creating Google (Native) Key Material for details.
Luna HSM: Refer to Uploading Luna HSM Key Material for details.
Vormetric DSM: Refer to Uploading Vormetric DSM Key Material for details.
Refer to Key Creation Methods and Sources for details on key sources.
Uploading CipherTrust (Local) Key Material
Upload the local key material using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
Select CipherTrust (Local).
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Select Key Type. The options are Symmetric and Asymmetric.
Symmetric: Creates and uploads a symmetric key.
Asymmetric: Creates and uploads an asymmetric key. Additional fields Algorithm and Key Size are displayed.
Enter a Key Name. A new key with this name will be created on the CipherTrust Manager and its key material will be uploaded to Google Cloud.
(Applicable to Asymmetric keys) Select the Algorithm. The options are RSA and EC.
(Applicable to Asymmetric keys) Select the Key Size / Key Curve based on the algorithm:
For the RSA algorithm, select the Key Size. The options are 2048, 3072, and 4096.
For the EC algorithm, select the Key Curve. The options are prime256v1, secp384r1, and secp265k1.
Click Next.
Configure Destination (Google) Key
(Applicable to Asymmetric keys) Select the Key Purpose. A key purpose specifies the operation that the key can be used to perform. Depending on the key algorithm selected on the previous screen, the options are:
Decrypt: Enables the key for RSA encryption. This option is not applicable to EC algorithms.
Sign: Enables the key for elliptic curve signing and RSA signing.
Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the Key Name you specified on the previous screen is populated.
The key name can only contain alphanumeric characters and dashes.
Select the desired Key Ring from the drop-down list.
(Optional, applicable to Symmetric keys) Select Google Automatic Rotation and specify the following:
Select Rotation Period from the drop-down list. This is the time period (in days) after which the key will rotate automatically, after the date specified in Starting on (see below). The options are 30, 90, 180, and 365 days.
To specify a custom frequency, select Custom and specify the rotation frequency in the Rotate key every (days) field that appears. The default value is
1
day.Click the Starting on field, and select the key expiration date and time from the on-screen calendar.
This is the time when the automatic key rotation becomes effective. Next automatic key rotation will happen after the specified Rotation Period.
For example, if you set Rotation Period as 30 days and set Starting on as today, the key will automatically rotate after 30 days from today.
Select a Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:
Software: Crypto operations are performed in software.
HSM: Crypto operations are performed in an HSM.
(Applicable to Asymmetric keys) Select an Algorithm for the key. The options vary based on the Algorithm, Key Size / Key Curve (selected on the Configure Source Key screen), and key purpose.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add Google Key wizard is closed.
The newly created key is displayed in the list of Google Cloud keys.
Creating Google (Native) Key Material
Create the key material directly using native Google application.
Select Material Origin > Select Source
Select Google (Native).
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Select Key Type. The options are:
Symmetric: Creates a symmetric key. Additional field Google Automatic Rotation is displayed.
Asymmetric: Creates an asymmetric key. Additional fields Select Key Purpose and Algorithm are displayed.
(Applicable to Asymmetric keys) Select Key Purpose. A key purpose specifies the operation that the key can be used to perform. The options are:
Decrypt: Enables the key for RSA encryption.
Sign: Enables the key for elliptic curve signing and RSA signing.
Enter the Key Name. This name helps uniquely identify a key.
Select the desired Key Ring from the drop-down list.
(Optional, applicable to Symmetric keys) Select Google Automatic Rotation and specify the following:
Select Rotation Period from the drop-down list. This is the time period (in days) after which the key will rotate automatically, after the date specified in Starting on (see below). The options are 30, 90, 180, and 365 days.
To specify a custom frequency, select Custom and specify the rotation frequency in the Rotate key every (days) field that appears. The default value is
1
day.Click the Starting on field, and select the key expiration date and time from the on-screen calendar.
This is the time when the automatic key rotation becomes effective. Next automatic key rotation will happen after the specified Rotation Period.
For example, if you set Rotation Period as 30 days and set Starting on as today, the key will automatically rotate after 30 days from today.
Select a Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:
Software: Crypto operations are performed in software.
HSM: Crypto operations are performed in an HSM.
(Applicable to Asymmetric keys) Select an Algorithm for the key. The options vary based on the selected key purpose.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN and NATIVE KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the NATIVE KEY section and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the NATIVE KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Google Key wizard is closed.
The newly created key is displayed in the list of Google Cloud keys. The origin of the key is NATIVE
.
Uploading Luna HSM Key Material
Upload the key material using Luna HSM to configure the source key.
Select Material Origin > Select Source
Select Luna HSM.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Enter a Luna HSM Key Label. A new key with this name will be created on the Luna HSM and its key material will be uploaded to Google Cloud.
Select the Partition ID of the desired Luna HSM partition.
Select the key Mechanism. The supported key mechanisms are:
CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN
CKM_RSA_X9_31_KEY_PAIR_GEN
CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN
CKM_RSA_PKCS_KEY_PAIR_GEN
Select the Key Size from the available options. The supported sizes are 2048, 3072, and 4096.
Select the Key Attributes. The options are:
Modifiable, Extractable, Sensitive (all three are selected for a BYOK Compatible key)
Encrypt, Decrypt, Wrap, Unwrap
Sign, Verify, Derive
Click Next.
Configure Destination (Google) Key
Select Key Purpose. A key purpose specifies the operation that the key can be used to perform. The options are:
Decrypt: Enables the key for RSA encryption. This option is not applicable to EC algorithms.
Sign: Enables the key for elliptic curve signing and RSA signing.
Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the Luna HSM Key Label you specified on the previous screen is populated.
The key name can only contain alphanumeric characters and dashes.
Select the desired Key Ring from the drop-down list.
Select the Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:
Software: Crypto operations are performed in software.
HSM: Crypto operations are performed in an HSM.
Select an Algorithm for the key. The options vary based on the key size and the purpose.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add Google Key wizard is closed.
The newly created key is displayed in the list of Google Cloud keys.
Uploading Vormetric DSM Key Material
Upload the key material using Vormetric DSM to configure the source key.
Select Material Origin > Select Source
Select Vormetric DSM.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Select Encryption Type. The options are Symmetric and Asymmetric.
Symmetric: Creates and uploads a symmetric key.
Asymmetric: Creates and uploads an asymmetric key. Additional fields Algorithm and Key Size are displayed.
Enter a DSM Key Name. A new key with this name will be created on the DSM and its key material will be uploaded to Google Cloud.
(Optional) Provide a Description for the key.
Select a DSM Domain for the key. The drop-down list shows the DSM domains linked with the configured DSM connection.
(Optional) Select the Expiration Date check box, select the key expiration date and time from the on-screen calendar.
(Applicable to Asymmetric keys) Select an Algorithm for the key. The options are RSA-2048, RSA-3072, and RSA-4096.
Click Next.
Configure Destination (Google) Key
(Applicable to Asymmetric keys) Select Key Purpose. A key purpose specifies the operation that the key can be used to perform. The options are:
Decrypt: Enables the key for RSA encryption. This option is not applicable to EC algorithms.
Sign: Enables the key for elliptic curve signing and RSA signing.
Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the DSM Key Name you specified on the previous screen is populated.
The key name can only contain alphanumeric characters and dashes.
Select the desired Key Ring from the drop-down list.
(Optional, applicable to Symmetric keys) Select Google Automatic Rotation and specify the following:
Select Rotation Period from the drop-down list. This is the time period (in days) after which the key will rotate automatically, after the date specified in Starting on (see below). The options are 30, 90, 180, and 365 days.
To specify a custom frequency, select Custom and specify the rotation frequency in the Rotate key every (days) field that appears. The default value is
1
day.Click the Starting on field, and select the key expiration date and time from the on-screen calendar.
This is the time when the automatic key rotation becomes effective. Next automatic key rotation will happen after the specified Rotation Period.
For example, if you set Rotation Period as 30 days and set Starting on as today, the key will automatically rotate after 30 days from today.
Select a Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:
Software: Crypto operations are performed in software.
HSM: Crypto operations are performed in an HSM.
(Applicable to Asymmetric keys) Select an Algorithm for the key. The options vary based on the key purpose.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY and DESTINATION KEY sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add Google Key wizard is closed.
The newly created key is displayed in the list of Google Cloud keys.
Cloning Existing Key Material
To add a new Google Cloud key by cloning key material existing on the CipherTrust Manager, Luna HSM, or the DSM:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click Add Key. The Select Material Origin screen of the Add Google Key wizard is displayed.
Under Select Method, select Clone Existing Key Material. The Select Source section appears. Depending on your requirements, select from the following sources:
CipherTrust (Local): Refer to Cloning CipherTrust (Local) Key Material for details.
Luna HSM: Refer to Cloning Luna HSM Key Material for details.
Vormetric DSM: Refer to Cloning Vormetric DSM Key Material for details.
Refer to Key Creation Methods and Sources for details on these key sources.
Cloning CipherTrust (Local) Key Material
Clone and upload the local key material using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
Select CipherTrust (Local).
Click Next. The Select CipherTrust Key screen is displayed.
Select CipherTrust Key
Select the desired key from the CipherTrust Key Name drop-down list. This field shows the available local CipherTrust Manager keys.
Click Next. The Configure Destination (Google) Key screen is displayed.
Configure Destination (Google) Key
Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the CipherTrust Key Name you specified on the previous screen is populated.
The key name can only contain alphanumeric characters and dashes.
Select the desired Key Ring. The drop-down list shows the key rings in the project location linked with the configured Google Cloud connection.
(Optional) Select Google Automatic Rotation and specify the following:
Select Rotation Period from the drop-down list. This is the time period (in days) after which the key will rotate automatically, after the date specified in Starting on (see below). The options are 30, 90, 180, and 365 days.
To specify a custom frequency, select Custom and specify the rotation frequency in the Rotate key every (days) field that appears. The default value is
1
day.Click the Starting on field, and select the key expiration date and time from the on-screen calendar.
This is the time when the automatic key rotation becomes effective. Next automatic key rotation will happen after the specified Rotation Period.
For example, if you set Rotation Period as 30 days and set Starting on as today, the key will automatically rotate after 30 days from today.
Select a Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:
Software: Crypto operations are performed in software.
HSM: Crypto operations are performed in an HSM.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Google Key wizard is closed.
The newly created key is displayed in the list of Google Cloud keys.
Cloning Luna HSM Key Material
Clone and upload the Luna HSM key material using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
Select Luna DSM.
Click Next. The Select Luna HSM Key screen is displayed.
Select Luna HSM Key
Select the desired key from the HSM Key Name drop-down list. This field displays the available Luna HSM keys.
Click Next. The Configure Destination (Google) Key screen is displayed.
Configure Destination (Google) Key
Select Key Purpose. A key purpose specifies the operation that the key can be used to perform. The options are:
Decrypt: Enables the key for RSA encryption. This option is not applicable to EC algorithms.
Sign: Enables the key for elliptic curve signing and RSA signing.
Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the DSM Key Name you specified on the previous screen is populated.
The key name can only contain alphanumeric characters and dashes.
Select the desired Key Ring. The drop-down list shows the key rings in the project location linked with the configured Google Cloud connection.
Select the Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:
Software: Crypto operations are performed in software.
HSM: Crypto operations are performed in an HSM.
Select the Algorithm for the key. The options vary based on the key purpose.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into SOURCE KEY and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Google Key wizard is closed.
The newly created key is displayed in the list of Google Cloud keys.
Cloning Vormetric DSM Key Material
Clone and upload the DSM key material using the CipherTrust Manager to configure the source key.
Select Material Origin > Select Source
Select Vormetric DSM.
Click Next. The Select DSM Key screen is displayed.
Select DSM Key
Select the desired key from the DSM Key Name drop-down list. This field displays the available DSM keys.
Click Next. The Configure Destination (Google) Key screen is displayed.
Configure Destination (Google) Key
Enter a user-friendly alias as the Key Name. This will be the key name on Google Cloud. This name helps uniquely identify a Google Cloud key. By default, the DSM Key Name you specified on the previous screen is populated.
The key name can only contain alphanumeric characters and dashes.
(Optional) Provide a basic Description of the key.
Select the desired Key Ring. The drop-down list shows the key rings in the project location linked with the configured Google Cloud connection.
(Optional) Select Google Automatic Rotation and specify the following:
Select Rotation Period from the drop-down list. This is the time period (in days) after which the key will rotate automatically, after the date specified in Starting on (see below). The options are 30, 90, 180, and 365 days.
To specify a custom frequency, select Custom and specify the rotation frequency in the Rotate key every (days) field that appears. The default value is
1
day.Click the Starting on field, and select the key expiration date and time from the on-screen calendar.
This is the time when the automatic key rotation becomes effective. Next automatic key rotation will happen after the specified Rotation Period.
For example, if you set Rotation Period as 30 days and set Starting on as today, the key will automatically rotate after 30 days from today.
Select a Protection Level for the key. A protection level specifies how cryptographic operations are performed. The options are:
Software: Crypto operations are performed in software.
HSM: Crypto operations are performed in an HSM.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add a tag:
Specify a tag name.
Specify the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, and DESTINATION KEY sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Google Key wizard is closed.
The newly created key is displayed in the list of Google Cloud keys.
Viewing Google Cloud Keys
The Google Keys page shows the list of Google Cloud keys available on the CipherTrust Manager.
To view the Google Cloud keys:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google. The list of available Google Cloud keys is displayed. The Google Keys page displays the following details:
Field Description Name Unique, user-friendly name of the Google Cloud key. Click the link to view additional details of the key or edit the key. Refer to Viewing or Editing Details of Google Cloud Keys. This name is useful in searching for specific keys. Status State of the Google Cloud key. The status can be:
• Available
• Not Available
• DeletedPurpose Purpose of the Google Cloud key. The purpose can be:
•Encrypt Decrypt
•Asymmetric Sign
•Asymmetric DecryptProtection Protection level of the Google Cloud key. The protection level can be Software or HSM. Algorithm Algorithm of the Google Cloud key. A number of algorithms are supported. Key Ring Name of the Google Cloud key ring where the key resides. Location Location where the Google Cloud key is created. Project Project where the Google Cloud key is created. Organization Organization where the Google Cloud key is created. Creation Date Date and time when the Google Cloud key is created. Next Google Rotation Date and time of the next Google Cloud key rotation.
Sometimes, you might notice certain Google Cloud keys are displayed as grayed out. This happens when the keys are no longer accessible. For example, when:
Any cloud permissions on the keys are changed. The keys are no longer accessible from the Google Cloud connection.
Connection is changed in KMS. The new connection does not have permissions to access the keys.
When Google Cloud locations are changed or removed. The keys from the configured location are no longer accessible.
Refreshing Google Cloud Keys
Refreshing is the process of downloading keys created in Google Cloud key rings to CCKM. You can refresh keys from all Google Cloud key rings at once.
To refresh keys:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google. The Google Keys page is displayed. This page displays the list of Google Cloud keys.
Click Refresh All. The This may take a while... message is displayed.
Note
Refresh all keys is a time intensive operation that could take several hours or days to complete. It will continue running in the background.
Click Refresh All to continue.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > Google > Google Keys page.
Viewing Versions of a Key
To view the versions of a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the expand icon to the left of the desired key. The key version details are displayed:
Field Description Version Version number of the key. State State of the key version. The state can be Aborted, Enabled, Disabled, Destroy Scheduled, or Destroyed. Algorithm Algorithm used for the key version. Origin Source of the key material used for the version. The origin can be:
• CCKM: Key material is created on CCKM.
• Native: Key material is created on the cloud.
• External (Unknown): Source of the key material is unknown. It is different than CCKM and the native cloud.
Refer to Key Creation Methods and Sources for details.Creation Date Date and time when the key version is created. Version Resource URL URL of the key version resource on the CipherTrust Manager.
Disabling a Key Version
If required, you can disable an enabled version of a key. An aborted, destroy scheduled, or destroyed key version cannot be disabled.
A disabled version cannot operate on data. After the key version is disabled, there is a delay of up to a few hours during which it can still operate on data. You can again enable the version later. All versions of a key can also be disable at once. Refer to Disabling All Versions of a Key.
To disable a key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the expand icon () to the left of the desired key.
Click the overflow icon () corresponding to the desired version.
Click Disable Version. The Disable Key Version dialog box is displayed.
Click Yes, Disable to confirm the action.
The state of the key version changes to Disabled.
Enabling a Key Version
If required, you can enable a disabled version of a key. An aborted, destroy scheduled, or destroyed key version cannot be enabled.
To enable a key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the expand icon () to the left of the desired key.
Click the overflow icon () corresponding to the desired version.
Click Enable Version. The Enable Key Version dialog box is displayed.
Click Yes, Enable to confirm the action.
The state of the key version changes to Enabled.
Downloading Public Key of an Asymmetric Version
The public key of asymmetric versions of a Google Cloud key can be downloaded.
To download the public key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the expand icon () to the left of the desired key.
Click the overflow icon () corresponding to the desired asymmetric version.
Click Get Public Key.
The public key of (public-key.pem
) the asymmetric key version is downloaded to your machine.
Scheduling Destruction of a Key Version
With CCKM, you can schedule destruction of a Google Cloud key version. The version will be destroyed 24 hours after you schedule the destruction. However, you can cancel the schedule destruction before the scheduled destruction time.
Caution
When a key version is destroyed, the version is immediately disabled, and cannot be recovered. Any data encrypted or signed by the version cannot decrypted or verified.
To schedule destruction of a key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the expand icon () to the left of the desired key.
Click the overflow icon () corresponding to the desired version.
Click Schedule Destruction. The Schedule Key Version Destruction dialog box is displayed.
Note
If you confirm scheduled destruction, the version will be destroyed after 24 hours and cannot be recovered.
Click Yes, Schedule Destruction to confirm the action.
The state of the key version changes to Destroy Scheduled. After 24 hours, the state will become Destroyed.
Canceling Scheduled Destruction of a Key Version
A scheduled destruction of a key version can be canceled before the destruction time arrives (that is, within 24 hours after you scheduled destruction).
To cancel the schedule destruction of a key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the expand icon () to the left of the desired key.
Click the overflow icon () corresponding to the desired version with the Destroy Scheduled state.
Click Cancel Destruction. The Cancel Key Version Destruction dialog box is displayed.
Click Yes, Cancel Destruction to confirm the action.
The state of the key version changes to Disabled. The disabled key version can be enabled, if required. Refer to Enabling a Key Version.
Enabling All Versions of a Key
With CCKM, you can enable all disabled versions of a key at once. Aborted, destroy scheduled, or destroyed key versions cannot be enabled.
To enable all disabled versions of a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the overflow () icon corresponding to the desired key.
Click Enable All Key Versions. The Enable All Versions dialog box is displayed.
Click Yes, Enable.
All the key versions disabled earlier are now enabled. The status of the key versions changes to Enabled.
Disabling All Versions of a Key
With CCKM, you can disable all enabled versions of a key at once. Aborted, destroy scheduled, or destroyed key versions cannot be disabled.
A disabled version cannot operate on data. After the key version is disabled, there is a delay of up to a few hours during which it can still operate on data. You can again enable the version later. Individual versions of a key can also be disabled. Refer to Disabling a Key Version.
To disable all enabled versions of a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the overflow () icon corresponding to the desired key.
Click Disable All Key Versions. The Disable All Versions dialog box is displayed.
Click Yes, Disable.
All the key versions enabled earlier are now disabled. The status of the key versions changes to Disabled.
Scheduling Destruction of All Versions of a Key
With CCKM, you can schedule destruction of all versions of key at once. The versions will be destroyed 24 hours after you schedule the destruction. However, you can cancel the schedule destruction before the scheduled destruction time.
Caution
When a key version is destroyed, the version is immediately disabled, and cannot be recovered. Any data encrypted or signed by the version cannot decrypted or verified.
To schedule destruction of all versions of a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the overflow () icon corresponding to the desired key.
Click Destroy All Versions. The Schedule Destruction dialog box is displayed.
Click Yes, Schedule Destruction.
All the key versions are scheduled for destruction. The status of the key versions changes to Destroy Scheduled.
Canceling Scheduled Destruction of All Key Versions
A scheduled destruction of all key versions can be canceled before the destruction time arrives (that is, within 24 hours after you scheduled destruction).
To cancel the schedule destruction of all key versions:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the overflow icon () corresponding to the desired key.
Click Cancel Destruction. The Cancel Key Version Destruction dialog box is displayed.
Click Yes, Cancel Destruction to confirm the action.
The state of all enabled key versions changes to Disabled. The disabled key versions can be enabled, if required. Refer to Enabling All Versions of a Key.
Adding a Key Version
CCKM provides two methods to add a new version to a key. Refer to Key Creation Methods and Sources for details on key creation methods and key sources.
To add a new key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google.
Click the overflow icon () corresponding to the desired version.
Click Add Version. The Add Version dialog box is displayed.
Select Method. The options are:
Create/Upload New Key Material: Refer to Adding Key Version by Creating/Uploading Key Material.
Clone Existing Key Material: Refer to Adding Key Version by Creating/Uploading Key Material.
Adding Key Version by Creating New Key Material
Select Create/Upload New Key Material as the method.
Select Source. The options are:
CipherTrust (Local): Select this option, select the Algorithm, and specify Key Name for the new key version.
Google (Native): Select this option to create a new native Google Cloud key.
Luna HSM: Select this option, select the Algorithm, select the Partition ID, select Key Attributes, and specify Key Name for the new key version.
The key attributes Modifiable, Extractable, and Sensitive are selected for a BYOK Compatible key.
Vormetric DSM: Select this option, select the Algorithm, select the Domain, and specify Key Name for the new key version.
Click Add Version.
A new version is added to the key.
Adding Key Version by Cloning Existing Key Material
Select Clone Existing Key Material as the method.
Select Source. The options are:
CipherTrust (Local): Select this option, select the Algorithm, and Select a key source for the new key version.
Luna HSM: Select this option and Select a key source for the new key version.
Vormetric DSM: Select this option, select the Algorithm, and Select a key source for the new key version.
Click Add Version.
A new version is added to the key.
Viewing or Editing Details of Google Cloud Keys
After a key is created, you can add or update tags and key rotation schedules, and also rotate key versions in the edit view. You can perform various operations on key versions.
In the edit view of a key, you can view all the key details such as its purpose, protection level, and location etc.
To view or edit an Google Cloud key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Google. The list of available Google Cloud keys is displayed.
Click the overflow icon () corresponding to the desired key and click View/Edit. Alternatively, you can click the key name link. The edit view of the key is displayed. The edit view is divided into:
LABELS: View, add, and update labels. Refer to Adding or Updating Labels.
ALGORITHM: Update the default algorithm for the new key version. Refer to Updating Default Algorithm for New Key Versions for details.
ROTATION: Update a key rotation schedule. Refer to Updating Key Rotation Schedule for details.
Key Versions: Perform operations on key versions. Refer to Performing Key Version Operations.
Updating Default Algorithm for New Key Versions
To update the default algorithm for the new versions of the key, in the ALGORITHM section:
Select the desired algorithm from the Select Default Algorithm for New Version drop-down list.
Click Update.
The default algorithm is updated for the new versions of the key.
The key labels are updated.
Adding or Updating Labels
A label is a tag assigned to the key, which consists of a user-defined key and a value.
Note
For Google label requirements, refer to Labeling keys | Cloud KMS Documentation | Google Cloud.
To add or update key labels, in the LABELS section:
Under Label, specify a tag key.
Enter the tag value.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Update.
The key labels are updated.
Updating Key Rotation Schedule
To update a key rotation schedule, in the ROTATION section:
Select Rotation Schedule. The drop-down list shows the available key rotation schedules.
Select the Key Origin. The options are CipherTrust, Native (Google), Luna, and DSM. Refer to Key Creation Methods and Sources for details on sources.
Select the Algorithm for the key.
(Applicable to the DSM) Select the desired DSM Domain.
(Applicable to the Luna HSM) Select the desired Luna HSM Partition.
Click Update.
The key rotation schedule is updated.
Performing Key Version Operations
With CCKM, you enable/disable, add or rotate, and schedule destruction of key versions. Also, you can download public key of asymmetric versions of a key.
To perform a operation on a key version, under the Key Versions section:
Click the overflow icon () corresponding to the desired version. A popup menu appears.
Select the desired operation. Depending on the current state, the options can be Disable Version, Enable Version, and Schedule Destruction. An Aborted version cannot be enabled, disabled, or scheduled for destruction.
To download the public key of an asymmetric key version, click Get Public Key. The public key of (
public-key.pem
) the asymmetric key version is downloaded to your machine.Confirm the operation.
To rotate all versions of a key, click Rotate under the Key Versions section.