- DPoD Documentation
- CipherTrust Key Management Services
- CipherTrust Key Broker for Google Cloud EKM
- Key Setup Guide
Key Setup Guide
This guide provides instructions on creating an AES256 encryption key in CipherTrust Key Broker for Google Cloud EKM service. The key can then be used as an external key in Google Cloud EKM. This document provides details and guidelines on:
- Creating an EKM policy
- Choosing a Key Store
- Creating a Key Ring
- Creating a Key
- Rotating the Key
- Updating the Key URI
When creating a key in CipherTrust Key Broker for Google Cloud EKM you create a Key and assign it to a Key Ring that exists in a Key Store. The Key Ring, where the Key resides, has a set of EKM Policies applied to it which restrict access and use, increasing the security of the external key and any wrapped keys.
Follow the Before you Begin page in the Managing Cloud EKM Keys section of the Google documentation for detailed instructions on getting started, using the google cloud platform, and using the external key. Refer back to the CipherTrust Key Broker for Google Cloud EKM documentation for more information about using the service and generating the master key.
Verify billing for your Google Cloud Project is enabled. If not, please enable billing before integrating with CipherTrust Key Broker for Google Cloud EKM.
Creating an EKM policy
An EKM policy is a set of rules for usage enforced on a Key Ring. An EKM Policy is bound to a Google Cloud Platform Service Account and allows for configuration of Key Access Justification. The Service Account allows an application to access the policy bound key rings, instead of an end user. The service account acts as a resource identity in Google Cloud Platform for the CipherTrust Key Broker for Google Cloud EKM key ring and any associated keys.
We recommend binding your EKM policy to a service account with the
cryptoKeyDecrypter IAM roles. These roles allow the associated service account to complete encrypt and decrypt operations using the associated key ring keys. See Permissions and Roles as they relate to cryptographic keys, for more information about providing the minimal set of permissions to the service account in Google Cloud Platform.
You can +ADD, REFRESH, or DELETE policies from the EKM Policy page. Click +ADD on the Policies page in CipherTrust Key Broker for Google Cloud EKM to create a new policy. When you add a new policy you specify the following details:
- Name - provide a name for the policy.
- Kind - set the key policy to GCP for use with Google Cloud Platform.
- Approved Client Ids - provide a comma separated list of service accounts from Google Cloud Platform that are allowed to use the key.
- Require Key Access Justification - enable or disable Key Access Justification for external keys on this key ring on the Google Cloud Platform. This setting should align with the policy setting on Google Cloud Platform.
- Justification reason codes - provide a set of approved justification reason codes for Key Access Justification. See Access Justification for more information.
If using wildcard characters when adding service accounts to a policy, ensure you only authorize the correct service accounts when adding to the list of Approved Client Ids.
Key Access Justification works with Cloud EKM to greatly advance the control you have over your data. Key Access Justification is currently restricted by Google. To use Key Access Justification you need to register and complete the onboarding. Contact Google for more information about registering for Key Access Justification in Google EKM.
Choosing a Key Store
The Key Store secures your CipherTrust Key Broker for Google Cloud EKM master key inside of a FIPS certified Thales DPoD HSMoD serivce. Click on Key Stores to view available keystores and the regions where they are available.
When you create a Key Ring, use a Key Store in a region that is geographically near the Google Cloud Platform region you are using to reduce network latency issues between your Google Cloud Project and the CipherTrust Key Broker for Google Cloud EKM key store. Review the External key managers and regions documentation for more information about choosing a suitable location.
Creating a Key Ring
The Key Ring allows you to configure policy enforced key operation jurisdictions. The key ring must be associated with a EKM Policy to be used in Google Cloud EKM. The key ring contains a set of customer managed encryption keys and uses them for wrap/unwrap operations on encryption keys in Google Cloud Platform.
The location for a key is determined by the location of the key ring. Keys cannot be moved from one key ring to another after creation and cannot be exported.
Click +ADD on the Key Rings page in CipherTrust Key Broker for Google Cloud EKM to create a new key ring. When you create a new key ring you provide:
- Name - provide a name for the key ring.
- KeyStore - select a key store where the external key will be stored. Review Choosing a Key Store for more information.
- Enforced Policies - select and enforce a policy set from the available policies. Review Creating an EKM Policy for more information.
Creating a Key
The Key is an AES256 encryption key that can be used in Google Cloud EKM as an external key to secure your data at rest. When you create the key, it appears on the Keys page with a unique Key URI. Both the Cloud EKM key version and the external key are required for each encryption and decryption request. If you lose access to either key, your data cannot be recovered. It is not possible to re-create an identical Cloud EKM key version by using the same external key URI. The CipherTrust Key Broker for Google Cloud EKM key appears alongside your other Cloud KMS and Cloud HSM keys, with protection level EXTERNAL, inside of the Google Cloud Platform. The external key is never exposed to Google.
Click +ADD on the Keys page in CipherTrust Key Broker for Google Cloud EKM to create a master key. When you create a master key you provide:
- Name - provide a name for the key.
- KeyRing - select and bind the key to an existing keyring, its region, and its policies. Review Creating a Key Ring for more information.
Key Resource Id Format
When using a key over the SDK or REST API, you must refer to the key by its fully-qualified resource ID. See Cloud KMS resources for more information about the format of the resource ID. Once you have a key in the service, you can retrieve the key resource ID of the new key and begin using it to protect data. The key resource id appears in the format:
Rotating the Key
You can rotate a CipherTrust Key Broker for Google Cloud EKM key in Google Cloud Platform. Rotating a Cloud EKM key in Google automatically and transparently rotates the key in the service. The result of a key rotation is a new key version.
After you rotate a Cloud EKM key, you can still decrypt data that was encrypted using a previous version of the external key, as long as the previous version of the external key is still available at the external key URI on the CipherTrust Key Broker for Google Cloud EKM service.
For more information see about rotating keys in Google Cloud Platform see Rotate an external key.
Updating the Key URI
You can update a CipherTrust Key Broker for Google Cloud EKM Key URI in Google Cloud Platform. However, you cannot change a Key URI in the CipherTrust Key Broker for Google Cloud EKM service, so you will not need to update the Key URI in Google Cloud Platform.
For more information about updating key URIs in Google Cloud Platform see Update the URI for a key version