gkatzioura

Reputation: 2820

Google cloud KMS store custom keys

Is it possible to store my manually generated AES-256 keys in Google Cloud KMS? I was successful in creating keys fully managed and created by Google, but how do I deal with keys generated before adopting Google Cloud?

Upvotes: 1

Views: 1408

Answers (2)

sethvargo

Reputation: 26997

Tim's answer was correct at the time, but Cloud KMS now supports Key Import.

Create an import job:

$ gcloud kms import-jobs create "my-job" \
  --location "us-central1" \
  --keyring "my-keyring" \
  --import-method "rsa-oaep-4096-sha1-aes-256" \
  --protection-level "hsm"

Import your key:

$ gcloud kms keys versions import \
  --import-job "my-job" \
  --location "us-central1" \
  --keyring "my-keyring" \
  --key "my-key" \
  --algorithm "<algorithm>" \
  --target-key-file ./path/to/my.key

Upvotes: 4

Tim Dierks

Reputation: 2251

We don't currently support importing keys, but even if we did, we don't currently document the format of encrypted data, so we can't support interoperability with data you have encrypted yourself.

The solution to this use case is usually to use a master key in KMS which you use to wrap your AES keys, then store the wrapped keys in a data store. You can then bootstrap from the service account identities provisioned into your deployed code, using them to authorize the use of KMS to unwrap your AES keys, then use the unwrapped keys to encrypt/decrypt your data.

Upvotes: 0
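The envelope-encryption pattern Tim describes (a KMS master key wraps your existing AES data keys; only the wrapped keys are stored; code unwraps at runtime and then encrypts/decrypts data locally) can be seen end to end in this added Go example. It is not code from the page or from Google's client libraries: the `LocalKEK` type is a constructed stand-in for the KMS master key so the program runs offline, and in a real deployment its `Wrap`/`Unwrap` methods would be replaced by Cloud KMS Encrypt/Decrypt calls authorized by the service account. The `KeyWrapper` interface, `Envelope` struct and function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyWrapper is the only operation the application needs from the "master key in KMS":
// wrap a data-encryption key (DEK) and later unwrap it. Hypothetical interface for this example.
type KeyWrapper interface {
	Wrap(dek []byte) ([]byte, error)
	Unwrap(wrapped []byte) ([]byte, error)
}

// LocalKEK is a constructed stand-in for the KMS master key (AES-256-GCM held in memory).
// It exists only so the example runs offline; it is not a KMS client.
type LocalKEK struct{ aead cipher.AEAD }

func NewLocalKEK() (*LocalKEK, error) {
	raw, err := GenerateDEK() // 32 random bytes, reused here as the KEK material
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(raw)
	if err != nil {
		return nil, err
	}
	return &LocalKEK{aead: aead}, nil
}

func (k *LocalKEK) Wrap(dek []byte) ([]byte, error)       { return seal(k.aead, dek) }
func (k *LocalKEK) Unwrap(wrapped []byte) ([]byte, error) { return open(k.aead, wrapped) }

// GenerateDEK returns a fresh AES-256 key; a pre-existing key from before adopting KMS
// is used exactly the same way, it just skips this step.
func GenerateDEK() ([]byte, error) {
	dek := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, dek)
	return dek, err
}

// Envelope is what you persist: the wrapped DEK next to the data it protects.
// The plaintext DEK is never written to the data store.
type Envelope struct {
	WrappedDEK []byte // output of the KMS wrap call
	Ciphertext []byte // nonce || AES-256-GCM ciphertext || tag, under the DEK
}

// EncryptWithDEK wraps an existing 32-byte DEK with the master key and encrypts the data under it.
func EncryptWithDEK(kw KeyWrapper, dek, plaintext []byte) (*Envelope, error) {
	if len(dek) != 32 {
		return nil, errors.New("DEK must be 32 bytes (AES-256)")
	}
	wrapped, err := kw.Wrap(dek)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	ct, err := seal(aead, plaintext)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptEnvelope is the runtime bootstrap path: unwrap via KMS, then decrypt locally.
// Any tampering with the ciphertext or the wrapped key fails the GCM tag check.
func DecryptEnvelope(kw KeyWrapper, env *Envelope) ([]byte, error) {
	dek, err := kw.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return open(aead, env.Ciphertext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prefixes a random nonce so the blob is self-describing: nonce || ciphertext || tag.
func seal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

func main() {
	kek, _ := NewLocalKEK()
	existing := make([]byte, 32) // constructed "pre-existing" key; real keys come from your old system
	for i := range existing {
		existing[i] = byte(i)
	}
	env, _ := EncryptWithDEK(kek, existing, []byte("customer record 42"))
	pt, err := DecryptEnvelope(kek, env)
	fmt.Printf("decrypted=%q err=%v\n", pt, err)
}
```

The design point worth noting is that the application stores `WrappedDEK` and `Ciphertext` together but never the DEK itself; the only party that can turn the wrapped blob back into a usable key is whoever the KMS policy authorizes to call unwrap on the master key, which is how the service account identity becomes the access control for all the data.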
