Output Format

The plugin outputs discovered keys in JSON format with detailed metadata:

Symmetric Key Example

{
    "type": "symkey",
    "timestamp": "2025-12-15T12:23:41-05:00",
    "urn": "urn:symkey:name:ouldriw-gcp-test-ekm-aes-3:1",
    "url": "https://console.cloud.google.com/security/kms/key/manage/us/gcp-byok-entrust-kc-key-ring/ouldriw-gcp-test-ekm-aes-3?project=htdc-project",
    "extra": {
      "account_id": "htdc-project",
      "created_date": "2025-10-02T14:01:56Z",
      "cryptographic_algorithm": "AES",
      "cryptographic_length": 256,
      "external_protection_level_options": {
        "external_key_uri": "https://xkc8.entrust.com/v0/ekm/422c5783-36d5-40cf-82a9-632ff382b8ae"
      },
      "generated_date": "2025-10-02T14:01:56Z",
      "hsm_backed": false,
      "key_ring": "projects/htdc-project/locations/us/keyRings/gcp-byok-entrust-kc-key-ring",
      "key_version": "1",
      "location": "us",
      "name": "ouldriw-gcp-test-ekm-aes-3",
      "origin": "gcp_kms",
      "platform_type": "gcp",
      "project_id": "htdc-project",
      "protection_level": "external",
      "purpose": "encrypt_decrypt",
      "reimport_eligible": false,
      "status": "enabled"
    }
}

Asymmetric Key Example

{
    "type": "pubkey",
    "timestamp": "2025-12-15T12:23:42-05:00",
    "urn": "urn:pubkey:sha256:9b11b522b4888047012b525c54554767042f0184b9246672a6ab2b99dfadbaa8",
    "url": "https://console.cloud.google.com/security/kms/key/manage/us/gcp-byok-entrust-kc-key-ring/ouldriw-gcp-test-ekm-ec?project=htdc-project",
    "extra": {
      "account_id": "htdc-project",
      "created_date": "2025-10-02T13:53:51Z",
      "external_protection_level_options": {
        "external_key_uri": "https://xkc8.entrust.com/v0/ekm/db685b6f-7cc0-4883-8634-e2139c5a9bfb"
      },
      "generated_date": "2025-10-02T13:53:51Z",
      "hsm_backed": false,
      "key_ring": "projects/htdc-project/locations/us/keyRings/gcp-byok-entrust-kc-key-ring",
      "key_version": "projects/htdc-project/locations/us/keyRings/gcp-byok-entrust-kc-key-ring/cryptoKeys/ouldriw-gcp-test-ekm-ec/cryptoKeyVersions/1",
      "location": "us",
      "name": "ouldriw-gcp-test-ekm-ec",
      "origin": "gcp_kms",
      "platform_type": "gcp",
      "project_id": "htdc-project",
      "protection_level": "external",
      "purpose": "sign_verify",
      "reimport_eligible": false,
      "status": "enabled"
    },
    "pubkey_pem": "MFkwEwYHKoZI...."
}

Output Fields

| Field | Description |
| --- | --- |
| type | Key type (symkey for symmetric/MAC keys, pubkey for asymmetric keys) |
| timestamp | RFC3339 timestamp of when the scan was performed |
| urn | Unique resource name for the key (SHA256 hash of public key for asymmetric keys, name-based for symmetric keys) |
| url | Direct link to GCP Console for the key |
| pubkey_pem | Public key in RFC 7468 PEM format (base64 body without headers/footers) - asymmetric keys only |
| extra | Additional metadata (see Extra Fields section below) |

Extra Fields

The extra object contains GCP-specific metadata about the key. The fields differ based on key type.

Common Fields (Present in All Keys)

  • platform_type (string): Always "gcp" indicating the key is from GCP KMS
  • name (string): Key name from GCP KMS
  • status (string): Current key state (values: "enabled", "disabled", "destroyed", "destroy_scheduled", "pending_generation", "pending_import", "import_failed")
  • origin (string): Key origin (value: "gcp_kms")
  • account_id (string): GCP project ID
  • location (string): GCP location/region (e.g., "us", "us-east1", "global")
  • key_ring (string): Full resource name of the key ring (e.g., "projects/my-project/locations/us/keyRings/my-keyring")
  • protection_level (string): Protection level (values: "software", "hsm", "external", "external_vpc")
  • purpose (string): Key usage purpose
  • hsm_backed (boolean): Whether the key is backed by a Hardware Security Module
  • created_date (string): ISO 8601 timestamp of when the key version was created
  • reimport_eligible (boolean): Whether the key can be reimported

Conditional Common Fields

The following fields are only present when the data is available:

  • generated_date (string): ISO 8601 timestamp of key generation (only present if key was generated)
  • destroy_time (string): ISO 8601 timestamp when key will be destroyed (only present if scheduled for destruction)
  • destroy_event_time (string): ISO 8601 timestamp when destroy event occurred (only present if applicable)
  • import_job (string): Import job resource name (only present for imported keys)
  • import_time (string): ISO 8601 timestamp of key import (only present for imported keys)
  • import_failure_reason (string): Reason for import failure (only present if import failed)
  • external_protection_level_options (object): External key manager options (only present for external keys)
    • external_key_uri (string): URI of the external key
  • labels (object): Key-value pairs of user-defined labels (only present if labels exist)

Asymmetric Key-Specific Fields (type: "pubkey")

In addition to the common fields, asymmetric keys include:

  • key_version (string): Full resource name of the specific key version (e.g., "projects/.../cryptoKeys/.../cryptoKeyVersions/1")
  • project_id (string): GCP project identifier
  • purpose (string): Key purpose (values: "sign_verify", "encrypt_decrypt")

Note: Intrinsic cryptographic properties like cryptographic_algorithm, cryptographic_length, and cryptographic_curve are NOT included in extras as they can be derived from the pubkey_pem field.
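As an added example (not part of the plugin or its documentation), the following Python sketch shows how a consumer of the output could derive those properties from pubkey_pem. It assumes the field holds a base64-encoded DER SubjectPublicKeyInfo, which is consistent with the "MFkwEwYHKoZI" prefix in the sample above; the function names and the sample key bytes are constructed for illustration.

```python
import base64

# OIDs (dotted form) for the algorithms and named curves this sketch recognises.
ALGS = {"1.2.840.10045.2.1": "EC", "1.2.840.113549.1.1.1": "RSA"}
CURVES = {"1.2.840.10045.3.1.7": ("P-256", 256), "1.3.132.0.34": ("P-384", 384)}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OID content bytes to dotted-decimal text (first arc 0 or 1)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def describe_pubkey(pubkey_pem):
    """Derive algorithm, curve and length from a base64 SubjectPublicKeyInfo."""
    der = base64.b64decode(pubkey_pem, validate=True)
    _, spki, _ = read_tlv(der, 0)                 # outer SEQUENCE
    _, alg_id, key_pos = read_tlv(spki, 0)        # AlgorithmIdentifier
    _, oid, params_pos = read_tlv(alg_id, 0)      # algorithm OID
    _, bits, _ = read_tlv(spki, key_pos)          # BIT STRING with the key
    alg = ALGS.get(decode_oid(oid), "unknown")
    info = {"cryptographic_algorithm": alg}
    if alg == "EC":                               # parameters hold the curve OID
        _, curve, _ = read_tlv(alg_id, params_pos)
        name, size = CURVES.get(decode_oid(curve), ("unknown", None))
        info.update(cryptographic_curve=name, cryptographic_length=size)
    elif alg == "RSA":                            # key is SEQUENCE {modulus, exponent}
        _, rsa_key, _ = read_tlv(bits[1:], 0)     # skip the unused-bits byte
        _, modulus, _ = read_tlv(rsa_key, 0)
        info["cryptographic_length"] = int.from_bytes(modulus, "big").bit_length()
    return info

# Constructed sample: the fixed P-256 SPKI prefix plus 64 filler bytes standing in
# for the point coordinates (not a real key; the parser never checks the point).
SAMPLE_PEM = base64.b64encode(bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200") + b"\x04" + bytes(range(64))).decode()
print(describe_pubkey(SAMPLE_PEM))
```

The sketch recognises only EC keys on P-256 or P-384 and RSA keys; any other algorithm or curve is reported as "unknown" rather than guessed.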

Symmetric Key-Specific Fields (type: "symkey")

In addition to the common fields, symmetric keys include:

  • project_id (string): GCP project identifier from resource name
  • key_version (string): Version number (e.g., "1", "2")
  • purpose (string): Key purpose (values: "encrypt_decrypt", "mac")
  • cryptographic_algorithm (string): Algorithm type (values: "AES", "HMAC") (only present if determinable)
  • cryptographic_length (integer): Key length in bits (only present if determinable)