GCP Key Management Service (GCP KMS) is the cloud-hosted key management service of Google Cloud Platform (GCP). It lets you create and manage symmetric and asymmetric cryptographic keys and use them from Google Cloud services that integrate with Cloud KMS or from your own applications.
Google Cloud KMS supports:
- Google-owned and Google-managed encryption keys
- Customer-managed encryption keys (CMEKs):
  - Cloud KMS keys
  - Cloud HSM keys
- Customer-supplied encryption keys
The GCP KMS plugin:
- Connects to your GCP account using a service account key and the IAM permissions granted to that service account.
- Discovers cryptographic keys stored in Google Cloud KMS in the specified region.
- Asymmetric keys: the plugin discovers the following types of asymmetric keys:

  | Key type | Algorithms |
  |---|---|
  | RSA signing | RSA_SIGN_PKCS1_2048_SHA256, RSA_SIGN_PKCS1_3072_SHA256, RSA_SIGN_PKCS1_4096_SHA256, RSA_SIGN_PKCS1_4096_SHA512, RSA_SIGN_PSS_2048_SHA256, RSA_SIGN_PSS_3072_SHA256, RSA_SIGN_PSS_4096_SHA256, RSA_SIGN_PSS_4096_SHA512 |
  | RSA decryption | RSA_DECRYPT_OAEP_2048_SHA256, RSA_DECRYPT_OAEP_3072_SHA256, RSA_DECRYPT_OAEP_4096_SHA256, RSA_DECRYPT_OAEP_4096_SHA512 |
  | EC signing | EC_SIGN_P256_SHA256, EC_SIGN_P384_SHA384, EC_SIGN_SECP256K1_SHA256 |
- Symmetric keys: the plugin discovers the following types of symmetric keys:

  | Key type | Algorithms |
  |---|---|
  | AES | GOOGLE_SYMMETRIC_ENCRYPTION |
  | HMAC | HMAC_SHA1, HMAC_SHA224, HMAC_SHA256, HMAC_SHA384, HMAC_SHA512 |
- Retrieves key metadata.
- Exports the public key of asymmetric keys in PEM format.
The plugin does not support incremental scanning.
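As an added example (it is not the plugin's own code), here is the discovery walk the bullets above describe, written against the google-cloud-kms Python client: it enumerates key rings, keys and key versions under one location, classifies each version by the algorithm families in the tables above, and fetches the PEM public key for enabled asymmetric versions. FakeKmsClient and its inventory are constructed so the walk can run offline; the live path at the bottom assumes the google-cloud-kms package and a service account key supplied through GOOGLE_APPLICATION_CREDENTIALS. The IAM permissions the walk needs are cloudkms.keyRings.list, cloudkms.cryptoKeys.list, cloudkms.cryptoKeyVersions.list and cloudkms.cryptoKeyVersions.viewPublicKey, which the read-only predefined roles roles/cloudkms.viewer and roles/cloudkms.publicKeyViewer cover; nothing here requires a role that can sign, decrypt or encrypt with the keys.

```python
"""Inventory Cloud KMS keys in one location and export asymmetric public keys as PEM.
Added example, not the plugin's code; live runs need google-cloud-kms and ADC."""
from dataclasses import dataclass
from types import SimpleNamespace
from typing import Optional

# Algorithm families from the support tables above, keyed by Cloud KMS name prefix.
FAMILIES = {
    "RSA_SIGN_": ("asymmetric", "RSA signing"),
    "RSA_DECRYPT_": ("asymmetric", "RSA decryption"),
    "EC_SIGN_": ("asymmetric", "EC signing"),
    "GOOGLE_SYMMETRIC_ENCRYPTION": ("symmetric", "AES"),
    "HMAC_": ("symmetric", "HMAC"),
}


def classify_algorithm(algorithm: str):
    """Map a Cloud KMS algorithm name to (kind, family); unlisted names give ("unknown", None)."""
    for prefix, result in FAMILIES.items():
        if algorithm.startswith(prefix):
            return result
    return ("unknown", None)


@dataclass
class KeyRecord:
    version: str            # full CryptoKeyVersion resource name
    algorithm: str
    kind: str
    family: Optional[str]
    state: str
    public_key_pem: Optional[str] = None


def discover_keys(client, project: str, location: str):
    """Walk key rings -> keys -> versions under one location and return KeyRecords.

    `client` must expose list_key_rings, list_crypto_keys, list_crypto_key_versions and
    get_public_key using the request-dict convention of google.cloud.kms.KeyManagementServiceClient.
    A PEM is fetched only for ENABLED asymmetric versions; other versions are recorded without one.
    """
    parent = f"projects/{project}/locations/{location}"
    records = []
    for ring in client.list_key_rings(request={"parent": parent}):
        for key in client.list_crypto_keys(request={"parent": ring.name}):
            for ver in client.list_crypto_key_versions(request={"parent": key.name}):
                # Real client fields are proto enums (use .name); the fake below uses strings.
                alg = getattr(ver.algorithm, "name", ver.algorithm)
                state = getattr(ver.state, "name", ver.state)
                kind, family = classify_algorithm(alg)
                rec = KeyRecord(ver.name, alg, kind, family, state)
                if kind == "asymmetric" and state == "ENABLED":
                    rec.public_key_pem = client.get_public_key(request={"name": ver.name}).pem
                records.append(rec)
    return records


def summarize(records):
    """Count discovered versions per family; the None bucket holds unlisted algorithms."""
    counts = {}
    for rec in records:
        counts[rec.family] = counts.get(rec.family, 0) + 1
    return counts


# Constructed in-memory stand-in for KeyManagementServiceClient so the walk runs offline.
_FAKE_PEM = "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"


class FakeKmsClient:
    def __init__(self, project="demo-project", location="us-east1"):
        ring = f"projects/{project}/locations/{location}/keyRings/ring-1"
        spec = [  # (key id, algorithm, version states): constructed sample inventory
            ("ec-signer", "EC_SIGN_P256_SHA256", ["ENABLED", "DISABLED"]),
            ("rsa-decryptor", "RSA_DECRYPT_OAEP_3072_SHA256", ["ENABLED"]),
            ("aes-key", "GOOGLE_SYMMETRIC_ENCRYPTION", ["ENABLED"]),
            ("mac-key", "HMAC_SHA256", ["ENABLED"]),
            ("ekm-key", "EXTERNAL_SYMMETRIC_ENCRYPTION", ["ENABLED"]),  # not in the tables
        ]
        self.rings = {ring: [f"{ring}/cryptoKeys/{k}" for k, _, _ in spec]}
        self.versions = {
            f"{ring}/cryptoKeys/{k}": [
                SimpleNamespace(name=f"{ring}/cryptoKeys/{k}/cryptoKeyVersions/{i}", algorithm=alg, state=st)
                for i, st in enumerate(states, start=1)
            ]
            for k, alg, states in spec
        }

    def list_key_rings(self, request):
        return [SimpleNamespace(name=r) for r in self.rings if r.startswith(request["parent"] + "/")]

    def list_crypto_keys(self, request):
        return [SimpleNamespace(name=k) for k in self.rings[request["parent"]]]

    def list_crypto_key_versions(self, request):
        return self.versions[request["parent"]]

    def get_public_key(self, request):
        return SimpleNamespace(pem=_FAKE_PEM)


if __name__ == "__main__":
    # Live run: python kms_inventory.py PROJECT LOCATION, with GOOGLE_APPLICATION_CREDENTIALS
    # pointing at the service account key file (pip install google-cloud-kms).
    import sys
    from google.cloud import kms
    for r in discover_keys(kms.KeyManagementServiceClient(), sys.argv[1], sys.argv[2]):
        print(r.state, r.family, r.version)
        if r.public_key_pem:
            print(r.public_key_pem)
```

Because the walk re-enumerates every ring, key and version on each run, it behaves like the plugin's full (non-incremental) scan; algorithms outside the support tables, such as the constructed EXTERNAL_SYMMETRIC_ENCRYPTION key, are still inventoried but land in the unknown bucket rather than being silently dropped.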