Creating a CloudKey for GCP

Before you can create a CloudKey, you must have created a Key Set. See Creating a Key Set.

This procedure is for creating a customer managed key. If you are using an External Key Manager (EKM), see Using KeyControl as a GCP EKM Provider.

  1. Log into the KeyControl Vault for Cloud Keys webGUI using an account with Cloud Admin privileges.

  2. In the top menu bar, click CloudKeys.
  3. Click the CloudKeys tab and select the Key Set and Key Ring.

    Note: If you do not finish the selections on the CloudKeys page, you will need to add them on the Details tab of the Create CloudKey dialog box.

  4. Select Actions > Create CloudKey.
  5. On the Details tab of the Create CloudKey dialog box, enter the following:

    Field           Description
    Key Ring        If you did not finish selecting the Key Set prompts, you will need to select the Region here.
    Name            Enter the name for the CloudKey.
    Description     Enter the optional description for the CloudKey.
    Key Management  Choose Customer Managed Key.

  6. Click Continue.
  7. On the Purpose tab, complete the following:

    Field             Description
    Protection Level  Choose whether your key will be protected with software or an HSM.
    Purpose           This can be one of the following:
                      • Symmetric encrypt/decrypt
                      • Asymmetric decrypt
                      • Asymmetric Sign
                      • MAC signing/verification
    Algorithm         Choose the algorithm that matches the purpose you selected. This can be one of the following:

                      For Symmetric encrypt/decrypt:
                      • Google symmetric key

                      For Asymmetric decrypt:
                      • 2048 bit RSA - OAEP Padding - SHA1 Digest
                      • 2048 bit RSA - OAEP Padding - SHA256 Digest
                      • 3072 bit RSA - OAEP Padding - SHA1 Digest
                      • 3072 bit RSA - OAEP Padding - SHA256 Digest
                      • 4096 bit RSA - OAEP Padding - SHA1 Digest
                      • 4096 bit RSA - OAEP Padding - SHA256 Digest
                      • 4096 bit RSA - OAEP Padding - SHA512 Digest

                      For Asymmetric Sign:
                      • Elliptic Curve P-256 - SHA256 Digest
                      • Elliptic Curve P-384 - SHA384 Digest
                      • 2048 bit RSA - PKCS#1 v1.5 padding - SHA256 Digest
                      • 3072 bit RSA - PKCS#1 v1.5 padding - SHA256 Digest
                      • 4096 bit RSA - PKCS#1 v1.5 padding - SHA256 Digest
                      • 4096 bit RSA - PKCS#1 v1.5 padding - SHA512 Digest
                      • 2048 bit RSA - PSS Padding - SHA256 Digest
                      • 3072 bit RSA - PSS Padding - SHA256 Digest
                      • 4096 bit RSA - PSS Padding - SHA256 Digest
                      • 4096 bit RSA - PSS Padding - SHA512 Digest

                      For MAC signing/verification:
                      • HMAC - SHA256 Digest

  8. Click Continue.
  9. On the Schedule tab, determine the rotation schedule for the CloudKey. This can be one of the following: 

    • Inherit from Key Set—The CloudKey will use the default schedule from the Key Set. If the Key Set schedule changes after the CloudKey is created, the CloudKey schedule will not be updated.
    • Never—The CloudKey will never be rotated.
    • Once a year—The CloudKey will be rotated once a year.
    • Every 6 months—The CloudKey will be rotated once every 6 months.
    • Every 30 days—The CloudKey will be rotated once every 30 days.
    • Other—The CloudKey will be rotated at the interval you select.
  10. Choose when the CloudKey should expire. This can be Never, or you can choose a specific date.

  11. If you selected an expiration date, choose the Expire Action to define what happens to the CloudKey when it expires. This can be one of the following:

    • Disable—The key will remain in the cloud, but is disabled and cannot be used by any applications.

    • Delete—The key is disabled in the cloud and cannot be used by any applications. You can set the date when the key is permanently deleted.

    • Delete from Cloud—Removes the key material from the KMS, and applications can no longer use this key from the cloud. However, KeyControl retains a copy of the key which can be uploaded back to the cloud.

    Note: When the CloudKey expires, the selected Expire Action is performed on the key. KeyControl handles the expiration date and the Expire Action; the expiration date is not set in the cloud service provider.

  12. Click Apply.
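Once the CloudKey exists, it is worth confirming that the key GCP actually holds carries the Purpose, Algorithm and Protection Level chosen on the Purpose tab. The following Python is an added example, not KeyControl's or Entrust's own code: it translates every GUI label listed above into the corresponding GCP KMS enum name and compares those with the JSON that `gcloud kms keys describe KEY --keyring RING --location LOC --format=json` returns. The Protection Level labels "Software" and "HSM" are assumed, and the describe response is a constructed sample.

```python
import json
import re

# KeyControl GUI labels (from the Purpose tab) mapped to GCP KMS enum names; "Software"/"HSM" are assumed labels.
PURPOSE_TO_GCP = {
    "Symmetric encrypt/decrypt": "ENCRYPT_DECRYPT",
    "Asymmetric decrypt": "ASYMMETRIC_DECRYPT",
    "Asymmetric Sign": "ASYMMETRIC_SIGN",
    "MAC signing/verification": "MAC",
}
PROTECTION_TO_GCP = {"Software": "SOFTWARE", "HSM": "HSM"}

def algorithm_to_gcp(label: str) -> str:
    """Translate a KeyControl Algorithm label into the GCP CryptoKeyVersionAlgorithm name."""
    if label == "Google symmetric key":
        return "GOOGLE_SYMMETRIC_ENCRYPTION"
    digest = re.search(r"SHA\d+", label).group(0)          # e.g. SHA256
    if label.startswith("HMAC"):
        return f"HMAC_{digest}"
    ec = re.match(r"Elliptic Curve P-(\d+)", label)
    if ec:
        return f"EC_SIGN_P{ec.group(1)}_{digest}"
    bits = re.match(r"(\d+) bit RSA", label).group(1)       # e.g. 2048
    if "OAEP" in label:
        return f"RSA_DECRYPT_OAEP_{bits}_{digest}"
    padding = "PSS" if "PSS" in label else "PKCS1"
    return f"RSA_SIGN_{padding}_{bits}_{digest}"

def verify_cloudkey(describe_json: str, purpose: str, algorithm: str, protection: str) -> list:
    """Compare `gcloud kms keys describe --format=json` output with the KeyControl choices.
    Returns a list of mismatch strings; an empty list means the key in GCP matches."""
    key = json.loads(describe_json)
    template = key.get("versionTemplate", {})   # algorithm/protection level for new versions
    expected = {
        "purpose": PURPOSE_TO_GCP[purpose],
        "versionTemplate.algorithm": algorithm_to_gcp(algorithm),
        "versionTemplate.protectionLevel": PROTECTION_TO_GCP[protection],
    }
    actual = {
        "purpose": key.get("purpose"),
        "versionTemplate.algorithm": template.get("algorithm"),
        "versionTemplate.protectionLevel": template.get("protectionLevel"),
    }
    return [f"{k}: expected {expected[k]}, found {actual[k]}"
            for k in expected if expected[k] != actual[k]]

# Constructed sample describe output for an HSM-backed P-256 signing key (not real data).
SAMPLE_DESCRIBE = json.dumps({
    "purpose": "ASYMMETRIC_SIGN",
    "versionTemplate": {"algorithm": "EC_SIGN_P256_SHA256", "protectionLevel": "HSM"},
})
```

Run `verify_cloudkey` against the real describe output with the values you chose in the dialog; any non-empty result means the key in GCP does not match what KeyControl was asked to create.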