To set up Akeyless KMS Integration with GCP KMS, follow these steps:

  1. Create a new GCP Target in the Akeyless Vault. You can do it either from the Akeyless CLI or in the Akeyless Console. Make sure you have a GCP Keyring to target.

๐Ÿ“˜

Note

Remember to give the GCP Target the cloud KMS admin permissions to manage the keyring.

  1. Create a Classic Key in the Akeyless Vault. You can do it either from the Akeyless CLI or in the Akeyless console. Alternatively, You can also use an existing Classic Key if it fits the target's accepted algorithm types.

GCP supports the following algorithm types: AES256GCM, RSA2048, RSA3072, RSA4096, EC256, EC384.

๐Ÿ‘

Tip

Any classic key will be protected using the Akeyless DFC key (you can select a DFC key with Zero-Knowledge Encryption).

  1. Associate the key with the GCP Target. When you attach a key, a copy of the key material is securely transferred to the GCP Keyring KMS in accordance with its key import specification.

If you are using the CLI in order to associate the key and the target, please note to use all of the GCP mandatory parameters as described in the CLI Reference:

  • project-id: A project ID of the GCP KMS (from the keyring created in the first step).
  • location-id: A location ID of the GCP KMS (from the keyring created in the first step).
  • keyring-name: A keyring name of the GCP KMS (from the keyring created in the first step).
  • purpose: A purpose of the key in GCP KMS.
  • kms-algorithm: An algorithm of the key in GCP KMS.

The value of the --purpose parameter depends on the key type:

  • For AES keys, possible values are: ENCRYPT_DECRYPT, MAC

  • For RSA keys, possible values are: ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT

  • For ECC keys, possible values are: ASYMMETRIC_SIGN

The value of the --kms-algorithm parameter depends on the key type, key size, and the selected purpose:

Key Type + PurposeKMS Algorithm
AES ENCRYPT_DECRYPTGOOGLE_SYMMETRIC_ENCRYPTION
AES MACHMAC_SHA256
RSA ASYMMETRIC_SIGNRSA_SIGN_PSS_2048_SHA256
RSA_SIGN_PSS_3072_SHA256
RSA_SIGN_PSS_4096_SHA256
RSA_SIGN_PSS_4096_SHA512
RSA_SIGN_PKCS1_2048_SHA256
RSA_SIGN_PKCS1_3072_SHA256
RSA_SIGN_PKCS1_4096_SHA256
RSA_SIGN_PKCS1_4096_SHA256
RSA_SIGN_PKCS1_4096_SHA512
RSA_SIGN_RAW_PKCS1_2048
RSA_SIGN_RAW_PKCS1_3072
RSA_SIGN_RAW_PKCS1_4096
RSA ASYMMETRIC_DECRYPTRSA_DECRYPT_OAEP_2048_SHA256
RSA_DECRYPT_OAEP_3072_SHA256
RSA_DECRYPT_OAEP_4096_SHA256
RSA_DECRYPT_OAEP_4096_SHA512
RSA_DECRYPT_OAEP_2048_SHA1
RSA_DECRYPT_OAEP_3072_SHA1
RSA_DECRYPT_OAEP_4096_SHA1
ECC SYMMETRIC_SIGNEC_SIGN_P256_SHA256
EC_SIGN_P384_SHA384

Whatโ€™s Next