GCP KMS
To set up Akeyless KMS Integration with GCP KMS, follow these steps:
- Create a new keyring in GCP.
- Create a new GCP Target in the Akeyless Vault. You can do it either from the Akeyless CLI or in the Akeyless Console.
Note
Remember to give the GCP Target the cloudkms.admin permissions to manage the keyring.
- Create a classic key in the Akeyless Vault. You can do it either from the Akeyless CLI or in the Gateway Configuration Manager.
You can also upload the keys that currently exist outside of the Akeyless Vault.
Tip
Any classic key will be protected using the Akeyless DFC key (you can select a DFC key with Zero-Knowledge Encryption).
The following key types are supported: AES256GCM, RSA2048, RSA3072, RSA4096, EC256, EC384.
- Make sure to associate the key with the GCP Target. When you attach a key, a copy of the key material is securely transferred to the GCP keyring in accordance with the GCP key import specification.
For GCP targets, you'll need the following parameters for the assoc-target-item command:
- project-id: A project ID of the GCP KMS (from the keyring created in the first step).
- location-id: A location ID of the GCP KMS (from the keyring created in the first step).
- keyring-name: A keyring name of the GCP KMS (from the keyring created in the first step).
- purpose: A purpose of the key in GCP KMS.
- kms-algorithm: An algorithm of the key in GCP KMS.
The value of the --purpose parameter depends on the key type:
- For AES keys, possible values are: ENCRYPT_DECRYPT, MAC
- For RSA keys, possible values are: ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT
- For ECC keys, possible values are: ASYMMETRIC_SIGN
The value of the --kms-algorithm parameter depends on the key type, key size, and the selected purpose:
| Key Type + Purpose | KMS Algorithm |
|---|---|
| AES ENCRYPT_DECRYPT | GOOGLE_SYMMETRIC_ENCRYPTION |
| AES MAC | HMAC_SHA256 |
| RSA ASYMMETRIC_SIGN | RSA_SIGN_PSS_2048_SHA256 |
| RSA ASYMMETRIC_DECRYPT | RSA_DECRYPT_OAEP_2048_SHA256 |
| ECC ASYMMETRIC_SIGN | EC_SIGN_P256_SHA256 |
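The following script is an added example and is not part of the Akeyless documentation or the Akeyless CLI. It turns the purpose and algorithm rules above into a small lookup that refuses any key type/purpose combination the table does not allow (for example MAC on an EC key), and then prints the assoc-target-item invocation for review instead of running it. The --name and --target-name flags, the key and target names, and the project/location/keyring values are assumptions and placeholders; the algorithm identifiers for the RSA3072, RSA4096 and EC384 sizes follow GCP KMS's naming pattern and go beyond the 2048-bit and P-256 rows shown on the page.

```shell
#!/bin/sh
# Added example (not Akeyless code). Maps a classic key type plus the intended
# purpose to the --kms-algorithm value GCP KMS expects, and builds the
# assoc-target-item command line for a dry run.
# Assumptions: --name / --target-name flag names, the sample key, target,
# project, location and keyring names, and the 3072/4096-bit RSA and P-384
# algorithm identifiers (GCP naming pattern, not listed on the page).

# gcp_kms_algorithm KEY_TYPE PURPOSE
# Prints the matching KMS algorithm; returns 1 for a combination that
# GCP KMS does not accept so a wrong pair never reaches the CLI.
gcp_kms_algorithm() {
  case "$1:$2" in
    AES256GCM:ENCRYPT_DECRYPT)  echo GOOGLE_SYMMETRIC_ENCRYPTION ;;
    AES256GCM:MAC)              echo HMAC_SHA256 ;;
    RSA2048:ASYMMETRIC_SIGN)    echo RSA_SIGN_PSS_2048_SHA256 ;;
    RSA3072:ASYMMETRIC_SIGN)    echo RSA_SIGN_PSS_3072_SHA256 ;;   # assumed
    RSA4096:ASYMMETRIC_SIGN)    echo RSA_SIGN_PSS_4096_SHA256 ;;   # assumed
    RSA2048:ASYMMETRIC_DECRYPT) echo RSA_DECRYPT_OAEP_2048_SHA256 ;;
    RSA3072:ASYMMETRIC_DECRYPT) echo RSA_DECRYPT_OAEP_3072_SHA256 ;; # assumed
    RSA4096:ASYMMETRIC_DECRYPT) echo RSA_DECRYPT_OAEP_4096_SHA256 ;; # assumed
    EC256:ASYMMETRIC_SIGN)      echo EC_SIGN_P256_SHA256 ;;
    EC384:ASYMMETRIC_SIGN)      echo EC_SIGN_P384_SHA384 ;;        # assumed
    *) echo "unsupported key type/purpose: $1 $2" >&2; return 1 ;;
  esac
}

# build_assoc_cmd KEY_NAME TARGET_NAME KEY_TYPE PURPOSE PROJECT_ID LOCATION_ID KEYRING_NAME
# Prints the CLI invocation without executing it; fails if the lookup fails.
build_assoc_cmd() {
  alg=$(gcp_kms_algorithm "$3" "$4") || return 1
  printf 'akeyless assoc-target-item --name %s --target-name %s --project-id %s --location-id %s --keyring-name %s --purpose %s --kms-algorithm %s\n' \
    "$1" "$2" "$5" "$6" "$7" "$4" "$alg"
}

# Constructed sample values for a dry run (placeholders, not real resources).
build_assoc_cmd /keys/app-signing gcp-kms-target RSA2048 ASYMMETRIC_SIGN my-gcp-project us-east1 akeyless-keyring
```

Keeping the lookup separate from the command builder lets the same check run in a CI step that reviews key definitions before anything is associated with the target, and the dry-run output is what an operator would paste into the Akeyless CLI once the values are confirmed.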