This topic describes how to retrieve the endorsement key (EKPub) from a Shielded VM instance.
You can retrieve the public endorsement key for both the encryption key and the signing key. You can use the encryption key to encrypt data so that only the vTPM can read it, or the signing key to verify signatures that the vTPM makes. You can also use the key to ascertain the identity of a VM instance before sending sensitive information to it.
You must have the getShieldedInstanceIdentity permission to retrieve endorsement keys.
Retrieving endorsement keys using the Google Cloud CLI
Use the gcloud compute instances get-shielded-identity command to retrieve the public portion of the endorsement key from a Shielded VM instance.
gcloud compute instances get-shielded-identity [INSTANCE_NAME]
The results returned look similar to the following:
encryptionKey:
  ekPub: |
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4ucWqhLjIkcEJyqc8KJM
    12345678abcdefghijklmnopqrstuvwxyz12345678abcdefghijklmnopqrstu
    oBSrm0swIu3x4LWR/Ebl5KA0EKe9YFGaS9Pguun1m6X8Ld2zAqmoIwnxDiOqxQEU
    mx2wxkjf0bbjxG5ZI1i3t/c/QzeaE2WWTlKdgnUDyxSloDBq63yywtoIrp1nbDLj
    X8qdBymixu8jXXp1iGwmEUltnEnx779JKTpKgKTEednri+NcfRmXHrnPCxfiPudQ
    4wIDAQAB
    -----END PUBLIC KEY-----
kind: compute#shieldedInstanceIdentity
signingKey:
  ekPub: |
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzQvcD+2LAnsXAgdsVYAc
    12345678abcdefghijklmnopqrstuvwxyz12345678abcdefghijklmnopqrstu
    V/7WHasUuGlkbqiDOuDWgb15FAn35PU64HGey67McZTUT9EvrkT/ryXi4kZgBtoM
    lQIDAQAB
    -----END PUBLIC KEY-----
Retrieving endorsement keys using the Compute Engine API
You can use the Compute Engine API to view endorsement key information. For more information on how to use the API, see the How-to guides.
GET /compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]/getShieldedInstanceIdentity
{
  "signingKey": {
    "ekPub": [PEM-formatted key]
  },
  "encryptionKey": {
    "ekPub": [PEM-formatted key]
  },
  "kind": "compute#shieldedInstanceIdentity"
}
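The following Python is an added example, not code from Google's documentation. Using only the standard library, it parses the identity document in the JSON shape shown above (the same structure gcloud emits with --format=json), computes a SHA-256 fingerprint of each PEM key, and checks the signing key against a fingerprint pinned earlier, which is the identity check to perform before sending sensitive data to an instance. The key bytes, instance name and zone are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import json
import subprocess

# Constructed stand-in for the DER SubjectPublicKeyInfo a real vTPM
# endorsement key would carry; it is NOT a real key.
SAMPLE_DER = b"constructed sample, not a real endorsement key"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM framing used by the ekPub field."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM framing and strictly decode the base64 body."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("not a PEM PUBLIC KEY block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def ek_fingerprint(pem: str) -> str:
    """SHA-256 over the DER public key: a stable value to pin per instance."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def parse_shielded_identity(doc: str) -> dict:
    """Parse a getShieldedInstanceIdentity body; reject other resource kinds."""
    body = json.loads(doc)
    if body.get("kind") != "compute#shieldedInstanceIdentity":
        raise ValueError("unexpected kind: %r" % body.get("kind"))
    return {name: body[name]["ekPub"] for name in ("encryptionKey", "signingKey")}


def verify_instance_identity(doc: str, expected_signing_fp: str) -> bool:
    """True only if the signing EK matches the pinned fingerprint (constant-time compare)."""
    keys = parse_shielded_identity(doc)
    return hmac.compare_digest(ek_fingerprint(keys["signingKey"]), expected_signing_fp)


def fetch_identity(instance: str, zone: str) -> str:
    """Fetch the identity via gcloud as JSON (same structure as the API response)."""
    return subprocess.check_output(
        ["gcloud", "compute", "instances", "get-shielded-identity", instance,
         "--zone", zone, "--format=json"], text=True)


# Constructed response in the documented shape; both keys reuse SAMPLE_DER.
SAMPLE_RESPONSE = json.dumps({
    "kind": "compute#shieldedInstanceIdentity",
    "encryptionKey": {"ekPub": der_to_pem(SAMPLE_DER)},
    "signingKey": {"ekPub": der_to_pem(SAMPLE_DER)},
})
```

Against a live instance, replace SAMPLE_RESPONSE with fetch_identity("my-instance", "us-central1-a") and pin the fingerprint recorded when the instance was first provisioned.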
What's next
- Learn about modifying options on a Shielded VM instance.
- Learn about one approach to automating responses to integrity monitoring events.