Hardware security modules API overview

The hardware security modules (HSM) API provides the resources that the Platform Administrator (PA) uses to control the security keys in their organization. Storage systems in Google Distributed Cloud Hosted (GDCH), such as Server Keys for disk encryption and storage data management software for block storage, create the keys and represent them as resources.

The PA views the keys, pulls their audit logs, and deletes them to erase data cryptographically. The PA cannot directly create keys. The storage systems create them as necessary.

GDCH encrypts all data at rest. It uses the HSM for all data at rest and all servers. Because you have access to the resource for keys, you can manage the keys that protect your data at rest. For more details on encryption in GDCH, see Encryption at rest.

Service endpoint and discovery document

Use the kubectl proxy command to access the following HSM API endpoint in your browser and obtain the discovery document for the KMS API:

https://GDCH_API_SERVER_ENDPOINT/apis/hsm.gdc.goog/v1

Replace GDCH_API_SERVER_ENDPOINT with the endpoint of the GDCH API server.

The kubectl proxy command opens a proxy to the Kubernetes API server on your local machine. When the command is running, access the document through the following URL:

http://127.0.0.1:8001/apis/hsm.gdc.goog/v1
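
With the proxy running, the discovery document can also be checked from a script to see which resources advertise delete verbs. This is an added example, not part of the GDCH documentation: it assumes the endpoint returns the standard Kubernetes APIResourceList JSON, and the resource names, kinds and verbs in the embedded sample are constructed placeholders.

```python
import json
import urllib.request

# URL from the page; only reachable while `kubectl proxy` is running.
DISCOVERY_URL = "http://127.0.0.1:8001/apis/hsm.gdc.goog/v1"
DESTRUCTIVE_VERBS = {"delete", "deletecollection"}

# Constructed sample in the Kubernetes APIResourceList shape. Resource names,
# kinds and verbs are placeholders, not the real contents of the HSM API.
SAMPLE = """{"kind": "APIResourceList", "apiVersion": "v1",
 "groupVersion": "hsm.gdc.goog/v1", "resources": [
  {"name": "examplekeys", "kind": "ExampleKey", "namespaced": true,
   "verbs": ["get", "list", "watch", "delete"]},
  {"name": "examplekeys/status", "kind": "ExampleKey", "namespaced": true,
   "verbs": ["get"]},
  {"name": "exampletenants", "kind": "ExampleTenant", "namespaced": false,
   "verbs": ["get", "list"]}]}"""

def load_sample():
    return json.loads(SAMPLE)

def fetch_discovery(url=DISCOVERY_URL, timeout=5):
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def summarize(doc, group_version="hsm.gdc.goog/v1"):
    """Map each top-level resource to the verbs the API server advertises.
    Discovery lists verbs the API supports, not what RBAC grants the caller."""
    if doc.get("kind") != "APIResourceList":
        raise ValueError("not a discovery document")
    if doc.get("groupVersion") != group_version:
        raise ValueError("unexpected groupVersion: %r" % doc.get("groupVersion"))
    out = {}
    for res in doc.get("resources", []):
        if "/" in res["name"]:  # skip subresources such as <name>/status
            continue
        out[res["name"]] = sorted(res.get("verbs", []))
    return out

def destructive(summary):
    """Resources that advertise delete or deletecollection."""
    return sorted(n for n, v in summary.items() if DESTRUCTIVE_VERBS & set(v))

if __name__ == "__main__":
    try:
        doc = fetch_discovery()
    except OSError:  # proxy not running: fall back to the constructed sample
        doc = load_sample()
    summary = summarize(doc)
    for name, verbs in summary.items():
        print(name, ",".join(verbs))
    print("advertise delete:", destructive(summary))
```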