Stay organized with collections
Save and categorize content based on your preferences.
The hardware security modules (HSM) API provides the resources that the
Platform Administrator (PA) uses to control the security keys in their organization.
Storage systems in Google Distributed Cloud (GDC) air-gapped, such as Server Keys for
disk encryption and storage data management software for block storage,
create the keys and represent them as resources.
The PA views the keys, pulls their audit logs, and deletes them to erase data
graphically. The PA cannot directly create keys. The storage systems create them
as necessary.
GDC encrypts all data at rest. It uses the HSM for all
data at rest and all servers. Because you have access to the resource for keys,
you can manage the keys that protect your data at rest. For more details on
encryption in GDC, see
Encryption at rest.
Service endpoint and discovery document
Use the kubectl proxy command to access the following HSM API endpoint in your
browser and obtain the discovery document for the KMS API:
Replace MANAGEMENT_API_SERVER_ENDPOINT with the endpoint of the
Management API server.
The kubectl proxy command opens a proxy to the Kubernetes API server on your
local machine. When the command is running, access the document through the
following URL:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[[["\u003cp\u003eThe HSM API enables Platform Administrators (PAs) to manage security keys within their organization, which are created by storage systems in Google Distributed Cloud (GDC).\u003c/p\u003e\n"],["\u003cp\u003ePAs can view keys, access audit logs, and delete keys via the HSM API, but they cannot directly create new keys as the storage systems manage key creation automatically.\u003c/p\u003e\n"],["\u003cp\u003eGDC encrypts all data at rest, using the HSM for all data and servers, and this resource access provides the PA with the ability to manage the keys that protect the data.\u003c/p\u003e\n"],["\u003cp\u003eDeleting keys results in the permanent loss of the associated data, therefore extreme caution is required when performing this action.\u003c/p\u003e\n"],["\u003cp\u003eThe HSM API endpoint can be accessed via the \u003ccode\u003ekubectl proxy\u003c/code\u003e command, enabling retrieval of the discovery document for the KMS API.\u003c/p\u003e\n"]]],[],null,["# Hardware security modules API overview\n\nThe hardware security modules (HSM) API provides the resources that the\nPlatform Administrator (PA) uses to control the security keys in their organization.\nStorage systems in Google Distributed Cloud (GDC) air-gapped, such as Server Keys for\ndisk encryption and storage data management software for block storage,\ncreate the keys and represent them as resources.\n\nThe PA views the keys, pulls their audit logs, and deletes them to erase data\ngraphically. The PA cannot directly create keys. The storage systems create them\nas necessary.\n| **Note:** After the storage systems create the keys, it might take a few minutes for them to appear in each resource.\n\nGDC encrypts all data at rest. It uses the HSM for all\ndata at rest and all servers. Because you have access to the resource for keys,\nyou can manage the keys that protect your data at rest. For more details on\nencryption in GDC, see\n[Encryption at rest](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/encryption-at-rest).\n| **Warning:** Deleting keys wipes out your entire data. Delete your keys with caution for the stability of the system.\n\nService endpoint and discovery document\n---------------------------------------\n\nUse the `kubectl proxy` command to access the following HSM API endpoint in your\nbrowser and obtain the discovery document for the KMS API: \n\n https://\u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER_ENDPOINT\u003c/var\u003e/apis/hsm.gdc.goog/v1\n\nReplace \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER_ENDPOINT\u003c/var\u003e with the endpoint of the\nManagement API server.\n\nThe `kubectl proxy` command opens a proxy to the Kubernetes API server on your\nlocal machine. When the command is running, access the document through the\nfollowing URL:\n\n`http://127.0.0.1:8001/apis/hsm.gdc.goog/v1`"]]
