The Key Management System (KMS) service centrally manages cryptographic keys and runs in the org admin cluster.
Supported keys
KMS supports the following keys for its data-plane operations:
| Key primitive | Key primitive (API) | Description | Default algorithm |
|---|---|---|---|
AEAD |
aeadkey |
The authenticated encryption with associated data (AEAD)
key that performs authenticated encryption using AES-256.The key's components represent the following:
|
AES_256_GCM |
Signing |
signingkey |
The signing key that provides asymmetric signing using elliptic curve
support. The key's components represent the following:
|
EC_SIGN_P384_SHA384 |
Root key types
The KMS uses root keys internally to encrypt key material before writing the material to the disk, and decrypts the material when reading from the disk. The KMS retrieves the root key for each operation.
The KMS supports a single root key per organization. The root key wraps all
non-root keys. Use the RootKeyID field on each key to
identify the root key.
See rotate a root key for more information about rotating root keys.
| Root Key Type | Root Key Type (API) | Description |
|---|---|---|
Local Root (default) |
kms.gdc.goog/local-root |
The root key cryptographic material is stored in the org admin cluster as a Kubernetes Secret. |