The Key Management System (KMS) service centrally manages cryptographic keys and runs in the Management API server.
This page is for audiences within the platform administrator group, such as IT admins or security engineers, who are responsible for managing and using cryptographic keys within Google Distributed Cloud (GDC) air-gapped. For more information, see Audiences for GDC air-gapped documentation.
Supported keys
KMS supports the following keys for its data-plane operations:
| Key primitive | Key primitive (API) | Description | Default algorithm |
|---|---|---|---|
AEAD |
aeadkey |
The authenticated encryption with associated data (AEAD)
key that performs authenticated encryption using AES-256.The key's components represent the following:
|
AES_256_GCM |
Signing |
signingkey |
The signing key that provides asymmetric signing using elliptic curve
support. The key's components represent the following:
|
EC_SIGN_P384_SHA384 |
Root key types
The KMS uses root keys internally to encrypt key material before writing the material to the disk, and decrypts the material when reading from the disk. The KMS retrieves the root key for each operation.
The KMS supports a single root key per organization, which is automatically
created when a KMS is deployed. The root key wraps all non-root keys. Use the
RootKeyID field on each key to identify the root key.
If your root key becomes compromised or for periodic rotation, you can rotate a root key. This process replaces the old root key with a new one, which becomes the primary key and wraps all non-root keys.
| Root Key Type | Root Key Type (API) | Description |
|---|---|---|
Local Root (default) |
kms.gdc.goog/local-root |
The root key cryptographic material is stored in the Management API
server as a Kubernetes Secret. |