이 빠른 시작에서는 소유한 프로젝트에서 Cloud Key Management Service로 암호화 키를 만들고 사용하는 방법을 보여줍니다. 이 안내에서는 Google Cloud 콘솔을 사용하여 Cloud KMS에 키링, 키, 키 버전을 만듭니다. 다른 방법을 사용하는 안내는 안내 가이드를 참조하세요.
이 빠른 시작 가이드에서는 명령줄을 사용하여 Cloud KMS API에 요청을 보냅니다. 클라이언트 라이브러리를 사용하여 요청을 Cloud KMS API에 보내는 프로그래밍 예는 암호화 및 복호화를 참조하세요.
시작하기 전에
Sign in to your Google Cloud account. If you're new to
Google Cloud,
create an account to evaluate how our products perform in
real-world scenarios. New customers also get $300 in free credits to
run, test, and deploy workloads.
In the Google Cloud console, on the project selector page,
select or create a Google Cloud project.
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["이해하기 어려움","hardToUnderstand","thumb-down"],["잘못된 정보 또는 샘플 코드","incorrectInformationOrSampleCode","thumb-down"],["필요한 정보/샘플이 없음","missingTheInformationSamplesINeed","thumb-down"],["번역 문제","translationIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-09-04(UTC)"],[],[],null,["Create encryption keys with Cloud KMS This quickstart shows you how to create and use encryption keys with\nCloud Key Management Service in a project you own. These instructions use the\nGoogle Cloud console to create key rings, keys, and key versions in\nCloud KMS. For instructions that use other methods,\nsee [Autokey overview](/kms/docs/autokey-overview), [Create a key\nring](/kms/docs/create-key-ring), and [Create a key](/kms/docs/create-key).\n\nThis quickstart uses the command line to send requests to the\nCloud KMS API. For programming examples that use the client\nlibraries to send requests to the Cloud KMS API, see [Encrypting\nand Decrypting](/kms/docs/encrypt-decrypt).\n\nBefore you begin\n\n- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Cloud KMS API.\n\n\n [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=cloudkms.googleapis.com&redirect=https://console.cloud.google.com)\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Cloud KMS API.\n\n\n [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=cloudkms.googleapis.com&redirect=https://console.cloud.google.com)\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n\n\u003cbr /\u003e\n\n| **Important:** This quickstart creates Cloud KMS resources such as key rings and keys. Once created, these resources cannot be deleted. For more information, see [Why can't I delete keys or key rings?](/kms/docs/faq#cannot_delete).\n\nKey rings and keys\n\nTo encrypt and decrypt content you will need a Cloud KMS key, which\nis part of a key ring.\n\nCreate a key ring named `test`, and a key named `quickstart`. Refer to the\n[object hierarchy overview](/kms/docs/object-hierarchy) for more\ninformation about these objects and how they are related. \n\n gcloud kms keyrings create \"test\" \\\n --location \"global\"\n\n gcloud kms keys create \"quickstart\" \\\n --location \"global\" \\\n --keyring \"test\" \\\n --purpose \"encryption\"\n\nYou can use the `list` option to view the name and metadata for the key that you\njust created. \n\n gcloud kms keys list \\\n --location \"global\" \\\n --keyring \"test\"\n\nYou should see: \n\n```\nNAME PURPOSE PRIMARY_STATE\nprojects/PROJECT_ID/locations/global/keyRings/test/cryptoKeys/quickstart ENCRYPT_DECRYPT ENABLED\n```\n\nEncrypt data\n\nNow that you have a key, you can use that key to encrypt text or binary\ncontent.\n\nStore some text to be encrypted in a file called \"mysecret.txt\". \n\n echo -n \"Some text to be encrypted\" \u003e mysecret.txt\n\nTo encrypt the data with `gcloud kms encrypt`, provide your key information,\nspecify the name of the plaintext file to encrypt, and specify the name of the\nfile that will contain the encrypted content: \n\n gcloud kms encrypt \\\n --location \"global\" \\\n --keyring \"test\" \\\n --key \"quickstart\" \\\n --plaintext-file ./mysecret.txt \\\n --ciphertext-file ./mysecret.txt.encrypted\n\nThe `encrypt` method saves your encrypted content in the file specified by the\n`--ciphertext-file` flag.\n\nDecrypt ciphertext\n\nTo decrypt the data with `gcloud kms decrypt`, provide your key information,\nspecify the name of the encrypted file (ciphertext file) to decrypt, and specify\nthe name of the file that will contain the decrypted content: \n\n gcloud kms decrypt \\\n --location \"global\" \\\n --keyring \"test\" \\\n --key \"quickstart\" \\\n --ciphertext-file ./mysecret.txt.encrypted \\\n --plaintext-file ./mysecret.txt.decrypted\n\nThe `decrypt` method saves your decrypted content in the file specified by the\n`--plaintext-file` flag.\n\nTo decrypt encrypted content, you must use the same key that was\nused to encrypt the content.\n\nClean up\n\n\nTo avoid incurring charges to your Google Cloud account for\nthe resources used on this page, follow these steps.\n\nList the versions available for your key: \n\n gcloud kms keys versions list \\\n --location \"global\" \\\n --keyring \"test\" \\\n --key \"quickstart\"\n\nTo destroy a version, run the following command, where `1` is the number\nof the key version that you want to destroy:\n**Important:** When you destroy a key version, you can no longer decrypt content that was encrypted using that version of the key. Make sure that you no longer need a key version before you destroy it. \n\n```\ngcloud kms keys versions destroy 1 \\\n --location \"global\" \\\n --keyring \"test\" \\\n --key \"quickstart\"\n```\n\nWhat's next\n\n- Start [using the API](/kms/docs/accessing-the-api).\n- Take a look at the [API Reference](/kms/docs/reference/rest).\n- Learn more about how to [encrypt data at\n rest](https://codelabs.developers.google.com/codelabs/encrypt-and-decrypt-data-with-cloud-kms)."]]
