Buat kunci

Halaman ini menunjukkan cara membuat kunci di Cloud KMS. Kunci dapat berupa kunci enkripsi simetris atau asimetris, kunci penandatanganan asimetris, atau kunci penandatanganan MAC.

Saat membuat kunci, Anda menambahkannya ke key ring di lokasi Cloud KMS tertentu. Anda dapat membuat ring kunci baru atau menggunakan ring kunci yang ada. Di halaman ini, Anda membuat kunci Cloud KMS atau Cloud HSM baru dan menambahkannya ke key ring yang ada. Untuk membuat kunci Cloud EKM, lihat Membuat kunci eksternal. Untuk mengimpor kunci Cloud KMS atau Cloud HSM, lihat Mengimpor kunci.

Sebelum memulai

Sebelum menyelesaikan tugas di halaman ini, Anda memerlukan hal berikut:

  1. Resource project Google Cloud untuk menyimpan resource Cloud KMS Anda. Sebaiknya gunakan project terpisah untuk resource Cloud KMS Anda yang tidak berisi resource Google Cloud lainnya.
  2. Nama dan lokasi key ring tempat Anda ingin membuat kunci. Pilih keychain di lokasi yang dekat dengan resource Anda yang lain dan mendukung tingkat perlindungan yang Anda pilih. Untuk melihat lokasi yang tersedia dan tingkat perlindungan yang didukungnya, lihat Lokasi Cloud KMS. Untuk membuat key ring, lihat Membuat key ring.
  3. Opsional: Untuk menggunakan gcloud CLI, siapkan lingkungan Anda.

    In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

Peran yang diperlukan

Untuk mendapatkan izin yang diperlukan untuk membuat kunci, minta administrator untuk memberi Anda peran IAM Cloud KMS Admin (roles/cloudkms.admin) di project atau resource induk. Untuk mengetahui informasi selengkapnya tentang cara memberikan peran, lihat Mengelola akses ke project, folder, dan organisasi.

Peran bawaan ini berisi izin yang diperlukan untuk membuat kunci. Untuk melihat izin yang benar-benar diperlukan, luaskan bagian Izin yang diperlukan:

Izin yang diperlukan

Izin berikut diperlukan untuk membuat kunci:

  • cloudkms.cryptoKeys.create
  • cloudkms.cryptoKeys.get
  • cloudkms.cryptoKeys.list
  • cloudkms.cryptoKeyVersions.create
  • cloudkms.cryptoKeyVersions.get
  • cloudkms.cryptoKeyVersions.list
  • cloudkms.keyRings.get
  • cloudkms.keyRings.list
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get
  • Untuk mengambil kunci publik: cloudkms.cryptoKeyVersions.viewPublicKey

Anda mungkin juga bisa mendapatkan izin ini dengan peran khusus atau peran bawaan lainnya.

Membuat kunci enkripsi simetris


  1. Di konsol Google Cloud, buka halaman Key Management.

    Buka Key Management

  2. Klik nama key ring yang akan Anda buat kunci.

  3. Klik Create key.

  4. Untuk Key name, masukkan nama untuk kunci Anda.

  5. Untuk Protection level, pilih Software atau HSM.

  6. Untuk Materi kunci, pilih Kunci yang dibuat.

  7. Untuk Tujuan, pilih Symmetric encrypt/decrypt.

  8. Setujui nilai default untuk Rotation period dan Starting on.

  9. Klik Buat.


Untuk menggunakan Cloud KMS di command line, pertama-tama Instal atau upgrade ke Google Cloud CLI versi terbaru.

gcloud kms keys create KEY_NAME \
    --keyring KEY_RING \
    --location LOCATION \
    --purpose "encryption" \
    --protection-level "PROTECTION_LEVEL"

Ganti kode berikut:

  • KEY_NAME: nama kunci.
  • KEY_RING: nama key ring yang berisi kunci.
  • LOCATION: lokasi Cloud KMS key ring.
  • PROTECTION_LEVEL: tingkat perlindungan yang akan digunakan untuk kunci—misalnya, software atau hsm. Anda dapat menghilangkan tanda --protection-level untuk kunci software.

Untuk mengetahui informasi tentang semua flag dan kemungkinan nilai, jalankan perintah dengan flag --help.


Untuk menjalankan kode ini, siapkan lingkungan pengembangan C# terlebih dahulu dan instal Cloud KMS C# SDK.

using Google.Cloud.Kms.V1;

public class CreateKeySymmetricEncryptDecryptSample
    public CryptoKey CreateKeySymmetricEncryptDecrypt(
      string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
      string id = "my-symmetric-encryption-key")
        // Create the client.
        KeyManagementServiceClient client = KeyManagementServiceClient.Create();

        // Build the parent key ring name.
        KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);

        // Build the key.
        CryptoKey key = new CryptoKey
            Purpose = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
            VersionTemplate = new CryptoKeyVersionTemplate
                Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.GoogleSymmetricEncryption,

        // Call the API.
        CryptoKey result = client.CreateCryptoKey(keyRingName, id, key);

        // Return the result.
        return result;


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Go terlebih dahulu, lalu instal Cloud KMS Go SDK.

import (

	kms "cloud.google.com/go/kms/apiv1"

// createKeySymmetricEncryptDecrypt creates a new symmetric encrypt/decrypt key
// on Cloud KMS.
func createKeySymmetricEncryptDecrypt(w io.Writer, parent, id string) error {
	// parent := "projects/my-project/locations/us-east1/keyRings/my-key-ring"
	// id := "my-symmetric-encryption-key"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	defer client.Close()

	// Build the request.
	req := &kmspb.CreateCryptoKeyRequest{
		Parent:      parent,
		CryptoKeyId: id,
		CryptoKey: &kmspb.CryptoKey{
			Purpose: kmspb.CryptoKey_ENCRYPT_DECRYPT,
			VersionTemplate: &kmspb.CryptoKeyVersionTemplate{
				Algorithm: kmspb.CryptoKeyVersion_GOOGLE_SYMMETRIC_ENCRYPTION,

	// Call the API.
	result, err := client.CreateCryptoKey(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to create key: %w", err)
	fmt.Fprintf(w, "Created key: %s\n", result.Name)
	return nil


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Java terlebih dahulu dan instal Cloud KMS Java SDK.

import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose;
import com.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm;
import com.google.cloud.kms.v1.CryptoKeyVersionTemplate;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRingName;
import java.io.IOException;

public class CreateKeySymmetricEncryptDecrypt {

  public void createKeySymmetricEncryptDecrypt() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String keyRingId = "my-key-ring";
    String id = "my-key";
    createKeySymmetricEncryptDecrypt(projectId, locationId, keyRingId, id);

  // Create a new key that is used for symmetric encryption and decryption.
  public void createKeySymmetricEncryptDecrypt(
      String projectId, String locationId, String keyRingId, String id) throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the parent name from the project, location, and key ring.
      KeyRingName keyRingName = KeyRingName.of(projectId, locationId, keyRingId);

      // Build the symmetric key to create.
      CryptoKey key =

      // Create the key.
      CryptoKey createdKey = client.createCryptoKey(keyRingName, id, key);
      System.out.printf("Created symmetric key %s%n", createdKey.getName());


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Node.js terlebih dahulu dan instal Cloud KMS Node.js SDK.

// TODO(developer): Uncomment these variables before running the sample.
// const projectId = 'my-project';
// const locationId = 'us-east1';
// const keyRingId = 'my-key-ring';
// const id = 'my-symmetric-encryption-key';

// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');

// Instantiates a client
const client = new KeyManagementServiceClient();

// Build the parent key ring name
const keyRingName = client.keyRingPath(projectId, locationId, keyRingId);

async function createKeySymmetricEncryptDecrypt() {
  const [key] = await client.createCryptoKey({
    parent: keyRingName,
    cryptoKeyId: id,
    cryptoKey: {
      purpose: 'ENCRYPT_DECRYPT',
      versionTemplate: {

  console.log(`Created symmetric key: ${key.name}`);
  return key;

return createKeySymmetricEncryptDecrypt();


Untuk menjalankan kode ini, pelajari terlebih dahulu cara menggunakan PHP di Google Cloud dan menginstal Cloud KMS PHP SDK.

use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\CreateCryptoKeyRequest;
use Google\Cloud\Kms\V1\CryptoKey;
use Google\Cloud\Kms\V1\CryptoKey\CryptoKeyPurpose;
use Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionAlgorithm;
use Google\Cloud\Kms\V1\CryptoKeyVersionTemplate;

function create_key_symmetric_encrypt_decrypt(
    string $projectId = 'my-project',
    string $locationId = 'us-east1',
    string $keyRingId = 'my-key-ring',
    string $id = 'my-symmetric-key'
): CryptoKey {
    // Create the Cloud KMS client.
    $client = new KeyManagementServiceClient();

    // Build the parent key ring name.
    $keyRingName = $client->keyRingName($projectId, $locationId, $keyRingId);

    // Build the key.
    $key = (new CryptoKey())
        ->setVersionTemplate((new CryptoKeyVersionTemplate())

    // Call the API.
    $createCryptoKeyRequest = (new CreateCryptoKeyRequest())
    $createdKey = $client->createCryptoKey($createCryptoKeyRequest);
    printf('Created symmetric key: %s' . PHP_EOL, $createdKey->getName());

    return $createdKey;


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Python terlebih dahulu dan instal Cloud KMS Python SDK.

from google.cloud import kms

def create_key_symmetric_encrypt_decrypt(
    project_id: str, location_id: str, key_ring_id: str, key_id: str
) -> kms.CryptoKey:
    Creates a new symmetric encryption/decryption key in Cloud KMS.

        project_id (string): Google Cloud project ID (e.g. 'my-project').
        location_id (string): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
        key_id (string): ID of the key to create (e.g. 'my-symmetric-key').

        CryptoKey: Cloud KMS key.


    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the parent key ring name.
    key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)

    # Build the key.
    purpose = kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
    algorithm = (
    key = {
        "purpose": purpose,
        "version_template": {
            "algorithm": algorithm,

    # Call the API.
    created_key = client.create_crypto_key(
        request={"parent": key_ring_name, "crypto_key_id": key_id, "crypto_key": key}
    print(f"Created symmetric key: {created_key.name}")
    return created_key


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Ruby terlebih dahulu, lalu instal Cloud KMS Ruby SDK.

# TODO(developer): uncomment these values before running the sample.
# project_id  = "my-project"
# location_id = "us-east1"
# key_ring_id = "my-key-ring"
# id          = "my-symmetric-key"

# Require the library.
require "google/cloud/kms"

# Create the client.
client = Google::Cloud::Kms.key_management_service

# Build the parent key ring name.
key_ring_name = client.key_ring_path project: project_id, location: location_id, key_ring: key_ring_id

# Build the key.
key = {
  purpose:          :ENCRYPT_DECRYPT,
  version_template: {

# Call the API.
created_key = client.create_crypto_key parent: key_ring_name, crypto_key_id: id, crypto_key: key
puts "Created symmetric key: #{created_key.name}"


Contoh ini menggunakan curl sebagai klien HTTP untuk menunjukkan penggunaan API. Untuk informasi selengkapnya tentang kontrol akses, lihat Mengakses Cloud KMS API.

Untuk membuat kunci, gunakan metode CryptoKey.create:

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys?crypto_key_id=KEY_NAME" \
    --request "POST" \
    --header "authorization: Bearer TOKEN" \
    --header "content-type: application/json" \
    --data '{"purpose": "ENCRYPT_DECRYPT", "versionTemplate": { "protectionLevel": "PROTECTION_LEVEL", "algorithm": "ALGORITHM" }}'

Ganti kode berikut:

  • PROJECT_ID: ID project yang berisi key ring.
  • LOCATION: lokasi Cloud KMS key ring.
  • KEY_RING: nama key ring yang berisi kunci.
  • KEY_NAME: nama kunci.
  • PROTECTION_LEVEL: tingkat perlindungan kunci—misalnya, SOFTWARE atau HSM.
  • ALGORITHM: algoritma penandatanganan HMAC—misalnya, HMAC_SHA256. Untuk melihat semua algoritma HMAC yang didukung, lihat Algoritma penandatanganan HMAC.

Membuat kunci enkripsi simetris dengan rotasi otomatis kustom

Saat membuat kunci, Anda dapat menentukan periode rotasi, yaitu waktu antara pembuatan otomatis versi kunci baru. Anda juga dapat menentukan waktu rotasi berikutnya secara independen, sehingga rotasi berikutnya terjadi lebih awal atau lebih lambat dari satu periode rotasi dari sekarang.


Saat Anda menggunakan konsol Google Cloud untuk membuat kunci, Cloud KMS akan menetapkan periode rotasi dan waktu rotasi berikutnya secara otomatis. Anda dapat memilih untuk menggunakan nilai default atau menentukan nilai yang berbeda.

Untuk menentukan periode rotasi dan waktu mulai yang berbeda, saat Anda membuat kunci, tetapi sebelum mengklik tombol Create:

  1. Untuk Periode rotasi kunci, pilih salah satu opsi.

  2. Untuk Mulai, pilih tanggal saat Anda ingin rotasi otomatis pertama terjadi. Anda dapat membiarkan Mulai pada pada nilai defaultnya untuk memulai rotasi otomatis pertama satu periode rotasi kunci sejak Anda membuat kunci.


Untuk menggunakan Cloud KMS di command line, pertama-tama Instal atau upgrade ke Google Cloud CLI versi terbaru.

gcloud kms keys create KEY_NAME \
    --keyring KEY_RING \
    --location LOCATION \
    --purpose "encryption" \
    --rotation-period ROTATION_PERIOD \
    --next-rotation-time NEXT_ROTATION_TIME

Ganti kode berikut:

  • KEY_NAME: nama kunci.
  • KEY_RING: nama key ring yang berisi kunci.
  • LOCATION: lokasi Cloud KMS key ring.
  • ROTATION_PERIOD: interval untuk memutar kunci—misalnya, 30d untuk memutar kunci setiap 30 hari. Periode rotasi harus minimal 1 hari dan maksimal 100 tahun. Untuk informasi selengkapnya, lihat CryptoKey.rotationPeriod.
  • NEXT_ROTATION_TIME: stempel waktu saat rotasi pertama selesai—misalnya, 2023-01-01T01:02:03. Anda dapat menghilangkan --next-rotation-time untuk menjadwalkan rotasi pertama selama satu periode rotasi sejak Anda menjalankan perintah. Untuk informasi selengkapnya, lihat CryptoKey.nextRotationTime.

Untuk mengetahui informasi tentang semua flag dan kemungkinan nilai, jalankan perintah dengan flag --help.


Untuk menjalankan kode ini, siapkan lingkungan pengembangan C# terlebih dahulu dan instal Cloud KMS C# SDK.

using Google.Cloud.Kms.V1;
using Google.Protobuf.WellKnownTypes;
using System;

public class CreateKeyRotationScheduleSample
    public CryptoKey CreateKeyRotationSchedule(
      string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
      string id = "my-key-with-rotation-schedule")
        // Create the client.
        KeyManagementServiceClient client = KeyManagementServiceClient.Create();

        // Build the parent key ring name.
        KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);

        // Build the key.
        CryptoKey key = new CryptoKey
            Purpose = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
            VersionTemplate = new CryptoKeyVersionTemplate
                Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.GoogleSymmetricEncryption,

            // Rotate the key every 30 days.
            RotationPeriod = new Duration
                Seconds = 60 * 60 * 24 * 30, // 30 days

            // Start the first rotation in 24 hours.
            NextRotationTime = new Timestamp
                Seconds = new DateTimeOffset(DateTime.UtcNow.AddHours(24)).ToUnixTimeSeconds(),

        // Call the API.
        CryptoKey result = client.CreateCryptoKey(keyRingName, id, key);

        // Return the result.
        return result;


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Go terlebih dahulu, lalu instal Cloud KMS Go SDK.

import (

	kms "cloud.google.com/go/kms/apiv1"

// createKeyRotationSchedule creates a key with a rotation schedule.
func createKeyRotationSchedule(w io.Writer, parent, id string) error {
	// name := "projects/my-project/locations/us-east1/keyRings/my-key-ring"
	// id := "my-key-with-rotation-schedule"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	defer client.Close()

	// Build the request.
	req := &kmspb.CreateCryptoKeyRequest{
		Parent:      parent,
		CryptoKeyId: id,
		CryptoKey: &kmspb.CryptoKey{
			Purpose: kmspb.CryptoKey_ENCRYPT_DECRYPT,
			VersionTemplate: &kmspb.CryptoKeyVersionTemplate{
				Algorithm: kmspb.CryptoKeyVersion_GOOGLE_SYMMETRIC_ENCRYPTION,

			// Rotate the key every 30 days
			RotationSchedule: &kmspb.CryptoKey_RotationPeriod{
				RotationPeriod: &durationpb.Duration{
					Seconds: int64(60 * 60 * 24 * 30), // 30 days

			// Start the first rotation in 24 hours
			NextRotationTime: &timestamppb.Timestamp{
				Seconds: time.Now().Add(24 * time.Hour).Unix(),

	// Call the API.
	result, err := client.CreateCryptoKey(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to create key: %w", err)
	fmt.Fprintf(w, "Created key: %s\n", result.Name)
	return nil


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Java terlebih dahulu dan instal Cloud KMS Java SDK.

import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose;
import com.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm;
import com.google.cloud.kms.v1.CryptoKeyVersionTemplate;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRingName;
import com.google.protobuf.Duration;
import com.google.protobuf.Timestamp;
import java.io.IOException;
import java.time.temporal.ChronoUnit;

public class CreateKeyRotationSchedule {

  public void createKeyRotationSchedule() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String keyRingId = "my-key-ring";
    String id = "my-key";
    createKeyRotationSchedule(projectId, locationId, keyRingId, id);

  // Create a new key that automatically rotates on a schedule.
  public void createKeyRotationSchedule(
      String projectId, String locationId, String keyRingId, String id) throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the parent name from the project, location, and key ring.
      KeyRingName keyRingName = KeyRingName.of(projectId, locationId, keyRingId);

      // Calculate the date 24 hours from now (this is used below).
      long tomorrow = java.time.Instant.now().plus(24, ChronoUnit.HOURS).getEpochSecond();

      // Build the key to create with a rotation schedule.
      CryptoKey key =

              // Rotate every 30 days.

              // Start the first rotation in 24 hours.

      // Create the key.
      CryptoKey createdKey = client.createCryptoKey(keyRingName, id, key);
      System.out.printf("Created key with rotation schedule %s%n", createdKey.getName());


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Node.js terlebih dahulu dan instal Cloud KMS Node.js SDK.

// TODO(developer): Uncomment these variables before running the sample.
// const projectId = 'my-project';
// const locationId = 'us-east1';
// const keyRingId = 'my-key-ring';
// const id = 'my-rotating-encryption-key';

// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');

// Instantiates a client
const client = new KeyManagementServiceClient();

// Build the parent key ring name
const keyRingName = client.keyRingPath(projectId, locationId, keyRingId);

async function createKeyRotationSchedule() {
  const [key] = await client.createCryptoKey({
    parent: keyRingName,
    cryptoKeyId: id,
    cryptoKey: {
      purpose: 'ENCRYPT_DECRYPT',
      versionTemplate: {

      // Rotate the key every 30 days.
      rotationPeriod: {
        seconds: 60 * 60 * 24 * 30,

      // Start the first rotation in 24 hours.
      nextRotationTime: {
        seconds: new Date().getTime() / 1000 + 60 * 60 * 24,

  console.log(`Created rotating key: ${key.name}`);
  return key;

return createKeyRotationSchedule();


Untuk menjalankan kode ini, pelajari terlebih dahulu cara menggunakan PHP di Google Cloud dan menginstal Cloud KMS PHP SDK.

use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\CreateCryptoKeyRequest;
use Google\Cloud\Kms\V1\CryptoKey;
use Google\Cloud\Kms\V1\CryptoKey\CryptoKeyPurpose;
use Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionAlgorithm;
use Google\Cloud\Kms\V1\CryptoKeyVersionTemplate;
use Google\Protobuf\Duration;
use Google\Protobuf\Timestamp;

function create_key_rotation_schedule(
    string $projectId = 'my-project',
    string $locationId = 'us-east1',
    string $keyRingId = 'my-key-ring',
    string $id = 'my-key-with-rotation-schedule'
): CryptoKey {
    // Create the Cloud KMS client.
    $client = new KeyManagementServiceClient();

    // Build the parent key ring name.
    $keyRingName = $client->keyRingName($projectId, $locationId, $keyRingId);

    // Build the key.
    $key = (new CryptoKey())
        ->setVersionTemplate((new CryptoKeyVersionTemplate())

        // Rotate the key every 30 days.
        ->setRotationPeriod((new Duration())
            ->setSeconds(60 * 60 * 24 * 30)

        // Start the first rotation in 24 hours.
        ->setNextRotationTime((new Timestamp())
            ->setSeconds(time() + 60 * 60 * 24)

    // Call the API.
    $createCryptoKeyRequest = (new CreateCryptoKeyRequest())
    $createdKey = $client->createCryptoKey($createCryptoKeyRequest);
    printf('Created key with rotation: %s' . PHP_EOL, $createdKey->getName());

    return $createdKey;


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Python terlebih dahulu dan instal Cloud KMS Python SDK.

import time

from google.cloud import kms

def create_key_rotation_schedule(
    project_id: str, location_id: str, key_ring_id: str, key_id: str
) -> kms.CryptoKey:
    Creates a new key in Cloud KMS that automatically rotates.

        project_id (string): Google Cloud project ID (e.g. 'my-project').
        location_id (string): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
        key_id (string): ID of the key to create (e.g. 'my-rotating-key').

        CryptoKey: Cloud KMS key.


    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the parent key ring name.
    key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)

    # Build the key.
    purpose = kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
    algorithm = (
    key = {
        "purpose": purpose,
        "version_template": {
            "algorithm": algorithm,
        # Rotate the key every 30 days.
        "rotation_period": {"seconds": 60 * 60 * 24 * 30},
        # Start the first rotation in 24 hours.
        "next_rotation_time": {"seconds": int(time.time()) + 60 * 60 * 24},

    # Call the API.
    created_key = client.create_crypto_key(
        request={"parent": key_ring_name, "crypto_key_id": key_id, "crypto_key": key}
    print(f"Created labeled key: {created_key.name}")
    return created_key


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Ruby terlebih dahulu, lalu instal Cloud KMS Ruby SDK.

# TODO(developer): uncomment these values before running the sample.
# project_id  = "my-project"
# location_id = "us-east1"
# key_ring_id = "my-key-ring"
# id          = "my-key-with-rotation"

# Require the library.
require "google/cloud/kms"

# Create the client.
client = Google::Cloud::Kms.key_management_service

# Build the parent key ring name.
key_ring_name = client.key_ring_path project: project_id, location: location_id, key_ring: key_ring_id

# Build the key.
key = {
  purpose:            :ENCRYPT_DECRYPT,
  version_template:   {

  # Rotate the key every 30 days.
  rotation_period:    {
    seconds: 60 * 60 * 24 * 30

  # Start the first rotation in 24 hours.
  next_rotation_time: {
    seconds: (Time.now + (60 * 60 * 24)).to_i

# Call the API.
created_key = client.create_crypto_key parent: key_ring_name, crypto_key_id: id, crypto_key: key
puts "Created rotating key: #{created_key.name}"


Contoh ini menggunakan curl sebagai klien HTTP untuk menunjukkan penggunaan API. Untuk informasi selengkapnya tentang kontrol akses, lihat Mengakses Cloud KMS API.

Untuk membuat kunci, gunakan metode CryptoKey.create:

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys?crypto_key_id=KEY_NAME" \
    --request "POST" \
    --header "authorization: Bearer TOKEN" \
    --header "content-type: application/json" \
    --data '{"purpose": "PURPOSE", "rotationPeriod": "ROTATION_PERIOD", "nextRotationTime": "NEXT_ROTATION_TIME"}'

Ganti kode berikut:

  • PURPOSE: tujuan kunci.
  • ROTATION_PERIOD: interval untuk memutar kunci—misalnya, 30d untuk memutar kunci setiap 30 hari. Periode rotasi harus minimal 1 hari dan maksimal 100 tahun. Untuk informasi selengkapnya, lihat CryptoKey.rotationPeriod.
  • NEXT_ROTATION_TIME: stempel waktu saat rotasi pertama selesai—misalnya, 2023-01-01T01:02:03. Untuk informasi selengkapnya, lihat CryptoKey.nextRotationTime.

Menetapkan durasi status 'dijadwalkan untuk dimusnahkan'

Secara default, versi kunci di Cloud KMS menghabiskan waktu 30 hari dalam status dijadwalkan untuk dihancurkan (DESTROY_SCHEDULED) sebelum dihancurkan. Status dijadwalkan untuk dihancurkan terkadang disebut sebagai status penghapusan sementara. Durasi versi kunci yang tetap berada dalam status ini dapat dikonfigurasi, dengan batasan berikut:

  • Anda hanya dapat menetapkan durasi selama pembuatan kunci.
  • Setelah ditentukan, durasi kunci tidak dapat diubah.
  • Durasi berlaku untuk semua versi kunci yang dibuat pada masa mendatang.
  • Durasi minimumnya adalah 24 jam untuk semua kunci, kecuali untuk kunci khusus impor yang memiliki durasi minimum 0.
  • Durasi maksimumnya adalah 120 hari.
  • Durasi defaultnya adalah 30 hari.

Organisasi Anda mungkin memiliki nilai durasi minimum yang dijadwalkan untuk dimusnahkan yang ditentukan oleh kebijakan organisasi. Untuk mengetahui informasi selengkapnya, lihat Mengontrol pemusnahan kunci.

Untuk membuat kunci yang menggunakan durasi kustom untuk status dijadwalkan untuk dihancurkan, gunakan langkah-langkah berikut:


  1. Di konsol Google Cloud, buka halaman Key Management.

    Buka Key Management

  2. Klik nama key ring yang akan Anda buat kunci.

  3. Klik Create key.

  4. Konfigurasikan setelan kunci untuk aplikasi Anda.

  5. Klik Setelan tambahan.

  6. Di Durasi status 'dijadwalkan untuk dihancurkan', pilih jumlah hari saat kunci akan tetap dijadwalkan untuk dihancurkan sebelum dihancurkan secara permanen.

  7. Klik Create key.


Untuk menggunakan Cloud KMS di command line, pertama-tama Instal atau upgrade ke Google Cloud CLI versi terbaru.

gcloud kms keys create KEY_NAME \
    --keyring KEY_RING \
    --location LOCATION \
    --purpose PURPOSE \
    --destroy-scheduled-duration DURATION

Ganti kode berikut:

  • KEY_NAME: nama kunci.
  • KEY_RING: nama key ring yang berisi kunci.
  • LOCATION: lokasi Cloud KMS key ring.
  • PURPOSE: tujuan kunci—misalnya, encryption.
  • DURATION: jumlah waktu yang diperlukan kunci untuk tetap berada dalam status dijadwalkan untuk dihancurkan sebelum dihancurkan secara permanen.

Untuk mengetahui informasi tentang semua flag dan kemungkinan nilai, jalankan perintah dengan flag --help.

Sebaiknya gunakan durasi default 30 hari untuk semua kunci, kecuali jika Anda memiliki persyaratan peraturan atau aplikasi tertentu yang memerlukan nilai yang berbeda.

Membuat kunci asimetris

Bagian berikut menunjukkan cara membuat kunci asimetris.

Membuat kunci dekripsi asimetris

Ikuti langkah-langkah berikut untuk membuat kunci dekripsi asimetris pada ring kunci dan lokasi yang ditentukan. Contoh ini dapat disesuaikan untuk menentukan level perlindungan atau algoritma yang berbeda. Untuk informasi selengkapnya dan nilai alternatif, lihat Algoritma dan Tingkat perlindungan.

Saat Anda pertama kali membuat kunci, versi kunci awal memiliki status Pembuatan tertunda. Saat status berubah menjadi Enabled, Anda dapat menggunakan kunci. Untuk mempelajari status versi kunci lebih lanjut, lihat Status versi kunci.


  1. Di konsol Google Cloud, buka halaman Key Management.

    Buka Key Management

  2. Klik nama key ring yang akan Anda buat kunci.

  3. Klik Create key.

  4. Untuk Key name, masukkan nama untuk kunci Anda.

  5. Untuk Protection level, pilih Software atau HSM.

  6. Untuk Materi kunci, pilih Kunci yang dibuat.

  7. Untuk Tujuan, pilih Dekripsi asimetris.

  8. Untuk Algorithm, pilih 3072 bit RSA - OAEP Padding - SHA256 Digest. Anda dapat mengubah nilai ini pada versi kunci mendatang.

  9. Klik Buat.


Untuk menggunakan Cloud KMS di command line, pertama-tama Instal atau upgrade ke Google Cloud CLI versi terbaru.

gcloud kms keys create KEY_NAME \
    --keyring KEY_RING \
    --location LOCATION \
    --purpose "asymmetric-encryption" \
    --default-algorithm "ALGORITHM"

Ganti kode berikut:

  • KEY_NAME: nama kunci.
  • KEY_RING: nama key ring yang berisi kunci.
  • LOCATION: lokasi Cloud KMS key ring.
  • ALGORITHM: algoritma yang akan digunakan untuk kunci—misalnya, rsa-decrypt-oaep-3072-sha256. Untuk daftar algoritma enkripsi asimetris yang didukung, lihat Algoritma enkripsi asimetris.

Untuk mengetahui informasi tentang semua flag dan kemungkinan nilai, jalankan perintah dengan flag --help.


Untuk menjalankan kode ini, siapkan lingkungan pengembangan C# terlebih dahulu dan instal Cloud KMS C# SDK.

using Google.Cloud.Kms.V1;
using Google.Protobuf.WellKnownTypes;

public class CreateKeyAsymmetricDecryptSample
    public CryptoKey CreateKeyAsymmetricDecrypt(
      string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
      string id = "my-asymmetric-encrypt-key")
        // Create the client.
        KeyManagementServiceClient client = KeyManagementServiceClient.Create();

        // Build the parent key ring name.
        KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);

        // Build the key.
        CryptoKey key = new CryptoKey
            Purpose = CryptoKey.Types.CryptoKeyPurpose.AsymmetricDecrypt,
            VersionTemplate = new CryptoKeyVersionTemplate
                Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.RsaDecryptOaep2048Sha256,

            // Optional: customize how long key versions should be kept before destroying.
            DestroyScheduledDuration = new Duration
                Seconds = 24 * 60 * 60,

        // Call the API.
        CryptoKey result = client.CreateCryptoKey(keyRingName, id, key);

        // Return the result.
        return result;


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Go terlebih dahulu, lalu instal Cloud KMS Go SDK.

import (

	kms "cloud.google.com/go/kms/apiv1"

// createKeyAsymmetricDecrypt creates a new asymmetric RSA encrypt/decrypt key
// pair where the private key is stored in Cloud KMS.
func createKeyAsymmetricDecrypt(w io.Writer, parent, id string) error {
	// parent := "projects/my-project/locations/us-east1/keyRings/my-key-ring"
	// id := "my-asymmetric-encryption-key"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	defer client.Close()

	// Build the request.
	req := &kmspb.CreateCryptoKeyRequest{
		Parent:      parent,
		CryptoKeyId: id,
		CryptoKey: &kmspb.CryptoKey{
			Purpose: kmspb.CryptoKey_ASYMMETRIC_DECRYPT,
			VersionTemplate: &kmspb.CryptoKeyVersionTemplate{
				Algorithm: kmspb.CryptoKeyVersion_RSA_DECRYPT_OAEP_2048_SHA256,

			// Optional: customize how long key versions should be kept before destroying.
			DestroyScheduledDuration: durationpb.New(24 * time.Hour),

	// Call the API.
	result, err := client.CreateCryptoKey(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to create key: %w", err)
	fmt.Fprintf(w, "Created key: %s\n", result.Name)
	return nil


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Java terlebih dahulu dan instal Cloud KMS Java SDK.

import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose;
import com.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm;
import com.google.cloud.kms.v1.CryptoKeyVersionTemplate;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRingName;
import com.google.protobuf.Duration;
import java.io.IOException;

public class CreateKeyAsymmetricDecrypt {

  public void createKeyAsymmetricDecrypt() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String keyRingId = "my-key-ring";
    String id = "my-asymmetric-decryption-key";
    createKeyAsymmetricDecrypt(projectId, locationId, keyRingId, id);

  // Create a new asymmetric key for the purpose of encrypting and decrypting
  // data.
  public void createKeyAsymmetricDecrypt(
      String projectId, String locationId, String keyRingId, String id) throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the parent name from the project, location, and key ring.
      KeyRingName keyRingName = KeyRingName.of(projectId, locationId, keyRingId);

      // Build the asymmetric key to create.
      CryptoKey key =

              // Optional: customize how long key versions should be kept before destroying.
              .setDestroyScheduledDuration(Duration.newBuilder().setSeconds(24 * 60 * 60))

      // Create the key.
      CryptoKey createdKey = client.createCryptoKey(keyRingName, id, key);
      System.out.printf("Created asymmetric key %s%n", createdKey.getName());


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Node.js terlebih dahulu dan instal Cloud KMS Node.js SDK.

// TODO(developer): Uncomment these variables before running the sample.
// const projectId = 'my-project';
// const locationId = 'us-east1';
// const keyRingId = 'my-key-ring';
// const id = 'my-asymmetric-decrypt-key';

// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');

// Instantiates a client
const client = new KeyManagementServiceClient();

// Build the parent key ring name
const keyRingName = client.keyRingPath(projectId, locationId, keyRingId);

async function createKeyAsymmetricDecrypt() {
  const [key] = await client.createCryptoKey({
    parent: keyRingName,
    cryptoKeyId: id,
    cryptoKey: {
      purpose: 'ASYMMETRIC_DECRYPT',
      versionTemplate: {
        algorithm: 'RSA_DECRYPT_OAEP_2048_SHA256',

      // Optional: customize how long key versions should be kept before
      // destroying.
      destroyScheduledDuration: {seconds: 60 * 60 * 24},

  console.log(`Created asymmetric key: ${key.name}`);
  return key;

return createKeyAsymmetricDecrypt();


Untuk menjalankan kode ini, pelajari terlebih dahulu cara menggunakan PHP di Google Cloud dan menginstal Cloud KMS PHP SDK.

use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\CreateCryptoKeyRequest;
use Google\Cloud\Kms\V1\CryptoKey;
use Google\Cloud\Kms\V1\CryptoKey\CryptoKeyPurpose;
use Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionAlgorithm;
use Google\Cloud\Kms\V1\CryptoKeyVersionTemplate;
use Google\Protobuf\Duration;

function create_key_asymmetric_decrypt(
    string $projectId = 'my-project',
    string $locationId = 'us-east1',
    string $keyRingId = 'my-key-ring',
    string $id = 'my-asymmetric-decrypt-key'
): CryptoKey {
    // Create the Cloud KMS client.
    $client = new KeyManagementServiceClient();

    // Build the parent key ring name.
    $keyRingName = $client->keyRingName($projectId, $locationId, $keyRingId);

    // Build the key.
    $key = (new CryptoKey())
        ->setVersionTemplate((new CryptoKeyVersionTemplate())

        // Optional: customize how long key versions should be kept before destroying.
        ->setDestroyScheduledDuration((new Duration())
            ->setSeconds(24 * 60 * 60)

    // Call the API.
    $createCryptoKeyRequest = (new CreateCryptoKeyRequest())
    $createdKey = $client->createCryptoKey($createCryptoKeyRequest);
    printf('Created asymmetric decryption key: %s' . PHP_EOL, $createdKey->getName());

    return $createdKey;


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Python terlebih dahulu dan instal Cloud KMS Python SDK.

import datetime

# Import the client library.
from google.cloud import kms
from google.protobuf import duration_pb2  # type: ignore

def create_key_asymmetric_decrypt(
    project_id: str, location_id: str, key_ring_id: str, key_id: str
) -> kms.CryptoKey:
    Creates a new asymmetric decryption key in Cloud KMS.

        project_id (string): Google Cloud project ID (e.g. 'my-project').
        location_id (string): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
        key_id (string): ID of the key to create (e.g. 'my-asymmetric-decrypt-key').

        CryptoKey: Cloud KMS key.


    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the parent key ring name.
    key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)

    # Build the key.
    purpose = kms.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT
    algorithm = (
    key = {
        "purpose": purpose,
        "version_template": {
            "algorithm": algorithm,
        # Optional: customize how long key versions should be kept before
        # destroying.
        "destroy_scheduled_duration": duration_pb2.Duration().FromTimedelta(

    # Call the API.
    created_key = client.create_crypto_key(
        request={"parent": key_ring_name, "crypto_key_id": key_id, "crypto_key": key}
    print(f"Created asymmetric decrypt key: {created_key.name}")
    return created_key


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Ruby terlebih dahulu, lalu instal Cloud KMS Ruby SDK.

# TODO(developer): uncomment these values before running the sample.
# project_id  = "my-project"
# location_id = "us-east1"
# key_ring_id = "my-key-ring"
# id          = "my-asymmetric-decrypt-key"

# Require the library.
require "google/cloud/kms"

# Create the client.
client = Google::Cloud::Kms.key_management_service

# Build the parent key ring name.
key_ring_name = client.key_ring_path project: project_id, location: location_id, key_ring: key_ring_id

# Build the key.
key = {
  purpose:          :ASYMMETRIC_DECRYPT,
  version_template: {
    algorithm: :RSA_DECRYPT_OAEP_2048_SHA256

  # Optional: customize how long key versions should be kept before destroying.
  destroy_scheduled_duration: {
    seconds: 24 * 60 * 60

# Call the API.
created_key = client.create_crypto_key parent: key_ring_name, crypto_key_id: id, crypto_key: key
puts "Created asymmetric decryption key: #{created_key.name}"


Contoh ini menggunakan curl sebagai klien HTTP untuk menunjukkan penggunaan API. Untuk informasi selengkapnya tentang kontrol akses, lihat Mengakses Cloud KMS API.

Buat kunci dekripsi asimetris dengan memanggil CryptoKey.create.

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys?crypto_key_id=KEY_NAME" \
    --request "POST" \
    --header "authorization: Bearer TOKEN" \
    --header "content-type: application/json" \
    --data '{"purpose": "ASYMMETRIC_DECRYPT", "versionTemplate": {"algorithm": "ALGORITHM"}}'

Ganti kode berikut:

  • PROJECT_ID: ID project yang berisi key ring.
  • LOCATION: lokasi Cloud KMS key ring.
  • KEY_RING: nama key ring yang berisi kunci.
  • KEY_NAME: nama kunci.
  • ALGORITHM: algoritma yang akan digunakan untuk kunci—misalnya, RSA_DECRYPT_OAEP_3072_SHA256. Untuk mengetahui daftar algoritma enkripsi asimetris yang didukung, lihat Algoritma enkripsi asimetris.

Membuat kunci penandatanganan asimetris

Ikuti langkah-langkah berikut untuk membuat kunci penandatanganan asimetris di key ring dan lokasi yang ditentukan. Contoh ini dapat disesuaikan untuk menentukan level perlindungan atau algoritma yang berbeda. Untuk informasi selengkapnya dan nilai alternatif, lihat Algoritma dan Tingkat perlindungan.

Saat Anda pertama kali membuat kunci, versi kunci awal memiliki status Pembuatan tertunda. Saat status berubah menjadi Enabled, Anda dapat menggunakan kunci. Untuk mempelajari status versi kunci lebih lanjut, lihat Status versi kunci.


  1. Di konsol Google Cloud, buka halaman Key Management.

    Buka Key Management

  2. Klik nama key ring yang akan Anda buat kunci.

  3. Klik Create key.

  4. Untuk Key name, masukkan nama untuk kunci Anda.

  5. Untuk Protection level, pilih Software atau HSM.

  6. Untuk Materi kunci, pilih Kunci yang dibuat.

  7. Untuk Tujuan, pilih Asymmetric sign.

  8. Untuk Algorithm, pilih Elliptic Curve P-256 - SHA256 Digest. Anda dapat mengubah nilai ini pada versi kunci mendatang.

  9. Klik Buat.


Untuk menggunakan Cloud KMS di command line, pertama-tama Instal atau upgrade ke Google Cloud CLI versi terbaru.

gcloud kms keys create KEY_NAME \
    --keyring KEY_RING \
    --location LOCATION \
    --purpose "asymmetric-signing" \
    --default-algorithm "ALGORITHM"

Ganti kode berikut:

  • KEY_NAME: nama kunci.
  • KEY_RING: nama key ring yang berisi kunci.
  • LOCATION: lokasi Cloud KMS key ring.
  • ALGORITHM: algoritma yang akan digunakan untuk kunci—misalnya, ec-sign-p256-sha256. Untuk mengetahui daftar algoritma yang didukung, lihat Algoritma penandatanganan asimetris.

Untuk mengetahui informasi tentang semua flag dan kemungkinan nilai, jalankan perintah dengan flag --help.


Untuk menjalankan kode ini, siapkan lingkungan pengembangan C# terlebih dahulu dan instal Cloud KMS C# SDK.

using Google.Cloud.Kms.V1;
using Google.Protobuf.WellKnownTypes;

public class CreateKeyAsymmetricSignSample
    public CryptoKey CreateKeyAsymmetricSign(
      string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
      string id = "my-asymmetric-signing-key")
        // Create the client.
        KeyManagementServiceClient client = KeyManagementServiceClient.Create();

        // Build the parent key ring name.
        KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);

        // Build the key.
        CryptoKey key = new CryptoKey
            Purpose = CryptoKey.Types.CryptoKeyPurpose.AsymmetricSign,
            VersionTemplate = new CryptoKeyVersionTemplate
                Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.RsaSignPkcs12048Sha256,

            // Optional: customize how long key versions should be kept before destroying.
            DestroyScheduledDuration = new Duration
                Seconds = 24 * 60 * 60,

        // Call the API.
        CryptoKey result = client.CreateCryptoKey(keyRingName, id, key);

        // Return the result.
        return result;


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Go terlebih dahulu, lalu instal Cloud KMS Go SDK.

import (

	kms "cloud.google.com/go/kms/apiv1"

// createKeyAsymmetricSign creates a new asymmetric RSA sign/verify key pair
// where the private key is stored in Cloud KMS.
func createKeyAsymmetricSign(w io.Writer, parent, id string) error {
	// parent := "projects/my-project/locations/us-east1/keyRings/my-key-ring"
	// id := "my-asymmetric-signing-key"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	defer client.Close()

	// Build the request.
	req := &kmspb.CreateCryptoKeyRequest{
		Parent:      parent,
		CryptoKeyId: id,
		CryptoKey: &kmspb.CryptoKey{
			Purpose: kmspb.CryptoKey_ASYMMETRIC_SIGN,
			VersionTemplate: &kmspb.CryptoKeyVersionTemplate{
				Algorithm: kmspb.CryptoKeyVersion_RSA_SIGN_PKCS1_2048_SHA256,

			// Optional: customize how long key versions should be kept before destroying.
			DestroyScheduledDuration: durationpb.New(24 * time.Hour),

	// Call the API.
	result, err := client.CreateCryptoKey(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to create key: %w", err)
	fmt.Fprintf(w, "Created key: %s\n", result.Name)
	return nil


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Java terlebih dahulu dan instal Cloud KMS Java SDK.

import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose;
import com.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm;
import com.google.cloud.kms.v1.CryptoKeyVersionTemplate;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRingName;
import com.google.protobuf.Duration;
import java.io.IOException;

public class CreateKeyAsymmetricSign {

  public void createKeyAsymmetricSign() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String keyRingId = "my-key-ring";
    String id = "my-asymmetric-signing-key";
    createKeyAsymmetricSign(projectId, locationId, keyRingId, id);

  // Create a new asymmetric key for the purpose of signing and verifying data.
  public void createKeyAsymmetricSign(
      String projectId, String locationId, String keyRingId, String id) throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the parent name from the project, location, and key ring.
      KeyRingName keyRingName = KeyRingName.of(projectId, locationId, keyRingId);

      // Build the asymmetric key to create.
      CryptoKey key =

              // Optional: customize how long key versions should be kept before destroying.
              .setDestroyScheduledDuration(Duration.newBuilder().setSeconds(24 * 60 * 60))

      // Create the key.
      CryptoKey createdKey = client.createCryptoKey(keyRingName, id, key);
      System.out.printf("Created asymmetric key %s%n", createdKey.getName());


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Node.js terlebih dahulu dan instal Cloud KMS Node.js SDK.

// TODO(developer): Uncomment these variables before running the sample.
// const projectId = 'my-project';
// const locationId = 'us-east1';
// const keyRingId = 'my-key-ring';
// const id = 'my-asymmetric-sign-key';

// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');

// Instantiates a client
const client = new KeyManagementServiceClient();

// Build the parent key ring name
const keyRingName = client.keyRingPath(projectId, locationId, keyRingId);

async function createKeyAsymmetricSign() {
  const [key] = await client.createCryptoKey({
    parent: keyRingName,
    cryptoKeyId: id,
    cryptoKey: {
      purpose: 'ASYMMETRIC_SIGN',
      versionTemplate: {
        algorithm: 'RSA_SIGN_PKCS1_2048_SHA256',

      // Optional: customize how long key versions should be kept before
      // destroying.
      destroyScheduledDuration: {seconds: 60 * 60 * 24},

  console.log(`Created asymmetric key: ${key.name}`);
  return key;

return createKeyAsymmetricSign();


Untuk menjalankan kode ini, pelajari terlebih dahulu cara menggunakan PHP di Google Cloud dan menginstal Cloud KMS PHP SDK.

use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\CreateCryptoKeyRequest;
use Google\Cloud\Kms\V1\CryptoKey;
use Google\Cloud\Kms\V1\CryptoKey\CryptoKeyPurpose;
use Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionAlgorithm;
use Google\Cloud\Kms\V1\CryptoKeyVersionTemplate;
use Google\Protobuf\Duration;

function create_key_asymmetric_sign(
    string $projectId = 'my-project',
    string $locationId = 'us-east1',
    string $keyRingId = 'my-key-ring',
    string $id = 'my-asymmetric-signing-key'
): CryptoKey {
    // Create the Cloud KMS client.
    $client = new KeyManagementServiceClient();

    // Build the parent key ring name.
    $keyRingName = $client->keyRingName($projectId, $locationId, $keyRingId);

    // Build the key.
    $key = (new CryptoKey())
        ->setVersionTemplate((new CryptoKeyVersionTemplate())

        // Optional: customize how long key versions should be kept before destroying.
        ->setDestroyScheduledDuration((new Duration())
            ->setSeconds(24 * 60 * 60)

    // Call the API.
    $createCryptoKeyRequest = (new CreateCryptoKeyRequest())
    $createdKey = $client->createCryptoKey($createCryptoKeyRequest);
    printf('Created asymmetric signing key: %s' . PHP_EOL, $createdKey->getName());

    return $createdKey;


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Python terlebih dahulu dan instal Cloud KMS Python SDK.

import datetime

# Import the client library.
from google.cloud import kms
from google.protobuf import duration_pb2  # type: ignore

def create_key_asymmetric_sign(
    project_id: str, location_id: str, key_ring_id: str, key_id: str
) -> kms.CryptoKey:
    Creates a new asymmetric signing key in Cloud KMS.

        project_id (string): Google Cloud project ID (e.g. 'my-project').
        location_id (string): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
        key_id (string): ID of the key to create (e.g. 'my-asymmetric-signing-key').

        CryptoKey: Cloud KMS key.


    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the parent key ring name.
    key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)

    # Build the key.
    purpose = kms.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN
    algorithm = (
    key = {
        "purpose": purpose,
        "version_template": {
            "algorithm": algorithm,
        # Optional: customize how long key versions should be kept before
        # destroying.
        "destroy_scheduled_duration": duration_pb2.Duration().FromTimedelta(

    # Call the API.
    created_key = client.create_crypto_key(
        request={"parent": key_ring_name, "crypto_key_id": key_id, "crypto_key": key}
    print(f"Created asymmetric signing key: {created_key.name}")
    return created_key


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Ruby terlebih dahulu, lalu instal Cloud KMS Ruby SDK.

# TODO(developer): uncomment these values before running the sample.
# project_id  = "my-project"
# location_id = "us-east1"
# key_ring_id = "my-key-ring"
# id          = "my-asymmetric-signing-key"

# Require the library.
require "google/cloud/kms"

# Create the client.
client = Google::Cloud::Kms.key_management_service

# Build the parent key ring name.
key_ring_name = client.key_ring_path project: project_id, location: location_id, key_ring: key_ring_id

# Build the key.
key = {
  purpose:          :ASYMMETRIC_SIGN,
  version_template: {
    algorithm: :RSA_SIGN_PKCS1_2048_SHA256

  # Optional: customize how long key versions should be kept before destroying.
  destroy_scheduled_duration: {
    seconds: 24 * 60 * 60

# Call the API.
created_key = client.create_crypto_key parent: key_ring_name, crypto_key_id: id, crypto_key: key
puts "Created asymmetric signing key: #{created_key.name}"


Contoh ini menggunakan curl sebagai klien HTTP untuk menunjukkan penggunaan API. Untuk informasi selengkapnya tentang kontrol akses, lihat Mengakses Cloud KMS API.

Buat kunci penandatanganan asimetris dengan memanggil CryptoKey.create.

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys?crypto_key_id=KEY_NAME" \
    --request "POST" \
    --header "authorization: Bearer TOKEN" \
    --header "content-type: application/json" \
    --data '{"purpose": "ASYMMETRIC_SIGN", "versionTemplate": {"algorithm": "ALGORITHM"}}'

Ganti kode berikut:

  • PROJECT_ID: ID project yang berisi key ring.
  • LOCATION: lokasi Cloud KMS key ring.
  • KEY_RING: nama key ring yang berisi kunci.
  • KEY_NAME: nama kunci.
  • ALGORITHM: algoritma yang akan digunakan untuk kunci—misalnya, EC_SIGN_P256_SHA256. Untuk mengetahui daftar algoritma yang didukung, lihat Algoritma penandatanganan assimetris.

Mengambil kunci publik

Saat Anda membuat kunci asimetris, Cloud KMS akan membuat pasangan kunci publik/pribadi. Anda dapat mengambil kunci publik kunci asimetris yang diaktifkan kapan saja setelah kunci dibuat.

Kunci publik dalam format Privacy-enhanced Electronic Mail (PEM). Untuk mengetahui informasi selengkapnya, lihat bagian RFC 7468 Pertimbangan Umum dan Encoding Teks Info Kunci Publik Subjek.

Untuk mendownload kunci publik untuk versi kunci asimetris yang ada, ikuti langkah-langkah berikut:


  1. Di konsol Google Cloud, buka halaman Key Management.

    Buka Key Management

  2. Klik nama key ring yang berisi kunci asimetris yang kunci publiknya ingin Anda ambil.

  3. Klik nama kunci yang kunci publiknya ingin Anda ambil.

  4. Pada baris yang sesuai dengan versi kunci yang kunci publiknya ingin Anda ambil, klik Lihat Selengkapnya .

  5. Klik Dapatkan kunci publik.

  6. Kunci publik ditampilkan di perintah. Anda dapat menyalin kunci publik ke papan klip. Untuk mendownload kunci publik, klik Download.

Jika Anda tidak melihat opsi Dapatkan kunci publik, verifikasi hal berikut:

  • Kunci ini adalah kunci asimetris.
  • Versi kunci diaktifkan.
  • Anda memiliki izin cloudkms.cryptoKeyVersions.viewPublicKey.

Nama file kunci publik yang didownload dari konsol Google Cloud memiliki format:


Setiap bagian nama file dipisahkan dengan tanda hubung, misalnya ringname-keyname-version.pub


Untuk menggunakan Cloud KMS di command line, pertama-tama Instal atau upgrade ke Google Cloud CLI versi terbaru.

gcloud kms keys versions get-public-key KEY_VERSION \
    --key KEY_NAME \
    --keyring KEY_RING \
    --location LOCATION \
    --public-key-format PUBLIC_KEY_FORMAT \
    --output-file OUTPUT_FILE_PATH

Ganti kode berikut:

  • KEY_VERSION: nomor versi kunci.
  • KEY_NAME: nama kunci.
  • KEY_RING: nama key ring yang berisi kunci.
  • LOCATION: lokasi Cloud KMS key ring.
  • PUBLIC_KEY_FORMAT: format yang ingin Anda gunakan untuk mengekspor kunci publik. Untuk algoritma PQC (Pratinjau), gunakan nist-pqc. Untuk semua kunci lainnya, Anda dapat menggunakan pem atau menghilangkan parameter ini.
  • OUTPUT_FILE_PATH: jalur tempat Anda ingin menyimpan file kunci publik—misalnya, public-key.pub.

Untuk mengetahui informasi tentang semua flag dan kemungkinan nilai, jalankan perintah dengan flag --help.


Untuk menjalankan kode ini, siapkan lingkungan pengembangan C# terlebih dahulu dan instal Cloud KMS C# SDK.

using Google.Cloud.Kms.V1;

public class GetPublicKeySample
    public PublicKey GetPublicKey(string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring", string keyId = "my-key", string keyVersionId = "123")
        // Create the client.
        KeyManagementServiceClient client = KeyManagementServiceClient.Create();

        // Build the key version name.
        CryptoKeyVersionName keyVersionName = new CryptoKeyVersionName(projectId, locationId, keyRingId, keyId, keyVersionId);

        // Call the API.
        PublicKey result = client.GetPublicKey(keyVersionName);

        // Return the ciphertext.
        return result;


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Go terlebih dahulu, lalu instal Cloud KMS Go SDK.

import (

	kms "cloud.google.com/go/kms/apiv1"

// getPublicKey retrieves the public key from an asymmetric key pair on
// Cloud KMS.
func getPublicKey(w io.Writer, name string) error {
	// name := "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key/cryptoKeyVersions/123"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	defer client.Close()

	// Build the request.
	req := &kmspb.GetPublicKeyRequest{
		Name: name,

	// Call the API.
	result, err := client.GetPublicKey(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to get public key: %w", err)

	// The 'Pem' field is the raw string representation of the public key.
	// Convert 'Pem' into bytes for further processing.
	key := []byte(result.Pem)

	// Optional, but recommended: perform integrity verification on result.
	// For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:
	// https://cloud.google.com/kms/docs/data-integrity-guidelines
	crc32c := func(data []byte) uint32 {
		t := crc32.MakeTable(crc32.Castagnoli)
		return crc32.Checksum(data, t)
	if int64(crc32c(key)) != result.PemCrc32C.Value {
		return fmt.Errorf("getPublicKey: response corrupted in-transit")

	// Optional - parse the public key. This transforms the string key into a Go
	// PublicKey.
	block, _ := pem.Decode(key)
	publicKey, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("failed to parse public key: %w", err)
	fmt.Fprintf(w, "Retrieved public key: %v\n", publicKey)
	return nil


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Java terlebih dahulu dan instal Cloud KMS Java SDK.

import com.google.cloud.kms.v1.CryptoKeyVersionName;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.PublicKey;
import java.io.IOException;
import java.security.GeneralSecurityException;

public class GetPublicKey {

  public void getPublicKey() throws IOException, GeneralSecurityException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String keyRingId = "my-key-ring";
    String keyId = "my-key";
    String keyVersionId = "123";
    getPublicKey(projectId, locationId, keyRingId, keyId, keyVersionId);

  // Get the public key associated with an asymmetric key.
  public void getPublicKey(
      String projectId, String locationId, String keyRingId, String keyId, String keyVersionId)
      throws IOException, GeneralSecurityException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the key version name from the project, location, key ring, key,
      // and key version.
      CryptoKeyVersionName keyVersionName =
          CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);

      // Get the public key.
      PublicKey publicKey = client.getPublicKey(keyVersionName);
      System.out.printf("Public key: %s%n", publicKey.getPem());


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Node.js terlebih dahulu dan instal Cloud KMS Node.js SDK.

// TODO(developer): Uncomment these variables before running the sample.
// const projectId = 'my-project';
// const locationId = 'us-east1';
// const keyRingId = 'my-key-ring';
// const keyId = 'my-key';

// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');

// Instantiates a client
const client = new KeyManagementServiceClient();

// Build the key version name
const versionName = client.cryptoKeyVersionPath(

async function getPublicKey() {
  const [publicKey] = await client.getPublicKey({
    name: versionName,

  // Optional, but recommended: perform integrity verification on publicKey.
  // For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:
  // https://cloud.google.com/kms/docs/data-integrity-guidelines
  const crc32c = require('fast-crc32c');
  if (publicKey.name !== versionName) {
    throw new Error('GetPublicKey: request corrupted in-transit');
  if (crc32c.calculate(publicKey.pem) !== Number(publicKey.pemCrc32c.value)) {
    throw new Error('GetPublicKey: response corrupted in-transit');

  console.log(`Public key pem: ${publicKey.pem}`);

  return publicKey;

return getPublicKey();


Untuk menjalankan kode ini, pelajari terlebih dahulu cara menggunakan PHP di Google Cloud dan menginstal Cloud KMS PHP SDK.

use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\GetPublicKeyRequest;

function get_public_key(
    string $projectId = 'my-project',
    string $locationId = 'us-east1',
    string $keyRingId = 'my-key-ring',
    string $keyId = 'my-key',
    string $versionId = '123'
) {
    // Create the Cloud KMS client.
    $client = new KeyManagementServiceClient();

    // Build the key version name.
    $keyVersionName = $client->cryptoKeyVersionName($projectId, $locationId, $keyRingId, $keyId, $versionId);

    // Call the API.
    $getPublicKeyRequest = (new GetPublicKeyRequest())
    $publicKey = $client->getPublicKey($getPublicKeyRequest);
    printf('Public key: %s' . PHP_EOL, $publicKey->getPem());

    return $publicKey;


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Python terlebih dahulu dan instal Cloud KMS Python SDK.

from google.cloud import kms

def get_public_key(
    project_id: str, location_id: str, key_ring_id: str, key_id: str, version_id: str
) -> kms.PublicKey:
    Get the public key for an asymmetric key.

        project_id (string): Google Cloud project ID (e.g. 'my-project').
        location_id (string): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
        key_id (string): ID of the key to use (e.g. 'my-key').
        version_id (string): ID of the key to use (e.g. '1').

        PublicKey: Cloud KMS public key response.


    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key version name.
    key_version_name = client.crypto_key_version_path(
        project_id, location_id, key_ring_id, key_id, version_id

    # Call the API.
    public_key = client.get_public_key(request={"name": key_version_name})

    # Optional, but recommended: perform integrity verification on public_key.
    # For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:
    # https://cloud.google.com/kms/docs/data-integrity-guidelines
    if not public_key.name == key_version_name:
        raise Exception("The request sent to the server was corrupted in-transit.")
    # See crc32c() function defined below.
    if not public_key.pem_crc32c == crc32c(public_key.pem.encode("utf-8")):
        raise Exception(
            "The response received from the server was corrupted in-transit."
    # End integrity verification

    print(f"Public key: {public_key.pem}")
    return public_key

def crc32c(data: bytes) -> int:
    Calculates the CRC32C checksum of the provided data.
        data: the bytes over which the checksum should be calculated.
        An int representing the CRC32C checksum of the provided bytes.
    import crcmod  # type: ignore

    crc32c_fun = crcmod.predefined.mkPredefinedCrcFun("crc-32c")
    return crc32c_fun(data)


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Ruby terlebih dahulu, lalu instal Cloud KMS Ruby SDK.

# TODO(developer): uncomment these values before running the sample.
# project_id  = "my-project"
# location_id = "us-east1"
# key_ring_id = "my-key-ring"
# key_id      = "my-key"
# version_id  = "123"

# Require the library.
require "google/cloud/kms"

# Create the client.
client = Google::Cloud::Kms.key_management_service

# Build the key version name.
key_version_name = client.crypto_key_version_path project:            project_id,
                                                  location:           location_id,
                                                  key_ring:           key_ring_id,
                                                  crypto_key:         key_id,
                                                  crypto_key_version: version_id

# Call the API.
public_key = client.get_public_key name: key_version_name
puts "Public key: #{public_key.pem}"


Contoh ini menggunakan curl sebagai klien HTTP untuk menunjukkan penggunaan API. Untuk informasi selengkapnya tentang kontrol akses, lihat Mengakses Cloud KMS API.

Ambil kunci publik dengan memanggil metode CryptoKeyVersions.getPublicKey.

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME/cryptoKeyVersions/KEY_VERSION/publicKey?public_key_format=PUBLIC_KEY_FORMAT" \
    --request "GET" \
    --header "authorization: Bearer TOKEN"

Ganti kode berikut:

  • PROJECT_ID: ID project yang berisi key ring.
  • LOCATION: lokasi Cloud KMS key ring.
  • KEY_RING: nama key ring yang berisi kunci.
  • KEY_NAME: nama kunci.
  • KEY_VERSION: nomor versi kunci.
  • PUBLIC_KEY_FORMAT: format yang ingin Anda gunakan untuk mengekspor kunci publik. Untuk algoritma PQC (Pratinjau), gunakan NIST_PQC. Untuk semua kunci lainnya, Anda dapat menggunakan PEM atau menghilangkan parameter ini.

Jika format kunci publik dihilangkan untuk kunci non-PQC, outputnya akan mirip dengan hal berikut:

  "pem": "-----BEGIN PUBLIC KEY-----\nQ29uZ3JhdHVsYXRpb25zLCB5b3UndmUgZGlzY292ZX
          ZSBkYXkgOik=\n-----END PUBLIC KEY-----\n",
  "algorithm": "ALGORITHM",
  "pemCrc32c": "2561089887",
  "name": "projects/PROJECT_ID/locations/LOCATION/keyRings/
  "protectionLevel": "PROTECTION_LEVEL"

Untuk algoritma PQC dengan format kunci publik NIST_PQC, output-nya mirip dengan berikut:

  "publicKeyFormat": "NIST_PQC",
  "publicKey": {
    "crc32cChecksum": "1985843562",
    "data": "kdcOIrFCC5kN8S4i0+R+AoSc9gYIJ9jEQ6zG235ZmCQ="
  "algorithm": "ALGORITHM",
  "name": "projects/PROJECT_ID/locations/LOCATION/keyRings/
  "protectionLevel": "PROTECTION_LEVEL"

Mengonversi kunci publik ke format JWK

Cloud KMS memungkinkan Anda mengambil kunci publik dalam format PEM. Beberapa aplikasi mungkin memerlukan format kunci lain seperti Kunci Web JSON (JWK). Untuk informasi selengkapnya tentang format JWK, lihat RFC 7517.

Untuk mengonversi kunci publik ke format JWK, ikuti langkah-langkah berikut:


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Go terlebih dahulu, lalu instal Cloud KMS Go SDK.

import (

	kms "cloud.google.com/go/kms/apiv1"

// getPublicKeyJwk retrieves the public key from an asymmetric key pair on Cloud KMS.
func getPublicKeyJwk(w io.Writer, cryptoKeyVersionName string) error {
	// name := "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key/cryptoKeyVersions/123"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	defer client.Close()

	// Build the request.
	req := &kmspb.GetPublicKeyRequest{
		Name: cryptoKeyVersionName,

	// Call the API to get the public key.
	result, err := client.GetPublicKey(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to get public key: %w", err)

	// The 'Pem' field is the raw string representation of the public key.
	// Convert 'Pem' into bytes for further processing.
	key := []byte(result.Pem)

	// Optional, but recommended: perform integrity verification on result.
	// For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:
	// https://cloud.google.com/kms/docs/data-integrity-guidelines
	crc32c := func(data []byte) uint32 {
		t := crc32.MakeTable(crc32.Castagnoli)
		return crc32.Checksum(data, t)
	if int64(crc32c(key)) != result.PemCrc32C.Value {
		return fmt.Errorf("getPublicKey: response corrupted in-transit")

	// Optional - parse the public key.
	// This transforms the string key into a Go PublicKey.
	block, _ := pem.Decode(key)
	_, err = x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("failed to parse public key: %w", err)

	// If all above checks pass, convert it into JWK format.
	jwkKey, err := jwk.ParseKey(key, jwk.WithPEM(true))
	if err != nil {
		return fmt.Errorf("Failed to parse the PEM public key: %w", err)

	fmt.Fprintf(w, "The public key in JWK format: ")
	return nil


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Java terlebih dahulu dan instal Cloud KMS Java SDK.

import com.google.cloud.kms.v1.CryptoKeyVersionName;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.PublicKey;
// NOTE: The library nimbusds is NOT endorsed for anything beyond conversion to JWK.
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.JWK;
import java.io.IOException;
import java.security.GeneralSecurityException;

public class ConvertPublicKeyToJwk {

  public void convertPublicKey() throws IOException, GeneralSecurityException, JOSEException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String keyRingId = "my-key-ring";
    String keyId = "my-key";
    String keyVersionId = "123";
    convertPublicKey(projectId, locationId, keyRingId, keyId, keyVersionId);

  // (Get and) Convert the public key associated with an asymmetric key.
  public void convertPublicKey(
      String projectId, String locationId, String keyRingId, String keyId, String keyVersionId)
      throws IOException, GeneralSecurityException, JOSEException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the key version name from the project, location, key ring, key,
      // and key version.
      CryptoKeyVersionName keyVersionName =
          CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);

      // Get the public key and convert it to JWK format.
      PublicKey publicKey = client.getPublicKey(keyVersionName);
      JWK jwk = JWK.parseFromPEMEncodedObjects(publicKey.getPem());


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Python terlebih dahulu dan instal Cloud KMS Python SDK.

from google.cloud import kms
from jwcrypto import jwk

def get_public_key_jwk(
    project_id: str, location_id: str, key_ring_id: str, key_id: str, version_id: str
) -> kms.PublicKey:
    Get the public key of an asymmetric key in JWK format.

        project_id (string): Google Cloud project ID (e.g. 'my-project').
        location_id (string): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
        key_id (string): ID of the key to use (e.g. 'my-key').
        version_id (string): ID of the key to use (e.g. '1').

        PublicKey: Cloud KMS public key response.


    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key version name.
    key_version_name = client.crypto_key_version_path(
        project_id, location_id, key_ring_id, key_id, version_id

    # Call the API.
    public_key = client.get_public_key(request={"name": key_version_name})

    # Optional, but recommended: perform integrity verification on public_key.
    # For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:
    # https://cloud.google.com/kms/docs/data-integrity-guidelines
    if not public_key.name == key_version_name:
        raise Exception("The request sent to the server was corrupted in-transit.")
    # See crc32c() function defined below.
    if not public_key.pem_crc32c == crc32c(public_key.pem.encode("utf-8")):
        raise Exception(
            "The response received from the server was corrupted in-transit."
    # End integrity verification

    # Convert to JWK format.
    jwk_key = jwk.JWK.from_pem(public_key.pem.encode())
    return jwk_key.export(private_key=False)

def crc32c(data: bytes) -> int:
    Calculates the CRC32C checksum of the provided data.
        data: the bytes over which the checksum should be calculated.
        An int representing the CRC32C checksum of the provided bytes.
    import crcmod  # type: ignore

    crc32c_fun = crcmod.predefined.mkPredefinedCrcFun("crc-32c")
    return crc32c_fun(data)

Mengontrol akses ke kunci asimetris

Penanda tangan atau validator memerlukan izin atau peran yang sesuai pada kunci asimetris.

  • Untuk pengguna atau layanan yang akan melakukan penandatanganan, berikan izin cloudkms.cryptoKeyVersions.useToSign pada kunci asimetris.

  • Untuk pengguna atau layanan yang akan mengambil kunci publik, berikan cloudkms.cryptoKeyVersions.viewPublicKey pada kunci asimetris. Kunci publik diperlukan untuk validasi tanda tangan.

Pelajari izin dan peran dalam rilis Cloud KMS di Izin dan peran.

Membuat kunci penandatanganan MAC


  1. Di konsol Google Cloud, buka halaman Key Management.

    Buka Key Management

  2. Klik nama key ring yang akan Anda buat kunci.

  3. Klik Create key.

  4. Untuk Key name, masukkan nama untuk kunci Anda.

  5. Untuk Protection level, pilih Software atau HSM.

  6. Untuk Materi kunci, pilih Kunci yang dibuat.

  7. Untuk Tujuan, pilih Penandatanganan/verifikasi MAC.

  8. Opsional: untuk Algorithm, pilih algoritme penanda tanganan HMAC.

  9. Klik Buat.


Untuk menggunakan Cloud KMS di command line, pertama-tama Instal atau upgrade ke Google Cloud CLI versi terbaru.

gcloud kms keys create KEY_NAME \
    --keyring KEY_RING \
    --location LOCATION \
    --purpose "mac" \
    --default-algorithm "ALGORITHM" \
    --protection-level "PROTECTION_LEVEL"

Ganti kode berikut:

  • KEY_NAME: nama kunci.
  • KEY_RING: nama key ring yang berisi kunci.
  • LOCATION: lokasi Cloud KMS key ring.
  • ALGORITHM: algoritma penandatanganan HMAC—misalnya, hmac-sha256. Untuk melihat semua algoritma HMAC yang didukung, lihat Algoritma penandatanganan HMAC.
  • PROTECTION_LEVEL: tingkat perlindungan kunci—misalnya, hsm. Anda dapat menghapus tanda --protection-level untuk kunci software.

Untuk mengetahui informasi tentang semua flag dan kemungkinan nilai, jalankan perintah dengan flag --help.


Untuk menjalankan kode ini, siapkan lingkungan pengembangan C# terlebih dahulu dan instal Cloud KMS C# SDK.

using Google.Cloud.Kms.V1;
using Google.Protobuf.WellKnownTypes;

public class CreateKeyMacSample
    public CryptoKey CreateKeyMac(
      string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring",
      string id = "my-mac-key")
        // Create the client.
        KeyManagementServiceClient client = KeyManagementServiceClient.Create();

        // Build the parent key ring name.
        KeyRingName keyRingName = new KeyRingName(projectId, locationId, keyRingId);

        // Build the key.
        CryptoKey key = new CryptoKey
            Purpose = CryptoKey.Types.CryptoKeyPurpose.Mac,
            VersionTemplate = new CryptoKeyVersionTemplate
                Algorithm = CryptoKeyVersion.Types.CryptoKeyVersionAlgorithm.HmacSha256,

            // Optional: customize how long key versions should be kept before destroying.
            DestroyScheduledDuration = new Duration
                Seconds = 24 * 60 * 60,

        // Call the API.
        CryptoKey result = client.CreateCryptoKey(keyRingName, id, key);

        // Return the result.
        return result;


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Go terlebih dahulu, lalu instal Cloud KMS Go SDK.

import (

	kms "cloud.google.com/go/kms/apiv1"

// createKeyMac creates a new key for use with MacSign.
func createKeyMac(w io.Writer, parent, id string) error {
	// parent := "projects/my-project/locations/us-east1/keyRings/my-key-ring"
	// id := "my-mac-key"

	// Create the client.
	ctx := context.Background()
	client, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	defer client.Close()

	// Build the request.
	req := &kmspb.CreateCryptoKeyRequest{
		Parent:      parent,
		CryptoKeyId: id,
		CryptoKey: &kmspb.CryptoKey{
			Purpose: kmspb.CryptoKey_MAC,
			VersionTemplate: &kmspb.CryptoKeyVersionTemplate{
				Algorithm: kmspb.CryptoKeyVersion_HMAC_SHA256,

			// Optional: customize how long key versions should be kept before destroying.
			DestroyScheduledDuration: durationpb.New(24 * time.Hour),

	// Call the API.
	result, err := client.CreateCryptoKey(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to create key: %w", err)
	fmt.Fprintf(w, "Created key: %s\n", result.Name)
	return nil


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Java terlebih dahulu dan instal Cloud KMS Java SDK.

import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose;
import com.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm;
import com.google.cloud.kms.v1.CryptoKeyVersionTemplate;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRingName;
import java.io.IOException;

public class CreateKeyMac {

  public void createKeyMac() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    String keyRingId = "my-key-ring";
    String id = "my-mac-key";
    createKeyMac(projectId, locationId, keyRingId, id);

  // Create a new key for use with MacSign.
  public void createKeyMac(String projectId, String locationId, String keyRingId, String id)
      throws IOException {
    // Initialize client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests. After
    // completing all of your requests, call the "close" method on the client to
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      // Build the parent name from the project, location, and key ring.
      KeyRingName keyRingName = KeyRingName.of(projectId, locationId, keyRingId);

      // Build the mac key to create.
      CryptoKey key =

      // Create the key.
      CryptoKey createdKey = client.createCryptoKey(keyRingName, id, key);
      System.out.printf("Created mac key %s%n", createdKey.getName());


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Node.js terlebih dahulu dan instal Cloud KMS Node.js SDK.

// TODO(developer): Uncomment these variables before running the sample.
// const projectId = 'my-project';
// const locationId = 'us-east1';
// const keyRingId = 'my-key-ring';
// const id = 'my-mac-key';

// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');

// Instantiates a client
const client = new KeyManagementServiceClient();

// Build the parent key ring name
const keyRingName = client.keyRingPath(projectId, locationId, keyRingId);

async function createKeyMac() {
  const [key] = await client.createCryptoKey({
    parent: keyRingName,
    cryptoKeyId: id,
    cryptoKey: {
      purpose: 'MAC',
      versionTemplate: {
        algorithm: 'HMAC_SHA256',

      // Optional: customize how long key versions should be kept before
      // destroying.
      destroyScheduledDuration: {seconds: 60 * 60 * 24},

  console.log(`Created mac key: ${key.name}`);
  return key;

return createKeyMac();


Untuk menjalankan kode ini, pelajari terlebih dahulu cara menggunakan PHP di Google Cloud dan menginstal Cloud KMS PHP SDK.

use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\CreateCryptoKeyRequest;
use Google\Cloud\Kms\V1\CryptoKey;
use Google\Cloud\Kms\V1\CryptoKey\CryptoKeyPurpose;
use Google\Cloud\Kms\V1\CryptoKeyVersion\CryptoKeyVersionAlgorithm;
use Google\Cloud\Kms\V1\CryptoKeyVersionTemplate;
use Google\Protobuf\Duration;

function create_key_mac(
    string $projectId = 'my-project',
    string $locationId = 'us-east1',
    string $keyRingId = 'my-key-ring',
    string $id = 'my-mac-key'
): CryptoKey {
    // Create the Cloud KMS client.
    $client = new KeyManagementServiceClient();

    // Build the parent key ring name.
    $keyRingName = $client->keyRingName($projectId, $locationId, $keyRingId);

    // Build the key.
    $key = (new CryptoKey())
        ->setVersionTemplate((new CryptoKeyVersionTemplate())

        // Optional: customize how long key versions should be kept before destroying.
        ->setDestroyScheduledDuration((new Duration())
            ->setSeconds(24 * 60 * 60)

    // Call the API.
    $createCryptoKeyRequest = (new CreateCryptoKeyRequest())
    $createdKey = $client->createCryptoKey($createCryptoKeyRequest);
    printf('Created mac key: %s' . PHP_EOL, $createdKey->getName());

    return $createdKey;


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Python terlebih dahulu dan instal Cloud KMS Python SDK.

import datetime

from google.cloud import kms
from google.protobuf import duration_pb2  # type: ignore

def create_key_mac(
    project_id: str, location_id: str, key_ring_id: str, key_id: str
) -> kms.CryptoKey:
    Creates a new key in Cloud KMS for HMAC operations.

        project_id (string): Google Cloud project ID (e.g. 'my-project').
        location_id (string): Cloud KMS location (e.g. 'us-east1').
        key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
        key_id (string): ID of the key to create (e.g. 'my-mac-key').

        CryptoKey: Cloud KMS key.


    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the parent key ring name.
    key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)

    # Build the key.
    purpose = kms.CryptoKey.CryptoKeyPurpose.MAC
    algorithm = kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.HMAC_SHA256
    key = {
        "purpose": purpose,
        "version_template": {
            "algorithm": algorithm,
        # Optional: customize how long key versions should be kept before
        # destroying.
        "destroy_scheduled_duration": duration_pb2.Duration().FromTimedelta(

    # Call the API.
    created_key = client.create_crypto_key(
        request={"parent": key_ring_name, "crypto_key_id": key_id, "crypto_key": key}
    print(f"Created mac key: {created_key.name}")
    return created_key


Untuk menjalankan kode ini, siapkan lingkungan pengembangan Ruby terlebih dahulu, lalu instal Cloud KMS Ruby SDK.

# TODO(developer): uncomment these values before running the sample.
# project_id  = "my-project"
# location_id = "us-east1"
# key_ring_id = "my-key-ring"
# id          = "my-mac-key"

# Require the library.
require "google/cloud/kms"

# Create the client.
client = Google::Cloud::Kms.key_management_service

# Build the parent key ring name.
key_ring_name = client.key_ring_path project: project_id, location: location_id, key_ring: key_ring_id

# Build the key.
key = {
  purpose:          :MAC,
  version_template: {
    algorithm: :HMAC_SHA256

# Call the API.
created_key = client.create_crypto_key parent: key_ring_name, crypto_key_id: id, crypto_key: key
puts "Created mac key: #{created_key.name}"


Contoh ini menggunakan curl sebagai klien HTTP untuk menunjukkan penggunaan API. Untuk informasi selengkapnya tentang kontrol akses, lihat Mengakses Cloud KMS API.

Untuk membuat kunci, gunakan metode CryptoKey.create:

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys?crypto_key_id=KEY_NAME" \
    --request "POST" \
    --header "authorization: Bearer TOKEN" \
    --header "content-type: application/json" \
    --data '{"purpose": "MAC", "versionTemplate": { "protectionLevel": "PROTECTION_LEVEL", "algorithm": "ALGORITHM" }}'

Ganti kode berikut:

  • PROJECT_ID: ID project yang berisi key ring.
  • LOCATION: lokasi Cloud KMS key ring.
  • KEY_RING: nama key ring yang berisi kunci.
  • KEY_NAME: nama kunci.
  • PROTECTION_LEVEL: tingkat perlindungan kunci, misalnya SOFTWARE atau HSM.
  • ALGORITHM: algoritma penandatanganan HMAC, misalnya HMAC_SHA256. Untuk melihat semua algoritma HMAC yang didukung, lihat Algoritma penandatanganan HMAC.

Langkah berikutnya