Creating asymmetric keys

This page shows how to create an asymmetric key. You can use an asymmetric key for encryption or for signing.

You can also create a symmetric key, a Cloud HSM key, or a Cloud External Key Manager key.

Overview

When you create a key, you add it to a key ring in a given Google Cloud location. You can create a new key ring or use an existing one. In this topic, you create a new key ring and add a new key to it.

Create a key ring

Follow these steps to create a key ring for your new key. If you want to use an existing key ring instead, skip ahead to Create an asymmetric key.

console

  1. Go to the Cryptographic Keys page in the Cloud Console.

  2. Click Create key ring.

  3. In the Key ring name field, enter the name for your key ring.

  4. From the Location dropdown, select a location.

  5. Click Create.

command line

Create a new key ring with name keyring-name in location location.

gcloud kms keyrings create keyring-name \
  --location location

API

Create a key ring by calling the KeyRing.create method.

Create an asymmetric key

Follow these steps to create an asymmetric key on the specified key ring and location.

console

  1. Go to the Cryptographic Keys page in the Cloud Console.

  2. Click the name of the key ring for which you will create a key.

  3. Click Create key.

  4. In the Key name field, enter the name for your key.

  5. Click the Purpose dropdown. Select an asymmetric key purpose, for example Asymmetric sign or Asymmetric decrypt. To learn more about key purposes, see Key purposes.

  6. Click the Algorithm dropdown. Select the algorithm for your key. You can change this for future key versions. The choice of Purpose determines which algorithms are available. For example, if your key purpose is Asymmetric sign, one of the supported algorithms is Elliptic Curve P-256 - SHA256 Digest. To learn more about algorithms for an asymmetric key, see Key purposes and algorithms.

  7. For Protection level, select either Software or HSM. To learn more about protection levels, see Protection levels.

  8. [Optional] In the Labels field, click Add label if you want to add labels to your key.

  9. Click Create.

command line

Create a new key key-name on the key ring keyring-name.

To create an asymmetric key:

  • Set --purpose to asymmetric-signing or asymmetric-encryption. For the list of values supported for --purpose, see --purpose. To learn more about key purposes in general, see Key purposes.
  • Set --default-algorithm to the algorithm you want to use. You can change this for future key versions. The choice of key purpose determines which algorithms are supported. For example, if your key purpose is asymmetric-signing, one of the supported algorithms is ec-sign-p256-sha256. For the list of values supported for --default-algorithm, see --default-algorithm. To learn more about algorithms for a key, see Key purposes and algorithms.
  • Set --protection-level to either software or hsm. To learn more about protection levels, see Protection levels.

gcloud kms keys create key-name \
  --location location \
  --keyring keyring-name \
  --purpose purpose \
  --default-algorithm algorithm \
  --protection-level protection-level

API

Create an asymmetric key by calling the CryptoKey.create method.

When you first create the key, the key's initial version has a state of PENDING_GENERATION while the key material is generated. When the state changes to ENABLED, you can use the key. A signing or public-key request against a version that is still pending fails, so check the version state before using a newly created key. To learn more about key version states, see Key states.

To verify signatures or encrypt data outside Cloud KMS, you need the public half of the key; see Retrieving the public key portion of an asymmetric key.

Control access to asymmetric keys

A signer or verifier requires the appropriate permission or role on the asymmetric key.

  • For a user or service that will perform signing, grant the cloudkms.cryptoKeyVersions.useToSign permission on the asymmetric key. Signing is the sensitive operation: grant it only to the principal that must produce signatures.

  • For a user or service that will retrieve the public key, grant the cloudkms.cryptoKeyVersions.viewPublicKey permission on the asymmetric key. The public key is required for signature validation. It is not secret, so verifiers need no other access to the key.

Learn about permissions and roles in Cloud KMS at Permissions and Roles.
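
The command-line procedure above, the wait for the initial version to reach ENABLED, and the two grants in Control access to asymmetric keys, combined into one shell script. This is an added example written for this page, not Cloud KMS documentation or Google sample code. The resource names, the two service-account principals, the GCLOUD and POLL_SECONDS overrides, and the use of the predefined roles roles/cloudkms.signer (assumed here to carry useToSign) and roles/cloudkms.publicKeyViewer (assumed here to carry viewPublicKey) are this example's own assumptions; the page itself names only the permissions.

```shell
#!/bin/sh
# Added example, not from the Cloud KMS documentation: runs the gcloud
# procedure above end to end. Creates the key ring only if it is missing,
# creates an asymmetric signing key, waits for version 1 to leave
# PENDING_GENERATION, grants signer and verifier their least-privilege roles,
# and downloads the public key.
#
# Assumptions (not on the original page): resource names and principals are
# placeholders; GCLOUD may point at a wrapper or stub; POLL_SECONDS tunes the
# poll interval; the two predefined roles are assumed to carry useToSign and
# viewPublicKey respectively.
GCLOUD="${GCLOUD:-gcloud}"
LOCATION="${LOCATION:-us-east1}"
KEYRING="${KEYRING:-keyring-name}"
KEY="${KEY:-key-name}"
SIGNER="${SIGNER:-serviceAccount:signer@example-project.iam.gserviceaccount.com}"
VERIFIER="${VERIFIER:-serviceAccount:verifier@example-project.iam.gserviceaccount.com}"
POLL_SECONDS="${POLL_SECONDS:-2}"

kms() { "$GCLOUD" kms "$@"; }

# Key rings cannot be deleted, so creation must be idempotent: describe first,
# create only on a miss.
ensure_keyring() {
  if kms keyrings describe "$KEYRING" --location "$LOCATION" >/dev/null 2>&1; then
    return 0
  fi
  kms keyrings create "$KEYRING" --location "$LOCATION"
}

# Asymmetric signing key, EC P-256 with SHA-256, generated inside an HSM.
create_signing_key() {
  kms keys create "$KEY" \
    --location "$LOCATION" \
    --keyring "$KEYRING" \
    --purpose asymmetric-signing \
    --default-algorithm ec-sign-p256-sha256 \
    --protection-level hsm
}

# State of key version 1: PENDING_GENERATION until the material exists,
# then ENABLED.
version_state() {
  kms keys versions describe 1 \
    --key "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --format 'value(state)'
}

# Poll until ENABLED; give up after $1 attempts instead of hanging forever.
wait_for_enabled() {
  attempts="${1:-30}"
  i=0
  state=""
  while [ "$i" -lt "$attempts" ]; do
    state="$(version_state)"
    if [ "$state" = "ENABLED" ]; then
      return 0
    fi
    i=$((i + 1))
    sleep "$POLL_SECONDS"
  done
  echo "version 1 of $KEY is still $state after $attempts checks" >&2
  return 1
}

# Least privilege: the signer gets only the signing role, the verifier only
# public-key read. Neither principal can administer or destroy the key.
grant_roles() {
  kms keys add-iam-policy-binding "$KEY" \
    --keyring "$KEYRING" --location "$LOCATION" \
    --member "$SIGNER" --role roles/cloudkms.signer
  kms keys add-iam-policy-binding "$KEY" \
    --keyring "$KEYRING" --location "$LOCATION" \
    --member "$VERIFIER" --role roles/cloudkms.publicKeyViewer
}

# PEM public key for distribution to verifiers (needs viewPublicKey).
fetch_public_key() {
  kms keys versions get-public-key 1 \
    --key "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --output-file "${1:-public.pem}"
}

main() {
  ensure_keyring
  create_signing_key
  wait_for_enabled 30
  grant_roles
  fetch_public_key public.pem
}

# Runs only as `sh create_signing_key.sh run`, so the file can also be
# sourced for its functions.
case "${1:-}" in
  run) main ;;
esac
```

Run it as `sh create_signing_key.sh run` with an authenticated gcloud. The bounded poll loop matters in automation: an HSM-backed or large-RSA version can sit in PENDING_GENERATION for a while, and a pipeline that signs immediately after `keys create` fails on the first attempt.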

What's next