Creating asymmetric keys

This topic provides information about creating asymmetric keys. If you want to create symmetric keys, see the Creating Keys and Key Rings topic.

Create a key ring

A key ring is defined by its location and name.

console

  1. Go to the Cryptographic Keys page in the GCP Console.

  2. Click Create key ring.

  3. In the Key ring name field, enter the name for your key ring.

  4. From the Location dropdown, select a location.

  5. Click Create.

command line

Create a new key ring with name [KEYRING_NAME] in location [LOCATION].

gcloud kms keyrings create [KEYRING_NAME] \
  --location [LOCATION]

API

Create a key ring by calling the KeyRing.create method.

Create a key

A key must be created in a key ring.

console

  1. Go to the Cryptographic Keys page in the GCP Console.

  2. Click the name of the key ring for which you will create a key.

  3. Click Create key.

  4. In the Key name field, enter the name for your key.

  5. Click the Purpose dropdown. Select an asymmetric key purpose, for example Asymmetric sign or Asymmetric decrypt. To learn more about key purposes, see Key purposes.

  6. Click the Algorithm dropdown. Select the algorithm for your key. You can change this for future key versions. The choice of Purpose determines which algorithms are available. For example, if your key purpose is Asymmetric sign, one of the supported algorithms is Elliptic Curve P-256 - SHA256 Digest. To learn more about algorithms for an asymmetric key, see Key purposes and algorithms.

  7. For Protection level, select either Software or HSM. To learn more about protection levels, see Protection levels.
    Your Cryptographic Keys page should look similar to:

    Create an asymmetric key

  8. [Optional] In the Labels field, click Add label if you want to add labels to your key.

  9. Click Create.

command line

Create a new key [KEY_NAME] for the key ring [KEYRING_NAME].

To create an asymmetric key:

  • Set --purpose to asymmetric-signing or asymmetric-encryption. For the list of values supported for --purpose, see --purpose. To learn more about key purposes in general, see Key purposes.
  • Set --default-algorithm to the algorithm you want to use. You can change this for future key versions. The choice of key purpose determines which algorithms are supported. For example, if your key purpose is asymmetric- signing, one of the supported algorithms is ec-sign-p256-sha256. For the list of values supported for --default-algorithm, see --default- algorithm. To learn more about algorithms for a key, see Key purposes and algorithms.
  • Set --protection-level to either software or hsm. You can learn more about protection levels in Protection levels.
gcloud kms keys create [KEY_NAME] \
  --location [LOCATION] \
  --keyring [KEYRING_NAME] \
  --purpose [PURPOSE] \
  --default-algorithm [ALGORITHM] \
  --protection-level [PROTECTION_LEVEL]

API

Create an asymmetric key by calling the CryptoKey.create method.

When you create an asymmetric key, the initial state for the key version is pending generation. When Cloud KMS finishes generating the key version, its state automatically changes to enabled. Learn more about key version states at Key states.

If you want to retrieve the public key portion of the newly created key version, follow the instructions at Retrieving a public key.

Access control to asymmetric keys

A signer or validator requires the appropriate permission or role on the asymmetric key.

  • For a user or service that will perform signing, grant the cloudkms.cryptoKeyVersions.useToSign permission on the asymmetric key.

  • For a user or service that will retrieve the public key, grant the cloudkms.cryptoKeyVersions.viewPublicKey on the asymmetric key. The public key is required for signature validation.

Learn about permissions and roles in Cloud KMS release at Permissions and Roles.

Next steps

Was this page helpful? Let us know how we did:

Send feedback about...

This page
Documentation feedback
Cloud KMS
Product feedback