This topic provides information about creating asymmetric keys. If you want to create symmetric keys, see the Creating Keys and Key Rings topic.
Create a key ring
A key ring is defined by its location and name.
Console
Go to the Cryptographic Keys page in the Cloud Console.
Click Create key ring.
In the Key ring name field, enter the name for your key ring.
From the Location dropdown, select a location.
Click Create.
Command line
Create a new key ring with name [KEYRING_NAME] in location [LOCATION]:
gcloud kms keyrings create [KEYRING_NAME] \
--location [LOCATION]
API
Create a key ring by calling the KeyRing.create method.
Create a key
A key must be created in a key ring.
Console
Go to the Cryptographic Keys page in the Cloud Console.
Click the name of the key ring for which you will create a key.
Click Create key.
In the Key name field, enter the name for your key.
Click the Purpose dropdown. Select an asymmetric key purpose, for example Asymmetric sign or Asymmetric decrypt. To learn more about key purposes, see Key purposes.
Click the Algorithm dropdown. Select the algorithm for your key. You can change this for future key versions. The choice of Purpose determines which algorithms are available. For example, if your key purpose is Asymmetric sign, one of the supported algorithms is Elliptic Curve P-256 - SHA256 Digest. To learn more about algorithms for an asymmetric key, see Key purposes and algorithms.
For Protection level, select either Software or HSM. To learn more about protection levels, see Protection levels.
[Optional] In the Labels field, click Add label if you want to add labels to your key.
Click Create.
Command line
Create a new key [KEY_NAME] for the key ring [KEYRING_NAME].
To create an asymmetric key:
- Set --purpose to asymmetric-signing or asymmetric-encryption. For the list of values supported for --purpose, see --purpose. To learn more about key purposes in general, see Key purposes.
- Set --default-algorithm to the algorithm you want to use. You can change this for future key versions. The choice of key purpose determines which algorithms are supported. For example, if your key purpose is asymmetric-signing, one of the supported algorithms is ec-sign-p256-sha256. For the list of values supported for --default-algorithm, see --default-algorithm. To learn more about algorithms for a key, see Key purposes and algorithms.
- Set --protection-level to either software or hsm. You can learn more about protection levels in Protection levels.
gcloud kms keys create [KEY_NAME] \
--location [LOCATION] \
--keyring [KEYRING_NAME] \
--purpose [PURPOSE] \
--default-algorithm [ALGORITHM] \
--protection-level [PROTECTION_LEVEL]
API
Create an asymmetric key by calling the CryptoKey.create method.
- Specify a key purpose of ASYMMETRIC_SIGN or ASYMMETRIC_DECRYPT using the CryptoKeyPurpose type. To learn more about key purposes, see Key purposes.
- Specify an algorithm using the CryptoKeyVersionAlgorithm type. You can change this for future versions. The choice of key purpose determines which algorithms are supported. For example, if your key purpose is ASYMMETRIC_SIGN, one of the supported algorithms is EC_SIGN_P256_SHA256. To learn more about algorithms for a key, see Key purposes and algorithms.
- Specify a protection level of either software or HSM using the ProtectionLevel type.
When you create an asymmetric key, the initial state of the key version is pending generation. When Key Management Service finishes generating the key version, its state automatically changes to enabled. Learn more about key version states at Key states.
If you want to retrieve the public key portion of the newly created key version, follow the instructions at Retrieving a public key.
Access control to asymmetric keys
A signer or validator requires the appropriate permission or role on the asymmetric key.
- For a user or service that will perform signing, grant the cloudkms.cryptoKeyVersions.useToSign permission on the asymmetric key.
- For a user or service that will retrieve the public key, grant the cloudkms.cryptoKeyVersions.viewPublicKey permission on the asymmetric key. The public key is required for signature validation.
Learn about Cloud KMS permissions and roles at Permissions and Roles.
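The command-line procedure above (key ring, asymmetric key, pending-generation wait, then access control) as one script. This is an added example, not part of the Cloud KMS documentation: the location, key ring, key and service-account values are constructed placeholders, and the predefined roles roles/cloudkms.signer and roles/cloudkms.publicKeyViewer are used in place of granting the individual useToSign and viewPublicKey permissions.

```shell
#!/bin/sh
# Added example (not from the Cloud KMS docs): create a key ring and an
# HSM-backed asymmetric signing key with gcloud, wait for version 1 to leave
# PENDING_GENERATION, grant least-privilege roles, and fetch the public key.
# Every value below is a constructed placeholder; override via the environment.
set -eu

LOCATION="${LOCATION:-us-east1}"
KEYRING_NAME="${KEYRING_NAME:-release-ring}"
KEY_NAME="${KEY_NAME:-release-signing}"
PURPOSE="${PURPOSE:-asymmetric-signing}"
ALGORITHM="${ALGORITHM:-ec-sign-p256-sha256}"
SIGNER="${SIGNER:-serviceAccount:signer@example-project.iam.gserviceaccount.com}"
VERIFIER="${VERIFIER:-serviceAccount:verifier@example-project.iam.gserviceaccount.com}"

# The purpose decides which algorithms are valid: signing keys take ec-sign-* or
# rsa-sign-* algorithms, encryption keys take rsa-decrypt-*. Returns 0 if consistent.
purpose_allows_algorithm() {
  case "$1/$2" in
    asymmetric-signing/ec-sign-*|asymmetric-signing/rsa-sign-*) return 0 ;;
    asymmetric-encryption/rsa-decrypt-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pull the `state:` field out of `gcloud kms keys versions describe` output.
version_state() { sed -n 's/^state: *//p'; }

# A new version starts as PENDING_GENERATION; poll until KMS reports ENABLED.
wait_until_enabled() {
  state=unknown
  for _ in $(seq 1 30); do
    state=$(gcloud kms keys versions describe 1 --key "$KEY_NAME" \
      --keyring "$KEYRING_NAME" --location "$LOCATION" | version_state)
    [ "$state" = "ENABLED" ] && return 0
    sleep 2
  done
  echo "version 1 of $KEY_NAME still $state after polling" >&2
  return 1
}

provision_signing_key() {
  purpose_allows_algorithm "$PURPOSE" "$ALGORITHM" || { echo "purpose/algorithm mismatch" >&2; return 1; }
  gcloud kms keyrings create "$KEYRING_NAME" --location "$LOCATION"
  gcloud kms keys create "$KEY_NAME" --location "$LOCATION" --keyring "$KEYRING_NAME" \
    --purpose "$PURPOSE" --default-algorithm "$ALGORITHM" --protection-level hsm
  wait_until_enabled
  # Signer needs useToSign; the verifier only needs viewPublicKey, nothing more.
  gcloud kms keys add-iam-policy-binding "$KEY_NAME" --location "$LOCATION" \
    --keyring "$KEYRING_NAME" --member "$SIGNER" --role roles/cloudkms.signer
  gcloud kms keys add-iam-policy-binding "$KEY_NAME" --location "$LOCATION" \
    --keyring "$KEYRING_NAME" --member "$VERIFIER" --role roles/cloudkms.publicKeyViewer
  gcloud kms keys versions get-public-key 1 --key "$KEY_NAME" --keyring "$KEYRING_NAME" \
    --location "$LOCATION" --output-file "$KEY_NAME.pub.pem"
}

# Only call GCP when explicitly asked, so the helpers can be sourced and checked offline.
if [ "${RUN_KMS:-0}" = "1" ]; then provision_signing_key; fi
```

Run with RUN_KMS=1 in an authenticated gcloud session; the public key lands in release-signing.pub.pem for the verifier to distribute.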
Next steps
- Learn about Creating and validating signatures.
- Learn about Encrypting and decrypting data with an RSA key.
- Learn about Retrieving a public key.