Cloud Key Management Service uses an object hierarchy, such that a key belongs to a key ring, which resides in a particular location.
Create a key ring
A key ring is defined by its location and name.
Console
Go to the Cryptographic Keys page in the Cloud Console.
Click Create key ring.
In the Key ring name field, enter the name for your key ring.
From the Location dropdown, select a location.
Click Create.
Command-line
Create a new key ring with name [KEYRING_NAME] in location [LOCATION].
gcloud kms keyrings create [KEYRING_NAME] --location [LOCATION]
Create a key
A key must be created in a key ring.
Console
Go to the Cryptographic Keys page in the Cloud Console.
Click the name of the key ring for which you will create a key.
Click Create key.
In the Key name field, enter the name for your key.
Accept the default values for Rotation period and Starting on, or set a key rotation period and starting time if you want to use different values. The default rotation period is 90 days, and the default date for the first rotation is 90 days from today's date.
[Optional] In the Labels field, click Add label if you want to add labels to your key.
Click Create.
Command-line
Create a new key [KEY_NAME] for the key ring [KEYRING_NAME].
gcloud kms keys create [KEY_NAME] --location [LOCATION] \
--keyring [KEYRING_NAME] --purpose encryption
Set a key rotation period and starting time
A key can be created with a specified rotation period, which is the time between automatic generations of new key versions. A key can also be created with a specified next rotation time.
Console
When you use the Google Cloud Console to create a key, if you don't specify your own rotation period and next rotation time, Cloud KMS will set the key's rotation period and next rotation time automatically.
To specify a different rotation period and starting time, do the following while you are creating your key, before you click the Create button:
- Click the Rotation period dropdown and then select a value for the rotation period.
- Click the date in the Starting on field and then select a date for the next rotation.
Command-line
gcloud kms keys create [KEY_NAME] --location [LOCATION] \
--keyring [KEYRING_NAME] \
--purpose encryption \
--rotation-period [ROTATION_PERIOD] \
--next-rotation-time [NEXT_ROTATION_TIME]
Windows cmd.exe
gcloud kms keys create [KEY_NAME] --location [LOCATION] ^
--keyring [KEYRING_NAME] ^
--purpose encryption ^
--rotation-period [ROTATION_PERIOD] ^
--next-rotation-time [NEXT_ROTATION_TIME]
PowerShell
gcloud kms keys create [KEY_NAME] --location [LOCATION] `
--keyring [KEYRING_NAME] `
--purpose encryption `
--rotation-period [ROTATION_PERIOD] `
--next-rotation-time [NEXT_ROTATION_TIME]
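Added example, not part of the original page: a shell helper that fills in [ROTATION_PERIOD] and [NEXT_ROTATION_TIME] so that a key created from the command line gets the same schedule as the console default described above (a 90-day period, with the first rotation one period from now). The function names are hypothetical, the 1-day and 36500-day bounds are assumed Cloud KMS limits, and the date call assumes GNU or BusyBox date.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of gcloud.
# Requires a date(1) that accepts "-d @EPOCH" (GNU coreutils, BusyBox).

# Accept whole days only. Assumed Cloud KMS bounds: at least 1 day
# (24 hours) and at most 36500 days (876,000 hours).
valid_rotation_days() {
  case $1 in
    ''|0*|*[!0-9]*|??????*) return 1 ;;  # empty, leading zero, non-digit, 6+ digits
  esac
  [ "$1" -le 36500 ]
}

# Print the RFC 3339 UTC time DAYS days after NOW_EPOCH.
# Usage: next_rotation_time DAYS [NOW_EPOCH]   (NOW_EPOCH defaults to now)
next_rotation_time() {
  now=${2:-$(date -u +%s)}
  date -u -d "@$(( now + $1 * 86400 ))" +%Y-%m-%dT%H:%M:%SZ
}

# Print the two rotation flags for `gcloud kms keys create`, scheduling the
# first rotation one full period from now.
# Usage: rotation_flags DAYS [NOW_EPOCH]
rotation_flags() {
  valid_rotation_days "$1" || { echo "invalid rotation period: $1" >&2; return 1; }
  printf '%s %s %s %s\n' \
    --rotation-period "${1}d" \
    --next-rotation-time "$(next_rotation_time "$1" "${2:-}")"
}

# Create KEY in KEYRING at LOCATION with a DAYS-day rotation schedule.
# Usage: create_rotating_key KEY KEYRING LOCATION [DAYS]   (DAYS defaults to 90)
create_rotating_key() {
  flags=$(rotation_flags "${4:-90}") || return 1
  # $flags is deliberately unquoted so it splits into four arguments.
  gcloud kms keys create "$1" --location "$3" --keyring "$2" \
    --purpose encryption $flags
}
```

Calling rotation_flags on its own prints the flags without contacting Cloud KMS, which is useful for reviewing the schedule before a key is created.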
Manually create new key versions
In addition to automatic rotation, you can manually rotate keys. For more details, see Rotating keys.