Including the Pyca cryptography library

This page describes how to update the Google Cloud CLI to enable support for automatically wrapping keys for secure import into Cloud Key Management Service, by installing the Pyca cryptography library. Version 2.2.0 or higher adds support for the required aes_key_wrap_with_padding wrapping mechanism.

Before you begin

• Install or upgrade the Google Cloud CLI to version 253.0.0 or higher.
• Install the pip command if possible. pip is the platform-independent command-line interface to the Python Package Index. The package manager provided by your operating system may not provide version 2.2.0 or higher of the Pyca cryptographic library.

Installing and using pip

You can install and use pip on Linux, macOS, or Windows systems.

This command installs the library into your user environment, specifying the minimum version to install. To install system-wide, omit the --user flag. You may need to install pip as a privileged user.

pip install --user "cryptography>=2.2.0"

After installing the Pyca cryptographic libraries, you must enable site packages so the gcloud CLI can use the libraries.

Installing on Linux using a package manager

Follow these instructions on Linux systems if you can't use the pip command.

Debian or Ubuntu

If you use a system based on Debian or Ubuntu, you can install the Pyca cryptographic library using the apt-get command.

1. Check the versions of the python-cryptography package available in the package database. Version 2.2.0 or higher is required.

   apt policy python-cryptography
   

2. Install the package.

   sudo apt-get install python-cryptography
   

   If necessary, specify the version to install.

   sudo apt-get install python-cryptography=version
   

After installing the Pyca cryptographic libraries, you must enable site packages so the gcloud CLI can use the libraries.

Red Hat, CentOS, or SUSE

If your system uses RPMs for package management, you can install the Pyca crytographic library using the yum command.

1. Check the versions of python-cryptography available in the package database. Version 2.2.0 or higher is required.

   yum --showduplicates list python2-cryptography
   

2. Install the package.

   sudo yum install python2-cryptography
   

   If necessary, specify the version to install.

   sudo yum install python2-cryptography-version
   

After installing the Pyca cryptographic libraries, you must enable site packages so the gcloud CLI can use the libraries.

Enabling site packages

By default, the Google Cloud CLI ignores Python libraries installed on your local system. To allow the Google Cloud CLI to use the Pyca cryptographic library, you need to enable site packages.

To enable site packages, set the CLOUDSDK_PYTHON_SITEPACKAGES environment variable to 1. With site packages enabled, the gcloud CLI can use extra libraries outside of the google-cloud-sdk/lib directory.

export CLOUDSDK_PYTHON_SITEPACKAGES=1

export CLOUDSDK_PYTHON_SITEPACKAGES=1

set CLOUDSDK_PYTHON_SITEPACKAGES=1

Enabling site packages may cause some gcloud CLI commands to fail. It is recommended that you disable site packages after importing your keys.

Disabling site packages

After you finish importing keys, it is recommended that you disable site packages on systems where you use the gcloud CLI. To disable site packages, set CLOUDSDK_PYTHON_SITEPACKAGES to 0.

export CLOUDSDK_PYTHON_SITEPACKAGES=0

export CLOUDSDK_PYTHON_SITEPACKAGES=0

set CLOUDSDK_PYTHON_SITEPACKAGES=0