Create an EKM connection

This page shows you how to set up Cloud External Key Manager (Cloud EKM) to connect to your external key management (EKM) provider over a Virtual Private Cloud (VPC) network.

You can use external keys over VPC in Cloud KMS locations that support EKM via VPC. For more information, see the Cloud KMS Locations page.

Terminology

• EKM connection

  The Cloud KMS resource used to configure a connection to your external key manager. In the Google Cloud console, this is referred to as an EKM via VPC connection.

• VPC project

  The project that holds the VPC resource that is used to connect to your external key manager.

• Key projects

  The projects that hold EKM connection resources and Cloud EKM keys in Cloud KMS. A key project can be the same as a VPC project, but it is not required.

• Crypto space

  A container for your resources within your external key management partner. Your crypto space is identified by a unique crypto space path. The format of the crypto space path varies by external key management partner—for example, v0/cryptospaces/YOUR_UNIQUE_PATH.

Before you begin

After you complete the steps below, you can begin using Cloud EKM keys to protect your data.

Create a new project

1. In the Google Cloud console, go to the Manage Resources page.

   Go to the Manage Resources page

2. Create a new Google Cloud project or select an existing project.

   ...see naming guidelines

3. Make sure that billing is enabled for your Google Cloud project.

You can learn more about Cloud EKM pricing.

Enable Cloud KMS

1. Enable the Cloud Key Management Service API for the project.

   Enable the Cloud Key Management Service API

2. Make a note of your project's Cloud EKM service account. In the following example, replace PROJECT_NUMBER with your Google Cloud project's project number. This information is also visible each time you use the Google Cloud console to create a Cloud EKM key.

   service-PROJECT_NUMBER@gcp-sa-ekms.iam.gserviceaccount.com
   

Ensure gcloud CLI is up to date

If you're going to use the Google Cloud CLI, ensure that it's up-to-date with the following command:

gcloud components update

Prepare a VPC network

There are two options when setting up a VPC network:

• Auto mode network
• Custom mode network

By default, new projects contain an auto mode network that is pre-populated with firewall rules. If the VPC network will not be used for production purposes, the default auto mode network is the quickest way to get started.

If your external key manager is running on-premises and you will connect to it via hybrid connectivity, you should use a custom mode network because it provides control over the subnet IP address ranges.

Follow these steps for setting up your VPC:

1. Enable Private Google Access

   The external key manager must verify the OIDC token contained in each request. To verify the token, it needs to retrieve the OAuth2 public key from the www.googleapis.com domain name. If the external key manager runs in Google Cloud and does not have access via the internet (e.g. a VM without an external IP or blocked by a firewall), follow the instructions for configuring private Google access.

2. Firewall configuration for IP range 35.199.192.0/19

   Requests from Cloud EKM will come from this range. Create both ingress and egress allow firewall rules for TCP for the port on which the external key manager is listening.

Set up hybrid connectivity

If the external key manager is running on-premise, use a hybrid connectivity solution to connect the VPC with your on-premise network. Once you have set up connectivity, follow these additional steps:

1. Enable Private Google Access

   The external key manager must verify the OIDC token contained in each request. To verify the token, it needs to retrieve the OAuth2 public key from the www.googleapis.com domain name. If the external key manager runs on-premise and does not have access via the internet, follow the instructions for configuring private Google access for on-premises hosts.

2. Firewall configuration for IP range 35.199.192.0/19

   Requests from Cloud EKM will come from this range. Configure your on-premise network firewall or similar equipment to permit TCP traffic on the port on which the external key manager is listening.

3. Ensure that your VPC has a return route to IP range 35.199.192.0/19

   Your on-premises network must have a route for the 35.199.192.0/19 destination. For information about how to meet this requirement, see return route strategies for on-premise targets.

Return route strategies for on-premise targets

• For Cloud VPN tunnels that use static routing, manually create a route in your on-premises network whose destination is 35.199.192.0/19 and whose next hop is the Cloud VPN tunnel. For Cloud VPN tunnels that use policy-based routing, configure the Cloud VPN's local traffic selector and the on-premises VPN gateway's remote traffic selector to include 35.199.192.0/19.

• For Cloud VPN tunnels that use dynamic routing or for Cloud Interconnect, configure a custom route advertisement for 35.199.192.0/19 on the BGP session of the Cloud Router that manages the tunnel or VLAN attachment.

Set up your external key manager

Follow the instructions from your EKM provider to set up your EKM.

Set up your crypto space

If you use Cloud EKM as part of a partner-managed EKM arrangement, these steps have been completed for you as part of your partner's provisioning process.

If your EKM provider is compatible with EKM key management from Cloud KMS, the following setup and configuration steps need to be made in your EKM:

• Create a crypto space for your Cloud KMS-managed resources in your EKM.

• Grant your Cloud KMS service account access to your crypto space and the keys created in it.

• Set up Key Access Justifications policy to define which access justifications should be allowed or denied.

The exact process for each of these steps depends on your EKM. For more information, see your EKM provider's documentation.

Create a Service Directory service endpoint

Create and configure a Service Directory service endpoint in your VPC project that points to the private IP address and port of your your external key manager. If you are using a load balancer in front of multiple EKM replicas, use the load balancer's IP address and port. Ensure the network field of your Service Directory service endpoint is populated.

Authorize Cloud EKM to access your VPC

For each key project, you must authorize Cloud EKM to access your VPC on that project's behalf, even if the key project and the VPC project are the same. By authorizing access, keys in your key project can use the VPC in your VPC project.

1. Ensure a Cloud EKM service account exists for the project.

   gcloud CLI

   gcloud beta services identity create \
     --service=cloudkms.googleapis.com \
     --project=KEY_PROJECT_ID
   

2. Grant the servicedirectory.viewer and servicedirectory.pscAuthorizedService in your VPC project to service-KEY_PROJECT_NUMBER@gcp-sa-ekms.iam.gserviceaccount.com For help with getting your project ID and number, see Creating and managing projects.

   gcloud CLI

   gcloud projects add-iam-policy-binding VPC_PROJECT_ID \
     --member='serviceAccount:service-KEY_PROJECT_NUMBER@gcp-sa-ekms.iam.gserviceaccount.com' \
     --role='roles/servicedirectory.viewer'
   
   gcloud projects add-iam-policy-binding VPC_PROJECT_ID \
     --member='serviceAccount:service-KEY_PROJECT_NUMBER@gcp-sa-ekms.iam.gserviceaccount.com' \
     --role='roles/servicedirectory.pscAuthorizedService'
   

Create an EKM connection

To connect your external key manager to Cloud EKM, create an EKM connection in your key project.

gcloud beta kms ekm-connections create EKM_CONNECTION \
    --location LOCATION \
    --service-directory-service SERVICE_DIRECTORY_SERVICE \
    --hostname HOSTNAME \
    --server-certificates-files SERVER_CERTIFICATE_FILES \
    --key-management-mode manual

gcloud beta kms ekm-connections create EKM_CONNECTION \
    --location LOCATION \
    --service-directory-service SERVICE_DIRECTORY_SERVICE \
    --hostname HOSTNAME \
    --server-certificates-files SERVER_CERTIFICATE_FILES \
    --key-management-mode cloud-kms \
    --crypto-space-path CRYPTO_SPACE_PATH

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/ekmConnections" \
    --request "POST" \
    --header "authorization: Bearer TOKEN" \
    --header "content-type: application/json" \
    --header "x-goog-user-project: PROJECT_ID" \
    --data '{
      "name": "EKM_CONNECTION",
      "serviceResolvers": [
        {
          "serviceDirectoryService": "SERVICE_DIRECTORY_SERVICE",
          "hostname": "HOSTNAME",
          "serverCertificates": [
            {
              SERVER_CERTIFICATES
            }
          ]
        }
      ]
      "keyManagementMode": "CLOUD_KMS",
      "cryptoSpacePath": "CRYPTO_SPACE_PATH"
    }'

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/ekmConnections" \
    --request "POST" \
    --header "authorization: Bearer TOKEN" \
    --header "content-type: application/json" \
    --header "x-goog-user-project: PROJECT_ID" \
    --data '{
      "name": "EKM_CONNECTION",
      "serviceResolvers": [
        {
          "serviceDirectoryService": "SERVICE_DIRECTORY_SERVICE",
          "hostname": "HOSTNAME",
          "serverCertificates": [
            {
              SERVER_CERTIFICATES
            }
          ]
        }
      ]
    }'

Certificate status

Once you've uploaded a certificate for your EKM connection, you can check the overall certificate status of the EKM connection as well as the status of each certificate from the KMS infrastructure page.

EKM connections have an overall status in the Certificate status column of each connection. If an EKM connection has a status other than Active, we recommend updating the certificate(s) on your EKM connection.

Both EKM connections and individual certificates can have the following status:

• Active: The certificate is valid and is not nearing its expiration date.
• Expiring within 30 days: The certificate is valid, but has an expiration date in the next 30 days.
• Expired: The certificate is expired and is no longer valid. We recommend updating any expired certificates.
• Not valid yet: The certificate is not active. This can happen if the certificate's start date is in the future.

If your certificate is no longer valid, update your EKM connection in the Google Cloud console.

Set an EKM connection as default

You can set an EKM connection as the default connection for a given project and location. When a default EKM connection is set for a project and location, new Cloud EKM by VPC keys created in key rings in that location use the indicated EKM connection unless another EKM connection is selected.

To set an EKM connection as the default for its project and location, complete the following steps:

gcloud beta kms ekm-config update
  --location=LOCATION
  --default-ekm-connection=projects/PROJECT_ID/locations/LOCATION/ekmConnections/DEFAULT_EKM_CONNECTION

curl "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/ekmConfig" \
    --request "PATCH" \
    --header "authorization: Bearer TOKEN" \
    --header "content-type: application/json" \
    --data '{"defaultEkmConnection": "projects/PROJECT_ID/locations/LOCATION/ekmConnections/DEFAULT_EKM_CONNECTION"}'

If another EKM connection had been set as the default for this location, the selected EKM connection replaces it as the default. Only one EKM connection can be default for a given project and location.

What's next

• Create an external key.