This topic describes how to format your keys so that they can be imported by Cloud KMS as new key versions.
The correct format for your key material varies based on whether the key material is being imported into a symmetric key, or into an asymmetric key. For more information about the difference between symmetric and asymmetric keys, see Key purposes and algorithms.
Supported key formats
Symmetric keys for encryption must be 16 bytes (for raw symmetric encryption only) or 32 bytes of binary data, and must not be encoded. If your key is hex-encoded or base64-encoded, you must decode it before attempting to import it.
Symmetric keys for signing (MAC keys) must have length equal to the output length of the cryptographic hash function being used (e.g. HMAC-SHA256 keys must have a length of 32 bytes), and must not be encoded. If your key is hex-encoded or base64-encoded, you must decode it before attempting to import it.
Asymmetric keys for encryption or signing must be in PKCS #8 format and must be DER-encoded. PCKS #8 format is defined in RFC 5208. DER encoding is defined in International Telecommunications Union X.680. Asymmetric keys must use one of the length and algorithm combinations supported by Cloud KMS.
Some aspects of a key, such as the key's length, cannot be changed after the key is created. In these cases, the key cannot be imported into Cloud KMS.
Checking a symmetric key
Use the wc command to check a symmetric key's length.
wc -c /path/to/unwrapped-key
You cannot import a symmetric encryption key with a length other than 32.
Symmetric signing keys (MAC keys) must have a length equal to the output length of the cryptographic hash function being used (e.g. HMAC-SHA256 keys must have a length of 32 bytes).
Use the file command to check a key's format.
file /path/to/unwrapped-key
If the output is
data, the key is in the correct format to be imported.If the output is
ASCII text, use thecatcommand to display the contents of the file.If it is a string of letters and numbers ending in an
=sign, it might be base64-encoded. Use thebase64command (Base64.exeon Windows) to decode it. The following is an example of a base64-encoded key:THzArjassB+giKeNeT1Zr74OgV24t+Ep+37Ec6ojB3Y=
If it contains one or more lines of hexadecimal numbers, it might be hex-encoded. Use the
xxdcommand (or theFormat-HexPowerShell command on Windows) to decode it. The following is an example of a hex-encoded key:00000000: 4c7c c0ae 36ac b01f a088 a78d 793d 59af L|..6.......y=Y. 00000010: be0e 815d b8b7 e129 fb7e c473 aa23 0776 ...]...).~.s.#.v
If it contains any other text, it may not be a valid symmetric key.
Formatting asymmetric keys
Asymmetric keys using any of the supported algorithms can be imported. In practice, it is difficult to retroactively determine the algorithm used to create an asymmetric key. For that reason, we recommend that you run the following commands on each asymmetric key before attempting to import it into Cloud KMS.
Use the
filecommand to check a key's format.file /path/to/unwrapped-key
If the output is
PEM, the key is in PEM format. If it isASCII text, it is probably in PEM format. In either case, run the following command to convert it to PCKS#8 DER format:openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER \ -in /path/to/asymmetric-key-pem \ -out /path/to/formatted-keyIf the output is
data, the key is likely to be in DER format, but it may not be in PKCS #8 format. Run the following command to ensure that the key is in the correct format. The command has no effect if the key is already in the correct format. In that case, you can use thediffcommand to verify that the input and output file are identical.openssl pkcs8 -topk8 -nocrypt -inform DER -outform DER \ -in /path/to/asymmetric-key-der \ -out /path/to/formatted-key
Troubleshooting
If you run the commands above and you believe the key is in an appropriate format, but the import still fails, check for errors in Google Cloud console, and then see Troubleshooting failed imports.
What's next
- Continue to Import a key version
- Learn about key import