Importing a key into Cloud KMS

This topic shows you how to import a cryptographic key into Cloud HSM or Cloud Key Management Service.

For more details about importing keys, including limitations and restrictions, refer to Key import.

You can complete the steps in this topic in 5 to 10 minutes, not including the Before you begin steps. Wrapping the key manually adds complexity to the task.

Before you begin

It is recommended that you create a new project to test this feature, to ease clean-up after testing and to ensure that you have adequate Cloud IAM permissions to import a key.

Before you can import a key, you need to prepare the project, the local system, and the key itself.

Preparing the project

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. In the Cloud Console, on the project selector page, select or create a Cloud project.

    Go to the project selector page

  3. Make sure that billing is enabled for your Google Cloud project. Learn how to confirm billing is enabled for your project.

  4. Enable the required API.

    Enable the API

  5. Install and initialize the Cloud SDK.
  6. The user performing the import needs the following Cloud IAM permissions to create key rings, keys, and import jobs. If the user is not the project owner, you can assign both of the following two pre-defined roles to the user:

    • roles/editor
    • roles/cloudkms.importer

    For more information about available Cloud IAM roles and permissions for Cloud KMS, refer to Permissions and roles.

Preparing the local system

Prepare the local system by choosing one of the following options. Automatic key wrapping is recommended for most users.

  • If you want to allow the gcloud command-line tool to wrap your keys automatically before transmitting them to Google Cloud, you must install the Pyca cryptography library on your local system. The Pyca library is used by the import job that wraps and protects the key locally before sending it to Google Cloud.
  • If you want to wrap your keys manually, you must configure OpenSSL for manual key wrapping.

Preparing the key

  • If you don't have a key to import but want to test importing keys, you can create a symmetric key on the local system, using the following command:

    openssl rand 32 > ${HOME}/test.bin
    

    Use this key for testing only. A key created this way might not be appropriate for production use.

  • Ensure that the key you want to import is in the correct format, and convert it if necessary. For more information, see Formatting keys for import.

  • If you need to wrap the key manually, do that before continuing with the procedures in this topic.

Create the target key and key ring

Before you import a key, you create an empty key in your Google Cloud project, to contain the imported key material. In this topic, this empty key is called the target key.

The target key exists on a key ring. You can create a new key ring or use an existing one. In this topic, this key ring is called the target key ring.

The location of the target key ring determines the location where your key is available after import. Cloud HSM keys cannot be created or imported in some locations, such as global. You cannot move a key to a different key ring.

You can create the target key and key ring using the gcloud command-line tool or the Google Cloud Console.

gcloud

  1. Create the target key ring. If you intend to import into a Cloud HSM key, select a location with support for Cloud HSM.

    gcloud kms keyrings create keyring-name \
      --location location
    

    You can learn more about creating key rings.

  2. Create the target key.

    • Set the key's purpose:
      • For a symmetric key, set the purpose to encryption.
      • For an asymmetric key, set the purpose to either asymmetric-signing or asymmetric-encryption.
    • Prevent an initial version from being created by using the --skip-initial-version-creation flag.
    • Do not set the protection level.
    • Do not specify an algorithm for the target key. You specify the algorithm of the imported key as part of the import request.
    gcloud kms keys create key-name \
      --location location \
      --keyring keyring-name \
      --purpose purpose \
      --skip-initial-version-creation
    

    You can learn more about creating Cloud KMS keys or Cloud HSM keys.

Console

  1. Go to the Cryptographic Keys page in the Cloud Console.

    Go to the Cryptographic Keys page

  2. Click Create key ring.

  3. In the Key ring name field, enter the name for your key ring.

  4. From the Location dropdown, select a location.

  5. Click Create. The detail page for the key ring opens.

  6. Click Create key.

  7. Select Imported key. This prevents an initial key version from being created.

  8. In the Key name field, enter the name for your key.

  9. Set the Protection level to either Software or HSM.

  10. [Optional] For imported keys, automatic rotation is disabled by default. If you enable automatic rotation, the imported key version will no longer be the default key version after a rotation.

  11. [Optional] In the Labels field, click Add label if you want to [add labels to your key][4].

  12. Click Create.

The key ring and key now exist, but the key contains no key material. Next, you create an import job.

Create the import job

An import job defines the protection level and import method for keys you import into Cloud HSM or Cloud KMS, as well as the algorithm used to create the wrapping key that protects imported keys during transit from your local system to the target Google Cloud project.

You can create an import job using the gcloud tool, the Cloud Console, or the Cloud Key Management Service API.

gcloud

Use a command like the following to create an import job.

gcloud kms import-jobs create import-job \
  --location location \
  --keyring keyring-name \
  --import-method import-method \
  --protection-level protection-level

  • Use the same key ring and location as the target key.
  • Set the import method to either rsa-oaep-3072-sha1-aes-256 or rsa-oaep-4096-sha1-aes-256. Unless you have specific requirements, rsa-oaep-3072-sha1-aes-256 is recommended.
  • Set the protection level to either software or hsm.

Console

  1. Go to the Cryptographic Keys page in the Cloud Console.

    Go to the Cryptographic Keys page

  2. Click the name of the target key ring.

  3. Set the Protection level to either Software or HSM. Use the same protection level as you set for the target key.

  4. Click Create import job.

  5. In the Name field, enter the name for your import job.

  6. From the Import method dropdown, select an import method. Unless you have specific requirements, 3072 bit RSA is recommended.

  7. Click Create.

API

  1. Create an instance of the [ImportJob][importjob_api] type. Provide initial values for the ImportJob.protectionLevel and ImportJob.importMethod fields.

  2. Using your instance of ImportJob as the request body, call the ImportJob.create method.

Checking the state of the import job

The initial state for an import job is PENDING_GENERATION. Once the state is ACTIVE, the import job is ready to use.

An import job expires after three days. If the import job is expired, you must create a new one.

You can check the status of an import job using the gcloud command-line tool, the Google Cloud Console, or the Cloud Key Management Service API.

gcloud

When an import job is active, you can use it to import keys. This may take a few minutes. Use this command to verify that the import job is active. Use the location and keyring where you created the import job.

gcloud kms import-jobs describe import-job \
  --location location \
  --keyring keyring-name \
  --format="value(state)"
state: ACTIVE

Console

  1. Go to the Cryptographic Keys page in the Cloud Console.

    Go to the Cryptographic Keys page

  2. Click the name of the key ring that contains your import job.

  3. Click the Import Jobs tab at the top of the page.

  4. The state will be visible under Status next to your import job's name.

API

Call the ImportJob.get method and check the state field. If state is PENDING_GENERATION, the import job is still being created. Periodically recheck the state until it is ACTIVE.

As soon as the import job is active, you can make a request to import a key.

Preventing modification of import jobs

The import job determines many characteristics of the imported key, including the key's algorithm and whether an imported key is an HSM key or a software key. You can configure Cloud Identity and Access Management permissions to prevent users from creating import jobs, while allowing them to use import jobs to import keys.

  1. Only grant key administrators the importjobs.create.
  2. Grant the importjobs.useToImport permission for a specific import job to the operator who will use that job to import keys.
  3. When you create the import job, specify the protection level and algorithm for keys imported using it.

Until the import job expires, users who have the importjobs.useToImport and do not have the importjobs.create permission for a given import job can import keys, but cannot modify the characteristics of the import job.

Import the key

After checking the status of the import job, you can make an import request.

You use different flags to make the import request, depending on whether you want the gcloud command-line tool to wrap your key automatically or if you have wrapped your key manually.

Regardless of whether you wrapped your key manually or automatically, you must set the algorithm to an algorithm supported for the type of key you want to import. For example, set the algorithm to google-symmetric-encryption for symmetric keys. A variety of algorithms are supported for asymmetric keys.

Automatically wrapping and importing a key

If you want to use automatic wrapping, you must use the gcloud command-line tool. Use a command like the following. Set --target-key-file to the location of the unwrapped key to wrap and import. Do not set -rsa-aes-wrapped-key-file.

You can optionally set the --public-key-file flag to the location where the public key has already been downloaded. When importing a large number of keys, this prevents the public key from being downloaded during each import. For example, you could write a script that downloaded the public key once, then provided its location when importing each key.

gcloud kms keys versions import \
  --import-job import-job \
  --location location \
  --keyring keyring-name \
  --key KEY_NAME \
  --algorithm algorithm-name \
  --target-key-file path-to-unwrapped-key-to-import

Importing a manually-wrapped key

Use the instructions in this section to import a key that you have wrapped manually. Set --rsa-aes-wrapped-key-file to the location of key that you manually wrapped. Do not set --target-key-file.

You can optionally set the --public-key-file flag to the location where the public key has already been downloaded. When importing a large number of keys, this prevents the public key from being downloaded during each import. For example, you could write a script that downloaded the public key once, then provided its location when importing each key.

gcloud

Use a command like the following.

gcloud kms keys versions import \
  --import-job import-job \
  --location location \
  --keyring keyring-name \
  --key KEY_NAME \
  --algorithm algorithm-name \
  --rsa-aes-wrapped-key-file path-to-wrapped-key-to-import

For more information, see the output of the gcloud kms keys versions import --help command.

Console

  1. Open the Cryptographic Keys page in the Cloud Console.

  2. Click the name of the key ring that contains your import job. The target key is shown, along with any other keys on the key ring.

  3. Click the name of the target key, then click Import key version.

  4. Select your import job from the Select import job dropdown.

  5. In the Upload the wrapped key selector, select the key that you have already wrapped.

  6. If you are importing an asymmetric key, select the algorithm from the Algorithm dropdown. Your Import key version page should look similar to:

    Import key version

  7. Click Import.

API

  1. For the request body of the cryptoKeyVersions.import method, set the algorithm field to the algorithm of the key being imported. This value does not need to match the versionTemplate of the CryptoKey that is importing this version. The algorithm field is of type CryptoKeyVersionAlgorithm.

  2. Also for the request body, set the wrappedKeyMaterial field to the key material that you that you have already wrapped.

  3. Call the cryptoKeyVersions.import method. The cryptoKeyVersions.import response is of type CryptoKeyVersion. When a key is successfully imported, its state is ENABLED and you can use it in Cloud KMS.

Check the state of the imported key

The initial state for an imported key is PENDING_IMPORT. When the state is ENABLED, the imported key is ready to use. If the import fails, the status is IMPORT_FAILED.

You can check the status of an import request using the gcloud command-line tool, the Google Cloud Console, or the Cloud Key Management Service API.

gcloud

Use the versions list command to check the state. Use the same location, target key ring, and target key that you created earlier in this topic.

gcloud kms keys versions list \
  --keyring keyring \
  --location location \
  --key key

The import request creates a new key version using the imported key material and sets the key's status to ACTIVE.

Console

  1. Open the Cryptographic Keys page in the Cloud Console.

  2. Click the name of the key ring that contains your import job.

  3. Click the Import Jobs tab at the top of the page.

  4. The state will be visible under Status next to your import job's name.

API

Call the ImportJob.get method and check the state field. If state is PENDING_GENERATION, the import job is still being created. Periodically recheck the state until it is ACTIVE.

The key is imported and you can use it for signing or to protect data.

What's next