このクイックスタートでは、所有するプロジェクトで Cloud Key Management Service を使用して暗号鍵を作成、使用する方法について説明します。この手順では、Google Cloud コンソールを使用して、Cloud KMS でキーリング、鍵、鍵バージョンを作成します。他の方法を使用する手順については、入門ガイドをご覧ください。
このクイックスタートでは、コマンドラインを使用して Cloud KMS API にリクエストを送信します。クライアント ライブラリを使用して Cloud KMS API にリクエストを送信するプログラミングの例については、暗号化と復号をご覧ください。
始める前に
Sign in to your Google Cloud account. If you're new to
Google Cloud,
create an account to evaluate how our products perform in
real-world scenarios. New customers also get $300 in free credits to
run, test, and deploy workloads.
In the Google Cloud console, on the project selector page,
select or create a Google Cloud project.
[[["わかりやすい","easyToUnderstand","thumb-up"],["問題の解決に役立った","solvedMyProblem","thumb-up"],["その他","otherUp","thumb-up"]],[["わかりにくい","hardToUnderstand","thumb-down"],["情報またはサンプルコードが不正確","incorrectInformationOrSampleCode","thumb-down"],["必要な情報 / サンプルがない","missingTheInformationSamplesINeed","thumb-down"],["翻訳に関する問題","translationIssue","thumb-down"],["その他","otherDown","thumb-down"]],["最終更新日 2025-09-04 UTC。"],[],[],null,["Create encryption keys with Cloud KMS This quickstart shows you how to create and use encryption keys with\nCloud Key Management Service in a project you own. These instructions use the\nGoogle Cloud console to create key rings, keys, and key versions in\nCloud KMS. For instructions that use other methods,\nsee [Autokey overview](/kms/docs/autokey-overview), [Create a key\nring](/kms/docs/create-key-ring), and [Create a key](/kms/docs/create-key).\n\nThis quickstart uses the command line to send requests to the\nCloud KMS API. For programming examples that use the client\nlibraries to send requests to the Cloud KMS API, see [Encrypting\nand Decrypting](/kms/docs/encrypt-decrypt).\n\nBefore you begin\n\n- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Cloud KMS API.\n\n\n [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=cloudkms.googleapis.com&redirect=https://console.cloud.google.com)\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Cloud KMS API.\n\n\n [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=cloudkms.googleapis.com&redirect=https://console.cloud.google.com)\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n\n\u003cbr /\u003e\n\n| **Important:** This quickstart creates Cloud KMS resources such as key rings and keys. Once created, these resources cannot be deleted. For more information, see [Why can't I delete keys or key rings?](/kms/docs/faq#cannot_delete).\n\nKey rings and keys\n\nTo encrypt and decrypt content you will need a Cloud KMS key, which\nis part of a key ring.\n\nCreate a key ring named `test`, and a key named `quickstart`. Refer to the\n[object hierarchy overview](/kms/docs/object-hierarchy) for more\ninformation about these objects and how they are related. \n\n gcloud kms keyrings create \"test\" \\\n --location \"global\"\n\n gcloud kms keys create \"quickstart\" \\\n --location \"global\" \\\n --keyring \"test\" \\\n --purpose \"encryption\"\n\nYou can use the `list` option to view the name and metadata for the key that you\njust created. \n\n gcloud kms keys list \\\n --location \"global\" \\\n --keyring \"test\"\n\nYou should see: \n\n```\nNAME PURPOSE PRIMARY_STATE\nprojects/PROJECT_ID/locations/global/keyRings/test/cryptoKeys/quickstart ENCRYPT_DECRYPT ENABLED\n```\n\nEncrypt data\n\nNow that you have a key, you can use that key to encrypt text or binary\ncontent.\n\nStore some text to be encrypted in a file called \"mysecret.txt\". \n\n echo -n \"Some text to be encrypted\" \u003e mysecret.txt\n\nTo encrypt the data with `gcloud kms encrypt`, provide your key information,\nspecify the name of the plaintext file to encrypt, and specify the name of the\nfile that will contain the encrypted content: \n\n gcloud kms encrypt \\\n --location \"global\" \\\n --keyring \"test\" \\\n --key \"quickstart\" \\\n --plaintext-file ./mysecret.txt \\\n --ciphertext-file ./mysecret.txt.encrypted\n\nThe `encrypt` method saves your encrypted content in the file specified by the\n`--ciphertext-file` flag.\n\nDecrypt ciphertext\n\nTo decrypt the data with `gcloud kms decrypt`, provide your key information,\nspecify the name of the encrypted file (ciphertext file) to decrypt, and specify\nthe name of the file that will contain the decrypted content: \n\n gcloud kms decrypt \\\n --location \"global\" \\\n --keyring \"test\" \\\n --key \"quickstart\" \\\n --ciphertext-file ./mysecret.txt.encrypted \\\n --plaintext-file ./mysecret.txt.decrypted\n\nThe `decrypt` method saves your decrypted content in the file specified by the\n`--plaintext-file` flag.\n\nTo decrypt encrypted content, you must use the same key that was\nused to encrypt the content.\n\nClean up\n\n\nTo avoid incurring charges to your Google Cloud account for\nthe resources used on this page, follow these steps.\n\nList the versions available for your key: \n\n gcloud kms keys versions list \\\n --location \"global\" \\\n --keyring \"test\" \\\n --key \"quickstart\"\n\nTo destroy a version, run the following command, where `1` is the number\nof the key version that you want to destroy:\n**Important:** When you destroy a key version, you can no longer decrypt content that was encrypted using that version of the key. Make sure that you no longer need a key version before you destroy it. \n\n```\ngcloud kms keys versions destroy 1 \\\n --location \"global\" \\\n --keyring \"test\" \\\n --key \"quickstart\"\n```\n\nWhat's next\n\n- Start [using the API](/kms/docs/accessing-the-api).\n- Take a look at the [API Reference](/kms/docs/reference/rest).\n- Learn more about how to [encrypt data at\n rest](https://codelabs.developers.google.com/codelabs/encrypt-and-decrypt-data-with-cloud-kms)."]]
