You can retrieve the public key portion of an asymmetric key version by using the Google Cloud Console, the gcloud command-line tool, or the Key Management Service API.
The public key is in the Privacy-enhanced Electronic Mail (PEM) format. For more information, see the RFC 7468 sections for General Considerations and Textual Encoding of Subject Public Key Info.
The user or service that will retrieve the public key requires the cloudkms.cryptoKeyVersions.viewPublicKey permission on the key version. You can learn about permissions in the KMS beta release at Permissions and Roles.
Console
To download the public key for an existing asymmetric key version:
- Open the Cryptographic Keys page in the Cloud Console.
- Click the name of the key ring that contains the asymmetric key.
- Click the name of the key that contains the key version.
- For the key version whose public key you want to retrieve, click the More icon (3 vertical dots).
- Click Get public key. The public key is displayed, and you can copy the public key to your clipboard or download the public key. (If you do not see the Get public key option, verify the key is an asymmetric key, and verify you have the cloudkms.cryptoKeyVersions.viewPublicKey permission.)
The file name of a public key downloaded from the Cloud Console is of the form [KEY_RING]-[KEY]-[CRYPTO_KEY_VERSION].pub.
Command-line
gcloud kms keys versions \
get-public-key CRYPTO_KEY_VERSION \
--location LOCATION \
--keyring KEY_RING \
--key KEY \
--output-file ~/mykey.pub
API
Retrieve the public key by calling the CryptoKeyVersions.getPublicKey method.
Specify the resource ID of the key version for the public key you want to retrieve.
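Whichever method you use, the result is a PEM file that can be checked before it is trusted. The following is an added example, not part of the original documentation or of Google's sample code: it strictly parses a single RFC 7468 PUBLIC KEY block, confirms the body is a DER SubjectPublicKeyInfo for an EC or RSA key, and returns a SHA-256 fingerprint of the DER bytes. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import re
import textwrap

# RFC 7468 section 13: a SubjectPublicKeyInfo uses the label "PUBLIC KEY".
PEM_RE = re.compile(
    r"\A\s*-----BEGIN PUBLIC KEY-----\s*\n(?P<b64>[A-Za-z0-9+/=\s]+?)"
    r"-----END PUBLIC KEY-----\s*\Z"
)
# DER-encoded algorithm OIDs: id-ecPublicKey and rsaEncryption.
OIDS = {
    bytes.fromhex("06072a8648ce3d0201"): "EC",
    bytes.fromhex("06092a864886f70d010101"): "RSA",
}


def parse_public_key_pem(pem: str) -> dict:
    """Strictly decode one PEM public key; raise ValueError on anything else."""
    m = PEM_RE.match(pem)
    if m is None:
        raise ValueError("not a single RFC 7468 'PUBLIC KEY' block")
    try:
        der = base64.b64decode("".join(m.group("b64").split()), validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("invalid base64 body") from exc
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("body is not a DER SEQUENCE")
    # Outer length is short form (< 0x80) or long form (0x80 | byte count).
    if der[1] < 0x80:
        n, length = 0, der[1]
    else:
        n = der[1] & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
    hdr = 2 + n
    if hdr + length != len(der):
        raise ValueError("DER length does not match body size")
    # AlgorithmIdentifier: SEQUENCE (0x30, short length) whose first element is the OID.
    algo = next((v for k, v in OIDS.items() if der.startswith(k, hdr + 2)), None)
    if der[hdr:hdr + 1] != b"\x30" or algo is None:
        raise ValueError("missing or unsupported AlgorithmIdentifier")
    return {"algorithm": algo, "der": der, "sha256": hashlib.sha256(der).hexdigest()}


def constructed_sample_pem() -> str:
    """Constructed sample: P-256 SPKI header plus a zeroed point (not a real key)."""
    der = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004") + bytes(64)
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"
```

The fingerprint is computed over the DER bytes, so it stays the same regardless of line wrapping or trailing whitespace in the PEM file.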