Retrieving a public key

You can retrieve the public key portion of an asymmetric key version by using the Google Cloud Platform Console, the gcloud command-line tool, or the Cloud KMS API.

The public key is in the Privacy-enhanced Electronic Mail (PEM) format. For more information, see the RFC 7468 sections for General Considerations and Textual Encoding of Subject Public Key Info.

The user or service that will retrieve the public key requires cloudkms.cryptoKeyVersions.viewPublicKey permission on the key version. You can learn about permissions in the Cloud KMS beta release at Permissions and Roles.


To download the public key for an existing asymmetric key version:

  1. Open the Cryptographic Keys page in the GCP Console.
  2. Click the name of the key ring that contains the asymmetric key.
  3. Click the name of the key that contains the key version.
  4. For the key version whose public key you want to retrieve, click the More icon (3 vertical dots).
  5. Click Get public key. The public key is displayed, and you can copy the public key to your clipboard or download the public key. (If you do not see the Get public key option, verify the key is an asymmetric key, and verify you have the cloudkms.cryptoKeyVersions.viewPublicKey permission.)

The file name of a public key downloaded from the GCP Console is of the form [KEY_RING]-[KEY]-[CRYPTO_KEY_VERSION].pub.


gcloud alpha kms keys versions \
  get-public-key [CRYPTO_KEY_VERSION] \
  --location [LOCATION] \
  --keyring [KEY_RING] \
  --key [KEY] \
  --output-file ~/


Retrieve the public key by calling the CryptoKeyVersions.getPublicKey method.

Specify the resource ID of the key version for the public key you want to retrieve.


import (
	"context"
	"crypto/x509"
	"encoding/pem"
	"fmt"

	cloudkms "cloud.google.com/go/kms/apiv1"
	kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1"
)

// getAsymmetricPublicKey retrieves the public key from a saved asymmetric key pair on KMS.
// example keyName: "projects/PROJECT_ID/locations/global/keyRings/RING_ID/cryptoKeys/KEY_ID/cryptoKeyVersions/1"
func getAsymmetricPublicKey(keyName string) (interface{}, error) {
	ctx := context.Background()
	client, err := cloudkms.NewKeyManagementClient(ctx)
	if err != nil {
		return nil, err
	}
	defer client.Close()

	// Build the request.
	req := &kmspb.GetPublicKeyRequest{
		Name: keyName,
	}
	// Call the API.
	response, err := client.GetPublicKey(ctx, req)
	if err != nil {
		return nil, fmt.Errorf("failed to fetch public key: %+v", err)
	}
	// Parse the key. pem.Decode returns a nil block when no PEM data is found.
	keyBytes := []byte(response.Pem)
	block, _ := pem.Decode(keyBytes)
	if block == nil {
		return nil, fmt.Errorf("failed to decode PEM block from public key response")
	}
	publicKey, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("failed to parse public key: %+v", err)
	}
	return publicKey, nil
}


import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.common.io.BaseEncoding;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;

/**
 * Retrieves the public key from a saved asymmetric key pair on Cloud KMS
 * Example keyName:
 *   "projects/PROJECT_ID/locations/global/keyRings/RING_ID/cryptoKeys/KEY_ID/cryptoKeyVersions/1"
 */
public static PublicKey getAsymmetricPublicKey(String keyName)
    throws IOException, GeneralSecurityException {

  // Create the Cloud KMS client.
  try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
    // The fully qualified name avoids a clash with java.security.PublicKey.
    com.google.cloud.kms.v1.PublicKey pub = client.getPublicKey(keyName);

    // Convert a PEM key to DER without taking a dependency on a third party library
    String pemKey = pub.getPem();
    pemKey = pemKey.replaceFirst("-----BEGIN PUBLIC KEY-----", "");
    pemKey = pemKey.replaceFirst("-----END PUBLIC KEY-----", "");
    pemKey = pemKey.replaceAll("\\s", "");
    byte[] derKey = BaseEncoding.base64().decode(pemKey);

    X509EncodedKeySpec keySpec = new X509EncodedKeySpec(derKey);

    if (pub.getAlgorithm().name().contains("RSA")) {
      return KeyFactory.getInstance("RSA").generatePublic(keySpec);
    } else if (pub.getAlgorithm().name().contains("EC")) {
      return KeyFactory.getInstance("EC").generatePublic(keySpec);
    } else {
      throw new UnsupportedOperationException(String.format(
          "key at path '%s' is of unsupported type '%s'.", keyName, pub.getAlgorithm()));
    }
  }
}


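from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from google.cloud import kms_v1


def get_asymmetric_public_key(key_name):
    """
    Retrieves the public key from a saved asymmetric key pair on Cloud KMS

    Example key_name:
      "projects/PROJECT_ID/locations/global/keyRings/RING_ID/cryptoKeys/KEY_ID/cryptoKeyVersions/1"
    """

    client = kms_v1.KeyManagementServiceClient()
    response = client.get_public_key(name=key_name)

    key_txt = response.pem.encode('ascii')
    key = serialization.load_pem_public_key(key_txt, default_backend())
    return key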
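
Before trusting the PEM text returned by any of the methods above, a caller can check that it is a single, well-formed SubjectPublicKeyInfo block and compute a fingerprint to compare against a value recorded out of band. The following Go program is an added example, not part of the original page or Google's samples; spkiFingerprint and samplePEM are hypothetical names, and the sample key is generated locally rather than fetched from Cloud KMS.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// spkiFingerprint (hypothetical helper) accepts exactly one PEM block labelled
// "PUBLIC KEY" and returns the hex SHA-256 of its DER SubjectPublicKeyInfo.
func spkiFingerprint(pemText []byte) (string, error) {
	block, rest := pem.Decode(pemText)
	switch {
	case block == nil:
		return "", fmt.Errorf("no PEM block found")
	case block.Type != "PUBLIC KEY": // RFC 7468 label for SubjectPublicKeyInfo
		return "", fmt.Errorf("unexpected PEM label %q", block.Type)
	case len(bytes.TrimSpace(rest)) != 0:
		return "", fmt.Errorf("unexpected data after PEM block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("invalid SubjectPublicKeyInfo: %w", err)
	}
	switch pub.(type) {
	case *rsa.PublicKey, *ecdsa.PublicKey: // key types accepted by this example
	default:
		return "", fmt.Errorf("unsupported key type %T", pub)
	}
	return fmt.Sprintf("%x", sha256.Sum256(block.Bytes)), nil
}

// samplePEM builds a constructed P-256 public key so the example runs offline.
func samplePEM() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

func main() {
	fmt.Println(spkiFingerprint(samplePEM()))
	fmt.Println(spkiFingerprint([]byte("not a PEM key")))
}
```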
