Set up Cloud EKM via the internet

This topic is about using Cloud External Key Manager (Cloud EKM) to create and manage external keys accessed via the internet.

Before you begin

After you complete the steps below, you can begin using Cloud EKM keys to protect your data.

Create a new project

  1. In the Google Cloud console, go to the Manage Resources page.

    Go to the Manage Resources page

  2. Create a new Google Cloud project or select an existing project.

  3. Make sure that billing is enabled for your Google Cloud project.

  4. You can learn more about Cloud EKM pricing.

Enable Cloud KMS

  1. Enable the Cloud Key Management Service API for the project.

    Enable the Cloud Key Management Service API

  2. Make a note of your project's Cloud EKM service account. In the following example, replace PROJECT_NUMBER with your Google Cloud project's project number. This information is also visible each time you use the Google Cloud console to create a Cloud EKM key.

    service-PROJECT_NUMBER@gcp-sa-ekms.iam.gserviceaccount.com
    

Prepare the external key management partner system

In the external key management partner system, grant the Google Cloud service account access to use the external key. Treat the service account as an email address. Partners may use different terminology than that used in this topic.

Ensure gcloud CLI is up to date

If you're going to use the Google Cloud CLI, ensure that it's up-to-date with the following command:

gcloud

gcloud components update

Troubleshooting errors

If you experience an error when creating or using a Cloud EKM key, an error is logged. For information about troubleshooting Cloud EKM errors, see the Cloud EKM error reference.

What's next