This topic is about using Cloud External Key Manager (Cloud EKM) to create and manage external keys accessed via the internet.
Before you begin
After you complete the steps below, you can begin using Cloud EKM keys to protect your data.
Create a new project
In the Google Cloud console, go to the Manage Resources page.
Create a new Google Cloud project or select an existing project.
Make sure that billing is enabled for your Google Cloud project.
You can learn more about Cloud EKM pricing.
Enable Cloud KMS
Enable the Cloud Key Management Service API for the project.
Make a note of your project's Cloud EKM service account. In the following example, replace PROJECT_NUMBER with your Google Cloud project's project number. This information is also visible each time you use the Google Cloud console to create a Cloud EKM key.
service-PROJECT_NUMBER@gcp-sa-ekms.iam.gserviceaccount.com
Prepare the external key management partner system
In the external key management partner system, grant the Google Cloud service account access to use the external key. Treat the service account as an email address. Partners may use different terminology than that used in this topic.
Ensure gcloud CLI is up to date
If you're going to use the Google Cloud CLI, ensure that it's up-to-date with the following command:
gcloud components update
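The prerequisites above can be checked from the gcloud CLI before you hand the service account address to the external key management partner. The script below is an added example, not part of the original page; its function names and the EKM_PROJECT_ID environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the Cloud EKM prerequisites on this page.

# Build the Cloud EKM service account address from a project number.
# Rejects anything that is not purely numeric, such as a project ID pasted
# by mistake, so a wrong identity is never granted access on the partner side.
ekm_service_account() {
  case "$1" in
    ''|*[!0-9]*) echo "not a project number: '$1'" >&2; return 1 ;;
  esac
  printf 'service-%s@gcp-sa-ekms.iam.gserviceaccount.com\n' "$1"
}

# Confirm billing and the Cloud KMS API for a project ID, then print the
# address to grant access to in the external key management partner system.
ekm_preflight() {
  project_id="$1"

  billing=$(gcloud billing projects describe "$project_id" \
              --format='value(billingEnabled)') || return 1
  case "$billing" in
    [Tt]rue) ;;
    *) echo "billing is not enabled for $project_id" >&2; return 1 ;;
  esac

  enabled=$(gcloud services list --enabled --project="$project_id" \
              --filter='config.name=cloudkms.googleapis.com' \
              --format='value(config.name)') || return 1
  if [ -z "$enabled" ]; then
    echo "Cloud KMS API is not enabled for $project_id; enable it with:" >&2
    echo "  gcloud services enable cloudkms.googleapis.com --project=$project_id" >&2
    return 1
  fi

  number=$(gcloud projects describe "$project_id" \
             --format='value(projectNumber)') || return 1
  ekm_service_account "$number"
}

# Runs only when EKM_PROJECT_ID (this example's own variable) is set:
#   EKM_PROJECT_ID=my-project sh ekm-preflight.sh
if [ -n "${EKM_PROJECT_ID:-}" ]; then
  ekm_preflight "$EKM_PROJECT_ID"
fi
```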
Troubleshooting errors
If you experience an error when creating or using a Cloud EKM key, an error is logged. For information about troubleshooting Cloud EKM errors, see the Cloud EKM error reference.