Troubleshooting failed imports

Cloud Key Management Service allows you to import user-provided cryptographic keys. The initial state for an imported key is PENDING_IMPORT. When your import request is processed, the state is updated to ENABLED if the key material is imported successfully. If key material is not imported successfully, the state is updated to IMPORT_FAILED.

This topic describes the steps that you can take to understand why the state of your imported key is IMPORT_FAILED.

Formatting

Formatting issues are a common cause of import failures. The following error messages are typically caused by incorrectly formatted keys:

  • An argument to the import operation was malformed.

  • The key material in the import request couldn't be unwrapped or wasn't formatted correctly.

Formatting keys for import contains complete instructions on how to ensure that your key material is in a format that can be processed by Cloud KMS.

Length errors

Length errors are a specific variety of formatting error that Cloud KMS will detect before it attempts to unwrap your key material. The following length error messages are typically caused by incorrectly formatted keys:

  • Wrapped ECDSA key has invalid length of (length).

  • Wrapped key is too short.

  • Wrapped key does not consist of 64-bit blocks.

  • Wrapped key has invalid length.

Formatting keys for import contains instructions on how to ensure that your key material is properly formatted.

Wrapping

Errors in key wrapping are another possible cause of import failures, especially if you are manually wrapping keys for import. The following error messages could be caused by an improperly wrapped key:

  • An argument to the import operation was malformed.

  • The key material in the import request couldn't be unwrapped or wasn't formatted correctly.

Key wrapping describes the cryptographic operations required to properly wrap a key, depending on the import method associated with your import job.

If you use the automatic key wrapping built into the gcloud command-line tool, you can be sure that the key is wrapped properly. See Importing a key for further instructions.