Verifying an imported key

This topic shows you how to verify an asymmetric key that you import into Cloud KMS or Cloud HSM.

For more details about how import works, including limitations and restrictions, refer to Key import.

Limitations on verifying imported keys

Data encrypted outside of Cloud KMS

The best way to test an imported key is to decrypt data that was encrypted before the key was imported, or to encrypt data using the imported key and decrypt it using the key before import.

In Cloud KMS or Cloud HSM, this is only possible when you import an asymmetric key. This is because when data is encrypted using a symmetric Cloud KMS or Cloud HSM key, extra metadata about the encryption key version is saved, encrypted, along with the encrypted data. This metadata is not present in data encrypted outside of Cloud KMS.

Verifying attestations

You can verify attestations about Cloud HSM keys. These attestations assert that the key is an HSM key, that the HSM module is owned by Google, and other details about the key. These attestations are not available for software keys.

Before you begin

  • Import an asymmetric key into Cloud KMS or Cloud HSM. You must use Cloud HSM if you want to verify the key's attestations.
  • If possible, complete the tasks in this topic using the same local system where you imported the key, so the local system already has the Cloud SDK installed and configured.
  • Encrypt a file using the local key, or copy a file encrypted with that key to the local system.

Verifying that the key material is identical

After you import an asymmetric key into Cloud KMS or Cloud HSM, the key material is identical to the local key. To verify that this is true, you can use the imported key to decrypt data that was encrypted using the key before it was imported.

To decrypt a file using a Cloud KMS or Cloud HSM key:

gcloud kms decrypt \
  --location=location  \
  --keyring=key-ring-name \
  --key=key-name \
  --ciphertext-file=filepath-and-file-to-decrypt \

If the file pointed to by the --plaintext-file flag contains the correct decrypted data, the key material of the external and imported key is identical.

To learn more, refer to encrypting and decrypting data.

Verifying attestations for a Cloud HSM key

After a key is imported into a Cloud HSM key, you can view attestations to verify that the key is in an HSM owned by Google. The procedure is different to verify symmetric Cloud HSM keys and asymmetric keys.

Attestations are not available for software keys in Cloud KMS.

Symmetric Cloud HSM keys

You can use the Extended Key Checksum Value (EKCV) key attribute to verify an imported Cloud HSM key's key material. This value is calculated by following RFC 5869, section 2. The value is derived using SHA-256-based HMAC-based Extract-and-Expand Key Derivation Function (HKDF) with 32 zero bytes as salt and expanding it with the fixed string Key Check Value as info. To retrieve this value, you can attest the key.

Asymmetric Cloud HSM keys

When you make the import request for an asymmetric key, you include your wrapped private key. The private key contains sufficient information for Cloud KMS to derive the public key. After your key is imported, you can retrieve the public key and verify that it matches the public key you have stored locally. For more information about checking the public key attribute, see To verify the public key.

You can verify the EKCV verification for asymmetric keys. In this case, the value is the SHA-256 digest of the DER-encoded public key. You can retrieve this value by looking at the key's attestation. For more information about checking the EKCV key attribute, see To verify key properties.

For additional information about attesting keys you import, see Attesting a key

What's next