Configure partner-managed Cloud KMS


In Sovereign Controls by Partners, all data needs to be encrypted using Cloud External Key Manager (Cloud EKM) keys, which are encryption keys connected to an external key manager (also abbreviated as EKM). Customers are provided with a project provisioned by Google Cloud and Sovereign Controls by Partners. In this project — called a Key Management Project — keys can be created using an external key manager that is operated by the partner on the customer's behalf.

This topic covers the steps to use Cloud KMS when backed by a partner.

Overview

To create and manage keys using Cloud EKM in Sovereign Controls by Partners, you will use a ticketing system called Issue Tracker. You will receive a link to the Issue Tracker tool and the key administrator access group information in your welcome email from the partner. All key admins must be added to the access group. These admins will then have access to the Issue Tracker component in order to file tickets with the partner, who will perform key management operations on your behalf.

All partner-managed keys should be created in the pre-provisioned Key Management Project. You can host data in a project that is different from the project in which your Cloud KMS keys reside. This capability supports the best practice of separation of duties between the key administrators and data administrators.

Locate customer-specific information

Before you start creating keys, locate the following pieces of information from your "EKM is provisioned" email:

  1. Key administrator access group
  2. Issue Tracker link

Configure access groups

The key administrator access group is a private Google group for key administrators in your organization, namely those that will be granted the Cloud KMS Admin Identity and Access Management (IAM) role. The key administrator access group is maintained by you.

You will receive your access group in your welcome email. It will be in the format:

<Assured-Workloads-folder-name>-<KMS-project-number>-key-admin@googlegroups.com

Add the users who you would like to be granted the Cloud KMS Admin role in your project to the Google Group. For more information on how to manage your group, see Add people to your group.

Create a Cloud EKM key

Cloud EKM keys are used to encrypt your data on Google Cloud. To use keys from a partner's external key manager, you'll first need to create a Cloud EKM key. This partner-linked Cloud EKM key is used to reference a specific key in the partner's EKM and can only be created in the pre-provisioned Key Management Project.

Get the key ring name

A key ring is the container for your Cloud EKM keys. The key ring location must always be the region specified for the Assured Workloads (AW) folder that is supported by your Sovereign Partner, such as europe-west3.


Run the following command to find the created key ring name.

gcloud kms keyrings list \
--location AW-FOLDER-REGION

Sample output:

NAME
projects/xxx/locations/yyy/keyRings/zzz

Copy the key ring name (the zzz part after keyRings/) and note it below; you will need it when you create a key.

KEY_RING_NAME: KEY_RING_NAME

Get the Cloud EKM connection resource name

Next, you will need to obtain the partner's Cloud EKM connection resource name in the Key Management Project. It will be called default-ekm-connection.


Run the following command and find the Cloud EKM connection resource name that contains the connection name default-ekm-connection. It will be in the format of projects/[PROJECT-ID]/locations/[AW-FOLDER-REGION]/ekmConnections/default-ekm-connection:

gcloud kms ekm-connections list \
--location AW-FOLDER-REGION

Sample output:

NAME: projects/test-project/locations/test-region/ekmConnections/default-ekm-connection
SERVICE_DIRECTORY_SERVICE: projects/host-project/locations/test-region/namespaces/partner-ekm-000000001/services/partner-ekm-00000001
HOSTNAME: test_host.example.com

Copy the full resource name shown in the NAME field and note it below. This value is passed as --crypto-key-backend when you create your symmetric key and/or asymmetric key.

EKM_CONNECTION_NAME: EKM_CONNECTION_NAME

Create a symmetric encryption key

To create a symmetric Cloud EKM key, use the following command in Google Cloud CLI:


gcloud kms keys create KEY_NAME \
--keyring KEY_RING_NAME \
--location AW-FOLDER-REGION \
--purpose encryption \
--protection-level external-vpc \
--default-algorithm external-symmetric-encryption \
--skip-initial-version-creation \
--crypto-key-backend EKM_CONNECTION_NAME

The flag --skip-initial-version-creation is used to prevent a key version from being created. When using Cloud KMS with Sovereign Controls by Partners, the partner is responsible for creating key versions for you.

The key's purpose as encryption specifies that the key is a symmetric encryption key. You must use the external-vpc protection level since the partner's EKM is connected to Cloud KMS using an EKM via VPC connection.

The step above creates an empty symmetric encryption key in the key ring. To create a key version, follow instructions under the Final steps section below.

Create an asymmetric signing key

Creating an asymmetric signing key is similar to creating a symmetric encryption key. The primary differences are the key's purpose and default algorithm.

When creating a new key, ensure you add the --skip-initial-version-creation to prevent a key version from being created. When using Cloud KMS with Sovereign Controls by Partners, the partner is responsible for creating key versions for you.


gcloud kms keys create KEY_NAME \
--keyring KEY_RING_NAME \
--location AW-FOLDER-REGION \
--purpose asymmetric-signing \
--protection-level external-vpc \
--skip-initial-version-creation \
--default-algorithm ec-sign-p256-sha256 \
--crypto-key-backend EKM_CONNECTION_NAME

Set the key's purpose as asymmetric-signing to specify that the key is an asymmetric signing key. You must use the external-vpc protection level since the partner's EKM is connected to Cloud KMS using an EKM via VPC connection.

The step above creates an empty asymmetric signing key in the key ring. To create a key version, follow instructions under the Final steps section below.
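The following script ties together the procedure from Get the key ring name through Create an asymmetric signing key. It is an added example, not Google's or the partner's tooling: the helper functions parse the output of `gcloud kms keyrings list` and `gcloud kms ekm-connections list` (run with `--format='value(name)'`), refuse to proceed unless exactly one default-ekm-connection is present, create the key with `--skip-initial-version-creation`, and then confirm that the new key has no versions, since the partner, not you, creates the first version. The SAMPLE_EKM_LIST constant is constructed sample output for offline use; the real gcloud calls only run when RUN_GCLOUD=1 and AW_REGION are set, and the GCLOUD variable (default `gcloud`) is an assumption of this script so the commands can be dry-run.

```shell
#!/usr/bin/env sh
# Added example, not Google Cloud's own tooling. Assumes gcloud is installed and
# authenticated against the pre-provisioned Key Management Project.
set -eu

# Constructed sample output of `gcloud kms ekm-connections list --format='value(name)'`.
SAMPLE_EKM_LIST='projects/test-project/locations/test-region/ekmConnections/default-ekm-connection
projects/test-project/locations/test-region/ekmConnections/legacy-connection'

# Extract the short key ring id (the "zzz" after keyRings/) from a full resource name.
keyring_short_name() {
  printf '%s\n' "${1##*/keyRings/}"
}

# Return the one resource name ending in /ekmConnections/default-ekm-connection.
# Fails if it is absent or if more than one line matches, so a wrong backend is never picked.
select_default_ekm_connection() {
  matches=$(printf '%s\n' "$1" | grep -E '/ekmConnections/default-ekm-connection$' || true)
  [ "$(printf '%s\n' "$matches" | grep -c .)" -eq 1 ] || return 1
  printf '%s\n' "$matches"
}

# Create an empty partner-backed key. Args: name, key ring short name, region,
# EKM connection resource name, purpose (encryption | asymmetric-signing).
# GCLOUD is an assumption of this script; set GCLOUD=echo to dry-run.
create_ekm_key() {
  purpose=$5
  case "$purpose" in
    encryption)         algo=external-symmetric-encryption ;;
    asymmetric-signing) algo=ec-sign-p256-sha256 ;;
    *) echo "unsupported purpose: $purpose" >&2; return 1 ;;
  esac
  "${GCLOUD:-gcloud}" kms keys create "$1" \
    --keyring "$2" \
    --location "$3" \
    --purpose "$purpose" \
    --protection-level external-vpc \
    --default-algorithm "$algo" \
    --skip-initial-version-creation \
    --crypto-key-backend "$4"
}

# True when a `gcloud kms keys versions list --format='value(name)'` listing is empty,
# i.e. no version was created locally and the partner still has to create the first one.
has_no_versions() {
  [ -z "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

if [ "${RUN_GCLOUD:-0}" = 1 ]; then
  region=${AW_REGION:?set AW_REGION to the Assured Workloads folder region, e.g. europe-west3}
  key=${KEY_NAME:-partner-backed-key}
  ring=$(keyring_short_name "$(gcloud kms keyrings list --location "$region" --format='value(name)' | head -n 1)")
  conn=$(select_default_ekm_connection "$(gcloud kms ekm-connections list --location "$region" --format='value(name)')")
  create_ekm_key "$key" "$ring" "$region" "$conn" encryption
  versions=$(gcloud kms keys versions list --key "$key" --keyring "$ring" --location "$region" --format='value(name)')
  if has_no_versions "$versions"; then
    echo "Key $key created with no versions; file the Issue Tracker ticket so the partner creates version 1."
  else
    echo "Unexpected: key $key already has a version; check that --skip-initial-version-creation was applied." >&2
    exit 1
  fi
fi
```

Run the parsing helpers first with `GCLOUD=echo` to see the exact `gcloud kms keys create` invocation that would be issued; only then set RUN_GCLOUD=1.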

Final steps

After you've created a Cloud EKM key in Google Cloud, the final step is to submit a ticket to the partner using the Issue Tracker link from the welcome email, requesting creation of the first key version. Your request will be routed to the partner to complete their side of key creation; until that version exists, the key cannot be used to protect data.

See Partner-managed key operations for detailed walkthroughs on other key management operations such as creating or rotating key versions.

What's next?