Maintain partner-managed keys

As a Sovereign Controls by Partners customer, you use a different workflow to manage your Cloud External Key Manager (Cloud EKM) keys. Instead of setting up and managing your own external key manager, Google Cloud and the partner handle these steps for you. This means that the partner manages your keys and key versions at your request.

This topic covers how to submit requests for common key operations in a partner-managed Cloud Key Management Service project, commonly known as the Key Management Project.

Before you begin

You need to have a key ring with at least one key before making key operation requests.

Get the key's resource name

For any key operation request, you need to provide the resource name of the key or key version to be modified.

  • You need to provide the key resource name to create a version or rotate a key.
  • You need to provide the key version resource name to update or destroy a key version.

Issue Tracker requests

Issue Tracker is a tool used by Google and its partners to track requests for specialized projects. For partner-managed Cloud Key Management Service projects, you use the Issue Tracker to submit requests to the partner, who then fulfills them in your Cloud Key Management Service project and manages your keys in the external key manager.

You can find a link to your organization's Issue Tracker in your welcome email.

Common key operations

Create a key version

Use the Issue Tracker to submit a request for a new key version. The new key version is set as the primary version if it's the first key version, or if there are no other key versions.

In the Issue Tracker, select Create key version and provide the resource name of your key. Click Create to submit your request.

Rotate key

In the Issue Tracker, indicate Rotate key in the ticket body and provide the resource name of your key. Click Create to submit your request.

When a key is rotated, the partner generates new key material in the EKM, creates a new key version in your Cloud Key Management Service project, and then sets the new key version as the primary version.

Rotating a key causes all newly created data protected with that key to be encrypted with the new key material. Data protected with previous key material is not re-encrypted, so the previous key material must remain available to decrypt that data.

Disable a key version

You can use the Google Cloud console, Google Cloud CLI, or a Cloud KMS client library to disable a key version in the Enabled state. When you disable a key version, its state changes to Disabled. See Enabling and disabling key versions in the Cloud KMS documentation for more information.

Destroy a key version

To destroy a key version, schedule it for destruction in Cloud KMS. Once the Cloud KMS key version is destroyed, data encrypted with it is no longer accessible.

If you'd also like to destroy the key in the partner's EKM:

  1. Schedule the key version for destruction.
  2. In the Issue Tracker, select Destroy key version in the ticket body and provide the resource name of the key version you would like to have destroyed.
  3. Click Create to submit your request.

The partner confirms your key destruction request with you before proceeding. When destruction is confirmed, the partner provides a date and time for when the key will be destroyed. You can restore the key before the destruction.

In the period before the key is destroyed, if you restore your key version, both the Cloud KMS key and the key in the partner's EKM will remain.

If the destruction continues as scheduled, the Cloud KMS key is deleted first, and then the key in the partner's EKM is deleted.
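The steps in the sections above that you perform yourself in Cloud KMS (getting the key or key version resource name for a ticket, checking a version's state, disabling a version, scheduling or cancelling its destruction), as an added shell example that is not from the Google Cloud documentation. It assumes an authenticated gcloud CLI; the project, location, key ring and key names in it are constructed placeholders.

```shell
#!/bin/sh
# Added example: customer-side helpers for a partner-managed Key Management Project.
# Resource-name handling is pure shell; the kms_* helpers wrap gcloud, which must be
# authenticated against the Key Management Project. All names below are constructed.
set -eu

# Given a key version resource name, print the parent key's resource name
# (what a "Create key version" or "Rotate key" ticket needs).
#   version: projects/P/locations/L/keyRings/R/cryptoKeys/K/cryptoKeyVersions/N
#   key:     projects/P/locations/L/keyRings/R/cryptoKeys/K
key_from_version() {
  case "$1" in
    projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/[0-9]*)
      printf '%s\n' "${1%/cryptoKeyVersions/*}" ;;
    *) echo "not a key version resource name: $1" >&2; return 1 ;;
  esac
}

# Split a key version resource name into the values gcloud takes as flags.
# Sets LOCATION, KEYRING, KEY and VERSION in the caller's shell.
parse_version() {
  key_from_version "$1" >/dev/null || return 1
  old_ifs=$IFS; IFS=/; set -- $1; IFS=$old_ifs
  LOCATION=$4; KEYRING=$6; KEY=$8; VERSION=${10}
}

# Current state of a key version: ENABLED, DISABLED, DESTROY_SCHEDULED, DESTROYED, ...
kms_version_state() {
  parse_version "$1" || return 1
  gcloud kms keys versions describe "$VERSION" --key="$KEY" --keyring="$KEYRING" \
    --location="$LOCATION" --format='value(state)'
}

# Run one of the Cloud KMS operations you perform yourself:
#   disable  -> state becomes DISABLED
#   destroy  -> schedules destruction (state DESTROY_SCHEDULED); file the
#               "Destroy key version" ticket afterwards if the EKM key should go too
#   restore  -> cancels a scheduled destruction, so both the Cloud KMS and EKM keys remain
kms_version_op() {
  case "$1" in disable|destroy|restore) ;; *) echo "unknown op: $1" >&2; return 1 ;; esac
  parse_version "$2" || return 1
  gcloud kms keys versions "$1" "$VERSION" --key="$KEY" --keyring="$KEYRING" --location="$LOCATION"
}

# Constructed sample (not a real key), used here only for the pure-shell parsing:
SAMPLE=projects/my-kmp/locations/europe-west3/keyRings/sov-ring/cryptoKeys/data-key/cryptoKeyVersions/3
key_from_version "$SAMPLE"     # prints the key resource name to paste into a rotate ticket
# Real use, once gcloud is authenticated:  kms_version_op disable "$SAMPLE"; kms_version_state "$SAMPLE"
```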

Response time

Use the Issue Tracker for routine key management operations only. Once an Issue Tracker request is submitted, you can expect to receive a response from your partner within one business day.
