In Sovereign Controls by Partners, all data needs to be encrypted using Cloud External Key Manager (Cloud EKM) keys, which are encryption keys connected to an external key manager (also abbreviated as EKM). Customers are provided with a project provisioned by Google Cloud and Sovereign Controls by Partners. In this project — called a Key Management Project — keys can be created using an external key manager that is operated by the partner on the customer's behalf.
This topic covers the steps to use Cloud KMS when backed by a partner.
To create and manage keys using Cloud EKM in Sovereign Controls by Partners, you will use a ticketing system called Issue Tracker. You will receive a link to the Issue Tracker tool and the key administrator access group information in your welcome email from the partner. All key admins must be added to the access group. These admins will then have access to the Issue Tracker component in order to file tickets with the partner, who will perform key management operations on your behalf.
All partner-managed keys should be created in the pre-provisioned Key Management Project. You can host data in a project that is different from the project in which your Cloud KMS keys reside. This capability supports the best practice of separation of duties between the key administrators and data administrators.
Locate customer-specific information
Before you start creating keys, locate the following pieces of information from your "EKM is provisioned" email:
- Key administrator access group
- Issue Tracker link
Configure access groups
The key administrator access group is a private Google group for key administrators in your organization, namely those that will be granted the Cloud KMS Admin Identity and Access Management (IAM) role. The key administrator access group is maintained by you.
You will receive your access group in your welcome email. It will be in the format:
Add the users who you would like to be granted the Cloud KMS Admin role in your project to the Google Group. For more information on how to manage your group, see Add people to your group.
Create a Cloud EKM key
Cloud EKM keys are used to encrypt your data on Google Cloud. To use keys from a partner's external key manager, you'll first need to create a Cloud EKM key. This partner-linked Cloud EKM key is used to reference a specific key in the partner's EKM and can only be created in the pre-provisioned Key Management Project.
Get the key ring name
A key ring is the place to hold your Cloud EKM keys. The key ring location must always be the region specified for the Assured Workloads (AW) folder that is supported by your Sovereign Partner, such as
Run the following command to find the created key ring name.
gcloud kms keyrings list \
  --location AW-FOLDER-REGION
Copy the key ring name (the zzz part after keyRings/) for future use when you create a key.
Get the Cloud EKM connection resource name
Next, you will need to obtain the partner's Cloud EKM connection resource name in the Key Management Project. It will be called default-ekm-connection.
Run the following command and find the Cloud EKM connection resource name that contains the connection name default-ekm-connection. It will be in the format of
gcloud kms ekm-connections list \
  --location AW-FOLDER-REGION

NAME: projects/test-project/locations/test-region/ekmConnections/default-ekm-connection
SERVICE_DIRECTORY_SERVICE: projects/host-project/locations/test-region/namespaces/partner-ekm-000000001/services/partner-ekm-00000001
HOSTNAME: test_host.example.com
Copy the full resource name from the NAME field of the output. This will be used as the --crypto-key-backend value when you create your symmetric key or asymmetric key.
Create a symmetric encryption key
To create a symmetric Cloud EKM key, use the following command in Google Cloud CLI:
gcloud kms keys create KEY_NAME \
  --keyring KEY_RING_NAME \
  --location AW-FOLDER-REGION \
  --purpose encryption \
  --protection-level external-vpc \
  --default-algorithm external-symmetric-encryption \
  --skip-initial-version-creation \
  --crypto-key-backend EKM_CONNECTION_NAME
--skip-initial-version-creation is used to prevent a key version from being created. When using Cloud KMS with Sovereign Controls by Partners, the partner is responsible for creating key versions for you.
Setting the key's purpose to encryption specifies that the key is a symmetric encryption key. You must use the external-vpc protection level because the partner's EKM is connected to Cloud KMS over an EKM via VPC connection.
The step above creates an empty symmetric encryption key in the key ring. To create a key version, follow instructions under the Final steps section below.
Create an asymmetric signing key
Creating an asymmetric signing key is similar to creating a symmetric encryption key. The primary differences are the key's purpose and default algorithm.
When creating a new key, ensure you add the --skip-initial-version-creation flag to prevent a key version from being created. When using Cloud KMS with Sovereign Controls by Partners, the partner is responsible for creating key versions for you.
gcloud kms keys create KEY_NAME \
  --keyring KEY_RING_NAME \
  --location AW-FOLDER-REGION \
  --purpose asymmetric-signing \
  --protection-level external-vpc \
  --skip-initial-version-creation \
  --default-algorithm ec-sign-p256-sha256 \
  --crypto-key-backend EKM_CONNECTION_NAME
Set the key's purpose to asymmetric-signing to specify that the key is an asymmetric signing key. You must use the external-vpc protection level because the partner's EKM is connected to Cloud KMS over an EKM via VPC connection.
The steps above create an empty asymmetric signing key in the key ring. To create a key version, follow instructions under the Final steps section below.
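The following shell script is an added example, not part of the Google Cloud documentation: it parses ekm-connections list output in the format shown above, checks that the default-ekm-connection lives in the Assured Workloads folder region (where the key ring must also be), and assembles the keys create command with the flags required for both the symmetric and the asymmetric key. The key name, key ring and region values are constructed placeholders, and the script prints the command rather than running gcloud.

```shell
#!/usr/bin/env bash
# Added example: derive --crypto-key-backend from `gcloud kms ekm-connections list`
# output and build `gcloud kms keys create` with the Sovereign Controls invariants
# (external-vpc protection level, no initial version, backend in the AW region).
set -eu

# Constructed sample output in the layout this page shows (not real resources).
SAMPLE_EKM_LIST='NAME: projects/test-project/locations/test-region/ekmConnections/default-ekm-connection
SERVICE_DIRECTORY_SERVICE: projects/host-project/locations/test-region/namespaces/partner-ekm-000000001/services/partner-ekm-00000001
HOSTNAME: test_host.example.com'

# Print the full resource name of the connection called default-ekm-connection,
# or nothing if the listing does not contain one. $1: list output.
ekm_connection_name() {
  printf '%s\n' "$1" | awk '$1 == "NAME:" && $2 ~ /ekmConnections\/default-ekm-connection$/ { print $2; exit }'
}

# Print the REGION component of a Cloud KMS resource name (projects/P/locations/REGION/...).
resource_location() {
  printf '%s\n' "$1" | sed -n 's#^projects/[^/]*/locations/\([^/]*\)/.*#\1#p'
}

# Assemble the key-create command. Refuses when the EKM connection is not in the
# AW folder region, and only knows the two purposes this page documents.
# $1 key name, $2 key ring, $3 AW region, $4 EKM connection resource name,
# $5 purpose (encryption | asymmetric-signing). Prints the command; never runs it.
build_key_create_cmd() {
  key="$1"; ring="$2"; region="$3"; backend="$4"; purpose="$5"
  if [ "$(resource_location "$backend")" != "$region" ]; then
    echo "EKM connection '$backend' is not in region '$region'" >&2
    return 1
  fi
  case "$purpose" in
    encryption)         alg="external-symmetric-encryption" ;;
    asymmetric-signing) alg="ec-sign-p256-sha256" ;;
    *) echo "unsupported purpose: $purpose" >&2; return 1 ;;
  esac
  printf 'gcloud kms keys create %s --keyring %s --location %s --purpose %s --protection-level external-vpc --default-algorithm %s --skip-initial-version-creation --crypto-key-backend %s\n' \
    "$key" "$ring" "$region" "$purpose" "$alg" "$backend"
}

# Usage with the constructed listing: placeholder key/ring names, region test-region.
BACKEND=$(ekm_connection_name "$SAMPLE_EKM_LIST")
build_key_create_cmd my-key my-ring test-region "$BACKEND" encryption
```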
Final steps
After you've created a Cloud EKM key in Google Cloud, the final step is to submit a ticket to the partner using the Issue Tracker link from the welcome email. Do this to create the first key version. Your request will be routed to the partner to complete their side of key creation.
See Partner-managed key operations for detailed walkthroughs on other key management operations such as creating or rotating key versions.