kms - Configure Cloud KMS encryption

kms - Configure Cloud KMS encryption

Synopsis

gsutil kms authorize [-p proj_id] -k kms_key
gsutil kms encryption [(-d|[-k kms_key])] bucket_url...
gsutil kms serviceaccount [-p proj_id]

Description

The kms command is used to configure Cloud Storage and Cloud KMS resources to support encryption of Cloud Storage objects with Cloud KMS keys.

The kms command has several sub-commands that deal with configuring Cloud Storage's integration with Cloud KMS:

Authorize

The authorize sub-command checks that the default (or supplied) project has a Cloud Storage-owned service account created for it, and if not, it creates one. It then adds appropriate encrypt/decrypt permissions to Cloud KMS resources such that the Cloud Storage service account can write and read Cloud KMS-encrypted objects in buckets associated with the specified project.

Authorize Examples

Authorize your default project to use a Cloud KMS key:

gsutil kms authorize \
    -k projects/key-project/locations/global/keyRings/key-ring/cryptoKeys/my-key

Authorize "my-project" to use a Cloud KMS key:

gsutil kms authorize -p my-project \
    -k projects/key-project/locations/global/keyRings/key-ring/cryptoKeys/my-key

Encryption

The encryption sub-command is used to set, display, or clear a bucket's default KMS key, which is used to encrypt newly-written objects if no other key is specified.

Encryption Examples

Set the default KMS key for my-bucket:

gsutil kms encryption \
    -k projects/key-project/locations/global/keyRings/key-ring/cryptoKeys/my-key \
    gs://my-bucket

Show the default KMS key for my-bucket, if one is set:

gsutil kms encryption gs://my-bucket

Clear the default KMS key so newly-written objects will not be encrypted:

gsutil kms encryption -d gs://my-bucket

Serviceaccount

The serviceaccount sub-command displays the Cloud Storage-owned service account that is used to perform Cloud KMS operations against your default project (or a supplied project).

Serviceaccount Examples

Show the service account for your default project:

gsutil kms serviceaccount

Show the service account for my-project:

gsutil kms serviceaccount -p my-project
Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Storage
Need help? Visit our support page.