kms - Configure Cloud KMS encryption
gsutil kms authorize [-p proj_id] -k kms_key
gsutil kms encryption [(-d|[-k kms_key])] bucket_url...
gsutil kms serviceaccount [-p proj_id]
The kms command is used to configure Cloud Storage and KMS resources to support encryption of Cloud Storage objects with Cloud KMS keys.
The kms command has several sub-commands that deal with configuring Cloud Storage's integration with Cloud KMS:
The encryption sub-command is used to set, display, or clear a bucket's default KMS key, which is used to encrypt newly-written objects if no other key is specified.
Set the default KMS key for my-bucket:
gsutil kms encryption \
    -k projects/key-project/locations/global/keyRings/key-ring/cryptoKeys/my-key \
    gs://my-bucket
Show the default KMS key for my-bucket, if one is set:
gsutil kms encryption gs://my-bucket
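Clear the default KMS key so newly-written objects are no longer encrypted with it (Cloud Storage still encrypts them at rest with a Google-managed key unless another key is specified):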
gsutil kms encryption -d gs://my-bucket
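The script below is an added example, not part of gsutil or its documentation: it checks a key name against the shape used above, then runs authorize, set, and read-back in order. The function names, the GSUTIL override variable, and the bucket-project argument are hypothetical, and the read-back check assumes the display output contains the full key name.

```shell
#!/bin/sh
# Added example, not part of gsutil.
# GSUTIL may be pointed at a stub to rehearse the sequence offline.
GSUTIL=${GSUTIL:-gsutil}

# Succeeds only for projects/P/locations/L/keyRings/R/cryptoKeys/K.
# Key *version* names, a leading slash, and embedded whitespace are
# rejected so a malformed value never reaches the bucket configuration.
is_kms_key_name() {
    case $1 in *[[:space:]]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq \
        '^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$'
}

# Prints the project id embedded in a key name (often not the bucket's project).
kms_key_project() {
    rest=${1#projects/}
    printf '%s\n' "${rest%%/*}"
}

# $1 = key name, $2 = gs:// bucket URL, $3 = project that owns the bucket.
# Returns 0 only if the bucket reports the requested key afterwards.
set_default_kms_key() {
    key=$1
    bucket=$2
    bucket_project=$3
    is_kms_key_name "$key" || { echo "bad KMS key name: $key" >&2; return 2; }
    case $bucket in
        gs://?*) ;;
        *) echo "bad bucket URL: $bucket" >&2; return 2 ;;
    esac
    # Allow the bucket project's Cloud Storage service account to use the key.
    "$GSUTIL" kms authorize -p "$bucket_project" -k "$key" || return 1
    # Make the key the bucket default for newly-written objects.
    "$GSUTIL" kms encryption -k "$key" "$bucket" || return 1
    # Read the setting back (assumption: output includes the full key name).
    "$GSUTIL" kms encryption "$bucket" | grep -Fq -- "$key"
}
```

For example, `set_default_kms_key projects/key-project/locations/global/keyRings/key-ring/cryptoKeys/my-key gs://my-bucket my-project` returns non-zero if any step fails or the read-back does not show the key.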
The serviceaccount sub-command displays the Cloud Storage-owned service account that is used to perform Cloud KMS operations against your default project (or a supplied project).
Show the service account for your default project:
gsutil kms serviceaccount
Show the service account for my-project:
gsutil kms serviceaccount -p my-project