kms - Configure Cloud KMS encryption
gsutil kms authorize [-p <proj_id>] -k <kms_key>
gsutil kms encryption [(-d|[-k <kms_key>])] [-w] gs://<bucket_name>...
gsutil kms serviceaccount [-p <proj_id>]
The kms command is used to configure Cloud Storage and Cloud KMS resources to support encryption of Cloud Storage objects with Cloud KMS keys.
The kms command has three sub-commands (authorize, encryption, and serviceaccount) that deal with configuring Cloud Storage's integration with Cloud KMS.
Before using this command, read the prerequisites for using Cloud KMS with Cloud Storage.
The encryption sub-command is used to set, display, or clear a bucket's default KMS key, which is used to encrypt newly-written objects if no other key is specified.
Set the default KMS key for my-bucket:
gsutil kms encryption \
    -k projects/key-project/locations/us-east1/keyRings/key-ring/cryptoKeys/my-key \
    gs://my-bucket
Show the default KMS key for my-bucket, if one is set:
gsutil kms encryption gs://my-bucket
Clear the default KMS key so newly-written objects are not encrypted using it:
gsutil kms encryption -d gs://my-bucket
Once you clear the default KMS key, newly-written objects are encrypted with Google-managed encryption keys by default.
- -k <key>
Set the default KMS key for my-bucket using the full path to the key, which has the following form:
- -w
(used with -k key) Display a warning rather than failing if gsutil is unable to verify that the specified key contains the correct IAM bindings for encryption/decryption. This is useful for users that do not have getIamPolicy permission but know that the key has the correct IAM policy for encryption in the user's project.
- -d
Clear the default KMS key.
The serviceaccount sub-command displays the Cloud Storage service agent that is used to perform Cloud KMS operations against your default project (or a supplied project).
Show the service account for my-project:
gsutil kms serviceaccount -p my-project
- -p <project>
The ID or number of the project whose Cloud Storage service agent is being requested. If this flag is not included, your default project is used.