Get started with Cloud KMS

In T-Systems Sovereign Cloud, all data needs to be encrypted using Cloud External Key Manager (Cloud EKM) keys, which are encryption keys connected to an external key manager (also abbreviated as EKM). While customers can set up and use their own Cloud EKM, customers are also provided with a project provisioned by Google Cloud and T-Systems Sovereign Cloud. In this project — called a Key Management Project — keys can be created using an external key manager that is operated by T-Systems International (TSI) on the customer's behalf.

This topic covers the steps to use Cloud KMS when backed by TSI.

Overview

To create and manage keys using Cloud EKM in T-Systems Sovereign Cloud, you will use a ticketing system called Issue Tracker. You will receive a link to the Issue Tracker tool and the key administrator access group information in your welcome email. All key admins must be added to the access group. These admins will then have access to the Issue Tracker component in order to file tickets with TSI, who will perform key management operations on your behalf.

All TSI-managed keys should be created in the pre-provisioned Key Management Project. You can host data in a project that is different from the project in which your Cloud KMS keys reside. This capability supports the best practice of separation of duties between the key administrators and data administrators.

Locate customer-specific information

Before you start creating keys, locate the following pieces of information from your initial welcome email:

  1. Cloud KMS project number
  2. Key administrator access group
  3. Issue Tracker link

Configure access groups

The key administrator access group is a private Google group for key administrators in your organization, namely those that will be granted the Cloud KMS Admin Identity and Access Management (IAM) role. The key administrator access group is maintained by you.

You will receive your access group in your welcome email. It will be in the format:

<customer-name>-<KMS-project-number>-key-admin@googlegroups.com

Add the users who you would like to be granted the Cloud KMS Admin role in your project to the Google Group. For more information on how to manage your group, see Add people to your group.

Create a Cloud EKM key

Cloud EKM keys are used to encrypt your data on Google Cloud. To use keys from TSI's external key manager, you'll first need to create a Cloud EKM key. This TSI-linked Cloud EKM key is used to reference a specific key in TSI's EKM and can only be created in the pre-provisioned Key Management Project.

Create a key ring

Create a key ring to hold your Cloud EKM key. For T-Systems Sovereign Cloud, the key ring location must always be europe-west3. Replace the KEY_RING_NAME placeholder with your desired name for the key ring:

gcloud kms keyrings create KEY_RING_NAME \
--location europe-west3

Get the Cloud EKM connection resource name

Next, you will need to obtain TSI's Cloud EKM connection resource name in the Key Management Project. It will be called default-ekm-connection.

Run the following command and find the Cloud EKM connection resource name that contains the connection name default-ekm-connection. It will be in the format of projects/[PROJECT-ID]/locations/europe-west3/ekmConnections/default-ekm-connection:

gcloud kms ekm-connections list \
--location europe-west3

Sample output:

NAME: projects/test-project/locations/europe-west3/ekmConnections/default-ekm-connection
SERVICE_DIRECTORY_SERVICE: projects/host-project/locations/europe-west3/namespaces/tsi-ekm-000000001/services/tsi-ekm-00000001
HOSTNAME: test_host.example.com

Copy the full resource name shown in the NAME field of the output. This value is used as the --crypto-key-backend value when you create your symmetric key and/or asymmetric key.

Create a symmetric encryption key

To create a symmetric Cloud EKM key, use the following command in Google Cloud CLI:

gcloud kms keys create KEY_NAME \
--keyring KEY_RING_NAME \
--location europe-west3 \
--purpose encryption \
--protection-level external-vpc \
--default-algorithm external-symmetric-encryption \
--skip-initial-version-creation \
--crypto-key-backend EKM_CONNECTION

The flag --skip-initial-version-creation is used to prevent a key version from being created. When using Cloud KMS with TSI Sovereign Cloud, TSI is responsible for creating key versions for you.

The key's purpose of encryption specifies that the key is a symmetric encryption key. You must use the external-vpc protection level, because TSI's EKM is connected to Cloud KMS using an EKM via VPC connection.

Replace EKM_CONNECTION with the EKM connection name you copied in the Get the Cloud EKM connection resource name section above, using the full resource name.

The step above creates an empty symmetric encryption key in the key ring. To create a key version, follow instructions under the Final steps section below.

Create an asymmetric signing key

Creating an asymmetric signing key is similar to creating a symmetric encryption key. The primary differences are the key's purpose and default algorithm.

When creating a new key, ensure you add the --skip-initial-version-creation flag to prevent a key version from being created. When using Cloud KMS with T-Systems Sovereign Cloud, TSI is responsible for creating key versions for you.

gcloud kms keys create KEY_NAME \
--keyring KEY_RING_NAME \
--location europe-west3 \
--purpose asymmetric-signing \
--protection-level external-vpc \
--skip-initial-version-creation \
--default-algorithm ec-sign-p256-sha256 \
--crypto-key-backend EKM_CONNECTION

Set the key's purpose as asymmetric-signing to specify that the key is an asymmetric signing key. You must use the external-vpc protection level since TSI's EKM is connected to Cloud KMS using an EKM via VPC connection.

Replace EKM_CONNECTION with the EKM connection name you copied in the Get the Cloud EKM connection resource name section above, using the full resource name.

The steps above create an empty asymmetric signing key in the key ring. To create a key version, follow instructions under the Final steps section below.
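The following script is an added example, not part of this page or of Google's or TSI's tooling. It chains the steps from the Get the Cloud EKM connection resource name, Create a symmetric encryption key and Create an asymmetric signing key sections so the connection name is looked up and checked against the documented format rather than copied by hand, and so a mistyped purpose cannot create the wrong kind of key. The key ring name, key names and the script file name are placeholders.

```shell
#!/bin/sh
# Added example (not from the page): wraps the page's gcloud steps in
# checked helper functions. Nothing runs gcloud unless arguments are given.
set -eu

LOCATION="europe-west3"                 # fixed for T-Systems Sovereign Cloud
EKM_CONNECTION_ID="default-ekm-connection"

# Return 0 only for a full resource name in the documented format:
# projects/PROJECT-ID/locations/europe-west3/ekmConnections/default-ekm-connection
# (project IDs: 6-30 chars, lowercase letters, digits and hyphens, starting with a letter)
is_valid_ekm_connection() {
  printf '%s\n' "$1" | grep -Eq \
    "^projects/[a-z][-a-z0-9]{4,28}[a-z0-9]/locations/${LOCATION}/ekmConnections/${EKM_CONNECTION_ID}\$"
}

# Print the flags that differ between the two key types on this page.
# Any other purpose is rejected instead of being passed through to gcloud.
key_type_flags() {
  case "$1" in
    encryption)         printf '%s' "--purpose encryption --default-algorithm external-symmetric-encryption" ;;
    asymmetric-signing) printf '%s' "--purpose asymmetric-signing --default-algorithm ec-sign-p256-sha256" ;;
    *) echo "unsupported purpose: $1" >&2; return 1 ;;
  esac
}

# Select TSI's connection from the list output by its trailing id, then
# validate the whole resource name before it is used as a backend.
resolve_ekm_connection() {
  name=$(gcloud kms ekm-connections list --location "$LOCATION" --format="value(name)" \
         | grep "/ekmConnections/${EKM_CONNECTION_ID}\$" | head -n 1 || true)
  is_valid_ekm_connection "$name" || { echo "no usable EKM connection in $LOCATION" >&2; return 1; }
  printf '%s' "$name"
}

# Create an empty (versionless) EKM-backed key; TSI creates the first version
# after the Issue Tracker ticket. Args: key-ring key-name purpose ekm-connection
create_ekm_key() {
  flags=$(key_type_flags "$3") || return 1
  # $flags is intentionally unquoted so it splits into separate arguments
  gcloud kms keys create "$2" --keyring "$1" --location "$LOCATION" \
    --protection-level external-vpc --skip-initial-version-creation \
    $flags --crypto-key-backend "$4"
}

# Usage: sh kms-setup.sh KEY_RING_NAME   (placeholder names below)
if [ "$#" -ge 1 ]; then
  conn=$(resolve_ekm_connection)
  gcloud kms keyrings create "$1" --location "$LOCATION"
  create_ekm_key "$1" "data-key" encryption "$conn"
  create_ekm_key "$1" "signing-key" asymmetric-signing "$conn"
fi
```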

Final steps

After you've created a Cloud EKM key in Google Cloud, the final step is to submit a ticket to TSI using the Issue Tracker request form. Do this to create the first key version. Your request will be routed to TSI to complete their side of key provisioning.

See TSI-managed key operations for detailed walkthroughs on other key management operations such as creating or rotating key versions.

What's next?