In T-Systems Sovereign Cloud, all data needs to be encrypted using Cloud External Key Manager (Cloud EKM) keys, which are encryption keys connected to an external key manager (also abbreviated as EKM). While customers can set up and use their own Cloud EKM, customers are also provided with a project provisioned by Google Cloud and T-Systems Sovereign Cloud. In this project — called a Key Management Project — keys can be created using an external key manager that is operated by T-Systems International (TSI) on the customer's behalf.
This topic covers the steps to use Cloud KMS when backed by TSI.
Overview
To create and manage keys using Cloud EKM in T-Systems Sovereign Cloud, you will use a ticketing system called Issue Tracker. You will receive a link to the Issue Tracker tool and the key administrator access group information in your welcome email. All key admins must be added to the access group. These admins will then have access to the Issue Tracker component in order to file tickets with TSI, who will perform key management operations on your behalf.
All TSI-managed keys should be created in the pre-provisioned Key Management Project. You can host data in a project that is different from the project in which your Cloud KMS keys reside. This capability supports the best practice of separation of duties between the key administrators and data administrators.
Locate customer-specific information
Before you start creating keys, locate the following pieces of information from your initial welcome email:
- Cloud KMS project number
- Key administrator access group
- Issue Tracker link
Configure access groups
The key administrator access group is a private Google group for key administrators in your organization, namely those that will be granted the Cloud KMS Admin Identity and Access Management (IAM) role. The key administrator access group is maintained by you.
You will receive your access group in your welcome email. It will be in the format:
<customer-name>-<KMS-project-number>-key-admin@googlegroups.com
Add the users who you would like to be granted the Cloud KMS Admin role in your project to the Google Group. For more information on how to manage your group, see Add people to your group.
Create a Cloud EKM key
Cloud EKM keys are used to encrypt your data on Google Cloud. To use keys from TSI's external key manager, you'll first need to create a Cloud EKM key. This TSI-linked Cloud EKM key is used to reference a specific key in TSI's EKM and can only be created in the pre-provisioned Key Management Project.
Create a key ring
Create a key ring to hold your Cloud EKM key. For T-Systems Sovereign Cloud, the
key ring location must always be europe-west3. Replace the
KEY_RING_NAME placeholder with your desired name for the key ring:
gcloud
gcloud kms keyrings create KEY_RING_NAME \ --location europe-west3
Get the Cloud EKM connection resource name
Next, you will need to obtain TSI's Cloud EKM connection
resource name in the Key Management Project. It will be called
default-ekm-connection.
gcloud
Run the following command and find the Cloud EKM connection resource
name that contains the connection name default-ekm-connection. It will be in
the format of
projects/[PROJECT-ID]/locations/europe-west3/ekmConnections/default-ekm-connection:
gcloud kms ekm-connections list \ --location europe-west3
Sample output:
NAME: projects/test-project/locations/europe-west3/ekmConnections/default-ekm-connection SERVICE_DIRECTORY_SERVICE: projects/host-project/locations/europe-west3/namespaces/tsi-ekm-000000001/services/tsi-ekm-00000001 HOSTNAME: test_host.example.com
Copy the name of the full resource name, which is highlighted text in the
NAME section. This will be used as the --crypto-key-backend value when
you create your symmetric key and/or asymmetric key.
Create a symmetric encryption key
To create a symmetric Cloud EKM key, use the following command in Google Cloud CLI:
gcloud
gcloud kms keys create KEY_NAME \ --keyring KEY_RING_NAME \ --location europe-west3 \ --purpose encryption \ --protection-level external-vpc \ --default-algorithm external-symmetric-encryption \ --skip-initial-version-creation \ --crypto-key-backend EKM_CONNECTION
The flag --skip-initial-version-creation is used to prevent a key version
from being created. When using Cloud KMS with TSI Sovereign Cloud,
TSI is responsible for creating key versions for you.
The key's purpose as encryption specifies that the key is a symmetric
encryption key. You must use the external-vpc protection level since the
TSI's EKM is connected to Cloud KMS using
an EKM via VPC connection.
Replace EKM_CONNECTION with the EKM connection name you copied in the Get the Cloud EKM connection resource name section above, using the full resource name.
The step above creates an empty symmetric encryption key in the key ring. To create a key version, follow instructions under the Final steps section below.
Create an asymmetric signing key
Creating an asymmetric signing key is similar to creating a symmetric encryption key. The primary differences are the key's purpose and default algorithm.
When creating a new key, ensure you add the --skip-initial-version-creation to
prevent a key version from being created. When using Cloud KMS with
T-Systems Sovereign Cloud, TSI is responsible for creating key versions for
you.
gcloud
gcloud kms keys create KEY_NAME \ --keyring KEY_RING_NAME \ --location europe-west3 \ --purpose asymmetric-signing \ --protection-level external-vpc \ --skip-initial-version-creation \ --default-algorithm ec-sign-p256-sha256 \ --crypto-key-backend EKM_CONNECTION
Set the key's purpose as asymmetric-signing to specify that the key is an
asymmetric signing key. You must use the external-vpc protection level since
TSI's EKM is connected to Cloud KMS using
an EKM via VPC connection.
Replace EKM_CONNECTION with the EKM connection name you copied in the Get the Cloud EKM connection resource name section above, using the full resource name.
The steps above create an empty asymmetric encryption key in the key ring. To create a key version, follow instructions under the Final steps section below.
Final steps
After you've created a Cloud EKM key in Google Cloud, the final step is to submit a ticket to TSI using the Issue Tracker request form. Do this to create the first key version. Your request will be routed to TSI to complete their side of key provisioning.
See TSI-managed key operations for detailed walkthroughs on other key management operations such as creating or rotating key versions.