As a T-Systems Sovereign Cloud customer, you use a different workflow to manage your Cloud External Key Manager (Cloud EKM) keys. Instead of setting up and managing your own external key manager, Google Cloud and T-Systems International (TSI) handle these steps for you. This means that TSI manages your keys and key versions at your request.
This topic covers how to submit requests for common key operations in a TSI-managed Cloud Key Management Service project, commonly known as the Key Management Project.
Before you begin
You need to have a key ring with at least one key before making key operation requests. If you need a new key ring and key, use the steps in Getting started with TSI-managed Cloud KMS.
Get the key's resource name
For any key operation request, you need to provide the resource name of the key or key version to be modified.
- You need to provide the key resource name to create a version or rotate a key.
- You need to provide the key version resource name to update or destroy a key version.
Issue Tracker requests
Issue Tracker is a tool used by Google and its partners to track requests for specialized projects. For TSI-managed Cloud Key Management Service projects, you use the Issue Tracker to submit requests to TSI, which then fulfills them in your Cloud Key Management Service project and manages your keys in the external key manager.
You can find a link to your organization's Issue Tracker in your welcome email.
Common key operations
Create a key version
Use the Issue Tracker to submit a request for a new key version. The new key version is set as the primary version if it's the first key version, or if there are no other key versions.
In the Issue Tracker, select Create key version and provide the resource name of your key. Click Create to submit your request.
Rotate key
In the Issue Tracker, indicate Rotate key in the ticket body and provide the resource name of your key. Click Create to submit your request.
When a key is rotated, TSI generates new key material in the EKM, creates a new key version in your Cloud Key Management Service project, and then sets the new key version as the primary version.
Rotating a key causes all newly created data protected with that key to be encrypted with the new key material. Data protected with previous key material is not re-encrypted, so the previous key material must remain available for use.
Disable a key version
You can use the Google Cloud console, Google Cloud CLI, or a Cloud KMS client library to disable a key version in the Enabled state. When you disable a key version, its state changes to Disabled. See Enabling and disabling key versions in the Cloud KMS documentation for more information.
Destroy a key version
To destroy a key version, schedule the key version for destruction in Cloud KMS. This destroys the Cloud KMS key version, and data encrypted with it will no longer be accessible.
If you'd also like to destroy the key in TSI's EKM:
- Schedule the key version for destruction.
- In the Issue Tracker, select Destroy key version in the ticket body and provide the resource name of the key version you would like to have destroyed.
- Click Create to submit your request.
TSI confirms your key destruction request with you before proceeding. When destruction is confirmed, TSI provides a date and time for when the key will be destroyed. You can restore the key before the destruction.
In the period before the key is destroyed, if you restore your key version, both the Cloud KMS key and the key in TSI's EKM will remain.
If the destruction continues as scheduled, the Cloud KMS key is deleted first, and then the key in TSI's EKM is deleted.
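The two places above where you act on your own side of this workflow are supplying the right resource name in an Issue Tracker ticket (a key name for Create key version and Rotate key, a key version name for Destroy key version) and running the Cloud KMS steps yourself (disable, schedule for destruction, restore). The following shell helpers are an added example, not code from this page, from Google Cloud or from TSI: they validate and classify a resource name, derive the key name from a version name, and wrap the three gcloud key-version commands with a dry-run switch so the exact command is recorded before anything runs. The project, location, key ring and key names in the demo are constructed placeholders; the `KMS_DRY_RUN` and `KMS_DEMO` variables are conventions of this script only.

```shell
#!/bin/sh
# Added example; not code from the Google Cloud / T-Systems page it accompanies.
# Helpers for the TSI-managed Cloud KMS workflow: validate the resource names
# that Issue Tracker requests need (key name for "Create key version" and
# "Rotate key", key version name for "Destroy key version"), and run the
# self-service Cloud KMS steps (disable / schedule destruction / restore of a
# key version) through gcloud. All names used in the demo are placeholders.

# kms_parse_name NAME
# Accepts a Cloud KMS key or key version resource name and prints its parts:
#   PROJECT LOCATION KEYRING KEY            for a key
#   PROJECT LOCATION KEYRING KEY VERSION    for a key version
# Returns 1 for anything else (missing segment, wrong collection name,
# trailing slash, extra path components).
kms_parse_name() {
  # IFS=/ applies to this read only; the here-document feeds it the name.
  IFS=/ read -r _c1 _project _c2 _location _c3 _ring _c4 _key _c5 _ver _rest <<EOF
$1
EOF
  _expected="projects/$_project/locations/$_location/keyRings/$_ring/cryptoKeys/$_key"
  if [ -n "$_c5" ]; then
    _expected="$_expected/cryptoKeyVersions/$_ver"
  fi
  # Rebuilding the name and comparing it to the input rejects every malformed
  # variant at once (wrong collection names, empty segments, trailing slash).
  [ -z "$_rest" ] && [ -n "$_project" ] && [ -n "$_location" ] && [ -n "$_ring" ] \
    && [ -n "$_key" ] && [ "$_expected" = "$1" ] || return 1
  if [ -n "$_c5" ]; then
    [ -n "$_ver" ] || return 1
    printf '%s %s %s %s %s\n' "$_project" "$_location" "$_ring" "$_key" "$_ver"
  else
    printf '%s %s %s %s\n' "$_project" "$_location" "$_ring" "$_key"
  fi
}

# kms_is_key NAME / kms_is_version NAME: classify a resource name by exit status.
kms_is_key()     { set -- $(kms_parse_name "$1"); [ $# -eq 4 ]; }
kms_is_version() { set -- $(kms_parse_name "$1"); [ $# -eq 5 ]; }

# kms_key_of VERSION_NAME: the key a version belongs to. A "Create key version"
# or "Rotate key" ticket takes this key name, not the version name.
kms_key_of() {
  kms_is_version "$1" || return 1
  printf '%s\n' "${1%/cryptoKeyVersions/*}"
}

# kms_version_cmd ACTION VERSION_NAME
# ACTION is disable, destroy (schedules destruction in Cloud KMS) or restore
# (cancels a scheduled destruction). The full command is printed for the change
# record first; with KMS_DRY_RUN=1 it is printed but not executed.
kms_version_cmd() {
  _action=$1 _name=$2
  case "$_action" in
    disable|destroy|restore) ;;
    *) printf 'unsupported action: %s\n' "$_action" >&2; return 1 ;;
  esac
  set -- $(kms_parse_name "$_name")
  [ $# -eq 5 ] || { printf 'not a key version resource name: %s\n' "$_name" >&2; return 1; }
  printf 'gcloud kms keys versions %s %s --key=%s --keyring=%s --location=%s --project=%s\n' \
    "$_action" "$5" "$4" "$3" "$2" "$1"
  [ "${KMS_DRY_RUN:-0}" = 1 ] && return 0
  gcloud kms keys versions "$_action" "$5" --key="$4" --keyring="$3" --location="$2" --project="$1"
}

# Demo with constructed placeholder names: KMS_DEMO=1 KMS_DRY_RUN=1 sh kms_ops.sh
if [ "${KMS_DEMO:-0}" = 1 ]; then
  key=projects/example-project/locations/europe-west3/keyRings/example-ring/cryptoKeys/example-key
  ver=$key/cryptoKeyVersions/3
  echo "Key name for a Create key version / Rotate key ticket: $(kms_key_of "$ver")"
  for step in disable destroy restore; do kms_version_cmd "$step" "$ver"; done
fi
```

Source the file and call the functions, or run the demo line from the last comment. The rebuild-and-compare check in `kms_parse_name` is deliberate: a ticket or gcloud call made with a name that is off by one segment fails late and confusingly, so the script refuses anything that does not round-trip exactly. The dry-run switch exists because destroy is the one step that cannot be undone once the scheduled time passes, and printing the command before running it gives the reviewer the same text that goes into the change record.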
Response time
Use the Issue Tracker for routine key management operations only. Once an Issue Tracker request is submitted, you can expect to receive a response from your partner within one business day.