	In Browser
	StumbleUpon
	del.icio.us
	Google
	Google Buzz
	reddit
	LinkedIn

	Facebook
	Twitter
	Linkedin
	E-Mail

Cloud Platforms > Google Cloud Platform (GCP) > Cloud KMS

Cloud KMS

Author: Venkata Sudhakar

Google Cloud Key Management Service (KMS) is a cloud-hosted key management service that lets you manage cryptographic keys for your cloud services. It allows you to create, import, manage, and use encryption keys to protect your data.

Key Features:

1. CMEK support - Use Customer-Managed Encryption Keys to encrypt GCP services like BigQuery, GCS, and Pub/Sub.

2. Key rotation - Automatic or manual key rotation with configurable rotation periods.

3. HSM-backed keys - Hardware Security Module protection for keys requiring FIPS 140-2 Level 3 compliance.

4. Asymmetric keys - Support for RSA and EC keys for signing and encryption operations.

5. Audit logging - Every key use is logged in Cloud Audit Logs for compliance.

The below example shows how to create a key ring, key, and use it to encrypt/decrypt data.

import com.google.cloud.kms.v1.CryptoKey;
import com.google.cloud.kms.v1.CryptoKeyVersion;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyRing;
import com.google.cloud.kms.v1.LocationName;
import com.google.cloud.kms.v1.CryptoKeyName;
import com.google.protobuf.ByteString;

public class CloudKMSExample {
    public static void main(String[] args) throws Exception {
        String projectId = "my-project";
        String locationId = "us-central1";
        String keyRingId = "my-key-ring";
        String keyId = "my-encryption-key";

try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
            // Create a key ring
            LocationName locationName = LocationName.of(projectId, locationId);
            KeyRing keyRing = client.createKeyRing(locationName, keyRingId, KeyRing.newBuilder().build());
            System.out.println("Key ring created: " + keyRing.getName());

// Create a symmetric encryption key
            CryptoKey cryptoKey = CryptoKey.newBuilder()
                .setPurpose(CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT)
                .setVersionTemplate(CryptoKeyVersion.CryptoKeyVersionTemplate.newBuilder()
                    .setAlgorithm(CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION))
                .build();
            CryptoKey createdKey = client.createCryptoKey(
                keyRing.getName(), keyId, cryptoKey);
            System.out.println("Key created: " + createdKey.getName());

// Encrypt data
            CryptoKeyName keyName = CryptoKeyName.of(projectId, locationId, keyRingId, keyId);
            String plaintext = "Sensitive data to encrypt";
            ByteString encrypted = client.encrypt(keyName,
                ByteString.copyFromUtf8(plaintext)).getCiphertext();
            System.out.println("Encrypted: " + encrypted.size() + " bytes");

// Decrypt data
            String decrypted = client.decrypt(keyName, encrypted)
                .getPlaintext().toStringUtf8();
            System.out.println("Decrypted: " + decrypted);
        }
    }
}

It gives the following output,

Key ring created: projects/my-project/locations/us-central1/keyRings/my-key-ring
Key created: .../cryptoKeys/my-encryption-key
Encrypted: 108 bytes
Decrypted: Sensitive data to encrypt

KMS Key Types:

Symmetric (ENCRYPT_DECRYPT) - Same key encrypts and decrypts. Used for data encryption at rest. Fast and efficient.

Asymmetric signing (ASYMMETRIC_SIGN) - Private key signs, public key verifies. Used for JWT signing, code signing, and certificate signing.

Asymmetric encryption (ASYMMETRIC_DECRYPT) - Public key encrypts, private key decrypts. Used for wrapping sensitive keys or data.

Send your comments, suggestions or queries regarding this site to [email protected].