To import a Customer Managed Encryption Key (CMEK) into Google Cloud KMS, follow the Google documentation on importing a manually wrapped key.
Using the Google Console, first create a key in an existing Cloud KMS key ring:

- Click Continue and select Imported Key
- Then click Create
- In the Select Import Job dropdown, select Create Import Job
- Select 4096 bit RSA - OAEP Padding - SHA256 digest + 256 bit AES-KWP as the import method
- Then click Create
- Then click Download wrapping key

The key will be downloaded as a PKCS#8 PEM named ImportWith4096RsaAesKeyWrapSha256.pem.
This is the symmetric key that will be wrapped by the Google wrapping key and imported into the Google KMS.

```sh
ckms sym keys create --number-of-bits 256 CMEK_Sym_Key
```

```
The symmetric key was successfully generated.
Unique identifier: CMEK_Sym_Key
```

Next, import the downloaded Google wrapping key into the KMS as an RSA public key that may be used to wrap keys:

```sh
ckms rsa keys import --key-format pem --key-usage encrypt --key-usage wrap-key \
    ImportWith4096RsaAesKeyWrapSha256.pem CMEK_Wrapping_Key
```

```
The PublicKey in file ImportWith4096RsaAesKeyWrapSha256.pem was imported with id: CMEK_Wrapping_Key
Unique identifier: CMEK_Wrapping_Key
```

Then export the symmetric key in raw format, wrapped with the Google wrapping key:

```sh
ckms sym keys export --key-id CMEK_Sym_Key --wrap-key-id CMEK_Wrapping_Key \
    --key-format raw --wrapping-algorithm rsa-aes-key-wrap wrapped_key.bin
```

```
The key CMEK_Sym_Key of type SymmetricKey was exported to "wrapped_key.bin"
Unique identifier: CMEK_Sym_Key
```

Note 1: The rsa-aes-key-wrap wrapping algorithm uses the SHA256 digest.
Note 2: the wrapped key should be 552 bytes (4416 bits) long:
- 4096 bits (RSA key length) +
- 256 bits (Symmetric key length) +
- 64 bits of AES KWP overhead.
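As an added example that is not part of the ckms documentation, the following Python script (using the `cryptography` library) reproduces the RSA-AES key wrap construction behind the export step and Google's RSA_OAEP_4096_SHA256_AES_256 import method, then checks the 552-byte size rule from Note 2 and that the blob unwraps to the original key. Because Google only publishes the public half of the import job key, the script generates its own RSA-4096 pair as a stand-in; `rsa_aes_key_wrap`, `rsa_aes_key_unwrap`, `expected_wrapped_len` and `demo` are names chosen here, not ckms functions.

```python
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.keywrap import (
    aes_key_unwrap_with_padding, aes_key_wrap_with_padding)

# RSA-OAEP with SHA-256 for both the digest and MGF1, as Note 1 states.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def rsa_aes_key_wrap(wrapping_pub, target_key: bytes) -> bytes:
    """CKM_RSA_AES_KEY_WRAP: RSA-OAEP(ephemeral AES-256 key) || AES-KWP(target_key)."""
    ephemeral = os.urandom(32)                                  # fresh AES-256 key per wrap
    wrapped_ephemeral = wrapping_pub.encrypt(ephemeral, OAEP)   # modulus size: 512 bytes
    wrapped_target = aes_key_wrap_with_padding(ephemeral, target_key)  # RFC 5649: len + 8
    return wrapped_ephemeral + wrapped_target


def rsa_aes_key_unwrap(wrapping_priv, blob: bytes) -> bytes:
    """Inverse operation, i.e. what the Google import job performs on its side."""
    rsa_len = wrapping_priv.key_size // 8        # first part is the RSA-wrapped ephemeral key
    ephemeral = wrapping_priv.decrypt(blob[:rsa_len], OAEP)
    return aes_key_unwrap_with_padding(ephemeral, blob[rsa_len:])


def expected_wrapped_len(rsa_bits: int, target_bits: int) -> int:
    """Size rule from Note 2: RSA modulus + target key + 64 bits of AES-KWP overhead."""
    return (rsa_bits + target_bits + 64) // 8


def demo() -> dict:
    # Stand-in for Google's import job key: Google only releases the public half as
    # ImportWith4096RsaAesKeyWrapSha256.pem, so a local pair is generated here instead.
    wrapping_priv = rsa.generate_private_key(public_exponent=65537, key_size=4096)
    cmek = os.urandom(32)                        # constructed 256-bit stand-in for CMEK_Sym_Key
    blob = rsa_aes_key_wrap(wrapping_priv.public_key(), cmek)
    return {
        "wrapped_len": len(blob),                                  # 552
        "expected_len": expected_wrapped_len(4096, 256),           # 552
        "roundtrip_ok": rsa_aes_key_unwrap(wrapping_priv, blob) == cmek,
    }


if __name__ == "__main__":
    print(demo())
```

The same length check can be applied to a real wrapped_key.bin produced by ckms: its size must equal the modulus size of the downloaded wrapping key plus 40 bytes for a 256-bit symmetric key.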
Once wrapped_key.bin has been uploaded to the import job created in the Google Console (see the Google documentation referenced above), the key should be available in Google Cloud KMS.
The entire Eviden KMS side of this workflow (steps 2–4: creating the symmetric key, importing the wrapping key and exporting the wrapped key) is covered by the script .github/scripts/test_gcp_cmek.sh. It uses the test wrapping key at test_data/google_cmek/Import_RSA_AES_WRAP.pem and can be executed via:

```sh
bash .github/scripts/nix.sh --variant non-fips test gcp_cmek
```