The Key Management System (KMS) service centrally manages cryptographic keys and runs in the Management API server.
This page is for audiences within the platform administrator group, such as IT admins or security engineers, who are responsible for managing and using cryptographic keys within Google Distributed Cloud (GDC) air-gapped. For more information, see Audiences for GDC air-gapped documentation.
Supported keys
KMS supports the following keys for its data-plane operations:
| Key Type | Key Type (API) | Description | Algorithm |
|---|---|---|---|
| AEAD | aeadkey | Authenticated Encryption with Associated Data (AEAD) key that performs authenticated encryption using AES-256. The key's components represent the following: AES-256: the 256-bit Advanced Encryption Standard (AES) symmetric key algorithm. This algorithm is the default algorithm. | AES_256_GCM |
| Signing | signingkey | The key's components represent the following: EC: the elliptic curve key; P384: the size of the EC curve; SHA384: the digest algorithm used in signing. This algorithm is the default algorithm. | EC_SIGN_P384_SHA384 |
Root key types
The KMS uses root keys internally to encrypt key material before writing it to disk and to decrypt that material when reading it back. The KMS retrieves the root key for each operation.
The KMS supports a single root key per organization, which is created automatically when a KMS is deployed. The root key wraps all non-root keys. Use the RootKeyID field on each key to identify the root key that wraps it.
You can rotate a root key if it becomes compromised or as part of periodic rotation. This process replaces the old root key with a new one, which becomes the primary key and wraps all non-root keys.
| Root Key Type | Root Key Type (API) | Description |
|---|---|---|
| Local Root | kms.gdc.goog/local-root | The root key cryptographic material is stored in the Management API server as a Kubernetes Secret. |
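The root key wrapping and rotation described above, as an added Go example that is not GDC's own code: a hypothetical root key wraps non-root key material with AES-256-GCM, each wrapped key carries the RootKeyID that wrapped it, and rotation re-wraps every key under the new root. The types and functions (rootKey, wrappedKey, randBytes, newRootKey, wrap, unwrap, rotate) are assumptions for this illustration; GDC keeps the real root key material in a Kubernetes Secret rather than in process memory.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Hypothetical stand-ins for KMS objects: a root key (AES-256-GCM AEAD plus its RootKeyID) and a non-root key as written to disk (ciphertext tagged with the wrapping RootKeyID).
type rootKey struct {
	ID   string
	aead cipher.AEAD
}
type wrappedKey struct {
	RootKeyID         string
	Nonce, Ciphertext []byte
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // entropy failure is unrecoverable for key generation
	}
	return b
}
func newRootKey(id string) *rootKey {
	block, _ := aes.NewCipher(randBytes(32)) // 32 random bytes is always a valid AES-256 key
	g, _ := cipher.NewGCM(block)
	return &rootKey{ID: id, aead: g}
}
// wrap encrypts non-root key material under the root key, binding RootKeyID as associated data.
func (r *rootKey) wrap(material []byte) *wrappedKey {
	nonce := randBytes(r.aead.NonceSize())
	return &wrappedKey{RootKeyID: r.ID, Nonce: nonce, Ciphertext: r.aead.Seal(nil, nonce, material, []byte(r.ID))}
}
// unwrap rejects a key tagged with another RootKeyID; GCM also fails if ciphertext or ID was altered.
func (r *rootKey) unwrap(w *wrappedKey) ([]byte, error) {
	if w.RootKeyID != r.ID {
		return nil, errors.New("wrapped by a different root key")
	}
	return r.aead.Open(nil, w.Nonce, w.Ciphertext, []byte(r.ID))
}
// rotate re-wraps every non-root key under the new root key, as root key rotation on the page does.
func rotate(old, next *rootKey, keys []*wrappedKey) error {
	for i, w := range keys {
		m, err := old.unwrap(w)
		if err != nil {
			return err
		}
		keys[i] = next.wrap(m)
	}
	return nil
}
```

After rotation the old root key can no longer unwrap any key, so the rotation must complete for every non-root key before the old root material is retired.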

