Setting Up Google KMS
Last updated
------------NOT FINISHED-------
If you do not want your private keys sitting in Google Cloud Run's environment variables, consider using Google Secrets. If that is still not secure enough, Google KMS is an option: the private key is imported into a hardware security module and never leaves it. This article provides a good primer to get started: .
NOT FINISHED
Largely follows https://cloud.google.com/kms/docs/importing-a-key#kms-create-key-for-import-gcloud, but with more detail on which parameters to include and why.
gcloud components update
Updates gcloud to the latest version.
set CLOUDSDK_PYTHON_SITEPACKAGES=1 (Windows)
export CLOUDSDK_PYTHON_SITEPACKAGES=1 (Linux/macOS)
This allows gcloud to use Python libraries installed outside its bundled library folder, so it can use the cryptography library installed in the next step.
pip install "cryptography>=2.2.0"
This installs the Python cryptography library that gcloud uses to wrap the key material during the import step (the final step below).
gcloud kms keyrings create key-ring-test-two --location asia-east1
Creates a keyring called "key-ring-test-two" (the name can be changed). Keyrings are containers for keys; the location must match the one used in every later command.
gcloud kms keys create key-test --location asia-east1 --keyring key-ring-test-two --purpose asymmetric-signing --default-algorithm ec-sign-secp256k1-sha256 --skip-initial-version-creation --import-only --protection-level hsm
Creates a key called "key-test" (the name can be changed). The key is empty for now; later, you will import the key material into it as a new version.
The "purpose" is "asymmetric-signing", which is the most appropriate choice from the available list. The "default-algorithm" is secp256k1 with a sha256 digest (a digest is a hash of the message being signed; a message can be hashed with sha256 or keccak256). Ethereum uses a keccak256 digest rather than sha256, but some forum reports say signing still works with this algorithm. The protection level is "hsm" (hardware security module), which is mandatory when using secp256k1.
gcloud kms import-jobs create import-test --location asia-east1 --keyring key-ring-test-two --import-method rsa-oaep-3072-sha256-aes-256 --protection-level hsm
Creates an import job called "import-test" (the name can be changed). The "import-method" is the wrapping scheme used to encrypt the key material in transit, so the raw private key never crosses the wire unencrypted. We will just go with the Google recommendation (see below).
Import method options: rsa-oaep-3072-sha1-aes-256, rsa-oaep-4096-sha1-aes-256, rsa-oaep-3072-sha256-aes-256, rsa-oaep-4096-sha256-aes-256, rsa-oaep-3072-sha256, or rsa-oaep-4096-sha256.
[Screenshot: recommended import hash function]
gcloud kms import-jobs describe import-test --location asia-east1 --keyring key-ring-test-two --format="value(state)"
Creating an import job takes several minutes. Run the above to check its status; the import can only proceed once it shows ACTIVE.
gcloud kms keys versions import --import-job import-test --location asia-east1 --keyring key-ring-test-two --key key-test --algorithm ec-sign-secp256k1-sha256 --target-key-file C:\Users\jonwa\Desktop\importedkey.txt
Paste the private key into a .txt file, copy the file path into the --target-key-file parameter above, and run the command. Then delete the file, since the unwrapped private key should not remain on disk once it is in the HSM.
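The whole procedure above, collected into one script as an added example (this is not part of the original notes and not Google's own tooling). It assumes gcloud is installed and authenticated, that the key file is a PEM-encoded private key (adjust the sanity check if you export DER), and that the resource names are the constructed placeholders from these notes, overridable through the KMS_* environment variables. It polls the import job until it is ACTIVE, refuses obviously wrong key files before handing them to gcloud, and overwrites and deletes the key file once the import succeeds.

```shell
#!/bin/sh
# Added example, not from the original notes: runs the gcloud key-import steps end to end.
# Names below are constructed placeholders (override via KMS_* variables); gcloud must be
# installed and authenticated. Nothing runs until RUN_KMS_IMPORT=1 is set (see bottom).
set -eu

KMS_LOCATION="${KMS_LOCATION:-asia-east1}"
KMS_KEYRING="${KMS_KEYRING:-key-ring-test-two}"
KMS_KEY="${KMS_KEY:-key-test}"
KMS_IMPORT_JOB="${KMS_IMPORT_JOB:-import-test}"
KMS_ALGORITHM="ec-sign-secp256k1-sha256"          # secp256k1 is only offered at protection level hsm
KMS_IMPORT_METHOD="rsa-oaep-3072-sha256-aes-256"  # the Google-recommended wrapping method

# Full resource name of the key (handy for logging and for IAM bindings later).
key_resource() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' \
    "$1" "$KMS_LOCATION" "$KMS_KEYRING" "$KMS_KEY"
}

# An import job can only be used once its state is ACTIVE.
import_job_ready() {
  [ "$1" = "ACTIVE" ]
}

# Sanity check before handing key material to gcloud: refuse empty files and files that
# do not carry a PEM private-key header (assumes a PEM export; adjust for DER).
looks_like_pem_private_key() {
  [ -s "$1" ] && grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Poll the import job; the notes say creation takes several minutes.
wait_for_import_job() {
  i=0
  while [ "$i" -lt 60 ]; do
    state=$(gcloud kms import-jobs describe "$KMS_IMPORT_JOB" --location "$KMS_LOCATION" \
              --keyring "$KMS_KEYRING" --format="value(state)")
    if import_job_ready "$state"; then return 0; fi
    echo "import job state: $state, waiting..."
    i=$((i + 1))
    sleep 10
  done
  echo "import job never became ACTIVE" >&2
  return 1
}

# Overwrite-then-delete where shred exists; plain rm otherwise (best effort on SSDs).
secure_delete() {
  if command -v shred >/dev/null 2>&1; then shred -u -- "$1"; else rm -f -- "$1"; fi
}

main() {
  keyfile="$1"   # path to the unwrapped private key; deleted on success
  looks_like_pem_private_key "$keyfile" || {
    echo "refusing: $keyfile is empty or not a PEM private key" >&2; exit 1; }

  gcloud kms keyrings create "$KMS_KEYRING" --location "$KMS_LOCATION"
  gcloud kms keys create "$KMS_KEY" --location "$KMS_LOCATION" --keyring "$KMS_KEYRING" \
    --purpose asymmetric-signing --default-algorithm "$KMS_ALGORITHM" \
    --skip-initial-version-creation --import-only --protection-level hsm
  gcloud kms import-jobs create "$KMS_IMPORT_JOB" --location "$KMS_LOCATION" \
    --keyring "$KMS_KEYRING" --import-method "$KMS_IMPORT_METHOD" --protection-level hsm
  wait_for_import_job
  gcloud kms keys versions import --import-job "$KMS_IMPORT_JOB" --location "$KMS_LOCATION" \
    --keyring "$KMS_KEYRING" --key "$KMS_KEY" --algorithm "$KMS_ALGORITHM" \
    --target-key-file "$keyfile"
  secure_delete "$keyfile"
  echo "imported key material into $(key_resource "$(gcloud config get-value project)")"
}

# Only run the gcloud steps when explicitly asked, so the helpers can be sourced on their own.
if [ "${RUN_KMS_IMPORT:-0}" = "1" ]; then
  main "${1:?usage: RUN_KMS_IMPORT=1 $0 /path/to/key.pem}"
fi
```

Run it as RUN_KMS_IMPORT=1 sh import-key.sh /path/to/key.pem. The guard at the bottom is deliberate: sourcing the file without the variable set lets you test the helpers without touching a real project, and the key file is only deleted after the import command has returned successfully.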