Storing a custom key in Google Cloud KMS

Time: 2018-06-04 16:29:44

Tags: google-cloud-platform google-cloud-kms

Is it possible to store an AES-256 key that I generated manually in Google Cloud KMS? I have successfully created keys that are fully created and managed by Google, but what about keys that were generated before adopting Google Cloud?

2 answers:

Answer 0 (score: 1)

Tim's answer was correct at the time, but Cloud KMS now supports Key Import.

Create an import job:

$ gcloud kms import-jobs create "my-job" \
  --location "us-central1" \
  --keyring "my-keyring" \
  --import-method "rsa-oaep-4096-sha1-aes-256" \
  --protection-level "hsm"

Import the key:

$ gcloud kms keys versions import \
  --import-job "my-job" \
  --location "us-central1" \
  --keyring "my-keyring" \
  --key "my-key" \
  --algorithm "<algorithm>" \
  --target-key-file ./path/to/my.key
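For the rsa-oaep-4096-sha1-aes-256 method used above, gcloud takes the raw key given with --target-key-file and wraps it before upload. The added Go example below (not code from the answer or from Google's tooling) reproduces that payload: the target key is wrapped with AES-KWP (RFC 5649) under a fresh ephemeral AES-256 key, and the ephemeral key is encrypted to the import job's public key with RSA-OAEP using SHA-1 for both the hash and MGF1. The function names are assumed; in practice the public key comes from the import job rather than being generated locally.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

// aesKeyWrapWithPadding implements RFC 5649 (AES-KWP) for inputs that pad to
// two or more 8-byte blocks, which covers the 32-byte AES-256 target key.
func aesKeyWrapWithPadding(kek, plaintext []byte) ([]byte, error) {
	r := make([]byte, (len(plaintext)+7)/8*8) // zero-padded to 8-byte blocks
	copy(r, plaintext)
	n := len(r) / 8
	if n < 2 { return nil, errors.New("single-block KWP case not implemented") }
	block, err := aes.NewCipher(kek)
	if err != nil { return nil, err }
	// Alternative IV: 0xA65959A6 || 32-bit big-endian length of the unpadded key.
	a := []byte{0xA6, 0x59, 0x59, 0xA6, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(a[4:], uint32(len(plaintext)))
	buf := make([]byte, 16)
	for j := 0; j < 6; j++ { // RFC 3394 wrapping process, seeded with the AIV
		for i := 0; i < n; i++ {
			copy(buf[:8], a)
			copy(buf[8:], r[i*8:i*8+8])
			block.Encrypt(buf, buf)
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(buf[:8])^uint64(n*j+i+1))
			copy(r[i*8:i*8+8], buf[8:])
		}
	}
	return append(a, r...), nil
}

// WrapForImport builds the payload for the rsa-oaep-4096-sha1-aes-256 method:
// RSA-OAEP(SHA-1, MGF1-SHA-1) of a fresh ephemeral AES-256 key under the import
// job's public key, followed by the target key wrapped with AES-KWP.
func WrapForImport(importJobPub *rsa.PublicKey, targetKey []byte) ([]byte, error) {
	ephemeral := make([]byte, 32) // never leaves this process in the clear
	if _, err := rand.Read(ephemeral); err != nil { return nil, err }
	wrappedTarget, err := aesKeyWrapWithPadding(ephemeral, targetKey)
	if err != nil { return nil, err }
	wrappedEphemeral, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, importJobPub, ephemeral, nil)
	if err != nil { return nil, err }
	return append(wrappedEphemeral, wrappedTarget...), nil
}
```

With a 4096-bit import job key the payload is 512 bytes of RSA-OAEP output followed by 40 bytes of wrapped key; only the HSM holding the import job's private key can recover the ephemeral key and, through it, the target key.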

Answer 1 (score: 0)

We don't currently support importing keys, but even if we did, we don't currently document the format of encrypted data, so we can't support interoperability with data you have encrypted yourself.

The solution to this use case is usually to use a master key in KMS which you use to wrap your AES keys, then store the wrapped keys in a data store. You can then bootstrap from the service account identities provisioned into your deployed code, using them to authorize the use of KMS to unwrap your AES keys, then use the unwrapped keys to encrypt/decrypt your data.