Importing a key (BYOK)
Google allows you to bring your own cryptographic key material. You can import that using the Software or Cloud HSM protection level. We will see step-by-step instructions on how to do this. But before we do that, let us understand the reasons you want to import a key:
- You may be using existing cryptographic keys that were created on your premises or in an external KMS.
- If you migrate an application to Google Cloud or if you add cryptographic support to an existing Google Cloud application, you can import the relevant keys into Cloud KMS.
- As part of key import, Cloud KMS generates a wrapping key, which is a public/private key pair, using one of the supported import methods. Encrypting your key material with this wrapping key protects the key material in transit.
- This Cloud KMS public wrapping key is used to encrypt, on the client, the key to be imported. The private key matching this public key is stored within Google Cloud and is used to...
