Part-22: 🔐 Google Cloud KMS (Key Management Service) – Create & Use Keys



This content originally appeared on DEV Community and was authored by Latchu@DevOps

Google Cloud Key Management Service (Cloud KMS) lets you create, manage, and use cryptographic keys for your applications and services.
It supports both symmetric and asymmetric encryption and integrates with many Google Cloud services to secure your workloads.

In this guide, we’ll go step by step to:

  1. Understand encryption types
  2. Create a Key Ring and Keys
  3. Work with KMS keys using gcloud CLI
  4. Clean up resources

Step 01: Introduction

🔑 Encryption Types

  • Symmetric Key Encryption → The same key is used to encrypt and decrypt data. (Faster, suitable for most workloads)
  • Asymmetric Key Encryption → Uses a public-private key pair. (Suitable for signing, secure communications)

☁ What is Cloud KMS?

  • Fully managed service to create and manage encryption keys
  • Supports both software and hardware-backed (HSM) protection levels
  • Provides fine-grained IAM permissions for secure access
  • Allows automatic key rotation and scheduled destruction

Step 02: Create Key Ring

Go to Security → Data Protection → Key Management

Click CREATE KEY RING

Fill details:

  • Key Ring Name → my-keyring1
  • Location Type → Region (lower latency in one region)
  • Region → us-central1

Click CREATE


Step 03: Create a Key

  1. Go to Security → Key Management → my-keyring1
  2. Click CREATE KEY


Fill details:

  • Key Name → my-symkey-1
  • Protection Level → software
  • Key Material → Generated Key (default)
  • Purpose → Symmetric encrypt/decrypt
  • Algorithm → Default (Google symmetric key)
  • Key Rotation → 90 days (default)
  • Destruction Duration → 5 days (instead of default 30)

Click CREATE ✅


Step 04: Review Key

  1. Go to Security → Key Management → my-keyring1 → my-symkey-1
  2. Review available options:
     • Disable
     • Destroy (schedule destruction for specific versions)


Step 05: Asymmetric Key Options

Cloud KMS also supports Asymmetric Keys:

  • Asymmetric Sign → Generate and verify digital signatures
  • Asymmetric Decrypt → Use a public/private key pair for encryption & decryption

You can also select a Cloud KMS key when creating a VM in the GCP console.


Step 06: Use gcloud CLI to Manage Keys

# Create a KMS Key Ring - Regional
gcloud kms keyrings create my-keyring2 --location us-central1

# Create a KMS Key Ring - Global
gcloud kms keyrings create my-keyring3 --location global

# Create a symmetric encryption key with custom destruction duration
gcloud kms keys create my-symkey-2 \
    --keyring my-keyring2 \
    --location us-central1 \
    --purpose "encryption" \
    --protection-level "software" \
    --destroy-scheduled-duration "2d"

# List Keys
gcloud kms keys list --keyring my-keyring2 --location us-central1

# Describe Key
gcloud kms keys describe my-symkey-2 \
    --keyring my-keyring2 \
    --location us-central1
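As an added example that is not part of the original post: a small audit over the JSON that `gcloud kms keys list --keyring my-keyring1 --location us-central1 --format=json` prints, checking the two settings chosen in this guide (automatic rotation and the destroy-scheduled duration). The sample JSON is constructed to mirror the keys created above (project id and values are made up), and the policy thresholds are assumptions.

```python
import json
import re

# Constructed sample shaped like the CryptoKey resources gcloud prints as JSON
# (field names follow the Cloud KMS REST API; project id and values are made up).
SAMPLE_KEYS_JSON = """[
  {"name": "projects/demo-project/locations/us-central1/keyRings/my-keyring1/cryptoKeys/my-symkey-1",
   "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "7776000s",
   "versionTemplate": {"protectionLevel": "SOFTWARE", "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"},
   "destroyScheduledDuration": "432000s"},
  {"name": "projects/demo-project/locations/us-central1/keyRings/my-keyring2/cryptoKeys/my-symkey-2",
   "purpose": "ENCRYPT_DECRYPT",
   "versionTemplate": {"protectionLevel": "SOFTWARE", "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"},
   "destroyScheduledDuration": "172800s"}
]"""

DAY = 86400  # seconds

def seconds(duration):
    """Parse a protobuf-style duration string such as '7776000s' into seconds."""
    m = re.fullmatch(r"(\d+)(?:\.\d+)?s", duration)
    if not m:
        raise ValueError(f"unexpected duration: {duration!r}")
    return int(m.group(1))

def audit_keys(keys, max_rotation_days=90, min_destroy_days=3):
    """Return {key_name: [findings]} for keys that miss the assumed policy: symmetric
    keys rotate at least every max_rotation_days, and the destruction window leaves
    at least min_destroy_days to recover a version destroyed by mistake or misuse."""
    findings = {}
    for key in keys:
        name = key["name"].rsplit("/", 1)[-1]
        issues = []
        if key.get("purpose") == "ENCRYPT_DECRYPT":  # rotation applies to symmetric keys only
            period = key.get("rotationPeriod")
            if period is None:
                issues.append("no automatic rotation configured")
            elif seconds(period) > max_rotation_days * DAY:
                issues.append(f"rotation period exceeds {max_rotation_days} days")
        destroy = key.get("destroyScheduledDuration")
        if destroy is not None and seconds(destroy) < min_destroy_days * DAY:
            issues.append(f"destroy-scheduled-duration shorter than {min_destroy_days} days")
        if issues:
            findings[name] = issues
    return findings

def audit_sample():
    """Run the audit over the constructed sample; my-symkey-2 is the one that fails."""
    return audit_keys(json.loads(SAMPLE_KEYS_JSON))
```

To audit real keys, pass `json.load(sys.stdin)` to `audit_keys` with the gcloud command's output piped in.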

Step 07: Clean Up

Destroy Key

  • Go to Security → Key Management Service → my-keyring2 → my-symkey-2
  • Click Destroy all key version material → SCHEDULE DESTRUCTION

Keep Key for Next Demo

  • my-symkey-1 in my-keyring1 → Keep this key for later usage

✅ You’ve now created and managed Cloud KMS Keys in both Console and CLI.
In upcoming demos, you can use these keys to encrypt/decrypt application data or integrate them with Google Cloud services like Cloud Storage, BigQuery, and Compute Engine.