Configure Google HSM as Bring Your Own Key Provider
Admin Access in GCP: Ensure you have administrative access to Google Cloud Platform (GCP).
Admin Access to FenixPyre Portal: Ensure you have administrative access to the FenixPyre portal to configure the encryption key provider settings.
1. Create or Access a Key Ring
Follow to create a key ring or navigate to an existing one.
2. Copy Resource Name
Click on the vertical ellipsis (⋮) next to the key ring and select Copy Resource Name.
3. Update Resource Name in FenixPyre Dashboard
Log in to the FenixPyre Dashboard.
Navigate to Settings → Security → Key Management → Encryption Key Provider.
Paste the resource name into the KeyRing Resource Name field.
Add a vault name for identification in the Vault Name text box.
4. Create a Role in GCP Console
Navigate back to the GCP console.
Go to IAM → Roles.
Create a new role with the following permissions:
cloudkms.cryptoKeyVersions.create
cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.cryptoKeyVersions.useToSign
cloudkms.cryptoKeyVersions.useToVerify
cloudkms.cryptoKeyVersions.viewPublicKey
cloudkms.cryptoKeys.create
cloudkms.cryptoKeys.get
cloudkms.cryptoKeys.update
cloudkms.importJobs.create
cloudkms.importJobs.get
cloudkms.importJobs.useToImport
cloudkms.keyRings.create
cloudkms.keyRings.get
cloudkms.keyRings.list
cloudkms.locations.get
5. Create a Service Account
Navigate to the Service Accounts tab.
Give your service account a name and click Create and Continue.
In the roles field, select the role you just created.
Click Done.
A new service account will be created.
6. Generate and Download the Encryption Key
Select the service account you created in the previous step.
Go to the Keys tab and click on Add Key.
Choose Create a Key.
Select JSON and click Create.
A JSON file containing the service account's key will be downloaded. This file is the credential that FenixPyre uses to access the key ring in the next step.
7. Create Encryption Key Provider in FenixPyre
Navigate back to the FenixPyre Dashboard.
Use the downloaded JSON file to create your own encryption key provider with GCP in FenixPyre by following the on-screen instructions for uploading or configuring the key.
Follow to create a new role.
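A pre-flight check for steps 2 and 4, added here as an example and not part of FenixPyre's or Google's tooling: it validates the copied key ring resource name and compares a custom role's permissions with the list above, flagging anything missing or beyond it. It assumes the role was exported with `gcloud iam roles describe ROLE_ID --project=PROJECT_ID --format=json`; the function names, project, key ring and role names are hypothetical, and the sample role is constructed.

```python
import json
import re

# Permissions this page lists for the custom role (step 4), grouped by resource.
EXPECTED = {f"cloudkms.{res}.{verb}" for res, verbs in {
    "cryptoKeyVersions": "create get useToDecrypt useToEncrypt useToSign useToVerify viewPublicKey",
    "cryptoKeys": "create get update",
    "importJobs": "create get useToImport",
    "keyRings": "create get list",
    "locations": "get",
}.items() for verb in verbs.split()}

# Shape of the key ring resource name copied in step 2.
KEYRING_RE = re.compile(
    r"projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<key_ring>[A-Za-z0-9_-]{1,63})"
)

def parse_key_ring(name):
    """Split a key ring resource name into its parts, or raise ValueError."""
    match = KEYRING_RE.fullmatch(name.strip())
    if not match:
        raise ValueError(f"not a key ring resource name: {name!r}")
    return match.groupdict()

def audit_role(role_json):
    """Diff a role's includedPermissions against the page's permission list."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    return {"missing": sorted(EXPECTED - granted),
            "extra": sorted(granted - EXPECTED)}

# Constructed sample: a role that lacks one listed permission and grants one
# that the page does not ask for.
SAMPLE_ROLE = json.dumps({
    "name": "projects/example-project/roles/fenixpyreByok",
    "includedPermissions": sorted(
        EXPECTED - {"cloudkms.cryptoKeyVersions.useToSign"}
    ) + ["cloudkms.cryptoKeyVersions.destroy"],
})

if __name__ == "__main__":
    ring = "projects/example-project/locations/us-east1/keyRings/fenixpyre-ring"
    print(parse_key_ring(ring))
    print(audit_role(SAMPLE_ROLE))
```

An empty `extra` list means the role grants nothing beyond what this page asks for; an empty `missing` list means every listed permission is present.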