# Configure Google HSM as Bring Your Own Key Provider

### Setting Up Encryption Key Provider in FenixPyre

> Watch video tutorial [here](#video-tutorial)

***

#### Prerequisites

* **Admin Access in GCP:**\
  Ensure you have administrative access to Google Cloud Platform (GCP).
* **Admin Access to FenixPyre Portal:**\
  Ensure you have administrative access to the FenixPyre portal to configure the encryption key provider settings.

***

#### Setup Process

**1. Create or Access a Key Ring**

* Follow [Google’s documentation](https://cloud.google.com/kms/docs/create-key-ring?hl=en) to create a key ring or navigate to an existing one.

**2. Copy Resource Name**

* Click on the vertical ellipsis (⋮) next to the key ring and select **Copy Resource Name**.

  <figure><img src="/files/dqc7YTwdYzOWjLJ5D7aW" alt=""><figcaption></figcaption></figure>

**3. Update Resource Name in FenixPyre Dashboard**

* Log in to the FenixPyre Dashboard.
* Navigate to **Settings → Security → Key Management → Encryption Key Provider**.
* Paste the resource name into the **KeyRing Resource Name** field.
* Add a vault name for identification in the **Vault Name** text box.

**4. Create a Role in GCP Console**

* Navigate back to the GCP console.
* Go to **IAM → Roles**.
* Follow [Google's documentation](https://cloud.google.com/iam/docs/creating-custom-roles) to create a new custom role with the following permissions:
  * `cloudkms.cryptoKeyVersions.create`
  * `cloudkms.cryptoKeyVersions.get`
  * `cloudkms.cryptoKeyVersions.useToDecrypt`
  * `cloudkms.cryptoKeyVersions.useToEncrypt`
  * `cloudkms.cryptoKeyVersions.useToSign`
  * `cloudkms.cryptoKeyVersions.useToVerify`
  * `cloudkms.cryptoKeyVersions.viewPublicKey`
  * `cloudkms.cryptoKeys.create`
  * `cloudkms.cryptoKeys.get`
  * `cloudkms.cryptoKeys.update`
  * `cloudkms.importJobs.create`
  * `cloudkms.importJobs.get`
  * `cloudkms.importJobs.useToImport`
  * `cloudkms.keyRings.create`
  * `cloudkms.keyRings.get`
  * `cloudkms.keyRings.list`
  * `cloudkms.locations.get`

**5. Create a Service Account**

* Navigate to the **Service Accounts** tab.
* Give your service account a name and click **Create and Continue**.
* In the roles field, select the role you just created.
* Click **Done**.
* A new service account will be created.

  <figure><img src="/files/YMGCW5kz11C9mXQD6TyH" alt=""><figcaption></figcaption></figure>

**6. Generate and Download the Encryption Key**

* Select the service account you created in the previous step.
* Go to the **Keys** tab and click on **Add Key**.
* Choose **Create a Key**.
* Select **JSON** and click **Create**.
* A JSON file containing the service account's private key will be downloaded; this is the credential you upload to FenixPyre in the next step.

**7. Create Encryption Key Provider in FenixPyre**

* Navigate back to the FenixPyre Dashboard.
* Use the downloaded JSON file to create your own encryption key provider with GCP in FenixPyre by following the on-screen instructions for uploading or configuring the key.
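Before uploading, the three artifacts from steps 2, 4 and 6 can be checked against each other. The script below is an added example, not FenixPyre or Google code: it validates the copied key ring resource name, compares the custom role's `includedPermissions` (as printed by `gcloud iam roles describe ... --format=json`) with the list in step 4, and confirms the downloaded file is a service account key from the same project. The function name, sample project, role and account names are hypothetical, and it assumes the resource name carries the project ID rather than the project number.

```python
import json
import re

# Permissions from step 4 of this page; the custom role should hold exactly these.
REQUIRED = frozenset("""
cloudkms.cryptoKeyVersions.create cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.cryptoKeyVersions.useToSign cloudkms.cryptoKeyVersions.useToVerify
cloudkms.cryptoKeyVersions.viewPublicKey cloudkms.cryptoKeys.create
cloudkms.cryptoKeys.get cloudkms.cryptoKeys.update cloudkms.importJobs.create
cloudkms.importJobs.get cloudkms.importJobs.useToImport cloudkms.keyRings.create
cloudkms.keyRings.get cloudkms.keyRings.list cloudkms.locations.get
""".split())

# Cloud KMS key ring resource name, as copied in step 2.
KEYRING_RE = re.compile(
    r"projects/([^/\s]+)/locations/([^/\s]+)/keyRings/([A-Za-z0-9_-]{1,63})")


def check_setup(keyring_name, role_json, sa_key_json):
    """Return a list of findings; an empty list means the inputs look consistent."""
    findings = []
    match = KEYRING_RE.fullmatch(keyring_name.strip())
    if not match:
        findings.append("key ring resource name is malformed")
    granted = set(json.loads(role_json).get("includedPermissions", []))
    for perm in sorted(REQUIRED - granted):
        findings.append(f"role is missing {perm}")
    for perm in sorted(granted - REQUIRED):
        findings.append(f"role grants more than the page lists: {perm}")
    key = json.loads(sa_key_json)
    if key.get("type") != "service_account" or not key.get("private_key"):
        findings.append("JSON file is not a service account key")
    # Step 5 grants the role in the service account's own project, so a key
    # ring in another project is not covered by that grant.
    elif match and key.get("project_id") != match.group(1):
        findings.append("service account and key ring are in different projects")
    return findings


# Constructed sample inputs (hypothetical project, role and account names).
SAMPLE_KEYRING = "projects/example-proj/locations/us-east1/keyRings/fenixpyre-ring"
SAMPLE_ROLE = json.dumps({"name": "projects/example-proj/roles/fenixpyreKms",
                          "includedPermissions": sorted(REQUIRED)})
SAMPLE_KEY = json.dumps({"type": "service_account", "project_id": "example-proj",
                         "private_key": "<redacted>",
                         "client_email": "fenixpyre@example-proj.iam.gserviceaccount.com"})

if __name__ == "__main__":
    print(check_setup(SAMPLE_KEYRING, SAMPLE_ROLE, SAMPLE_KEY) or "no findings")
```

An empty result means the role matches the documented permission set exactly; any "grants more" finding is worth reviewing before the key file leaves your workstation.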

***

## Video Tutorial

{% embed url="<https://www.loom.com/embed/ef6ba67407f947f2aa38294d23801189?sid=7639055d-78cd-4b51-b4a3-4a2362ffb6bd>" %}

