# Configure Google HSM as Bring Your Own Key Provider

### Setting Up Encryption Key Provider in FenixPyre

> Watch video tutorial [here](#video-tutorial)

***

#### Prerequisites

* **Admin Access in GCP:**\
  Ensure you have administrative access to Google Cloud Platform (GCP).
* **Admin Access to FenixPyre Portal:**\
  Ensure you have administrative access to the FenixPyre portal to configure the encryption key provider settings.

***

#### Setup Process

**1. Create or Access a Key Ring**

* Follow [Google’s documentation](https://cloud.google.com/kms/docs/create-key-ring?hl=en) to create a key ring or navigate to an existing one.

**2. Copy Resource Name**

* Click on the vertical ellipsis (⋮) next to the key ring and select **Copy Resource Name**.

  <figure><img src="https://3947089720-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOuMyGdeUQs2m5OYPFuwT%2Fuploads%2FTyfpMZTz17RTVDkbSk9P%2Fimage.png?alt=media&#x26;token=1c45e2ed-7700-4411-8fc9-627383a43a7f" alt=""><figcaption></figcaption></figure>

**3. Update Resource Name in FenixPyre Dashboard**

* Log in to the FenixPyre Dashboard.
* Navigate to **Settings → Security → Key Management → Encryption Key Provider**.
* Paste the resource name into the **KeyRing Resource Name** field.
* Add a vault name for identification in the **Vault Name** text box.

**4. Create a Role in GCP Console**

* Navigate back to the GCP console.
* Go to **IAM → Roles**.
* Follow [Google's documentation](https://cloud.google.com/iam/docs/creating-custom-roles) to create a new role.
* Grant the role the following permissions:
  * `cloudkms.cryptoKeyVersions.create`
  * `cloudkms.cryptoKeyVersions.get`
  * `cloudkms.cryptoKeyVersions.useToDecrypt`
  * `cloudkms.cryptoKeyVersions.useToEncrypt`
  * `cloudkms.cryptoKeyVersions.useToSign`
  * `cloudkms.cryptoKeyVersions.useToVerify`
  * `cloudkms.cryptoKeyVersions.viewPublicKey`
  * `cloudkms.cryptoKeys.create`
  * `cloudkms.cryptoKeys.get`
  * `cloudkms.cryptoKeys.update`
  * `cloudkms.importJobs.create`
  * `cloudkms.importJobs.get`
  * `cloudkms.importJobs.useToImport`
  * `cloudkms.keyRings.create`
  * `cloudkms.keyRings.get`
  * `cloudkms.keyRings.list`
  * `cloudkms.locations.get`

**5. Create a Service Account**

* Navigate to the **Service Accounts** tab.
* Give your service account a name and click **Create and Continue**.
* In the roles field, select the role you just created.
* Click **Done**.
* A new service account will be created.

  <figure><img src="https://3947089720-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOuMyGdeUQs2m5OYPFuwT%2Fuploads%2FLRqeKe8S0OgyuwbWdNcp%2Fimage.png?alt=media&#x26;token=5139e91b-00f2-493f-a7a5-d2b0d857f49c" alt=""><figcaption></figcaption></figure>

**6. Generate and Download the Encryption Key**

* Select the service account you created in the previous step.
* Go to the **Keys** tab and click on **Add Key**.
* Choose **Create a Key**.
* Select **JSON** and click **Create**.
* A JSON file will be downloaded containing your encryption key.

**7. Create Encryption Key Provider in FenixPyre**

* Navigate back to the FenixPyre Dashboard.
* Use the downloaded JSON file to create your own encryption key provider with GCP in FenixPyre by following the on-screen instructions for uploading or configuring the key.
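
A pre-flight check for the values this procedure produces, added here as an example and not FenixPyre's or Google's code: it parses the key ring resource name from step 2, diffs a role's permissions against the step 4 list, and sanity-checks the JSON file from step 6, which GCP issues as a service account key. The function names and sample values are constructed for illustration; `includedPermissions` is the field returned by `gcloud iam roles describe --format=json`.

```python
import json
import re

# Permissions listed in step 4 of this page.
REQUIRED = frozenset("""
cloudkms.cryptoKeyVersions.create cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.cryptoKeyVersions.useToSign cloudkms.cryptoKeyVersions.useToVerify
cloudkms.cryptoKeyVersions.viewPublicKey cloudkms.cryptoKeys.create
cloudkms.cryptoKeys.get cloudkms.cryptoKeys.update cloudkms.importJobs.create
cloudkms.importJobs.get cloudkms.importJobs.useToImport cloudkms.keyRings.create
cloudkms.keyRings.get cloudkms.keyRings.list cloudkms.locations.get""".split())
KEYRING_RE = re.compile(r"projects/(?P<project>[^/\s]+)/locations/"
                        r"(?P<location>[a-z0-9-]+)/keyRings/(?P<ring>[A-Za-z0-9_-]{1,63})")
SA_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

def parse_keyring(name):
    """Split the resource name copied in step 2 into project, location, ring."""
    m = KEYRING_RE.fullmatch(name.strip())
    if not m:
        raise ValueError("not a key ring resource name")
    return m.groupdict()

def check_role(role_json):
    """Diff a role's includedPermissions against the step 4 list."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    return {"missing": sorted(REQUIRED - granted), "extra": sorted(granted - REQUIRED)}

def check_sa_key(key_json):
    """List problems in the step 6 JSON file without echoing key material."""
    key = json.loads(key_json)
    problems = [f"missing field: {f}" for f in SA_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    return problems

# Constructed sample inputs: placeholder names, no real key material.
SAMPLE_RING = "projects/example-project/locations/us-east1/keyRings/fenixpyre-byok"
SAMPLE_ROLE = json.dumps({"includedPermissions": sorted(
    (REQUIRED - {"cloudkms.importJobs.useToImport"}) | {"cloudkms.cryptoKeyVersions.destroy"})})
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project", "private_key_id": "0" * 40,
    "client_email": "fenixpyre-kms@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"})

if __name__ == "__main__":
    print(parse_keyring(SAMPLE_RING), check_role(SAMPLE_ROLE), check_sa_key(SAMPLE_KEY), sep="\n")
```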

***

## Video Tutorial

{% embed url="<https://www.loom.com/embed/ef6ba67407f947f2aa38294d23801189?sid=7639055d-78cd-4b51-b4a3-4a2362ffb6bd>" %}
