Configure Google HSM as Bring Your Own Key Provider

Setting Up Encryption Key Provider in FenixPyre

Watch video tutorial here


Prerequisites

  • Admin Access in GCP: Ensure you have administrative access to Google Cloud Platform (GCP).

  • Admin Access to FenixPyre Portal: Ensure you have administrative access to the FenixPyre portal to configure the encryption key provider settings.


Setup Process

1. Create or Access a Key Ring

2. Copy Resource Name

  • Click on the vertical ellipsis (⋮) next to the key ring and select Copy Resource Name.

3. Update Resource Name in FenixPyre Dashboard

  • Log in to the FenixPyre Dashboard.

  • Navigate to Settings → Security → Key Management → Encryption Key Provider.

  • Paste the resource name into the KeyRing Resource Name field.

  • Add a vault name for identification in the Vault Name text box.

4. Create a Role in GCP Console

  • Navigate back to the GCP console.

  • Go to IAM → Roles.

  • Follow Google's documentation to create a new role.

  • Create a new role with the following permissions:

    • cloudkms.cryptoKeyVersions.create

    • cloudkms.cryptoKeyVersions.get

    • cloudkms.cryptoKeyVersions.useToDecrypt

    • cloudkms.cryptoKeyVersions.useToEncrypt

    • cloudkms.cryptoKeyVersions.useToSign

    • cloudkms.cryptoKeyVersions.useToVerify

    • cloudkms.cryptoKeyVersions.viewPublicKey

    • cloudkms.cryptoKeys.create

    • cloudkms.cryptoKeys.get

    • cloudkms.cryptoKeys.update

    • cloudkms.importJobs.create

    • cloudkms.importJobs.get

    • cloudkms.importJobs.useToImport

    • cloudkms.keyRings.create

    • cloudkms.keyRings.get

    • cloudkms.keyRings.list

    • cloudkms.locations.get

5. Create a Service Account

  • Navigate to the Service Accounts tab.

  • Give your service account a name and click Create and Continue.

  • In the roles field, select the role you just created.

  • Click Done.

  • A new service account will be created.

6. Generate and Download the Encryption Key

  • Select the service account you created in the previous step.

  • Go to the Keys tab and click on Add Key.

  • Choose Create a Key.

  • Select JSON and click Create.

  • A JSON file containing the service account key will be downloaded; it is the credential used in the next step.

7. Create Encryption Key Provider in FenixPyre

  • Navigate back to the FenixPyre Dashboard.

  • Use the downloaded JSON file to create your own encryption key provider with GCP in FenixPyre by following the on-screen instructions for uploading or configuring the key.
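The following pre-flight checks are an added example, not FenixPyre or Google code: they validate the key ring resource name copied in step 2 before it is pasted in step 3, write the step 4 permission list in the shape `gcloud iam roles create --file` accepts, and verify that the JSON file from step 6 has the fields of a service account key before it is uploaded in step 7. The role title and the sample key contents are assumptions.

```python
import json
import re

# Permissions from step 4 (Create a Role in GCP Console), copied from the page.
BYOK_PERMISSIONS = [
    "cloudkms.cryptoKeyVersions.create", "cloudkms.cryptoKeyVersions.get",
    "cloudkms.cryptoKeyVersions.useToDecrypt", "cloudkms.cryptoKeyVersions.useToEncrypt",
    "cloudkms.cryptoKeyVersions.useToSign", "cloudkms.cryptoKeyVersions.useToVerify",
    "cloudkms.cryptoKeyVersions.viewPublicKey", "cloudkms.cryptoKeys.create",
    "cloudkms.cryptoKeys.get", "cloudkms.cryptoKeys.update",
    "cloudkms.importJobs.create", "cloudkms.importJobs.get",
    "cloudkms.importJobs.useToImport", "cloudkms.keyRings.create",
    "cloudkms.keyRings.get", "cloudkms.keyRings.list", "cloudkms.locations.get",
]

# Cloud KMS key ring resource names have the form projects/P/locations/L/keyRings/R.
KEY_RING_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+$")

def valid_key_ring_name(name: str) -> bool:
    """True if the value copied in step 2 is a key ring name (not a key or version)."""
    return KEY_RING_RE.fullmatch(name.strip()) is not None

def role_definition(role_title: str = "FenixPyre BYOK") -> dict:
    """Custom-role body for `gcloud iam roles create --file`; title is an assumption."""
    return {"title": role_title, "stage": "GA",
            "description": "Least privilege for FenixPyre Cloud KMS access",
            "includedPermissions": sorted(BYOK_PERMISSIONS)}

def service_account_key_problems(raw: str) -> list:
    """Return what is wrong with a downloaded service-account key JSON (step 6);
    an empty list means it has the fields a service account credential needs."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: %s" % exc]
    problems = []
    if data.get("type") != "service_account":
        problems.append("'type' is not 'service_account'")
    for field in ("project_id", "client_email", "private_key_id", "private_key"):
        if not data.get(field):
            problems.append("missing '%s'" % field)
    if "BEGIN PRIVATE KEY" not in data.get("private_key", ""):
        problems.append("'private_key' is not PEM")
    return problems

# Constructed sample (not a real credential) showing the shape of a good file.
SAMPLE_KEY = json.dumps({"type": "service_account", "project_id": "example-project",
    "private_key_id": "0123abcd", "client_email": "byok@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"})
```

Write `json.dumps(role_definition())` to a file and pass it to `gcloud iam roles create` to reproduce step 4 from a reviewed definition instead of console clicks.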

