Configuring the ESA with Google Cloud KMS
Verifying the Prerequisites
Ensure that the following prerequisites are met before configuring the ESA with the Google Cloud KMS.
Authorization
Google Cloud organizes resources in a hierarchy (organization, folder, project, and within Cloud KMS the key ring, key, and key version). A role granted at one level is inherited by every resource below it, so the scope of a grant depends on the level of the hierarchy at which it is made. Grant the identity used by the ESA at the narrowest level that satisfies the permissions below, normally the key ring rather than the whole project.
The user or service account attached to the ESA requires the following permissions:
Table: Permissions for accessing Google Cloud KMS
| Permissions | Description |
|---|---|
| cloudkms.cryptoKeyVersions.useToEncrypt | Enable encryption using a key. |
| cloudkms.cryptoKeyVersions.useToDecrypt | Enable decryption using a key. |
| cloudkms.locations.generateRandomBytes | Enable access to generate random bytes. |
| cloudkms.cryptoKeys.create | Enable creation of keys in the Key ring. |
| cloudkms.locations.get | Enable requesting information about the configured location. |
| cloudkms.cryptoKeyVersions.destroy | Enable destruction of keys in the Key ring. |
| cloudkms.cryptoKeys.get | Enable access for fetching info about a specific key. |
| cloudkms.cryptoKeys.list | Enable access for fetching all keys in a Key ring. |
| resourcemanager.projects.get | Enable reading the metadata of the configured project. |
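The following preflight check is an added example and is not ESA or Google code. It encodes the permission table above as the set one least-privilege custom role should carry, reports what an identity is still missing given the permissions IAM reports for it (for example from a testIamPermissions call or a role's includedPermissions list), and inspects the service account key file that GOOGLE_APPLICATION_CREDENTIALS will point at. It runs offline: the granted-permission list and the credentials file are constructed here, and the project, role title and email address are placeholders.

```python
"""Preflight checks for the ESA's Google Cloud KMS prerequisites (added example)."""
import json
import os
import stat
import tempfile

# The permission table above, as the set one custom role should carry.
REQUIRED_PERMISSIONS = frozenset({
    "cloudkms.cryptoKeyVersions.useToEncrypt",
    "cloudkms.cryptoKeyVersions.useToDecrypt",
    "cloudkms.locations.generateRandomBytes",
    "cloudkms.cryptoKeys.create",
    "cloudkms.locations.get",
    "cloudkms.cryptoKeyVersions.destroy",
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeys.list",
    "resourcemanager.projects.get",
})

# Fields a service-account key file must carry to be usable through
# GOOGLE_APPLICATION_CREDENTIALS.
REQUIRED_CREDENTIAL_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "token_uri",
)


def missing_permissions(granted):
    """Permissions from the table that the ESA's identity does not have yet."""
    return sorted(REQUIRED_PERMISSIONS - set(granted))


def custom_role_yaml(title="ESA Cloud KMS key store"):
    """Custom role definition for `gcloud iam roles create ROLE --file FILE`."""
    lines = [
        f"title: {title}",
        "description: Exactly the Cloud KMS permissions the ESA key store needs",
        "stage: GA",
        "includedPermissions:",
    ]
    lines += [f"- {p}" for p in sorted(REQUIRED_PERMISSIONS)]
    return "\n".join(lines) + "\n"


def check_credentials_file(path):
    """Findings for the JSON key file the ESA will load; an empty list means OK."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        # The file holds the service account's private key: owner-only access.
        findings.append(f"mode {mode:04o} is group/world accessible; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        creds = json.load(fh)
    if creds.get("type") != "service_account":
        findings.append(f"type is {creds.get('type')!r}, expected 'service_account'")
    for field in REQUIRED_CREDENTIAL_FIELDS:
        if not creds.get(field):
            findings.append(f"missing field {field}")
    if not str(creds.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        findings.append("private_key is not a PEM private key block")
    return findings


# Constructed sample key file: placeholder identifiers and key material.
SAMPLE_CREDENTIALS = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIB...placeholder...\n-----END PRIVATE KEY-----\n",
    "client_email": "esa-keystore@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def write_sample_credentials(mode=0o600):
    """Write SAMPLE_CREDENTIALS to a fresh temp file with `mode`; return its path."""
    path = os.path.join(tempfile.mkdtemp(), "credentials.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_CREDENTIALS, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # An identity that can only encrypt and decrypt is not enough for the ESA.
    granted = ["cloudkms.cryptoKeyVersions.useToEncrypt",
               "cloudkms.cryptoKeyVersions.useToDecrypt"]
    print("missing:", missing_permissions(granted))
    print(custom_role_yaml())
    print("findings:", check_credentials_file(write_sample_credentials(0o644)))
```

Run the file on its own to see the report for the constructed inputs, or call `check_credentials_file` on the real key file before uploading it to the ESA and `missing_permissions` on whatever IAM returns for the service account on the key ring.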
Creating a Key Ring
The Enterprise Security Administrator (ESA) appliance needs a key ring in which to store its Key Encryption Keys (KEK).
Navigate to the Key Management screen in the Google Cloud console.
Click Create key ring.
In the Key ring name field, enter the required name for the key ring.
From the Key ring location drop-down list, select a location.
Note: The key ring must be created in a location where Cloud HSM is supported. For the list of supported locations, see https://cloud.google.com/kms/docs/locations.
Click Create. The key ring is created in the selected location.
Configuring Connection with Google Cloud KMS
To configure a connection with Google Cloud KMS:
On the ESA Web UI, navigate to Key Management > Key Stores.
The Key Stores screen appears.
Click New Key Store.
The Create New Key Store screen appears.
In the Key Store Information section, enter the following details.
- Name: Type a unique name for the Key Store, for example Google_Cloud_KMS. The name you type is used to populate the Key Store installation path field.
- Type: Select Google Cloud KMS.
In the Google Cloud KMS details section, enter the following details:
- Project
- Key Ring
- Location
In the Key Store files and environment variables > Key Store environment variables section, click Add environment variable.
The Add Key Store environment variable dialog box appears. Enter the following details, and then click Save:
- Environment variable name: Specify the environment variable name for the Google Cloud KMS. For example, specify GOOGLE_APPLICATION_CREDENTIALS.
- Environment variable value: Specify the value for the corresponding environment variable. For example, specify /opt/protegrity/keystore/Google_Cloud_KMS/credentials.json. This must be the path at which the uploaded Application Credentials JSON file is placed on the ESA.
If you want to mask the value of the variable in the UI, click the Sensitive toggle to the on position. The value is then hidden while typing and is shown as a fixed-length string of asterisks in the list of environment variables.
In the Key Store files and environment variables > Key Store files section, click Add File.
The Add Key Store File dialog box appears. Enter the following details.
- File Type: Other
- File: Select the Application Credentials JSON file for the Google Cloud KMS from your local machine.
Click Add File to add the file to the Key Store files section.
Click Save.
The Key Store saved successfully message appears. Click Test to test the Key Store connection.
The Test Key Store Connection dialog box appears. Click OK to close the Test Key Store Connection dialog box.
Click Set As Active to activate the Key Store.
The Google Cloud KMS is set as active.
Note: Verify that the master key has been generated in the Google Cloud KMS, as described under Viewing Keys under the Key Ring.
Viewing Keys under the Key Ring
After activating the Google Cloud KMS, a new Master Key is created under the configured key ring.
To view keys under the Key Ring:
Navigate to the GCP Console > Key management > Key_ring_name > Keys.
Verify that the key listed under the key ring in the configured location has the same name as the master key UID shown on the ESA.
Note: Do not rotate the keys in the key ring from the GCP side; the ESA does not register a key version created there. When a key is rotated from the ESA, the ESA creates a new key in the key ring; it does not create a new version of the existing key in GCP.
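The following audit is an added example and is not ESA or Google code. It takes the JSON printed by `gcloud kms keys list --keyring RING --location LOCATION --format=json`, looks up the key whose name equals the master key UID shown on the ESA, and checks the invariants stated above: the key exists in the expected key ring, its primary version is still version 1 (so nobody rotated it from the GCP side), and no automatic rotation schedule is set on it. It also reports the protection level, on the assumption that a key created in an HSM-supported location is expected to be HSM-protected; pass `expect_hsm=False` if that is not the case. The JSON below is constructed, and the project, key ring and key names are placeholders.

```python
"""Audit of the ESA key ring on Google Cloud KMS after activation (added example)."""
import json


def crypto_key_id(resource_name):
    """'projects/.../keyRings/r/cryptoKeys/k' -> 'k'."""
    return resource_name.rsplit("/cryptoKeys/", 1)[1]


def version_number(version_name):
    """'.../cryptoKeyVersions/3' -> 3."""
    return int(version_name.rsplit("/cryptoKeyVersions/", 1)[1])


def audit_key_ring(keys_json, master_key_uid, key_ring, expect_hsm=True):
    """Findings for the ESA master key in `keys_json`; an empty list means OK."""
    keys = {crypto_key_id(k["name"]): k for k in json.loads(keys_json)}
    key = keys.get(master_key_uid)
    if key is None:
        return [f"no key named {master_key_uid} in key ring {key_ring}; "
                "the ESA master key UID and the GCP key name must match"]
    findings = []
    if f"/keyRings/{key_ring}/" not in key["name"]:
        findings.append(f"{master_key_uid} is not in key ring {key_ring}")
    if key.get("purpose") != "ENCRYPT_DECRYPT":
        findings.append(f"purpose is {key.get('purpose')}, expected ENCRYPT_DECRYPT")
    primary = key.get("primary", {})
    if primary.get("state") != "ENABLED":
        findings.append(f"primary version state is {primary.get('state')}, expected ENABLED")
    if expect_hsm and primary.get("protectionLevel") != "HSM":
        findings.append(f"protection level is {primary.get('protectionLevel')}, expected HSM")
    if primary and version_number(primary["name"]) != 1:
        # The ESA only knows the version it created; a later primary means a
        # GCP-side rotation that the ESA will not register.
        findings.append(f"primary is version {version_number(primary['name'])}: "
                        "the key was rotated on GCP, which the ESA does not register")
    if key.get("rotationPeriod") or key.get("nextRotationTime"):
        findings.append("an automatic rotation schedule is set; remove it "
                        "(gcloud kms keys update ... --remove-rotation-schedule)")
    return findings


# Constructed `gcloud kms keys list --format=json` output: one key as the ESA
# created it, and one that was rotated and scheduled from the console.
RING = "projects/example-project/locations/us-east1/keyRings/esa-ring"
SAMPLE_KEYS_LIST = json.dumps([
    {
        "name": RING + "/cryptoKeys/9f1c2d3e-esa-master",
        "purpose": "ENCRYPT_DECRYPT",
        "createTime": "2024-01-10T09:12:31.123456Z",
        "primary": {
            "name": RING + "/cryptoKeys/9f1c2d3e-esa-master/cryptoKeyVersions/1",
            "state": "ENABLED",
            "protectionLevel": "HSM",
            "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
        },
        "versionTemplate": {"protectionLevel": "HSM",
                            "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"},
    },
    {
        "name": RING + "/cryptoKeys/old-esa-master",
        "purpose": "ENCRYPT_DECRYPT",
        "createTime": "2023-06-01T00:00:00Z",
        "rotationPeriod": "7776000s",
        "nextRotationTime": "2024-04-01T00:00:00Z",
        "primary": {
            "name": RING + "/cryptoKeys/old-esa-master/cryptoKeyVersions/2",
            "state": "ENABLED",
            "protectionLevel": "HSM",
            "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
        },
    },
])


if __name__ == "__main__":
    for uid in ("9f1c2d3e-esa-master", "old-esa-master"):
        print(uid, audit_key_ring(SAMPLE_KEYS_LIST, uid, "esa-ring") or "OK")
```

Feed the real `gcloud kms keys list` output and the master key UID from the ESA Key Management screen into `audit_key_ring`; running it periodically catches a console-side rotation or rotation schedule before the ESA fails to find the version it expects.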