Key Management System/KMS keys

Topics

1. What is Key Management System?
2. Type of keys in KMS.
3. Purpose of keys.
4. Key Versions
5. State of the keys.
6. Structure of the key rings and keys
7. Keyring and key creation

1. Key Management System

KMS, short for Key Management System, is used for encryption and signing purposes. It serves as a secure repository for cryptographic keys, ensuring that sensitive information remains protected from unauthorized access or tampering

2. Type of keys in KMS

There are two types of keys →

1. Symmetric key
2. Asymmetric key

→ The purpose of a symmetric key is always Symmetric encrypt/decrypt.

what it means? when we use term called symmetric that means it will use same key to encrypt and decrypt tha data.
so that it can symmetrically encrypt and decrypt data,

→ The purpose of an asymmetric key is either Asymmetric. encrypt/decrypt or Asymmetric signing.

Asymmetric means it will use different-2 keys for encryption and decryption for the same purpose..

Within the realm of KMS:

1. Encryption Keys: These keys are used to encrypt data, converting it into an unreadable format that can only be deciphered/decrypted by authorized users or systems possessing the corresponding decryption key.
2. Signing Keys: On the other hand, signing keys are utilized for digital signatures, enabling data authentication and integrity verification. By affixing a digital signature to data, it becomes possible to verify its origin and integrity, ensuring that it has not been altered in transit.

So it means we can use Symmetric key/Asymmetric key for encryption/decryption of the data but for signing we can only use Asymmetric key.

3. Purpose of keys

Purpose as it’s name suggests, we need to have a purpose for creating any key it could be Symmetric encrypt/decrypt data or it could be Asymmetric encrypt/decrypt data or Asymmetric signing.

Note: Basically purpose should be decided before making any key, because after creation of the key purpose can’t be changed.

4. Key Versions

Every key has it’s own version, there can be multiple version of a key

key versions are represented by an integer number.

Example:

If a key has 3 version’s then, versions will be represented like this

1
2
3

Note:

1. If we encrypted data with specific key version that must be decrypted by the same key version otherwise it wont decrypt it.

2. Symmetric key can have at most one primary key version, if we do not define key version while encrypting the data then primary version will be used for that.

3. Asymmetric keys do not have primary versions, we must specify the version while using the key.

4. For both type of keys we can use enabled version only.

5. We can disable a key version without effecting other key versions of a key.

6. Disabling or destroying a key also disable or destroy it’s all key versions.

5. State of the Keys

A key has it’s state, that can be one of them

• Enabled
• Disabled
• Scheduled for destruction
• Destroyed

Enabled means we can use it for encryption/decryption purpose.

Disabled means we have the key but it’s disabled so we can’t use it for any purpose.

Scheduled for destruction means this key will destroyed soon or it can be moved back into the disable state.

Destroyed mean the key is destroyed.

6 . Structure of the key rings and keys

Now we need to understand how key rings and keys are structured.

Key Ring → It’s basically root resource for cloud kms keys and key version’s Each key ring is associated with a specific location.

Note: One key ring can’t be associated with multiple locations.

Key → It’s the actual key for encryption/decryption or signing.

7. Keyring and key creation

1. Keyring creation

Now we will understand how these keyrings are created:

1. First of all we need permissions for creating the keyring
   So for example we can assign this role roles/cloudkms.admin to a user or a SA(Service Account) using IAM roles.

Note: Admin roles are always comes with lots of permissions so we can check what kind of permissions exactly do we need to manage key rings

For more info refer below link:

https://cloud.google.com/kms/docs/create-key-ring#expandable-1

2. For creating keyring we need below parameters:

Name: <Name of the keyring>
Location: <Location of the key ring>

Note: Location depends on where are your resources located that will be using KMS keys to Encrypt/Decrypt or signing for better availability.

For more info about KMS key location and supported protection levels refer below link:

https://cloud.google.com/kms/docs/locations

2. Key Creation

After successfully creation of keyring now we can create keys in above keyring

1. We need permission for creating keys as well, you can find out permissions and roles according to your requirements below.

For more info refer below link:

https://cloud.google.com/kms/docs/reference/permissions-and-roles#predefined

2. Creating a key can contain other parameters as well but I am mentioning here the basic parameters that we need.

For more info refer below link

https://cloud.google.com/kms/docs/resource-hierarchy

Name: <Name of the key>
Key_ring: <Key Ring>
algorithm: <Algorithm to be used for cryptographic operations>

Note: If purpose is not defined then by default purpose will be ENCRYPT_DECRYPT.

In above picture we can see that there is a Key Ring called ‘A’ has 3 keys

key 1
key 2
key 3

So we can understand that we can have multiple keys associated with same keyring.

There are certain things that we need to take care of while creating keyring and keys.

1. We can not create same name key within the same keyring.
2. We can create same name keyring but in different location.
3. We can have multiple versions of a key.

Thanks 🙏 for reading out this blog. I hope you enjoyed reading. Do👏 👏clap 50 times and share this article if you like it.