Including the Pyca cryptography library
This page describes how to update the Google Cloud CLI to enable support forautomatically wrapping keys for secure import into Cloud Key Management Service, byinstalling thePyca cryptography library. Version 2.2.0or higher adds support for the requiredaes_key_wrap_with_padding wrappingmechanism.
Before you begin
- Install or upgrade the Google Cloud CLI to version 253.0.0 orhigher.
- Install the
pipcommand if possible.pipis the platform-independentcommand-line interface to thePython Package Index. Thepackage manager provided by your operating system may not provide version2.2.0 or higher of the Pyca cryptographic library.
Installing and using pip
You can install and usepip on Linux, macOS, or Windows systems.
This command installs the library into your user environment, specifying theminimum version to install. To install system-wide, omit the--user flag. You may need to installpip as a privileged user.
pip install --user "cryptography>=2.2.0"
After installing the Pyca cryptographic libraries, you mustenable site packages so the gcloud CLI can usethe libraries.
Installing on Linux using a package manager
Follow these instructions on Linux systems if you can't use thepip command.
Debian or Ubuntu
If you use a system based on Debian or Ubuntu, you can install the Pycacryptographic library using theapt-get command.
Check the versions of the
python-cryptographypackage available in thepackage database. Version 2.2.0 or higher is required.apt policy python-cryptography
Install the package.
sudo apt-get install python-cryptography
If necessary, specify the version to install.
sudo apt-get install python-cryptography=version
=(equals sign) between the package name and version.
After installing the Pyca cryptographic libraries, you mustenable site packages so the gcloud CLI can usethe libraries.
Red Hat, CentOS, or SUSE
If your system uses RPMs for package management, you can install the Pycacrytographic library using theyum command.
Check the versions of
python-cryptographyavailable in the packagedatabase. Version 2.2.0 or higher is required.yum --showduplicates list python2-cryptography
Install the package.
sudo yum install python2-cryptography
If necessary, specify the version to install.
sudo yum install python2-cryptography-version
-(hyphen) between the package name and version.
After installing the Pyca cryptographic libraries, you mustenable site packages so the gcloud CLI can usethe libraries.
Enabling site packages
By default, the Google Cloud CLI ignores Python libraries installed on your localsystem. To allow the Google Cloud CLI to use the Pyca cryptographic library, youneed to enable site packages.
To enable site packages, set theCLOUDSDK_PYTHON_SITEPACKAGES environment variable to1. With site packagesenabled, the gcloud CLI can use extra libraries outside of thegoogle-cloud-sdk/lib directory.
Linux
export CLOUDSDK_PYTHON_SITEPACKAGES=1
macOS
export CLOUDSDK_PYTHON_SITEPACKAGES=1
Windows
set CLOUDSDK_PYTHON_SITEPACKAGES=1
Enabling site packages may cause some gcloud CLI commands to fail.It is recommended that youdisable site packagesafter importing your keys.
Disabling site packages
After you finish importing keys, it is recommended that you disable sitepackages on systems where you use the gcloud CLI. To disable sitepackages, setCLOUDSDK_PYTHON_SITEPACKAGES to0.
Linux
export CLOUDSDK_PYTHON_SITEPACKAGES=0
macOS
export CLOUDSDK_PYTHON_SITEPACKAGES=0
Windows
set CLOUDSDK_PYTHON_SITEPACKAGES=0
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.