gcloud kms keys create

NAME
gcloud kms keys create - create a new key
SYNOPSIS
gcloud kms keys create (KEY : --keyring=KEYRING --location=LOCATION) --purpose=PURPOSE [--allowed-access-reasons=[ALLOWED_ACCESS_REASONS,…]] [--crypto-key-backend=CRYPTO_KEY_BACKEND] [--default-algorithm=DEFAULT_ALGORITHM] [--destroy-scheduled-duration=DESTROY_SCHEDULED_DURATION] [--import-only] [--labels=[KEY=VALUE,…]] [--next-rotation-time=NEXT_ROTATION_TIME] [--protection-level=PROTECTION_LEVEL; default="software"] [--rotation-period=ROTATION_PERIOD] [--skip-initial-version-creation] [GCLOUD_WIDE_FLAG]
DESCRIPTION
Creates a new key within the given keyring.

The flag --purpose is always required when creating a key. The flag --default-algorithm is required when creating a symmetric signing key, an asymmetric key, or an external key. Algorithm and purpose should be compatible.

The optional flags --rotation-period and --next-rotation-time define a rotation schedule for the key. A schedule can also be defined by the --create-rotation-schedule command.

The flag --next-rotation-time must be in ISO 8601 or RFC3339 format, and --rotation-period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).

The optional flag --protection-level specifies the physical environment where crypto operations with the key happen. The default is software; use hsm to create a hardware-backed key, external to create an externally backed key, or external-vpc to create an external key over VPC.

The optional flag --labels defines a user specified key/value pair for the given key.

The flag --skip-initial-version-creation creates a CryptoKey with no versions. If you import into the CryptoKey, or create a new version in that CryptoKey, there will be no primary version until one is set using the --set-primary-version command. You must include --skip-initial-version-creation when creating a CryptoKey with protection level external or external-vpc.

The optional flag --import-only restricts the key to imported key versions only. To do so, the flag --skip-initial-version-creation must also be set.

The optional flag --destroy-scheduled-duration defines the destroy schedule for the key, and must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).

The flag --crypto-key-backend defines the resource name for the backend where the key resides. Required for external-vpc keys.

The optional flag --allowed-access-reasons defines the Key Access Justifications Policy for the key, and is specified as a comma separated list of zero or more justification codes defined in https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes. The key must be enrolled in Key Access Justifications to use this flag.
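The flag rules above (purpose and algorithm must be compatible, external and external-vpc keys need --skip-initial-version-creation, external-vpc keys need --crypto-key-backend, --import-only needs --skip-initial-version-creation) are easy to get wrong in provisioning scripts, and a rejected create call is cheaper to catch before it reaches the API. The following POSIX sh wrapper is an added example, not code from the gcloud reference or the Cloud SDK: it assembles the command line and refuses combinations the description says are invalid. The function name, argument order and the EXTRAS convention are this example's own; the purpose-to-algorithm-family mapping is inferred from the algorithm names listed on this page (for instance hmac-* for mac, rsa-decrypt-* for asymmetric-encryption), and raw-encryption and key-encapsulation keys are treated as always needing --default-algorithm, as the raw-encryption example does.

```shell
#!/bin/sh
# Added example, not part of the gcloud reference: a pre-flight wrapper that
# assembles a "gcloud kms keys create" command line and refuses flag
# combinations that the DESCRIPTION says the service will reject.
#
# kms_key_create_cmd KEY LOCATION KEYRING PURPOSE [ALGORITHM] [LEVEL] [BACKEND] [EXTRAS]
#   LEVEL defaults to software; BACKEND is the --crypto-key-backend resource name;
#   EXTRAS is a string of further flags, e.g. "--import-only --skip-initial-version-creation".
# Prints the command on success (exit 0); prints a reason to stderr and exits 1 otherwise.
kms_key_create_cmd() {
    key=$1 location=$2 keyring=$3 purpose=$4
    algorithm=${5:-} level=${6:-software} backend=${7:-} extras=${8:-}

    case $purpose in
        asymmetric-encryption|asymmetric-signing|encryption|key-encapsulation|mac|raw-encryption) ;;
        *) echo "invalid --purpose: $purpose" >&2; return 1 ;;
    esac
    case $level in
        software|hsm|hsm-single-tenant|external|external-vpc) ;;
        *) echo "invalid --protection-level: $level" >&2; return 1 ;;
    esac

    # Only a software/HSM encryption key may omit --default-algorithm (it gets
    # google-symmetric-encryption); every other purpose, and any external key, must name one.
    if [ -z "$algorithm" ]; then
        case $purpose/$level in
            encryption/software|encryption/hsm|encryption/hsm-single-tenant) ;;
            *) echo "--default-algorithm is required for purpose $purpose at level $level" >&2; return 1 ;;
        esac
    else
        # Purpose/algorithm compatibility, matched on the algorithm-name families (assumed mapping).
        case $purpose/$algorithm in
            encryption/google-symmetric-encryption|encryption/external-symmetric-encryption) ;;
            raw-encryption/aes-*) ;;
            mac/hmac-*) ;;
            asymmetric-signing/ec-sign-*|asymmetric-signing/rsa-sign-*|asymmetric-signing/pq-sign-*) ;;
            asymmetric-encryption/rsa-decrypt-*) ;;
            key-encapsulation/ml-kem-*|key-encapsulation/kem-xwing) ;;
            *) echo "algorithm $algorithm is not compatible with purpose $purpose" >&2; return 1 ;;
        esac
    fi

    # Flag-presence tests on EXTRAS (padded with spaces so only whole flags match).
    skip=no; import_only=no
    case " $extras " in *" --skip-initial-version-creation "*) skip=yes ;; esac
    case " $extras " in *" --import-only "*) import_only=yes ;; esac

    case $level in
        external|external-vpc)
            if [ $skip = no ]; then
                echo "protection level $level requires --skip-initial-version-creation" >&2; return 1
            fi
            if [ $level = external-vpc ] && [ -z "$backend" ]; then
                echo "--crypto-key-backend is required for external-vpc keys" >&2; return 1
            fi ;;
    esac
    if [ $import_only = yes ] && [ $skip = no ]; then
        echo "--import-only requires --skip-initial-version-creation" >&2; return 1
    fi

    cmd="gcloud kms keys create $key --location=$location --keyring=$keyring --purpose=$purpose"
    if [ -n "$algorithm" ]; then cmd="$cmd --default-algorithm=$algorithm"; fi
    if [ "$level" != software ]; then cmd="$cmd --protection-level=$level"; fi
    if [ -n "$backend" ]; then cmd="$cmd --crypto-key-backend=$backend"; fi
    if [ -n "$extras" ]; then cmd="$cmd $extras"; fi
    printf '%s\n' "$cmd"
}

# Usage: print the command for review; pipe it to sh once it has been approved.
kms_key_create_cmd gimli us-east1 fellowship encryption "" hsm
```

The wrapper only prints the command, so it can sit in a change-review step: a reviewer sees the exact invocation, and a constraint violation fails the job before any key material is created.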

EXAMPLES
The following command creates a key named frodo with protection level software within the keyring fellowship and location us-east1:

gcloud kms keys create frodo --location=us-east1 --keyring=fellowship --purpose=encryption

The following command creates a key named strider with protection level software within the keyring rangers and location global with a specified rotation schedule:

gcloud kms keys create strider --location=global --keyring=rangers --purpose=encryption --rotation-period=30d --next-rotation-time=2017-10-12T12:34:56.1234Z

The following command creates a raw encryption key named foo with protection level software within the keyring fellowship and location us-east1 with two specified labels:

gcloud kms keys create foo --location=us-east1 --keyring=fellowship --purpose=raw-encryption --default-algorithm=aes-128-cbc --labels=env=prod,team=kms

The following command creates an asymmetric key named samwise with protection level software and default algorithm ec-sign-p256-sha256 within the keyring fellowship and location us-east1:

gcloud kms keys create samwise --location=us-east1 --keyring=fellowship --purpose=asymmetric-signing --default-algorithm=ec-sign-p256-sha256

The following command creates a key named gimli with protection level hsm and default algorithm google-symmetric-encryption within the keyring fellowship and location us-east1:

gcloud kms keys create gimli --location=us-east1 --keyring=fellowship --purpose=encryption --protection-level=hsm

The following command creates a key named legolas with protection level external and default algorithm external-symmetric-encryption within the keyring fellowship and location us-central1:

gcloud kms keys create legolas --location=us-central1 --keyring=fellowship --purpose=encryption --default-algorithm=external-symmetric-encryption --protection-level=external --skip-initial-version-creation

The following command creates a key named bilbo with protection level external-vpc and default algorithm external-symmetric-encryption and an EkmConnection of eagles within the keyring fellowship and location us-central1:

gcloud kms keys create bilbo --location=us-central1 --keyring=fellowship --purpose=encryption --default-algorithm=external-symmetric-encryption --protection-level=external-vpc --skip-initial-version-creation --crypto-key-backend="projects/$(gcloud config get project)/locations/us-central1/ekmConnections/eagles"

The following command creates a key named arwen with protection level software within the keyring fellowship and location us-east1 with a Key Access Justifications policy that allows access reasons customer-initiated-access and google-initiated-system-operation:

gcloud kms keys create arwen --location=us-east1 --keyring=fellowship --purpose=encryption --allowed-access-reasons=customer-initiated-access,google-initiated-system-operation

POSITIONAL ARGUMENTS
Key resource - The KMS key resource. The arguments in this group can be used to specify the attributes of this resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways.

To set the project attribute:

  • provide the argument key on the command line with a fully specified name;
  • set the property core/project.

This must be specified.

KEY
ID of the key or fully qualified identifier for the key.

To set the key attribute:

  • provide the argument key on the command line.

This positional argument must be specified if any of the other arguments in this group are specified.

--keyring=KEYRING
The KMS keyring of the key.

To set the keyring attribute:

  • provide the argument key on the command line with a fully specified name;
  • provide the argument --keyring on the command line.

--location=LOCATION
The Google Cloud location for the key.

To set the location attribute:

  • provide the argument key on the command line with a fully specified name;
  • provide the argument --location on the command line.

REQUIRED FLAGS
--purpose=PURPOSE
The "purpose" of the key. PURPOSE must be one of: asymmetric-encryption, asymmetric-signing, encryption, key-encapsulation, mac, raw-encryption.
OPTIONAL FLAGS
--allowed-access-reasons=[ALLOWED_ACCESS_REASONS,…]
The list of allowed Key Access Justifications access reasons on the key. The key must be enrolled in Key Access Justifications to configure this field. By default, this field is absent, and all justification codes are allowed. For more information about justification codes, see https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes. ALLOWED_ACCESS_REASONS must be one of: customer-authorized-workflow-servicing, customer-initiated-access, customer-initiated-support, google-initiated-review, google-initiated-service, google-initiated-system-operation, google-response-to-production-alert, modified-customer-initiated-access, modified-google-initiated-system-operation, reason-not-expected, reason-unspecified, third-party-data-request.
--crypto-key-backend=CRYPTO_KEY_BACKEND
The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Currently only applicable for EXTERNAL_VPC and EkmConnection resource names.
--default-algorithm=DEFAULT_ALGORITHM
The default algorithm for the crypto key. For more information about choosing an algorithm, see https://cloud.google.com/kms/docs/algorithms. DEFAULT_ALGORITHM must be one of: aes-128-cbc, aes-128-ctr, aes-128-gcm, aes-256-cbc, aes-256-ctr, aes-256-gcm, ec-sign-ed25519, ec-sign-p256-sha256, ec-sign-p384-sha384, ec-sign-secp256k1-sha256, external-symmetric-encryption, google-symmetric-encryption, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, hmac-sha512, kem-xwing, ml-kem-1024, ml-kem-768, pq-sign-hash-slh-dsa-sha2-128s-sha256, pq-sign-ml-dsa-65, pq-sign-slh-dsa-sha2-128s, rsa-decrypt-oaep-2048-sha1, rsa-decrypt-oaep-2048-sha256, rsa-decrypt-oaep-3072-sha1, rsa-decrypt-oaep-3072-sha256, rsa-decrypt-oaep-4096-sha1, rsa-decrypt-oaep-4096-sha256, rsa-decrypt-oaep-4096-sha512, rsa-sign-pkcs1-2048-sha256, rsa-sign-pkcs1-3072-sha256, rsa-sign-pkcs1-4096-sha256, rsa-sign-pkcs1-4096-sha512, rsa-sign-pss-2048-sha256, rsa-sign-pss-3072-sha256, rsa-sign-pss-4096-sha256, rsa-sign-pss-4096-sha512, rsa-sign-raw-pkcs1-2048, rsa-sign-raw-pkcs1-3072, rsa-sign-raw-pkcs1-4096.
--destroy-scheduled-duration=DESTROY_SCHEDULED_DURATION
The amount of time that versions of the key should spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. See $ gcloud topic datetimes for information on duration formats.
--import-only
Restrict this key to imported versions only.
--labels=[KEY=VALUE,…]
List of label KEY=VALUE pairs to add.

Keys must start with a lowercase character and contain only hyphens (-), underscores (_), lowercase characters, and numbers. Values must contain only hyphens (-), underscores (_), lowercase characters, and numbers.

--next-rotation-time=NEXT_ROTATION_TIME
Next automatic rotation time of the key. See $ gcloud topic datetimes for information on time formats.
--protection-level=PROTECTION_LEVEL; default="software"
Protection level of the key. PROTECTION_LEVEL must be one of: software, hsm, hsm-single-tenant, external, external-vpc.
--rotation-period=ROTATION_PERIOD
Automatic rotation period of the key. See $ gcloud topic datetimes for information on duration formats.
--skip-initial-version-creation
Skip creating the first version in a key and setting it as primary during creation.
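The --rotation-period and --destroy-scheduled-duration flags take the INTEGER[UNIT] form described above (units s, m, h, d), and --next-rotation-time takes an ISO 8601 / RFC3339 timestamp. The following POSIX sh functions are an added example, not code from the gcloud reference or the Cloud SDK: they normalise such durations to seconds, check the timestamp shape, and apply a constructed key-lifecycle policy (rotate at least every 90 days, keep destroy-scheduled versions recoverable for at least 24 hours) before the flags are handed to the create command. The function names and the two policy thresholds are this example's own; the timestamp check accepts only the RFC3339 shape used in the strider example, which is a stricter subset of what gcloud topic datetimes allows.

```shell
#!/bin/sh
# Added example, not part of the gcloud reference: duration and timestamp
# handling for --rotation-period, --next-rotation-time and
# --destroy-scheduled-duration, plus a constructed lifecycle policy.

# duration_to_seconds 30d  -> prints 2592000; returns 1 on a malformed value.
# Accepts INTEGER[UNIT] with UNIT one of s, m, h, d; a bare integer means seconds.
duration_to_seconds() {
    d=$1
    case $d in
        ""|*[!0-9smhd]*) return 1 ;;      # only digits plus a unit letter are allowed
    esac
    n=${d%[smhd]}                         # integer part (unit stripped if present)
    u=${d#"$n"}                           # whatever remains is the unit, "" for seconds
    case $n in
        ""|*[!0-9]*) return 1 ;;          # integer part must be digits only ("30dd" fails here)
    esac
    n=${n#"${n%%[!0]*}"}                  # drop leading zeros so the arithmetic is decimal
    [ -n "$n" ] || n=0
    case $u in
        ""|s) mult=1 ;;
        m)    mult=60 ;;
        h)    mult=3600 ;;
        d)    mult=86400 ;;
        *)    return 1 ;;
    esac
    echo $((n * mult))
}

# is_rfc3339 2017-10-12T12:34:56.1234Z -> exit 0 when the value has the
# date 'T' time [.fraction] (Z | +hh:mm | -hh:mm) shape, 1 otherwise.
is_rfc3339() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$'
}

# Constructed policy thresholds (this example's own, not gcloud defaults).
MAX_ROTATION_SECONDS=$((90 * 86400))   # rotate at least every 90 days
MIN_DESTROY_SECONDS=$((24 * 3600))     # keep a destroy-scheduled version for at least 24h

# check_key_schedule ROTATION_PERIOD NEXT_ROTATION_TIME DESTROY_SCHEDULED_DURATION
# Prints the three flags with durations normalised to seconds, or returns 1
# with a reason on stderr when a value is malformed or violates the policy.
check_key_schedule() {
    rot=$(duration_to_seconds "$1") || { echo "bad --rotation-period: $1" >&2; return 1; }
    is_rfc3339 "$2" || { echo "bad --next-rotation-time: $2" >&2; return 1; }
    destroy=$(duration_to_seconds "$3") || { echo "bad --destroy-scheduled-duration: $3" >&2; return 1; }
    [ "$rot" -le "$MAX_ROTATION_SECONDS" ] || { echo "rotation period $1 exceeds policy maximum" >&2; return 1; }
    [ "$destroy" -ge "$MIN_DESTROY_SECONDS" ] || { echo "destroy window $3 is below policy minimum" >&2; return 1; }
    echo "--rotation-period=${rot}s --next-rotation-time=$2 --destroy-scheduled-duration=${destroy}s"
}

# Usage: the strider example's schedule with a two-day destroy window.
check_key_schedule 30d 2017-10-12T12:34:56.1234Z 48h
```

Normalising to seconds makes policy comparisons unit-independent, so "2160h" and "90d" are judged the same; the output is still a valid INTEGER[UNIT] value for the flags, since seconds (s) is one of the accepted units.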
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES
These variants are also available:
gcloud alpha kms keys create
gcloud beta kms keys create


Last updated 2025-12-16 UTC.