Retrieving endorsement keys

This topic describes how to retrieve the endorsement key (EKPub) from a Shielded VM instance.

You can retrieve the endorsement key for both the encryption key and the signing key. You can use the encryption key to encrypt data so that only the vTPM can read it, or the signing key to verify signatures that the vTPM makes. You can also use the key to ascertain the identity of a VM instance before sending sensitive information to it.

You must have the getShieldedInstanceIdentity permission to retrieve endorsement keys.

Retrieving endorsement keys using the Google Cloud CLI

Use the gcloud compute instances get-shielded-identity command to retrieve the public portion of the endorsement key from a Shielded VM instance.

gcloud compute instances get-shielded-identity [INSTANCE_NAME]

The results returned look similar to the following:

encryptionKey:
  ekPub: |
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4ucWqhLjIkcEJyqc8KJM
    12345678abcdefghijklmnopqrstuvwxyz12345678abcdefghijklmnopqrstu
    oBSrm0swIu3x4LWR/Ebl5KA0EKe9YFGaS9Pguun1m6X8Ld2zAqmoIwnxDiOqxQEU
    mx2wxkjf0bbjxG5ZI1i3t/c/QzeaE2WWTlKdgnUDyxSloDBq63yywtoIrp1nbDLj
    X8qdBymixu8jXXp1iGwmEUltnEnx779JKTpKgKTEednri+NcfRmXHrnPCxfiPudQ
    4wIDAQAB
    -----END PUBLIC KEY-----
kind: compute#shieldedInstanceIdentity
signingKey:
  ekPub: |
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzQvcD+2LAnsXAgdsVYAc
    12345678abcdefghijklmnopqrstuvwxyz12345678abcdefghijklmnopqrstu
    V/7WHasUuGlkbqiDOuDWgb15FAn35PU64HGey67McZTUT9EvrkT/ryXi4kZgBtoM
    lQIDAQAB
    -----END PUBLIC KEY-----

Retrieving endorsement keys using the Compute Engine API

You can use the Compute Engine API to view endorsement key information. For more information on how to use the API, see the How-to guides.

GET /compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]/getShieldedInstanceIdentity

{
  "signingKey": {
    "ekPub": [PEM-formatted key]
  },
  "encryptionKey": {
    "ekPub": [PEM-formatted key]
  },
  "kind": "compute#shieldedInstanceIdentity"
}
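
One way to use this response for the identity check mentioned earlier, shown as an added example that is not part of the original page or Google's code: record a SHA-256 fingerprint of each ekPub when the instance is provisioned, then compare on later retrievals. Hashing the decoded DER bytes rather than the PEM text keeps the fingerprint stable across the YAML and JSON output forms. All function names are hypothetical, the pinning workflow is an assumption, and the sample keys are constructed stand-in bytes, not real vTPM keys.

```python
import base64, hashlib, hmac, json, re

PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)
KIND = "compute#shieldedInstanceIdentity"

def pem_to_der(pem):
    """Decode one PEM PUBLIC KEY block to its DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PUBLIC KEY block found")
    # Strip line wrapping and indentation before strict base64 decoding.
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def ek_fingerprints(response_json):
    """Return {key name: SHA-256 hex digest of the DER-encoded ekPub}."""
    doc = json.loads(response_json)
    if doc.get("kind") != KIND:
        raise ValueError("not a shieldedInstanceIdentity response")
    fps = {}
    for name in ("encryptionKey", "signingKey"):
        pem = (doc.get(name) or {}).get("ekPub")
        if not pem:
            raise ValueError(name + ".ekPub missing")
        fps[name] = hashlib.sha256(pem_to_der(pem)).hexdigest()
    return fps

def matches_pinned(response_json, pinned):
    """True only if both keys match the fingerprints recorded earlier."""
    ok = True
    for name, fp in ek_fingerprints(response_json).items():
        ok &= hmac.compare_digest(fp, pinned.get(name, ""))
    return ok

# --- constructed sample data: stand-in bytes, not real TPM keys ---
def make_pem(der):
    return ("-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(der).decode()
            + "-----END PUBLIC KEY-----\n")

def sample_response(enc_der, sig_der):
    return json.dumps({"encryptionKey": {"ekPub": make_pem(enc_der)},
                       "signingKey": {"ekPub": make_pem(sig_der)},
                       "kind": KIND})

ENC_DER, SIG_DER = bytes(range(64)), bytes(range(64, 128))
PINNED = ek_fingerprints(sample_response(ENC_DER, SIG_DER))  # recorded at provisioning

if __name__ == "__main__":
    print(matches_pinned(sample_response(ENC_DER, SIG_DER), PINNED))       # unchanged keys
    print(matches_pinned(sample_response(b"\x00" * 64, SIG_DER), PINNED))  # replaced key
```

A fingerprint match shows only that the instance still reports the same endorsement keys; it does not by itself prove that a remote party holds the corresponding private key.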


Last updated 2025-11-24 UTC.