Verify an imported key version
This topic shows you how to verify an asymmetric key version that you import into Cloud KMS or Cloud HSM.
For more details about how import works, including limitations and restrictions, refer to Key import.
Limitations on verifying imported keys
Data encrypted outside of Cloud KMS
The best way to test an imported key is to decrypt data that was encrypted before the key was imported, or to encrypt data using the imported key and decrypt it using the key before import.
In Cloud KMS or Cloud HSM, this is only possible when you import an asymmetric key. When data is encrypted using a symmetric Cloud KMS or Cloud HSM key, extra metadata about the encryption key version is saved, encrypted, along with the ciphertext. This metadata is not present in data encrypted outside of Cloud KMS, so a symmetric Cloud KMS key cannot decrypt ciphertext that was produced with the same key material outside of Cloud KMS.
Verify attestations
You can verify attestations about Cloud HSM keys. These attestations assert that the key is an HSM key, that the HSM module is owned by Google, and other details about the key. These attestations are not available for software keys.
Before you begin
- Import an asymmetric key into Cloud KMS or Cloud HSM. You must use Cloud HSM if you want to verify the key's attestations.
- If possible, complete the tasks in this topic using the same local system where you imported the key, so the local system already has the Google Cloud CLI installed and configured.
- Encrypt a file using the public half of the local key pair, or copy a file encrypted with that key to the local system. Keep the original plaintext as well, so that you can compare the decrypted output against it byte for byte.
Verify that the key material is identical
After you import an asymmetric key into Cloud KMS or Cloud HSM, the key material is identical to the local key. To verify that this is true, you can use the imported key to decrypt data that was encrypted using the key before it was imported.
To decrypt a file using an asymmetric Cloud KMS or Cloud HSM key version (the key must have the purpose ASYMMETRIC_DECRYPT, and the file must have been encrypted with the matching public key using the OAEP padding and hash that the key version's algorithm specifies):

    gcloud kms asymmetric-decrypt \
        --location=location \
        --keyring=key-ring-name \
        --key=key-name \
        --version=key-version \
        --ciphertext-file=filepath-and-file-to-decrypt \
        --plaintext-file=decrypted-filepath-and-file.dec

If the file that the --plaintext-file flag points to contains the correct decrypted data, the key material of the external and imported key is identical. Compare the output with the original plaintext byte for byte rather than by eye. If decryption fails or produces unreadable output, first confirm that the ciphertext was produced with the same OAEP hash as the key version's algorithm before concluding that the key material differs.
To learn more, see encrypting and decrypting data.
Verify attestations for a Cloud HSM key
After a key is imported into an HSM, you can view attestations to verify that the HSM is owned by Google. The procedure differs for symmetric and asymmetric Cloud HSM keys.
Attestations are not available for software keys in Cloud KMS.
Symmetric Cloud HSM keys
You can use the Extended Key Checksum Value (EKCV) key attribute to verify an imported Cloud HSM key's key material. This value is calculated by following RFC 5869, section 2: the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) with HMAC-SHA-256, using 32 zero bytes as the salt in the extract step and the fixed string Key Check Value as the info in the expand step. Because the derivation is one-way, the EKCV lets you confirm that the HSM holds your key material without the key material ever leaving the HSM. To retrieve this value, you can attest the key.
Asymmetric Cloud HSM keys
When you make the import request for an asymmetric key, you include your wrapped private key. The private key contains sufficient information for Cloud KMS to derive the public key. After your key is imported, you can retrieve the public key and verify that it matches the public key you have stored locally. For more information about checking the public key attribute, see To verify the public key.
You can also verify the EKCV for asymmetric keys. In this case, the value is the SHA-256 digest of the DER-encoded public key. You can retrieve this value from the key's attestation. For more information about checking the EKCV key attribute, see To verify key properties.
For additional information about attesting keys you import, see Attesting a key.
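The following script recomputes both EKCV forms described above from the key material you hold locally, so that you can compare the result with the value reported in the attestation. It is an added example and is not code from the Cloud KMS documentation or from any Google tool. It implements HKDF exactly as RFC 5869 specifies and checks itself against the RFC's first test vector before you rely on it. Two details are assumptions rather than facts from this page: that the attestation reports the symmetric EKCV as 32 bytes (the SHA-256 output length, configurable below), and that you paste the attested value in as a hex string. The DER-encoded public key is the SubjectPublicKeyInfo structure, which is what you get by stripping the PEM armor from the public key file you stored locally.

```python
"""Recompute Cloud HSM Extended Key Checksum Values (EKCV) locally.

Added example, not Cloud KMS code. Implements the two derivations the
documentation describes:
  * symmetric keys:  HKDF-SHA256 (RFC 5869), salt = 32 zero bytes,
                     info = "Key Check Value"
  * asymmetric keys: SHA-256 over the DER-encoded public key (SPKI)
Assumptions: the symmetric EKCV is 32 bytes long, and the attested value
is supplied as a hex string.
"""
import base64
import hashlib
import hmac
import re

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size      # 32 bytes for SHA-256
EKCV_SALT = bytes(HASH_LEN)        # 32 zero bytes, as the documentation states
EKCV_INFO = b"Key Check Value"     # fixed info string, as the documentation states
EKCV_LEN = 32                      # assumption: attestation reports 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 section 2.2: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 section 2.3: OKM = first `length` bytes of T(1) || T(2) || ...
    where T(i) = HMAC-Hash(PRK, T(i-1) || info || i) and T(0) is empty."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested length exceeds 255 * HashLen")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf_self_test() -> bool:
    """RFC 5869 Appendix A, test case 1. Run this before trusting the output."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes(range(0x00, 0x0D))        # 000102...0c
    info = bytes(range(0xF0, 0xFA))        # f0f1...f9
    okm = hkdf_expand(hkdf_extract(salt, ikm), info, 42)
    expected = ("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                "34007208d5b887185865")
    return okm.hex() == expected


def symmetric_ekcv(key_material: bytes, length: int = EKCV_LEN) -> bytes:
    """EKCV for a symmetric key: HKDF-SHA256 with the fixed salt and info."""
    prk = hkdf_extract(EKCV_SALT, key_material)
    return hkdf_expand(prk, EKCV_INFO, length)


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor and base64-decode the body, yielding the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def asymmetric_ekcv(der_public_key: bytes) -> bytes:
    """EKCV for an asymmetric key: SHA-256 of the DER-encoded public key."""
    return hashlib.sha256(der_public_key).digest()


def matches_attestation(computed: bytes, attested_hex: str) -> bool:
    """Compare a locally computed EKCV with the hex value copied from the
    attestation, using a constant-time comparison."""
    return hmac.compare_digest(computed, bytes.fromhex(attested_hex.strip()))


if __name__ == "__main__":
    if not hkdf_self_test():
        raise SystemExit("HKDF implementation failed the RFC 5869 test vector")
    # Constructed sample inputs; replace with your own key material.
    sample_aes_key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    print("symmetric EKCV :", symmetric_ekcv(sample_aes_key).hex())
    sample_pem = "-----BEGIN PUBLIC KEY-----\nMAMCAQU=\n-----END PUBLIC KEY-----\n"
    print("asymmetric EKCV:", asymmetric_ekcv(pem_to_der(sample_pem)).hex())
```

Feed symmetric_ekcv the raw key bytes you wrapped for import, and asymmetric_ekcv the DER form of the public key you kept locally; if matches_attestation returns True for the value in the attestation, the HSM holds the same key material you imported. The self-test matters: an HKDF that gets the counter byte or the salt wrong still produces a plausible-looking 32-byte value, and only a known-answer check distinguishes a mismatch caused by your tooling from one caused by the HSM.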
What's next
- Learn how to create keys
- Learn about encrypting and decrypting
- Learn about signing and validating data
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.