gcloud alpha kms

NAME
gcloud alpha kms - manage cryptographic keys in the cloud
SYNOPSIS
gcloud alpha kmsGROUP |COMMAND[GCLOUD_WIDE_FLAG]
DESCRIPTION
(ALPHA) The gcloud kms command group lets you generate, use, rotateand destroy Google Cloud KMS keys.

Cloud KMS is a cloud-hosted key management service that lets you manageencryption for your cloud services the same way you do on-premises. You cangenerate, use, rotate and destroy AES256 encryption keys. Cloud KMS isintegrated with IAM and Cloud Audit Logging so that you can manage permissionson individual keys, and monitor how these are used. Use Cloud KMS to protectsecrets and other sensitive data which you need to store in Google CloudPlatform.

More information on Cloud KMS can be found here:https://cloud.google.com/kms/ anddetailed documentation can be found here:https://cloud.google.com/kms/docs/

GCLOUD WIDE FLAGS
These flags are available to all commands:--help.

Run$gcloud help for details.

GROUPS
GROUP is one of the following:
autokey-config
(ALPHA) Update and retrieve the AutokeyConfig.
ekm-config
(ALPHA) Update and retrieve the EkmConfig.
ekm-connections
(ALPHA) Create and manage ekm connections.
import-jobs
(ALPHA) Create and manage import jobs.
inventory
(ALPHA) Manages the KMS Inventory and Key Tracking commands.
key-handles
(ALPHA) Create and manage KeyHandle resources.
keyrings
(ALPHA) Create and manage keyrings.
keys
(ALPHA) Create and manage keys.
locations
(ALPHA) View locations available for a project.
operations
(ALPHA) Commands for managing operations.
single-tenant-hsm
(ALPHA) Commands for managing single tenant HSM instances.
COMMANDS
COMMAND is one of the following:
asymmetric-decrypt
(ALPHA) Decrypt an input file using an asymmetric-encryption keyversion.
asymmetric-sign
(ALPHA) Sign a user input file using an asymmetric-signing keyversion.
decapsulate
(ALPHA) Decapsulate an input file using a key-encapsulation keyversion.
decrypt
(ALPHA) Decrypt a ciphertext file using a Cloud KMS key.
encrypt
(ALPHA) Encrypt a plaintext file using a key.
mac-sign
(ALPHA) Sign a user input file using a MAC key version.
mac-verify
(ALPHA) Verify a user signature file using a MAC key version.
raw-decrypt
(ALPHA) Decrypt a ciphertext file using a raw key.
raw-encrypt
(ALPHA) Encrypt a plaintext file using a raw key.
NOTES
This command is currently in alpha and might change without notice. If thiscommand fails with API permission errors despite specifying the correct project,you might be trying to access an API with an invitation-only early accessallowlist. These variants are also available:
gcloudkms
gcloudbetakms

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-16 UTC.