If you are a security engineer or if you are responsible for the security of the resources in the cloud, you know that encryption keys are essential for encrypting data at REST. For this purpose, Google launched Cloud KMS (Key Management Service). Cloud KMS is a managed service that lets users create, rotate, and handle encryption keys for Google Cloud services such as Cloud SQL databases and Compute Engine disks. By using Cloud KMS, you can handle AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys. In this lab, you will first learn the basic concepts of Cloud KMS, and you will create a Key Ring, a symmetric encryption key and you will understand how to manually rotate and destroy an encryption key.

Learning Objectives

Upon completion of this lab you will be able to:

• Understand the core concepts of Cloud KMS
• Define a Key Ring
• Create symmetric encryption keys
• Manually rotate an encryption key
• Destroy and encryption key

Intended Audience

This lab is intended for:

• Google Cloud Professional Security Engineer (PSE) certification candidates
• Security Engineers who want to handle encryption at REST on Google Cloud
• Individuals who want to better understand how to handle encryption keys on Google Cloud

Prerequisites

Basic knowledge of encryption is a plus, but it's not required.

Updates

December 14th, 2021 - Update the lab to reflect the latest console experience