Background
GCP creates symmetric data encryption keys (DEKs) to encrypt resources protected by EKM. These keys encrypt GCP resources (Disk, BigQuery tables, etc.) and are themselves encrypted by Virtru-managed key encryption keys (KEKs). When GCP needs to use these keys, a service account calls Virtru with an encrypted key and Virtru returns the decrypted key.
This document will guide you through creating a keyring and setting up Virtru as your external key provider.
Sync your Google Workspace domain with Virtru
If you have not already done so, follow this guide to sync your Google Workspace domain with Virtru. This is a prerequisite for provisioning your Virtru organization.
Log in to your GCP project and Key Management
Direct link
- https://cloud.google.com/security-key-management
- Click "Go to Console"
- Verify you are logged into the correct project and click "Create Keyring"
- Name your keyring, select the same region as your application, and click "Create"
- Select "Externally managed Key" and give your key a name.
- In Step 2 under "Link your external key", copy the service account and send it to Virtru
- Virtru will send you back the Key URI; use it in Step 3, then click "Create"
- Now that your key is saved you can follow Google's steps for using the externally managed key for the supported GCP resource.
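Once the key is saved, it is worth confirming that the key version really is externally protected, sits in the application's region, and points at the Key URI that Virtru sent. The following check is an added example, not code from Virtru or Google; it assumes the JSON printed by `gcloud kms keys versions describe ... --format=json`, and the project, keyring, key and URI values are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of the describe output; every value is a placeholder.
SAMPLE_KEY_URI = "https://ekm.example.invalid/keys/placeholder"
SAMPLE_VERSION_JSON = """{
  "name": "projects/example-project/locations/us-east1/keyRings/example-ring/cryptoKeys/example-key/cryptoKeyVersions/1",
  "state": "ENABLED",
  "protectionLevel": "EXTERNAL",
  "algorithm": "EXTERNAL_SYMMETRIC_ENCRYPTION",
  "externalProtectionLevelOptions": {"externalKeyUri": "https://ekm.example.invalid/keys/placeholder"}
}"""


def check_external_key_version(version, expected_uri, app_region):
    """Return a list of problems; an empty list means the link looks right."""
    problems = []
    # Resource name layout: projects/P/locations/L/keyRings/R/cryptoKeys/K/...
    parts = version.get("name", "").split("/")
    location = parts[3] if len(parts) > 3 and parts[2] == "locations" else None
    if location != app_region:
        problems.append(f"keyring location {location!r} is not the application region {app_region!r}")
    # Assumption: the key is linked by Key URI, so the level is EXTERNAL.
    if version.get("protectionLevel") != "EXTERNAL":
        problems.append(f"protectionLevel is {version.get('protectionLevel')!r}, expected 'EXTERNAL'")
    if version.get("algorithm") != "EXTERNAL_SYMMETRIC_ENCRYPTION":
        problems.append(f"algorithm is {version.get('algorithm')!r}, expected external symmetric")
    if version.get("state") != "ENABLED":
        problems.append(f"key version state is {version.get('state')!r}, expected 'ENABLED'")
    uri = version.get("externalProtectionLevelOptions", {}).get("externalKeyUri")
    if not uri:
        problems.append("no external key URI is linked to this key version")
    elif urlsplit(uri).scheme != "https":
        problems.append(f"external key URI {uri!r} is not an https URL")
    elif uri != expected_uri:
        problems.append(f"external key URI {uri!r} differs from the URI sent by Virtru")
    return problems


if __name__ == "__main__":
    version = json.loads(SAMPLE_VERSION_JSON)
    for line in check_external_key_version(version, SAMPLE_KEY_URI, "us-east1") or ["OK"]:
        print(line)
```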