I have imported the key material into Cloud KMS, and KMS generated an (AES-256) key. Then I saved the key material locally and encrypted some data files with the generated key.

After that, if my Google account is in arrears or Cloud KMS crashes and causes the KMS key to be lost (I know this is highly unlikely), can I still recover the key and decrypt the encrypted file?

Specifically, my scenario is that, after I renewed my payment method, my KMS service resumed. Can I use the same key material to re-import it into KMS to regenerate a new key that can decrypt the files that were encrypted with the old key?

yyyyahir
  • My question is: After I renewed my fee or KMS resumed service, can I use the material in my hand to re-import to KMS (but the previously generated KMS key is still missing) to regenerate a new KMS key that can decrypt the files that were encrypted by the first KMS key? – TianXing Chu Oct 11 '19 at 04:41

1 Answer

Even if you have your imported key material, Cloud KMS only allows operations through its API; this means that without access to it, it is not possible to decrypt files.

From the documentation on symmetrical keys:

For security reasons, the raw cryptographic key material represented by a Cloud KMS key can never be viewed or exported. It can only be used by an authorized user to encrypt or decrypt data when they invoke the Cloud KMS API.

In your specific scenario, even if you use the same key material to create another symmetrical key, you won't be able to decrypt the previously encrypted files with the old key.

yyyyahir
  • Thank you for your answer. My English is not good; I didn't express it clearly. My question is: After I renewed my fee or KMS resumed service, can I use the material in my hand to re-import to KMS (but the previously generated KMS key is still missing) to regenerate a new KMS key that can decrypt the files? – TianXing Chu Oct 11 '19 at 04:19
  • This is not possible. I edited the question to reflect this. – yyyyahir Oct 16 '19 at 13:33
  • Got it. Now I am confused about why Google gives people a choice to import key material. – TianXing Chu Oct 18 '19 at 09:40