
We want to create and manage keys in KMS and provide those keys to a third party to encrypt our data at rest. The third party uses GCS to store the data. How do we go about it?

Trying to understand the steps and flow.

Per my understanding, we will create a key ring and keys in KMS. I am not sure how we provide those keys to the third party so that they can encrypt our data at rest.

Dee

1 Answer


Use an asymmetric key (key pair); that way you can safely share the public key with them.

gcloud kms keys versions get-public-key key-version \
        --key key \
        --keyring key-ring-name \
        --location location \
        --output-file public-key.pub

The third party can use the public key to encrypt the data, but only you will have access to the private key in your KMS to decrypt.

If the data is large, the third party should generate an AES key to encrypt the data, and then encrypt the AES key with your public key (RSA). Then store the encrypted data and the encrypted AES key together.

gavinuhma