Google Cloud HSM

This tutorial uses Google Cloud HSM — a FIPS 140-2 Level 3 certified implementation.


Before you start

Make sure that you have:


1. Create a key ring

To set up the Google Cloud HSM, create a key ring and indicate its location.


2. Create a key

Create a key, including the following information:

Field             Value
Key ring          The key ring you created in Step 2
Protection level  HSM
Purpose           Asymmetric Encrypt

3. Import the private key

After creating a key ring and key, import the private key.


4. Modify your gokeyless config file and restart the service

Once you’ve imported the key, copy the Resource name from the UI. Then, add this value to the gokeyless YAML file under private_key_stores.

With the config file saved, restart gokeyless and verify it started successfully.

sudo systemctl restart gokeyless.service
sudo systemctl status gokeyless.service -l
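
A check for step 4 that can be run before the restart, as an added example that is not part of the original page or Cloudflare's code: it confirms that the copied value is a full key version resource name and that it is listed under private_key_stores. The `uri:` entry form, the function names and the sample project and key names are assumptions.

```shell
#!/bin/sh
# Added example (not Cloudflare's code). Assumption: the key is listed in the
# gokeyless YAML as a "uri:" item under private_key_stores.

# Succeeds if $1 is a full Cloud KMS key *version* resource name. Asymmetric
# KMS operations address a version, so a name ending at cryptoKeys/<key> fails.
is_key_version_name() {
  printf '%s\n' "$1" | grep -Eq \
    '^projects/[^/ ]+/locations/[^/ ]+/keyRings/[^/ ]+/cryptoKeys/[^/ ]+/cryptoKeyVersions/[0-9]+$'
}

# Prints every uri value found in the private_key_stores block of file $1.
list_store_uris() {
  awk '
    /^private_key_stores:/ { in_block = 1; next }
    /^[^ \t#-]/            { in_block = 0 }   # another top-level key ends it
    in_block && /^[ \t]*(-[ \t]*)?uri:/ {
      sub(/^[ \t]*(-[ \t]*)?uri:[ \t]*/, "")  # drop the key, keep the value
      gsub(/"/, ""); sub(/[ \t]+$/, "")       # drop quotes, trailing blanks
      print
    }' "$1"
}

# check_config FILE NAME -> 0 ok, 1 not listed in FILE, 2 malformed NAME.
check_config() {
  is_key_version_name "$2" || { echo "malformed resource name: $2" >&2; return 2; }
  list_store_uris "$1" | grep -Fxq -- "$2" || {
    echo "$2 is not under private_key_stores in $1" >&2; return 1; }
}

# Constructed sample config and names (placeholders, not real resources).
demo() {
  name='projects/example-project/locations/us-west1/keyRings/example-ring/cryptoKeys/example-key/cryptoKeyVersions/1'
  cfg=$(mktemp) || return 3
  printf 'private_key_stores:\n  - uri: %s\nother_key: value\n' "$name" > "$cfg"
  check_config "$cfg" "$name"; rc=$?
  rm -f "$cfg"
  return "$rc"
}

# Run as: sh check.sh <gokeyless.yaml> <resource name>; with no args, run demo.
if [ "$#" -eq 2 ]; then check_config "$1" "$2"; else demo; fi
```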