---
title: "Exporting Fortanix DSM Keys to Cloud Providers for BYOK - Google Cloud"
slug: "exporting-fortanix-data-security-manager-keys-to-cloud-providers-for-byok-google-cloud"
updated: 2026-04-01T08:24:40Z
published: 2026-03-16T20:02:31Z
---

# Exporting Fortanix DSM Keys to Cloud Providers for BYOK - Google Cloud

## 1.0 Introduction

There are several ways to export **Fortanix Data Security Manager (DSM)** keys to major cloud providers that support Bring Your Own Key (BYOK) for server-side encryption.

## 2.0 Prerequisite

Ensure the following:

- The Fortanix DSM CLI is downloaded from [*here*](https://fortanix.zendesk.com/hc/en-us/sections/17701671182356-Fortanix-DSM-CLI).

## 3.0 Google Cloud

### 3.1 GCS (Cloud Storage)

For GCS, the actual base64-encoded customer key must be provided for every upload and download of objects.

1. Run the following command to create a 256-bit AES key in Fortanix DSM with the `EXPORT` key operation enabled:

```bash
$ python sdkms-cli create-key --obj-type AES --key-size 256 --name Google-Cloud-Master-Key --exportable
```

2. Run the following command to export this key to your application environment:

```bash
$ python sdkms-cli export-object --name Google-Cloud-Master-Key
```

3. Add the following options to the `GSUtil` section of the gsutil [boto configuration file](https://cloud.google.com/storage/docs/gsutil/commands/config):

```ini
encryption_key = [YOUR_ENCRYPTION_KEY]
decryption_key1 = [YOUR_ENCRYPTION_KEY]
```

4. Run the following commands to upload and download objects in GCS, encrypted with your own key:

```bash
$ gsutil cp [LOCAL_OBJECT_LOCATION] gs://[DESTINATION_BUCKET_NAME]/
$ gsutil cp gs://[BUCKET_NAME]/[OBJECT_NAME] [OBJECT_DESTINATION]
```

5. The GCS browser shows that the object is customer encrypted.

![gce-4.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/gce-4.png)

**Figure 1: Customer encrypted**

### 3.2 GCE (Compute Engine)

GCE supports importing customer keys [wrapped by a Google public key](https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#rsa-encryption). Since Fortanix DSM supports wrapping natively, the actual material of the customer keys is never exposed.

1. Run the following command to create a 256-bit AES key in Fortanix DSM with the `EXPORT` key operation enabled:

```bash
$ python sdkms-cli create-key --obj-type AES --key-size 256 --name Google-Cloud-Master-Key --exportable
```

2. Run the following commands to fetch the Google public key:

```bash
$ curl "https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem" -o google-cloud-csek-ingress.pem
$ openssl x509 -pubkey -noout -in google-cloud-csek-ingress.pem > google-cloud-csek-public.pem
```

3. Run the following command to import the Google public key into Fortanix DSM:

```bash
$ python sdkms-cli import-key --obj-type RSA --in google-cloud-csek-public.pem --name Google-Cloud-Public-Key
```

4. Run the following commands to wrap the Fortanix DSM master key with the Google public key, using Fortanix DSM, and base64-encode the result:

```bash
$ sdkms-cli wrap-key --kid [KID_OF_MASTER_KEY] --alg RSA --mode OAEP_MGF1_SHA1 --wrapping-kid [KID_OF_GOOGLE_PUBLIC_KEY] --out rsawrappedkey.txt
$ openssl enc -base64 -in rsawrappedkey.txt | tr -d '\n' | sed -e '$a\' > rsawrappedbase64key.txt
```
5. Set the key data in GCE as a wrapped key.

![wrapped-key-google.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/wrapped-key-google.png)

**Figure 2: Set the key data**

6. The disk shows that it is encrypted with customer keys.

![gce-3.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/gce-3.png)

**Figure 3: Encryption**
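
The checks below are an added example, not part of the original page or of Fortanix's tooling: they validate the base64 key from 3.1 and the wrapped key from 3.2 before either is handed to Google Cloud. The function names, the sample file names and the 2048-bit modulus size used in the demo are assumptions made for illustration.

```bash
# Added example (not Fortanix or Google code). File names and sample values are constructed.

# Succeed only if FILE is one line of valid base64 that decodes to exactly WANT bytes.
check_b64_len() (
    file=$1 want=$2
    [ "$(wc -l < "$file")" -le 1 ] || { echo "$file: base64 is line-wrapped" >&2; exit 1; }
    base64 -d < "$file" > /dev/null 2>&1 || { echo "$file: not valid base64" >&2; exit 1; }
    got=$(base64 -d < "$file" | wc -c | tr -d ' ')
    [ "$got" -eq "$want" ] || { echo "$file: decodes to $got bytes, want $want" >&2; exit 1; }
)

# 3.1: the value placed in encryption_key is a base64-encoded AES-256 key, i.e. 32 bytes.
check_csek_key() { check_b64_len "$1" 32; }

# 3.2: RSA-OAEP output is exactly as long as the wrapping key's modulus. Pass its size in
# bits, as reported by: openssl rsa -pubin -in google-cloud-csek-public.pem -noout -text
check_wrapped_key() { check_b64_len "$1" $(( $2 / 8 )); }

# A file holding the raw key (exported key, boto config) must not be group/other accessible.
check_private_file() (
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$1: accessible beyond owner ($perms)" >&2; exit 1; }
)

# Demo on constructed all-zero data; 2048 bits is an assumed modulus size for the sample.
demo() (
    umask 077
    d=$(mktemp -d) || exit 1
    head -c 32 /dev/zero | base64 > "$d/csek.b64"
    head -c 256 /dev/zero | base64 | tr -d '\n' > "$d/rsawrappedbase64key.txt"
    check_csek_key "$d/csek.b64" &&
        check_wrapped_key "$d/rsawrappedbase64key.txt" 2048 &&
        check_private_file "$d/csek.b64" && echo "all checks passed"
    rc=$?
    rm -rf "$d"
    exit "$rc"
)
demo
```

A length mismatch on the wrapped key usually means the raw `rsawrappedkey.txt` was submitted instead of its base64 form, or that the key was wrapped with a different public key than the one fetched in step 2.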

- **[Watch Google Cloud Storage Demo](https://www.youtube.com/watch?v=ByHgAItENp4)**
- **[Watch Google Compute Engine Demo](https://www.youtube.com/watch?v=pnfhG3Z8yW0)**

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

Fortanix DSM’s BYOK feature generates Linked or Copied virtual keys from a source key enabling backup and key replication to other CSP accounts/subscriptions, regional instances, key repositories, and, most importantly, to multiple cloud providers, including private clouds. This includes seamless movement between private clouds (on-premises) and public clouds. BYOK keys also allow tracking of key activities across multiple CSP repositories for easier restoration if keys are deleted or disabled.

## Related

- [Manually Importing Fortanix DSM Keys into Cloud Providers](/manually-importing-fortanix-data-security-manager-keys-into-cloud-providers.md)
- [Getting Started](/fortanix-dsm-cloud-data-control-getting-started.md)
- [How does the attestation process guarantee hardware integrity?](/how-does-the-attestation-process-guarantee-hardware-integrity.md)
- [Fortanix DSM with Google Cloud EKM Interface](/using-fortanix-data-security-manager-with-google-cloud-ekm-interface.md)
