1.0 Introduction
Welcome to the Fortanix Data Security Manager (DSM) Google Cloud Platform (GCP) Key Management User Guide. This article describes how to add a new GCP Cloud Key Management Service (KMS) using Fortanix DSM.
The Fortanix solution for GCP Cloud KMS offers complete Bring Your Own Key (BYOK) and lifecycle management for management and automation of native GCP Cloud keys (CMEK – Customer Master Encryption Key) and allows users to manage all keys centrally and securely.
This guide will walk you through setting up a Cloud Data Control (CDC) group that will be used for both CNKMS and BYOK workflows.
2.0 Getting Started with Fortanix Cloud Data Control
To understand which solution between CNKMS, BYOK, BYOKMS (AWS XKS), or BYOE is right for you, refer to the Fortanix DSM - Cloud Data Control - Getting Started.
For BYOKMS using AWS External Key Store (XKS), refer to the Fortanix DSM with AWS External Key Store.
3.0 Obtaining Access to Fortanix DSM
Create an account in Fortanix DSM if you do not have one already. For more information, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI guide.
4.0 Fortanix DSM GCP Cloud KMS Group Workflow
The following section describes the workflow to configure Fortanix DSM to interact with the GCP Cloud KMS. A GCP CDC group is created in the Fortanix DSM account, and this group is configured to interact with the GCP Cloud KMS.
4.1 Create a GCP CDC Group
Perform the following steps to create a GCP CDC group:
Navigate to the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to create a new group.
On the Add new group form, do the following:
Enter a title and description for your group.
Click the LINK HSM/EXTERNAL KMS button to select the GCP KMS type, so that Fortanix DSM can connect to it.
Enter the GCP KMS Service Account Credentials
GCP Project ID: This is the unique identifier for the Google Cloud project, used to differentiate your project from all others in Google Cloud. For example: fortanix.
Select the geographical region/location where the Google Cloud KMS resource is stored or can be accessed within a Google Cloud project. For example: South Carolina (us-east1).
Authentication: The following Cloud KMS and Cloud Platform API scopes must be enabled for using KMS and Cloud Platform related GCP services:
https://www.googleapis.com/auth/cloudkms
https://www.googleapis.com/auth/cloud-platform
To authenticate with the Google Cloud KMS, a Google service account is used.
Enter the service account email in the format <service-account-name>@<project-id>.iam.gserviceaccount.com
NOTE
The Google service account must have the role of Cloud KMS Admin.
Upload a Private Key: Upload the JSON or PKCS#11 file containing the private key of the service account to authenticate with Google Cloud KMS.
Click TEST CONNECTION to test your GCP KMS connection. If Fortanix DSM can connect to your GCP KMS using your connection details, it shows the status as “Connected” with a green tick. Otherwise, it shows the status as “Not Connected” with a yellow warning sign.
NOTE
Testing the connection is optional: you can save your group details even if the connection information is incorrect or incomplete, and edit these details later.
After the connection is successful, select the Key Ring Name that you want to configure for the GCP KMS group from the drop-down menu. A key ring organizes keys in a specific Google Cloud location and allows you to manage access control on groups of keys.
NOTE
When you click TEST CONNECTION for the first time, Fortanix DSM tests the credentials provided and fetches the key rings. After you select the key ring, if you click TEST CONNECTION again, then Fortanix DSM checks the credentials and checks the accessibility of the selected key ring.
Click the SAVE button to create the group.
After you save your group details, your group is created, and you will see a detailed view of your group.
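The credentials entered in the steps above (project ID, location, service account email and the uploaded private key file) have to agree with each other before TEST CONNECTION can succeed. The following added example, which is not part of this guide or of Fortanix DSM, is a pre-flight check you can run offline on the service account key file before uploading it: it verifies that the file is a service account credential (not a user credential), that the service account email has the expected form and belongs to the project entered in the form, that the private key is a PEM block, and it builds the Cloud KMS key ring resource name that the group will point at. The sample key file and the key ring name `dsm-ring` are constructed for the example; the private key body is dummy text, not a real key.

```python
import json
import re

# Constructed sample of a GCP service-account key file (NOT a real key: the
# private_key body is dummy text shaped like PEM). In practice this is the JSON
# file downloaded from the GCP console for the service account.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "fortanix",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkq...DUMMY...\n-----END PRIVATE KEY-----\n",
    "client_email": "dsm-kms-connector@fortanix.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# OAuth scopes the guide lists as required for the connection.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/cloudkms",
    "https://www.googleapis.com/auth/cloud-platform",
)

# Service account IDs and project IDs are 6-30 lowercase letters, digits or
# hyphens; a project ID starts with a letter and does not end with a hyphen.
SA_EMAIL_RE = re.compile(
    r"^[a-z][a-z0-9-]{5,29}@([a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$"
)


def validate_service_account_key(key_json: str, expected_project_id: str) -> list:
    """Return the list of problems found in a key file; an empty list means it looks usable."""
    problems = []
    try:
        data = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    if data.get("type") != "service_account":
        problems.append("'type' is not 'service_account' (user credential files cannot be used here)")

    email = data.get("client_email", "")
    match = SA_EMAIL_RE.match(email)
    if not match:
        problems.append(f"client_email {email!r} is not of the form name@project-id.iam.gserviceaccount.com")
    elif match.group(1) != expected_project_id:
        problems.append(f"client_email belongs to project {match.group(1)!r}, "
                        f"but the form's GCP Project ID is {expected_project_id!r}")

    if data.get("project_id") != expected_project_id:
        problems.append(f"project_id {data.get('project_id')!r} does not match the form's GCP Project ID")

    private_key = data.get("private_key", "")
    if not (private_key.startswith("-----BEGIN PRIVATE KEY-----")
            and private_key.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM-encoded private key block")
    return problems


def location_id(location_label: str) -> str:
    """Accept the console label ('South Carolina (us-east1)') or a bare ID ('us-east1')."""
    match = re.search(r"\(([a-z][a-z0-9-]*)\)\s*$", location_label)
    loc = match.group(1) if match else location_label.strip()
    if not re.fullmatch(r"[a-z][a-z0-9-]*", loc):
        raise ValueError(f"{location_label!r} does not contain a GCP location ID")
    return loc


def key_ring_resource_name(project_id: str, location_label: str, key_ring: str) -> str:
    """Build the Cloud KMS resource name projects/{p}/locations/{l}/keyRings/{r}."""
    if not re.fullmatch(r"[a-zA-Z0-9_-]{1,63}", key_ring):
        raise ValueError(f"{key_ring!r} is not a valid key ring name")
    return f"projects/{project_id}/locations/{location_id(location_label)}/keyRings/{key_ring}"


if __name__ == "__main__":
    issues = validate_service_account_key(SAMPLE_KEY_FILE, "fortanix")
    print("key file problems:", issues or "none")
    print("key ring:", key_ring_resource_name("fortanix", "South Carolina (us-east1)", "dsm-ring"))
    print("scopes to grant:", ", ".join(REQUIRED_SCOPES))
```

A key file that passes this check can still fail TEST CONNECTION if the service account lacks the Cloud KMS Admin role on the project or the key ring does not exist in the selected location; the check only catches the mismatches that are visible in the file itself.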
4.2 Not Connected Scenario
When you click TEST CONNECTION, it is possible that Fortanix DSM is not able to connect to the GCP node. If that happens, it displays a “Not Connected” status with a warning symbol. You can save the connection details you provided and edit them later.
4.3 HSM/KMS Tab
The group details now include an HSM/KMS tab displaying information about your KMS.
The HSM/KMS tab displays the details of the GCP KMS, including the service account email and name of the key ring. You can edit these connection details here.
After editing and saving, click the TEST CONNECTION button to check the connection.
Click the SYNC KEYS button to create virtual copies of all the keys present in the key ring of the location and project provided in the GCP KMS group.
4.4 Groups Table View
After saving the group details, you can view the list of all groups and notice the special symbol next to the newly created group. This symbol indicates that it is a GCP CDC group, distinguishing it from other groups.
4.5 User’s View
Navigate to the Users menu item in the DSM left navigation bar and on the Users page click the user that says “You” to view the user’s detailed view.
The detailed view shows all the groups the user belongs to and indicates which groups are mapped to GCP KMS, displaying their status as "connected" or "not connected."
5.0 GCP Key Ring BYOK and Cloud Native Key Management
For details on how to perform native key lifecycle management in GCP Key Ring using Fortanix DSM, refer to the Fortanix DSM - GCP Key Ring Cloud Native Key Management.
For details on how to perform BYOK key lifecycle management in GCP Key Ring using Fortanix DSM, refer to the Fortanix DSM - GCP Key Ring Bring Your Own Key.