Create an encryption key

This document shows how to create a customer-managed encryption key using Cloud Key Management Service (Cloud KMS). You can use this key to back up data in other Google Cloud services.

Before you begin

  1. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  2. Ensure that you have the Cloud KMS Admin (roles/cloudkms.admin) role or another role that includes the necessary permissions.

Create a regional encryption key

Create a key in the same location as the resources you intend to back up.

Console

  1. In the Google Cloud console, go to the Key Management page.

  2. Select an existing key ring or click Create key ring to create a new one.

  3. Click Create key.

  4. In the Key name field, enter a name for your key.

  5. For Location type, select Region or Multi-region.

  6. In the Location menu, select the same region as the resources you want to back up with this key.

    If the key location and the resource location don't match, operations that use the key fail.

  7. Click Create.

  8. After the key is created, select the key from the list.

  9. Copy the Resource name for future reference.

The resource name has the following format:

projects/PROJECT_ID/locations/REGION/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME
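
The location rule from step 6 can be checked before a key is referenced in a backup configuration. The following shell functions are an added example, not part of the original documentation: the function names and sample values are hypothetical, and the check assumes the key location and the resource location must match as exact strings.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Print the location segment of a Cloud KMS key resource name. Returns 1 unless
# the name has the form
# projects/PROJECT_ID/locations/REGION/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME
kms_key_location() {
    # Reject empty segments, stray slashes, whitespace and glob characters.
    case $1 in
        ''|/*|*/|*//*|*[!A-Za-z0-9_./:-]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=/
    set -- $1            # split on "/" into $1..$8
    IFS=$old_ifs
    [ "$#" -eq 8 ] || return 1
    [ "$1" = projects ] && [ "$3" = locations ] &&
        [ "$5" = keyRings ] && [ "$7" = cryptoKeys ] || return 1
    # Location IDs: lowercase letters, digits, hyphens (e.g. us-central1).
    case $4 in *[!a-z0-9-]*) return 1 ;; esac
    # Key ring and key IDs: [a-zA-Z0-9_-]{1,63} per the Cloud KMS API.
    case $6$8 in *[!A-Za-z0-9_-]*) return 1 ;; esac
    [ "${#6}" -le 63 ] && [ "${#8}" -le 63 ] || return 1
    printf '%s\n' "$4"
}

# Exit status: 0 = locations match, 1 = mismatch, 2 = malformed resource name.
# $1 = key resource name, $2 = location of the resource to back up.
check_key_location() {
    key_loc=$(kms_key_location "$1") || {
        echo "malformed key resource name: $1" >&2
        return 2
    }
    if [ "$key_loc" != "$2" ]; then
        echo "key is in '$key_loc' but the resource is in '$2'" >&2
        return 1
    fi
}

# Constructed sample values.
SAMPLE_KEY="projects/example-project/locations/us-central1/keyRings/backup-ring/cryptoKeys/backup-key"
check_key_location "$SAMPLE_KEY" "us-central1" && echo "key location OK"
```

A non-zero exit status lets a deployment script stop before it creates a backup configuration that would fail at use time.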

What's next