Set up encryption keys for a server
===================================

Last updated 2025-08-25 UTC.

|
| **Preview**
|
| This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section
| of the [Service Specific Terms](/terms/service-terms#1).
|
| Pre-GA features are available "as is" and might have limited support.
|
| For more information, see the [launch stage descriptions](/products#product-launch-stages).

You can set up encryption keys to encrypt your server passwords. These keys are
customer-managed encryption keys (CMEK) that you manage using Cloud Key
Management Service (Cloud KMS). You can set them while provisioning a new server
or while reimaging an existing one. You can use one encryption key with multiple
servers.

Using an encryption key is optional. However, once you set up an encryption key
for a server, you have to keep using one: you can't turn this setting off. You
can, however, change the key or its version.

This feature is available only for the
[Linux OSes supported by Bare Metal Solution](/bare-metal/docs/bms-planning#linux).

Before you begin
----------------

1. Using Cloud KMS, create an encryption key.

   | **Note:** You don't have to create the Cloud KMS key in the same project that contains your Bare Metal Solution server.

   To create an encryption key, follow these steps:

   1. In the project in which you want to create the key,
      [enable the Cloud KMS API](https://console.cloud.google.com/flows/enableapi?apiid=cloudkms.googleapis.com&redirect=https://console.cloud.google.com).
      Do this only once per project.
   2. [Assign the following roles](/iam/docs/manage-access-service-accounts#iam-view-access-sa-gcloud)
      to your Bare Metal Solution service account. Do this only once per project.

      - `roles/cloudkms.viewer`: verify that the [`CryptoKeyVersion`](/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions#CryptoKeyVersion) is available to use.
      - `roles/cloudkms.publicKeyViewer`: retrieve the public key.

      To learn how to grant a role, see
      [Granting roles on a resource](/kms/docs/iam#granting_roles_on_a_resource).

      To assign these roles, use the `gcloud projects add-iam-policy-binding` command:

      ```
      gcloud projects add-iam-policy-binding KMS_PROJECT_ID \
          --member serviceAccount:service-PROJECT_NUMBER@gcp-sa-bms.iam.gserviceaccount.com \
          --role roles/cloudkms.publicKeyViewer
      ```

      ```
      gcloud projects add-iam-policy-binding KMS_PROJECT_ID \
          --member serviceAccount:service-PROJECT_NUMBER@gcp-sa-bms.iam.gserviceaccount.com \
          --role roles/cloudkms.viewer
      ```

      Replace the following:

      - `KMS_PROJECT_ID`: the project that contains your Cloud KMS key
      - `PROJECT_NUMBER`: the project number of the project that contains your Bare Metal Solution server
   3. [Create an asymmetric decryption key](/kms/docs/create-key#create-asymmetric-decrypt).

      | **Important:** You must select the **3072 bit RSA - OAEP Padding - SHA256 Digest** algorithm. Using any other algorithm can result in undecipherable passwords.

      You can create as many keys and versions as required.

Set up encryption keys while provisioning a server
--------------------------------------------------

You can set up an encryption key for a new Bare Metal Solution server while
provisioning it through the [Google Cloud console intake form](/bare-metal/docs/bms-deploy#use_the_console_intake_form_to_enter_your_selections).

To set up an encryption key while provisioning a server, see
[Use the Google Cloud console intake form to enter your selections](/bare-metal/docs/bms-deploy#use_the_console_intake_form_to_enter_your_selections).

Set up encryption keys while reimaging a server
-----------------------------------------------

To set up encryption keys while reimaging a server, see
[Change the OS for a server](/bare-metal/docs/bms-maintenance#change-os-for-server).

View encryption keys and passwords of a server
----------------------------------------------

To view the encryption keys and passwords of a server, follow these steps:

### Console

1. Go to the **Servers** page.

   [Go to Servers](https://console.cloud.google.com/compute/bareMetalSolution/servers)
2. Click the server name.

   On the **Server details** page, view the encryption key in the
   **Password encryption key** field.
3. To view user accounts and their corresponding encrypted passwords, go to
   the **User Accounts** section.

### gcloud

Use the `gcloud alpha bms instances auth-info` command:

```
gcloud alpha bms instances auth-info SERVER_NAME --project=PROJECT_ID --region=REGION
```

Replace the following:

- `SERVER_NAME`: the name of the Bare Metal Solution server
- `PROJECT_ID`: the ID of the project
- `REGION`: the region of the Bare Metal Solution server

Decrypt a password
------------------

To obtain the raw password, follow these steps:

1. Obtain the ciphertext. Use the `gcloud alpha bms instances auth-info`
   command, selecting the `encryptedPassword` field of the user account you
   want:

   ```
   gcloud alpha bms instances auth-info SERVER_NAME \
       --project=PROJECT_ID \
       --region=REGION \
       --format='value(userAccounts.USERNAME.encryptedPassword)' | tr -d ' \n' | base64 -d > CIPHERTEXT_FILE
   ```

   Replace the following:

   - `SERVER_NAME`: the name of your Bare Metal Solution server
   - `PROJECT_ID`: the ID of your Bare Metal Solution project
   - `REGION`: the location of your Bare Metal Solution server
   - `USERNAME`: the username of the account associated with the password you want to decrypt. The value is either `root` or `customeradmin`.
   - `CIPHERTEXT_FILE`: the name of the ciphertext file

   The `tr -d ' \n'` step removes the spaces and newline (`'\n'`) characters
   that cause problems with the format of the password after copying it, and
   `base64 -d` decodes the result into the raw ciphertext.

   Example:

   ```
   gcloud alpha bms instances auth-info my-instance \
       --region=europe-west3 \
       --project=project-testing \
       --format='value(userAccounts.customeradmin.encryptedPassword)' | tr -d ' \n' | base64 -d > ciphertext
   ```

   To obtain the ciphertext from a password copied from the Google Cloud console,
   use the following command:

   ```
   cat ENCRYPTED_PASSWORD_FILE | tr -d ' \n' | base64 -d > CIPHERTEXT_FILE
   ```

   Replace the following:

   - `ENCRYPTED_PASSWORD_FILE`: the file in which you saved the encrypted password. To avoid problems with the format of the password after copying it, remove the spaces and newline (`'\n'`) characters.
   - `CIPHERTEXT_FILE`: the name of the ciphertext file

   Example:

   ```
   cat encrypted_password | tr -d ' \n' | base64 -d > ciphertext
   ```
2. Decrypt the password. Follow the steps in [Decrypt data](/kms/docs/encrypt-decrypt-rsa#decrypt_data).

What's next
-----------

- [Operate your Bare Metal Solution server](/bare-metal/docs/bms-maintenance#operate_a_server).
- [Check the status of a server](/bare-metal/docs/bms-maintenance#check_the_status_of_a_server).
- [Manage servers](/bare-metal/docs/bms-maintenance#manage_servers).
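The following is an added example for the Decrypt a password procedure above; it is not code from the Bare Metal Solution documentation. It wraps the ciphertext normalization step (strip spaces and newlines, then base64-decode) in a shell function that also checks the decoded size, and adds the Cloud KMS decryption call that the linked Decrypt data page performs. Because the required algorithm is 3072-bit RSA-OAEP, a correctly copied ciphertext is always exactly 384 bytes (the RSA modulus size), so any other size means the value was truncated or damaged during copy and paste and the KMS call would fail. The function names are hypothetical, and the key coordinates (`KMS_PROJECT_ID`, `KMS_LOCATION`, `KMS_KEYRING`, `KMS_KEY`, `KMS_VERSION`) are assumed to be supplied as environment variables.

```shell
#!/bin/sh
# Added example (not from the Bare Metal Solution docs): turn an encrypted
# password copied from the console or from gcloud output into a raw ciphertext
# file, sanity-check it, and decrypt it with Cloud KMS.
#
# Assumed (hypothetical) environment: KMS_PROJECT_ID, KMS_LOCATION,
# KMS_KEYRING, KMS_KEY, KMS_VERSION identify the asymmetric decryption key.

# The required algorithm is 3072-bit RSA with OAEP padding and SHA-256, and an
# RSA ciphertext is exactly the modulus length: 3072 bits = 384 bytes.
RSA3072_CIPHERTEXT_BYTES=384

# bms_ciphertext_from_file IN OUT
# Removes the whitespace that copy-paste inserts, base64-decodes the result
# into OUT, and fails (status 2) if the decoded size is not 384 bytes, which
# means the value was truncated, mangled, or not encrypted with RSA-3072.
bms_ciphertext_from_file() {
    in="$1"
    out="$2"
    tr -d ' \n\r\t' < "$in" | base64 -d > "$out" || return 1
    n=$(wc -c < "$out" | tr -d ' ')
    [ "$n" -eq "$RSA3072_CIPHERTEXT_BYTES" ] || {
        echo "unexpected ciphertext size: $n bytes (want $RSA3072_CIPHERTEXT_BYTES)" >&2
        return 2
    }
}

# bms_decrypt_password CIPHERTEXT_FILE PLAINTEXT_FILE
# The Cloud KMS asymmetric decryption step from the linked Decrypt data page.
# The caller needs roles/cloudkms.cryptoKeyDecrypter on the key; the private
# key never leaves Cloud KMS. Requires gcloud, so it is not exercised offline.
bms_decrypt_password() {
    gcloud kms asymmetric-decrypt \
        --project="$KMS_PROJECT_ID" \
        --location="$KMS_LOCATION" \
        --keyring="$KMS_KEYRING" \
        --key="$KMS_KEY" \
        --version="$KMS_VERSION" \
        --ciphertext-file="$1" \
        --plaintext-file="$2"
}

# Usage, with the password saved from the console in encrypted_password:
#   bms_ciphertext_from_file encrypted_password ciphertext && \
#       bms_decrypt_password ciphertext password.txt
```

Keeping the Bare Metal Solution service account limited to `roles/cloudkms.viewer` and `roles/cloudkms.publicKeyViewer`, as the Before you begin section prescribes, means it can only encrypt; the decryption right stays with the operator who holds `roles/cloudkms.cryptoKeyDecrypter`, and each decryption is an auditable Cloud KMS operation.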