Stay organized with collections
Save and categorize content based on your preferences.
This topic describes how to retrieve the endorsement key (EKPub) from a
Shielded VMinstance.
You can retrieve the endorsement key for both the encryption key and the signing
key. You can use the encryption key to encrypt data so that only the vTPM can
read it, or the signing key to verify signatures that the vTPM makes. You can
also use the key to ascertain the identity of a VM instance before sending
sensitive information to it.
You must have the getShieldedInstanceIdentity permission to retrieve
endorsement keys.
Retrieving endorsement keys using the Google Cloud CLI
Use the gcloud compute instances get-shielded-identity command to retrieve
the public portion of the endorsement key from a Shielded VM instance.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis guide outlines the process of retrieving the endorsement key (EKPub) from a Shielded VM instance, including both encryption and signing keys.\u003c/p\u003e\n"],["\u003cp\u003eThe encryption key obtained can be used to encrypt data readable only by the vTPM, while the signing key can verify vTPM-generated signatures, and both keys can verify VM instance identity.\u003c/p\u003e\n"],["\u003cp\u003eRetrieving these endorsement keys requires the \u003ccode\u003egetShieldedInstanceIdentity\u003c/code\u003e permission.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003egcloud compute instances get-shielded-identity\u003c/code\u003e command can be used via the Google Cloud CLI, or alternatively the Compute Engine API can be leveraged to retrieve the endorsement keys, both returning similar results.\u003c/p\u003e\n"]]],[],null,["# Retrieving endorsement keys\n\nThis topic describes how to retrieve the endorsement key (EKPub) from a\nShielded VMinstance.\n\nYou can retrieve the endorsement key for both the encryption key and the signing\nkey. You can use the encryption key to encrypt data so that only the vTPM can\nread it, or the signing key to verify signatures that the vTPM makes. You can\nalso use the key to ascertain the identity of a VM instance before sending\nsensitive information to it.\n\nYou must have the `getShieldedInstanceIdentity` permission to retrieve\nendorsement keys.\n\nRetrieving endorsement keys using the Google Cloud CLI\n------------------------------------------------------\n\nUse the `gcloud compute instances get-shielded-identity` command to retrieve\nthe public portion of the endorsement key from a Shielded VM instance. \n\n gcloud compute instances get-shielded-identity [INSTANCE_NAME]\n\nThe results returned look similar to the following: \n\n```\nencryptionKey:\n ekPub: |\n -----BEGIN PUBLIC KEY-----\n MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4ucWqhLjIkcEJyqc8KJM\n 12345678abcdefghijklmnopqrstuvwxyz12345678abcdefghijklmnopqrstu\n oBSrm0swIu3x4LWR/Ebl5KA0EKe9YFGaS9Pguun1m6X8Ld2zAqmoIwnxDiOqxQEU\n mx2wxkjf0bbjxG5ZI1i3t/c/QzeaE2WWTlKdgnUDyxSloDBq63yywtoIrp1nbDLj\n X8qdBymixu8jXXp1iGwmEUltnEnx779JKTpKgKTEednri+NcfRmXHrnPCxfiPudQ\n 4wIDAQAB\n -----END PUBLIC KEY-----\nkind: compute#shieldedInstanceIdentity\nsigningKey:\n ekPub: |\n -----BEGIN PUBLIC KEY-----\n MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzQvcD+2LAnsXAgdsVYAc\n 12345678abcdefghijklmnopqrstuvwxyz12345678abcdefghijklmnopqrstu\n V/7WHasUuGlkbqiDOuDWgb15FAn35PU64HGey67McZTUT9EvrkT/ryXi4kZgBtoM\n lQIDAQAB\n -----END PUBLIC KEY-----\n```\n\nRetrieving endorsement keys using the Compute Engine API\n--------------------------------------------------------\n\nYou can use the Compute Engine API to view endorsement key information. For\nmore information on how to use the API, see the [How-to guides](/compute/docs/api/how-tos/how-tos). \n\n GET /compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]/getShieldedInstanceIdentity\n\n {\n \"signingKey\": {\n \"ekPub\": [PEM-formatted key]\n },\n \"encryptionKey\": {\n \"ekPub\": [PEM-formatted key]\n },\n \"kind\": \"compute#shieldedInstanceIdentity\"\n }\n\nWhat's next\n-----------\n\n- Learn about [modifying options on a Shielded VM instance](/compute/shielded-vm/docs/modifying-shielded-vm).\n- Learn about one approach to [automating responses to integrity monitoring events](/compute/shielded-vm/docs/automating-responses-integrity-failures)."]]
