The hardware security module (HSM) API provides the resources that the Platform Administrator (PA) uses to control the security keys in their organization. Storage systems in Google Distributed Cloud (GDC) air-gapped, such as Server Keys for disk encryption and the storage data management software for block storage, create the keys and represent them as API resources.
The PA views the keys, pulls their audit logs, and deletes them to cryptographically erase the data they protect. The PA cannot directly create keys; the storage systems create them as necessary.
GDC encrypts all data at rest, and the HSM backs that encryption on all servers. Because you have access to the key resources, you can manage the keys that protect your data at rest. For more details on encryption in GDC, see Encryption at rest.
Service endpoint and discovery document
The discovery document for the HSM API is served by the GDC API server at the following endpoint:
https://GDC_API_SERVER_ENDPOINT/apis/hsm.gdc.goog/v1
Replace GDC_API_SERVER_ENDPOINT with the endpoint of the GDC API server.
To open it in your browser, use the kubectl proxy command. The kubectl proxy command opens a proxy to the Kubernetes API server on your local machine, authenticating with your kubeconfig credentials. While the command is running, access the document through the following URL:
http://127.0.0.1:8001/apis/hsm.gdc.goog/v1
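The following script is an added example, not code from the GDC documentation. It fetches the HSM API discovery document through a running kubectl proxy and lists, per resource, the verbs the API server advertises, so a PA can confirm that the key resources expose get, list and delete but not create. It assumes kubectl proxy is listening on 127.0.0.1:8001 and that the discovery document has the standard Kubernetes APIResourceList shape; the resource names in the embedded sample document are placeholders constructed for the example, not real GDC resource names.

```python
"""Inspect the hsm.gdc.goog/v1 discovery document reached via kubectl proxy.

Added example, not GDC project code. Assumes `kubectl proxy` is running on
127.0.0.1:8001 and that /apis/<group>/<version> returns a Kubernetes
APIResourceList. Resource names in SAMPLE_DOC are placeholders.
"""
import json
import urllib.request

PROXY_BASE = "http://127.0.0.1:8001"
HSM_GROUP_VERSION = "hsm.gdc.goog/v1"


def discovery_url(base=PROXY_BASE, group_version=HSM_GROUP_VERSION):
    """Build the discovery URL for an API group/version behind the local proxy."""
    return f"{base.rstrip('/')}/apis/{group_version}"


def fetch_discovery(url):
    """GET the discovery document over the local proxy. No token is attached
    here: kubectl proxy adds the kubeconfig credentials on the way out."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


def resource_verbs(doc):
    """Map each resource name in an APIResourceList to its sorted verb list."""
    if doc.get("kind") != "APIResourceList":
        raise ValueError(f"unexpected kind {doc.get('kind')!r}")
    return {r["name"]: sorted(r.get("verbs", [])) for r in doc.get("resources", [])}


def creatable_resources(doc):
    """Resources whose discovery entry advertises 'create'.

    The HSM keys are created by the storage systems, not by the PA, so a key
    resource advertising 'create' deserves a second look. Discovery shows what
    the API server supports; RBAC decides what a given PA may actually do.
    """
    return sorted(name for name, verbs in resource_verbs(doc).items() if "create" in verbs)


# Constructed sample document (placeholder resource names) in the
# APIResourceList shape; used when the proxy is not reachable.
SAMPLE_DOC = {
    "kind": "APIResourceList",
    "apiVersion": "v1",
    "groupVersion": HSM_GROUP_VERSION,
    "resources": [
        {"name": "examplekeys", "singularName": "examplekey", "namespaced": True,
         "kind": "ExampleKey", "verbs": ["delete", "get", "list", "watch"]},
        {"name": "examplekeys/status", "singularName": "", "namespaced": True,
         "kind": "ExampleKey", "verbs": ["get"]},
    ],
}

if __name__ == "__main__":
    url = discovery_url()
    try:
        doc = fetch_discovery(url)
        print(f"fetched {url}")
    except OSError as exc:
        print(f"proxy not reachable ({exc}); using constructed sample document")
        doc = SAMPLE_DOC
    for name, verbs in resource_verbs(doc).items():
        print(f"{name}: {' '.join(verbs)}")
    print("resources advertising create:", creatable_resources(doc) or "none")
```

Run kubectl proxy in one terminal and the script in another. The verb list comes from the API server's discovery data, so it tells you what the endpoint supports, not what your identity is allowed to do; for the latter, ask the server directly with kubectl auth can-i against the resource in question.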