The hardware security modules (HSM) API provides the resources that the
Platform Administrator (PA) uses to control the security keys in their organization.
Storage systems in Google Distributed Cloud (GDC) air-gapped, such as Server Keys for
disk encryption and the storage data management software for block storage,
create the keys and represent them as API resources.
The PA views the keys, pulls their audit logs, and deletes them to erase data
graphically. The PA cannot directly create keys; the storage systems create them
as necessary.
GDC encrypts all data at rest. It uses the HSM for all
data at rest and all servers. Because you have access to the resource for keys,
you can manage the keys that protect your data at rest. For more details on
encryption in GDC, see
Encryption at rest.
Service endpoint and discovery document
Use the kubectl proxy command to access the following HSM API endpoint in your
browser and obtain the discovery document for the KMS API:
Replace MANAGEMENT_API_SERVER_ENDPOINT with the endpoint of the
Management API server.
The kubectl proxy command opens a proxy to the Kubernetes API server on your
local machine. When the command is running, access the document through the
following URL:
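Once the discovery document is in hand, a useful check is to confirm which verbs the proxy actually exposes for the key resources, since the page states that a PA can view, audit and delete keys but never create them. The following is an added example, not code from the GDC documentation; it assumes `kubectl proxy` is listening on its default port 8001 and uses a placeholder API group path and constructed resource names, because the real path is not shown on this page.

```python
"""Inspect an HSM API discovery document served through `kubectl proxy`.

Added example; not part of the GDC documentation. Assumptions:
  - `kubectl proxy` is running on 127.0.0.1:8001 (kubectl's default port)
  - the HSM API group/version path below is a placeholder to be replaced
"""
import json
import urllib.request

# Placeholder: substitute the HSM API group/version path from the docs.
HSM_API_PATH = "/apis/PLACEHOLDER_HSM_GROUP/v1"


def fetch_discovery(path=HSM_API_PATH, proxy="http://127.0.0.1:8001"):
    """Fetch an APIResourceList (the discovery document) via the local proxy."""
    with urllib.request.urlopen(proxy + path, timeout=10) as resp:
        return json.load(resp)


def summarize_resources(doc):
    """Map each resource name to its verbs and flag whether an API client
    could create or delete it. For keys, 'client_creatable' should be False:
    only the storage systems create keys, the PA only views/audits/deletes."""
    summary = {}
    for res in doc.get("resources", []):
        verbs = set(res.get("verbs", []))
        summary[res["name"]] = {
            "namespaced": bool(res.get("namespaced", False)),
            "verbs": sorted(verbs),
            "client_creatable": "create" in verbs,
            "deletable": "delete" in verbs,
        }
    return summary


# Constructed sample in the shape of a Kubernetes APIResourceList; the group
# and resource names are illustrative, not GDC's real identifiers.
SAMPLE_DISCOVERY = {
    "kind": "APIResourceList",
    "groupVersion": "PLACEHOLDER_HSM_GROUP/v1",
    "resources": [
        {"name": "keys", "namespaced": True, "kind": "Key",
         "verbs": ["get", "list", "watch", "delete"]},
        {"name": "keys/auditlogs", "namespaced": True, "kind": "KeyAuditLog",
         "verbs": ["get"]},
    ],
}

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_discovery() live.
    for name, info in summarize_resources(SAMPLE_DISCOVERY).items():
        print(name, info)
```

Against a live proxy, replace `SAMPLE_DISCOVERY` with `fetch_discovery()` and treat any key resource that reports `client_creatable` as True as a deviation from the documented model worth investigating.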
Note: Deleting a key permanently erases the data it protects, so exercise extreme caution when deleting keys.

Last updated 2025-03-05 UTC.