Stay organized with collections
Save and categorize content based on your preferences.
Before you can import a key into Cloud KMS, it must be wrapped
using the
PKCS#11CKM_RSA_AES_KEY_WRAP scheme, which includes both RSA-OAEP (which is included
in OpenSSL 1.1 by default) and AES Key Wrap
with Padding (which is not). That mechanism is not included in OpenSSL.
We recommend using the Google Cloud CLI to
wrap each key automatically during
the import. If you must wrap your keys manually due to compliance or regulatory
requirements, you must first recompile OpenSSL to add support for AES Key Wrap
with Padding. After recompiling OpenSSL, you can
wrap the key manually.
Before you begin
Do not overwrite your system's built-in OpenSSL binaries with the
patched binaries produced by following the procedures in this topic. For example,
do not install the patched OpenSSL directly into /usr. If you follow this
procedure exactly, the patched OpenSSL is built in $HOME/build and installed
into $HOME/local/bin.
If ${HOME}/local/bin already exists, back up its contents or move those files
elsewhere before following the steps in this topic.
Patch and install OpenSSL v1.1.0
If you choose to use OpenSSL to manually wrap your keys before importing them
into Cloud KMS, OpenSSL v1.1.0 is required, with the following
patch applied. You will need to compile OpenSSL and install it into a location
separate from your system's default OpenSSL installation.
Download the source for OpenSSL 1.1.0l release from
https://www.openssl.org/source.
This is the latest release in the 1.1.0 code line. Do not use a newer
version of OpenSSL, such as v1.1.1, in this procedure. The patch will fail
to apply.
Extract the archive to ${HOME}/build/openssl/ using the following command.
This command overrides the default directory, which includes the version of
OpenSSL and changes often. Replace
/path/to/downloaded-openssl.tar.gz with the path to the downloaded
.tar.gz archive.
# Create the directory for the eventual OpenSSL binaries
mkdir -p ${HOME}/local/ssl
# Create the build directory
mkdir -p ${HOME}/build/openssl
# Extract the archive to ${HOME}/build/openssl
tar xzvf /path/to/downloaded-openssl.tar.gz \
-C ${HOME}/build/openssl/ \
--strip-components 1
Apply a custom patch to the extracted OpenSSL source, using the following
commands.The patch enables the EVP_CIPHER_CTX_FLAG_WRAP_ALLOW flag.
Run the following commands to build the OpenSSL binaries and libraries from
the patched source, test the build for validity, and install the binaries
and libraries into the ${HOME}/local directory.
CPUS=$(getconf _NPROCESSORS_ONLN)
cd ${HOME}/build/openssl
./config --prefix=${HOME}/local --openssldir=${HOME}/local/ssl
make -j${CPUS}
make test
make install
Do not omit or modify the --prefix or --openssldir flags, to ensure that
you do not overwrite the system's OpenSSL installation.
Run the following command to check that the new OpenSSL binary installed
successfully:
test -x ${HOME}/local/bin/openssl || echo FAIL
You should see no output if the binaries are installed correctly. If you see
FAIL, check the output of the make, make test, and make install
commands you ran earlier.
The patched OpenSSL binaries are dynamically linked against the OpenSSL
libraries in ${HOME}/local/ssl/lib/, but the ld command does not
index these libraries by default. Run the following commands to create a
wrapper script that adds the patched libraries to the ${LD_LIBRARY_PATH}
before invoking the CLI for the patched OpenSSL.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Configuring OpenSSL for manual key wrapping\n\nBefore you can import a key into Cloud KMS, it must be wrapped\nusing the\n[PKCS#11](https://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908)\n`CKM_RSA_AES_KEY_WRAP` scheme, which includes both `RSA-OAEP` (which is included\nin OpenSSL 1.1 by default) and AES Key Wrap\nwith Padding (which is not). That mechanism is not included in OpenSSL.\n\nWe recommend using the Google Cloud CLI to\n[wrap each key automatically](/kms/docs/importing-a-key#request_import) during\nthe import. If you must wrap your keys manually due to compliance or regulatory\nrequirements, you must first recompile OpenSSL to add support for AES Key Wrap\nwith Padding. After recompiling OpenSSL, you can\n[wrap the key manually](/kms/docs/wrapping-a-key).\n| **Important:** If you use automatic wrapping, do not follow these steps. Instead, you need to [install the Pyca cryptographic library](/kms/docs/crypto), which works with the OpenSSL binaries already installed on your local system. The Google Cloud CLI can use that library to automatically wrap your key during the import request.\n\nBefore you begin\n----------------\n\n| **Caution:** These steps require advanced knowledge of Linux. Most users should allow the Google Cloud CLI command to [automatically wrap and import](/kms/docs/importing-a-key#automatically_wrap_and_import) keys instead of following the instructions in this topic.\n\nDo not overwrite your system's built-in OpenSSL binaries with the\npatched binaries produced by following the procedures in this topic. For example,\ndo not install the patched OpenSSL directly into `/usr`. If you follow this\nprocedure exactly, the patched OpenSSL is built in `$HOME/build` and installed\ninto `$HOME/local/bin`.\n\nIf `${HOME}/local/bin` already exists, back up its contents or move those files\nelsewhere before following the steps in this topic.\n\nPatch and install OpenSSL v1.1.0\n--------------------------------\n\nIf you choose to use OpenSSL to manually wrap your keys before importing them\ninto Cloud KMS, OpenSSL v1.1.0 is required, with the following\npatch applied. You will need to compile OpenSSL and install it into a location\nseparate from your system's default OpenSSL installation.\n\n1. Download the source for OpenSSL 1.1.0l release from\n [https://www.openssl.org/source](https://www.openssl.org/source/old/1.1.0/openssl-1.1.0l.tar.gz).\n This is the latest release in the 1.1.0 code line. Do not use a newer\n version of OpenSSL, such as v1.1.1, in this procedure. The patch will fail\n to apply.\n\n2. Extract the archive to `${HOME}/build/openssl/` using the following command.\n This command overrides the default directory, which includes the version of\n OpenSSL and changes often. Replace\n \u003cvar translate=\"no\"\u003e/path/to/downloaded-openssl.tar.gz\u003c/var\u003e with the path to the downloaded\n `.tar.gz` archive.\n\n ```\n # Create the directory for the eventual OpenSSL binaries\n mkdir -p ${HOME}/local/ssl\n\n # Create the build directory\n mkdir -p ${HOME}/build/openssl\n\n # Extract the archive to ${HOME}/build/openssl\n tar xzvf /path/to/downloaded-openssl.tar.gz \\\n -C ${HOME}/build/openssl/ \\\n --strip-components 1\n ```\n3. Apply a custom patch to the extracted OpenSSL source, using the following\n commands.The patch enables the `EVP_CIPHER_CTX_FLAG_WRAP_ALLOW` flag.\n\n | **Warning:** This patch fails to apply to versions of OpenSSL other than v1.1.0l.\n\n\n ```none\n cd ${HOME}/build\n cat \u003c\u003c-EOF | patch -d . -p0\n --- orig/openssl/apps/enc.c 2020-01-17 14:39:54.991708785 -0500\n +++ openssl/apps/enc.c 2020-01-17 14:41:33.215704269 -0500\n @@ -482,6 +482,7 @@\n */\n\n BIO_get_cipher_ctx(benc, &ctx);\n + EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);\n\n if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {\n BIO_printf(bio_err, \"Error setting cipher %s\\n\",\n EOF\n ```\n\n \u003cbr /\u003e\n\n4. Run the following commands to build the OpenSSL binaries and libraries from\n the patched source, test the build for validity, and install the binaries\n and libraries into the `${HOME}/local` directory.\n\n ```none\n CPUS=$(getconf _NPROCESSORS_ONLN)\n cd ${HOME}/build/openssl\n ./config --prefix=${HOME}/local --openssldir=${HOME}/local/ssl\n make -j${CPUS}\n make test\n make install\n ```\n\n Do not omit or modify the `--prefix` or `--openssldir` flags, to ensure that\n you do not overwrite the system's OpenSSL installation.\n5. Run the following command to check that the new OpenSSL binary installed\n successfully:\n\n ```none\n test -x ${HOME}/local/bin/openssl || echo FAIL\n ```\n\n You should see no output if the binaries are installed correctly. If you see\n `FAIL`, check the output of the `make`, `make test`, and `make install`\n commands you ran earlier.\n6. The patched OpenSSL binaries are dynamically linked against the OpenSSL\n libraries in `${HOME}/local/ssl/lib/`, but the `ld` command does not\n index these libraries by default. Run the following commands to create a\n wrapper script that adds the patched libraries to the `${LD_LIBRARY_PATH}`\n before invoking the CLI for the patched OpenSSL.\n\n\n ```\n cat \u003e ${HOME}/local/bin/openssl.sh \u003c\u003c-EOF\n #!/bin/bash\n env LD_LIBRARY_PATH=${HOME}/local/lib/ ${HOME}/local/bin/openssl \"\\$@\"\n EOF\n chmod u+x ${HOME}/local/bin/openssl.sh\n ```\n\n \u003cbr /\u003e\n\n7. Check that the version of OpenSSL that the script starts is the version you\n just built and installed, using the following command:\n\n ```\n ${HOME}/local/bin/openssl.sh version\n ```\n\nYou can now invoke the `${HOME}/local/bin/openssl.sh` wrapper script to\n[manually wrap keys for import](/kms/docs/wrapping-a-key)."]]