hands-on lab

Managing Encryption Keys With Google Cloud KMS

Up to 1h
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.


If you are a security engineer or if you are responsible for the security of the resources in the cloud, you know that encryption keys are essential for encrypting data at REST. For this purpose, Google launched Cloud KMS (Key Management Service). Cloud KMS is a managed service that lets users create, rotate, and handle encryption keys for Google Cloud services such as Cloud SQL databases and Compute Engine disks. By using Cloud KMS, you can handle AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys. In this lab, you will first learn the basic concepts of Cloud KMS, and you will create a Key Ring, a symmetric encryption key and you will understand how to manually rotate and destroy an encryption key.

Learning Objectives

Upon completion of this lab you will be able to:

  • Understand the core concepts of Cloud KMS
  • Define a Key Ring
  • Create symmetric encryption keys
  • Manually rotate an encryption key
  • Destroy and encryption key

Intended Audience

This lab is intended for:

  • Google Cloud Professional Security Engineer (PSE) certification candidates
  • Security Engineers who want to handle encryption at REST on Google Cloud
  • Individuals who want to better understand how to handle encryption keys on Google Cloud


Basic knowledge of encryption is a plus, but it's not required.


December 14th, 2021 - Update the lab to reflect the latest console experience

Environment before

Environment after

About the author

Learning paths

Stefano studies Computer Science and is passionate about technology. He loves working with Cloud services and learning all the best practices for them. Google Cloud Platform and Amazon Web Services are the cloud providers he prefers. He is a Google Cloud Certified Associate Cloud Engineer. Node.js is the programming language he always uses to code. When he's not involved in studying or working, Stefano loves riding his motorbike and exploring new places.

Covered topics

Lab steps

Signing In to the Google Cloud Console
Understanding Core Concepts of Cloud KMS
Creating a Cloud KMS Key Ring
Creating a Symmetric Encryption Key
Performing a Manual Rotation of the Encryption Key
Destroying a Cloud KMS Encryption Key