File: //snap/google-cloud-cli/396/help/man/man1/gcloud_beta_kms_keys_create.1
.TH "GCLOUD_BETA_KMS_KEYS_CREATE" 1
.SH "NAME"
.HP
gcloud beta kms keys create \- create a new key
.SH "SYNOPSIS"
.HP
\f5gcloud beta kms keys create\fR (\fIKEY\fR\ :\ \fB\-\-keyring\fR=\fIKEYRING\fR\ \fB\-\-location\fR=\fILOCATION\fR) \fB\-\-purpose\fR=\fIPURPOSE\fR [\fB\-\-allowed\-access\-reasons\fR=[\fIALLOWED_ACCESS_REASONS\fR,...]] [\fB\-\-crypto\-key\-backend\fR=\fICRYPTO_KEY_BACKEND\fR] [\fB\-\-default\-algorithm\fR=\fIDEFAULT_ALGORITHM\fR] [\fB\-\-destroy\-scheduled\-duration\fR=\fIDESTROY_SCHEDULED_DURATION\fR] [\fB\-\-import\-only\fR] [\fB\-\-labels\fR=[\fIKEY\fR=\fIVALUE\fR,...]] [\fB\-\-next\-rotation\-time\fR=\fINEXT_ROTATION_TIME\fR] [\fB\-\-protection\-level\fR=\fIPROTECTION_LEVEL\fR;\ default="software"] [\fB\-\-rotation\-period\fR=\fIROTATION_PERIOD\fR] [\fB\-\-skip\-initial\-version\-creation\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]
.SH "DESCRIPTION"
\fB(BETA)\fR Creates a new key within the given keyring.
The flag \f5\-\-purpose\fR is always required when creating a key. The flag
\f5\-\-default\-algorithm\fR is required when creating a symmetric signing key,
an asymmetric key, or an external key. Algorithm and purpose should be
compatible.
The optional flags \f5\-\-rotation\-period\fR and \f5\-\-next\-rotation\-time\fR
define a rotation schedule for the key. A schedule can also be defined by the
\f5\-\-create\-rotation\-schedule\fR command.
The flag \f5\-\-next\-rotation\-time\fR must be in ISO 8601 or RFC3339 format,
and \f5\-\-rotation\-period\fR must be in the form INTEGER[UNIT], where units can be
one of seconds (s), minutes (m), hours (h) or days (d).
The optional flag \f5\-\-protection\-level\fR specifies the physical environment
where crypto operations with the key happen. The default is
\f5\fIsoftware\fR\fR; use \f5\fIhsm\fR\fR to create a hardware\-backed key,
\f5\fIexternal\fR\fR to create an externally backed key, or
\f5\fIexternal\-vpc\fR\fR to create an external key over VPC.
The optional flag \f5\-\-labels\fR defines a user specified key/value pair for
the given key.
The flag \f5\-\-skip\-initial\-version\-creation\fR creates a CryptoKey with no
versions. If you import into the CryptoKey, or create a new version in that
CryptoKey, there will be no primary version until one is set using the
\f5\-\-set\-primary\-version\fR command. You must include
\f5\-\-skip\-initial\-version\-creation\fR when creating a CryptoKey with
protection level \f5\fIexternal\fR\fR or \f5\fIexternal\-vpc\fR\fR.
The optional flag \f5\-\-import\-only\fR restricts the key to imported key
versions only. To do so, the flag \f5\-\-skip\-initial\-version\-creation\fR
must also be set.
The optional flag \f5\-\-destroy\-scheduled\-duration\fR defines the destroy
schedule for the key, and must be in the form INTEGER[UNIT], where units can be
one of seconds (s), minutes (m), hours (h) or days (d).
The flag \f5\-\-crypto\-key\-backend\fR defines the resource name for the
backend where the key resides. Required for \f5\fIexternal\-vpc\fR\fR keys.
The optional flag \f5\-\-allowed\-access\-reasons\fR defines the Key Access
Justifications Policy for the key, and is specified as a comma separated list of
zero or more justification codes defined in
https://cloud.google.com/assured\-workloads/key\-access\-justifications/docs/justification\-codes.
The key must be enrolled in Key Access Justifications to use this flag.
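As an added example that is not part of this man page or of gcloud itself, the
following POSIX shell script encodes the flag rules described above as a local
pre\-flight check, so that a key request violating them (an
\f5\fIexternal\fR\fR key without \f5\-\-skip\-initial\-version\-creation\fR, an
\f5\fIexternal\-vpc\fR\fR key without \f5\-\-crypto\-key\-backend\fR,
\f5\-\-import\-only\fR without the initial version skipped, or a malformed
\f5\-\-rotation\-period\fR, \f5\-\-destroy\-scheduled\-duration\fR or
\f5\-\-labels\fR value) is rejected before it reaches the KMS API. The
purpose\-to\-algorithm pairing in \f5algo_matches_purpose\fR is an assumption
derived from the algorithm name prefixes listed under
\f5\-\-default\-algorithm\fR; this page only says the two must be compatible.
The function names and the sample flag values are constructed for the example,
and nothing in it invokes gcloud.

```shell
# Pre-flight check for a `gcloud beta kms keys create` invocation.
# Added example; not part of the gcloud man page or of gcloud itself.
# It encodes the flag rules stated in DESCRIPTION so a misconfigured request
# is rejected locally, before any KMS API call. Nothing here runs gcloud.
LC_ALL=C; export LC_ALL    # make [a-z] ranges byte-wise, independent of locale

# INTEGER[UNIT] with UNIT one of s, m, h, d (rotation period, destroy duration).
is_duration() {
    num=${1%?}             # all but the last character
    unit=${1#"$num"}       # the last character
    [ -n "$num" ] || return 1
    case "$num" in *[!0-9]*) return 1 ;; esac
    case "$unit" in s|m|h|d) return 0 ;; *) return 1 ;; esac
}

# One KEY=VALUE label: key starts with a lowercase letter; key and value use
# only lowercase letters, digits, hyphens and underscores.
is_label() {
    case "$1" in *=*) ;; *) return 1 ;; esac
    key=${1%%=*}
    val=${1#*=}
    case "$key" in [a-z]*) ;; *) return 1 ;; esac
    case "$key" in *[!a-z0-9_-]*) return 1 ;; esac
    case "$val" in *[!a-z0-9_-]*) return 1 ;; esac
    return 0
}

# Comma-separated list of labels, as given to --labels.
is_label_list() {
    rest=$1
    while [ -n "$rest" ]; do
        case "$rest" in
            *,*) pair=${rest%%,*}; rest=${rest#*,} ;;
            *)   pair=$rest; rest="" ;;
        esac
        is_label "$pair" || return 1
    done
    return 0
}

# ASSUMED purpose/algorithm pairing, derived from the algorithm name prefixes
# in the --default-algorithm list; the man page gives no explicit table.
algo_matches_purpose() {
    case "$1:$2" in
        encryption:google-symmetric-encryption)   return 0 ;;
        encryption:external-symmetric-encryption) return 0 ;;
        raw-encryption:aes-*)                     return 0 ;;
        asymmetric-signing:ec-sign-*)             return 0 ;;
        asymmetric-signing:rsa-sign-*)            return 0 ;;
        asymmetric-signing:pq-sign-*)             return 0 ;;
        asymmetric-encryption:rsa-decrypt-*)      return 0 ;;
        mac:hmac-*)                               return 0 ;;
        key-encapsulation:kem-*)                  return 0 ;;
        key-encapsulation:ml-kem-*)               return 0 ;;
        *)                                        return 1 ;;
    esac
}

# Validate the flags of one `gcloud beta kms keys create` call. Prints the
# first violated rule and returns 1; returns 0 when every rule passes.
check_key_request() {
    purpose="" algo="" level="software" backend="" skip=0 import_only=0
    for arg in "$@"; do
        case "$arg" in
            --purpose=*)                     purpose=${arg#*=} ;;
            --default-algorithm=*)           algo=${arg#*=} ;;
            --protection-level=*)            level=${arg#*=} ;;
            --crypto-key-backend=*)          backend=${arg#*=} ;;
            --skip-initial-version-creation) skip=1 ;;
            --import-only)                   import_only=1 ;;
            --rotation-period=*|--destroy-scheduled-duration=*)
                is_duration "${arg#*=}" || { echo "bad duration: $arg"; return 1; } ;;
            --labels=*)
                is_label_list "${arg#*=}" || { echo "bad labels: $arg"; return 1; } ;;
        esac
    done
    [ -n "$purpose" ] || { echo "--purpose is required"; return 1; }
    case "$level" in
        software|hsm|external|external-vpc) ;;
        *) echo "unknown protection level: $level"; return 1 ;;
    esac
    # external and external-vpc keys must be created without an initial version
    case "$level" in external|external-vpc)
        [ "$skip" = 1 ] || { echo "$level needs --skip-initial-version-creation"; return 1; } ;;
    esac
    # external-vpc keys must name their EkmConnection backend
    if [ "$level" = external-vpc ] && [ -z "$backend" ]; then
        echo "external-vpc needs --crypto-key-backend"; return 1
    fi
    # import-only keys also need the initial version skipped
    if [ "$import_only" = 1 ] && [ "$skip" != 1 ]; then
        echo "--import-only needs --skip-initial-version-creation"; return 1
    fi
    # --default-algorithm is required except for a software/hsm "encryption"
    # key, whose default is google-symmetric-encryption
    if [ -z "$algo" ]; then
        case "$purpose:$level" in
            encryption:software|encryption:hsm) ;;
            *) echo "--default-algorithm is required for $purpose/$level"; return 1 ;;
        esac
    elif ! algo_matches_purpose "$purpose" "$algo"; then
        echo "algorithm $algo does not match purpose $purpose"; return 1
    fi
    return 0
}

# Constructed demo: the "legolas" request from this page passes, the same
# request without --skip-initial-version-creation is rejected.
check_key_request --purpose=encryption --protection-level=external --default-algorithm=external-symmetric-encryption --skip-initial-version-creation && echo "legolas: ok"
check_key_request --purpose=encryption --protection-level=external --default-algorithm=external-symmetric-encryption || echo "(rejected as expected)"
```

Run the check with the exact flag list you intend to pass to gcloud; flags it
does not know about (\f5\-\-location\fR, \f5\-\-keyring\fR,
\f5\-\-allowed\-access\-reasons\fR, \f5\-\-next\-rotation\-time\fR) are passed
through untouched, so the same argument list can go straight to the real
command once the check returns 0.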
.SH "EXAMPLES"
The following command creates a key named \f5\fIfrodo\fR\fR with protection
level \f5\fIsoftware\fR\fR within the keyring \f5\fIfellowship\fR\fR and
location \f5\fIus\-east1\fR\fR:
.RS 2m
$ gcloud beta kms keys create frodo \-\-location=us\-east1 \e
\-\-keyring=fellowship \-\-purpose=encryption
.RE
The following command creates a key named \f5\fIstrider\fR\fR with protection
level \f5\fIsoftware\fR\fR within the keyring \f5\fIrangers\fR\fR and location
\f5\fIglobal\fR\fR with a specified rotation schedule:
.RS 2m
$ gcloud beta kms keys create strider \-\-location=global \e
\-\-keyring=rangers \-\-purpose=encryption \-\-rotation\-period=30d \e
\-\-next\-rotation\-time=2017\-10\-12T12:34:56.1234Z
.RE
The following command creates a raw encryption key named \f5\fIfoo\fR\fR with
protection level \f5\fIsoftware\fR\fR within the keyring \f5\fIfellowship\fR\fR
and location \f5\fIus\-east1\fR\fR with two specified labels:
.RS 2m
$ gcloud beta kms keys create foo \-\-location=us\-east1 \e
\-\-keyring=fellowship \-\-purpose=raw\-encryption \e
\-\-default\-algorithm=aes\-128\-cbc \-\-labels=env=prod,team=kms
.RE
The following command creates an asymmetric key named \f5\fIsamwise\fR\fR with
protection level \f5\fIsoftware\fR\fR and default algorithm
\f5\fIec\-sign\-p256\-sha256\fR\fR within the keyring \f5\fIfellowship\fR\fR and
location \f5\fIus\-east1\fR\fR:
.RS 2m
$ gcloud beta kms keys create samwise \-\-location=us\-east1 \e
\-\-keyring=fellowship \-\-purpose=asymmetric\-signing \e
\-\-default\-algorithm=ec\-sign\-p256\-sha256
.RE
The following command creates a key named \f5\fIgimli\fR\fR with protection
level \f5\fIhsm\fR\fR and default algorithm
\f5\fIgoogle\-symmetric\-encryption\fR\fR within the keyring
\f5\fIfellowship\fR\fR and location \f5\fIus\-east1\fR\fR:
.RS 2m
$ gcloud beta kms keys create gimli \-\-location=us\-east1 \e
\-\-keyring=fellowship \-\-purpose=encryption \-\-protection\-level=hsm
.RE
The following command creates a key named \f5\fIlegolas\fR\fR with protection
level \f5\fIexternal\fR\fR and default algorithm
\f5\fIexternal\-symmetric\-encryption\fR\fR within the keyring
\f5\fIfellowship\fR\fR and location \f5\fIus\-central1\fR\fR:
.RS 2m
$ gcloud beta kms keys create legolas \-\-location=us\-central1 \e
\-\-keyring=fellowship \-\-purpose=encryption \e
\-\-default\-algorithm=external\-symmetric\-encryption \e
\-\-protection\-level=external \-\-skip\-initial\-version\-creation
.RE
The following command creates a key named \f5\fIbilbo\fR\fR with protection
level \f5\fIexternal\-vpc\fR\fR and default algorithm
\f5\fIexternal\-symmetric\-encryption\fR\fR and an EkmConnection of
\f5\fIeagles\fR\fR within the keyring \f5\fIfellowship\fR\fR and location
\f5\fIus\-central1\fR\fR:
.RS 2m
$ gcloud beta kms keys create bilbo \-\-location=us\-central1 \e
\-\-keyring=fellowship \-\-purpose=encryption \e
\-\-default\-algorithm=external\-symmetric\-encryption \e
\-\-protection\-level=external\-vpc \e
\-\-skip\-initial\-version\-creation \e
\-\-crypto\-key\-backend="projects/$(gcloud config get project)/locations/us\-central1/ekmConnections/eagles"
.RE
The following command creates a key named \f5\fIarwen\fR\fR with protection
level \f5\fIsoftware\fR\fR within the keyring \f5\fIfellowship\fR\fR and
location \f5\fIus\-east1\fR\fR with a Key Access Justifications policy that
allows access reasons \f5\fIcustomer\-initiated\-access\fR\fR and
\f5\fIgoogle\-initiated\-system\-operation\fR\fR:
.RS 2m
$ gcloud beta kms keys create arwen \-\-location=us\-east1 \e
\-\-keyring=fellowship \-\-purpose=encryption \e
\-\-allowed\-access\-reasons=customer\-initiated\-access,\e
google\-initiated\-system\-operation
.RE
.SH "POSITIONAL ARGUMENTS"
.RS 2m
.TP 2m
Key resource \- The KMS key resource. The arguments in this group can be used to
specify the attributes of this resource. (NOTE) Some attributes are not given
arguments in this group but can be set in other ways.
To set the \f5project\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5key\fR on the command line with a fully specified name;
.IP "\(em" 2m
set the property \f5core/project\fR.
.RE
.sp
This must be specified.
.RS 2m
.TP 2m
\fIKEY\fR
ID of the key or fully qualified identifier for the key.
To set the \f5key\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5key\fR on the command line.
.RE
.sp
This positional argument must be specified if any of the other arguments in this
group are specified.
.TP 2m
\fB\-\-keyring\fR=\fIKEYRING\fR
The KMS keyring of the key.
To set the \f5keyring\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5key\fR on the command line with a fully specified name;
.IP "\(bu" 2m
provide the argument \f5\-\-keyring\fR on the command line.
.RE
.sp
.TP 2m
\fB\-\-location\fR=\fILOCATION\fR
The Google Cloud location for the key.
To set the \f5location\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5key\fR on the command line with a fully specified name;
.IP "\(bu" 2m
provide the argument \f5\-\-location\fR on the command line.
.RE
.sp
.RE
.RE
.sp
.SH "REQUIRED FLAGS"
.RS 2m
.TP 2m
\fB\-\-purpose\fR=\fIPURPOSE\fR
The "purpose" of the key. \fIPURPOSE\fR must be one of:
\fBasymmetric\-encryption\fR, \fBasymmetric\-signing\fR, \fBencryption\fR,
\fBkey\-encapsulation\fR, \fBmac\fR, \fBraw\-encryption\fR.
.RE
.sp
.SH "OPTIONAL FLAGS"
.RS 2m
.TP 2m
\fB\-\-allowed\-access\-reasons\fR=[\fIALLOWED_ACCESS_REASONS\fR,...]
The list of allowed Key Access Justifications access reasons on the key. The key
must be enrolled in Key Access Justifications to configure this field. By
default, this field is absent, and all justification codes are allowed. For more
information about justification codes, see
https://cloud.google.com/assured\-workloads/key\-access\-justifications/docs/justification\-codes.
\fIALLOWED_ACCESS_REASONS\fR must be one of:
\fBcustomer\-authorized\-workflow\-servicing\fR,
\fBcustomer\-initiated\-access\fR, \fBcustomer\-initiated\-support\fR,
\fBgoogle\-initiated\-review\fR, \fBgoogle\-initiated\-service\fR,
\fBgoogle\-initiated\-system\-operation\fR,
\fBgoogle\-response\-to\-production\-alert\fR,
\fBmodified\-customer\-initiated\-access\fR,
\fBmodified\-google\-initiated\-system\-operation\fR,
\fBreason\-not\-expected\fR, \fBreason\-unspecified\fR,
\fBthird\-party\-data\-request\fR.
.TP 2m
\fB\-\-crypto\-key\-backend\fR=\fICRYPTO_KEY_BACKEND\fR
The resource name of the backend environment where the key material for all
CryptoKeyVersions associated with this CryptoKey resides and where all related
cryptographic operations are performed. Currently only applicable to
EXTERNAL_VPC keys, where the value is an EkmConnection resource name.
.TP 2m
\fB\-\-default\-algorithm\fR=\fIDEFAULT_ALGORITHM\fR
The default algorithm for the crypto key. For more information about choosing an
algorithm, see https://cloud.google.com/kms/docs/algorithms.
\fIDEFAULT_ALGORITHM\fR must be one of: \fBaes\-128\-cbc\fR,
\fBaes\-128\-ctr\fR, \fBaes\-128\-gcm\fR, \fBaes\-256\-cbc\fR,
\fBaes\-256\-ctr\fR, \fBaes\-256\-gcm\fR, \fBec\-sign\-ed25519\fR,
\fBec\-sign\-p256\-sha256\fR, \fBec\-sign\-p384\-sha384\fR,
\fBec\-sign\-secp256k1\-sha256\fR, \fBexternal\-symmetric\-encryption\fR,
\fBgoogle\-symmetric\-encryption\fR, \fBhmac\-sha1\fR, \fBhmac\-sha224\fR,
\fBhmac\-sha256\fR, \fBhmac\-sha384\fR, \fBhmac\-sha512\fR, \fBkem\-xwing\fR,
\fBml\-kem\-1024\fR, \fBml\-kem\-768\fR,
\fBpq\-sign\-hash\-slh\-dsa\-sha2\-128s\-sha256\fR, \fBpq\-sign\-ml\-dsa\-65\fR,
\fBpq\-sign\-slh\-dsa\-sha2\-128s\fR, \fBrsa\-decrypt\-oaep\-2048\-sha1\fR,
\fBrsa\-decrypt\-oaep\-2048\-sha256\fR, \fBrsa\-decrypt\-oaep\-3072\-sha1\fR,
\fBrsa\-decrypt\-oaep\-3072\-sha256\fR, \fBrsa\-decrypt\-oaep\-4096\-sha1\fR,
\fBrsa\-decrypt\-oaep\-4096\-sha256\fR, \fBrsa\-decrypt\-oaep\-4096\-sha512\fR,
\fBrsa\-sign\-pkcs1\-2048\-sha256\fR, \fBrsa\-sign\-pkcs1\-3072\-sha256\fR,
\fBrsa\-sign\-pkcs1\-4096\-sha256\fR, \fBrsa\-sign\-pkcs1\-4096\-sha512\fR,
\fBrsa\-sign\-pss\-2048\-sha256\fR, \fBrsa\-sign\-pss\-3072\-sha256\fR,
\fBrsa\-sign\-pss\-4096\-sha256\fR, \fBrsa\-sign\-pss\-4096\-sha512\fR,
\fBrsa\-sign\-raw\-pkcs1\-2048\fR, \fBrsa\-sign\-raw\-pkcs1\-3072\fR,
\fBrsa\-sign\-raw\-pkcs1\-4096\fR.
.TP 2m
\fB\-\-destroy\-scheduled\-duration\fR=\fIDESTROY_SCHEDULED_DURATION\fR
The amount of time that versions of the key should spend in the
DESTROY_SCHEDULED state before transitioning to DESTROYED. See $ gcloud topic
datetimes for information on duration formats.
.TP 2m
\fB\-\-import\-only\fR
Restrict this key to imported versions only.
.TP 2m
\fB\-\-labels\fR=[\fIKEY\fR=\fIVALUE\fR,...]
List of label KEY=VALUE pairs to add.
Keys must start with a lowercase character and contain only hyphens (\f5\-\fR),
underscores (\f5_\fR), lowercase characters, and numbers. Values must contain
only hyphens (\f5\-\fR), underscores (\f5_\fR), lowercase characters, and
numbers.
.TP 2m
\fB\-\-next\-rotation\-time\fR=\fINEXT_ROTATION_TIME\fR
Next automatic rotation time of the key. See $ gcloud topic datetimes for
information on time formats.
.TP 2m
\fB\-\-protection\-level\fR=\fIPROTECTION_LEVEL\fR; default="software"
Protection level of the key. \fIPROTECTION_LEVEL\fR must be one of:
\fBsoftware\fR, \fBhsm\fR, \fBexternal\fR, \fBexternal\-vpc\fR.
.TP 2m
\fB\-\-rotation\-period\fR=\fIROTATION_PERIOD\fR
Automatic rotation period of the key. See $ gcloud topic datetimes for
information on duration formats.
.TP 2m
\fB\-\-skip\-initial\-version\-creation\fR
Skip creating the first version in a key and setting it as primary during
creation.
.RE
.sp
.SH "GCLOUD WIDE FLAGS"
These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.
Run \fB$ gcloud help\fR for details.
.SH "NOTES"
This command is currently in beta and might change without notice. These
variants are also available:
.RS 2m
$ gcloud kms keys create
.RE
.RS 2m
$ gcloud alpha kms keys create
.RE