• Tink Cryptographic Library
  • Tink Cryptographic Library
  • Guides
  • What is Tink?
  • Install Tink
  • How to use Tink
  • How Tink works
  • I want to...
    • Encrypt data
    • Encrypt large files or data streams
    • Exchange data
    • Protect data from tampering
    • Sign data
    • Use client-side encryption with a cloud provider
  • Key management
  • Overview
  • Protect keys with an external KMS
    • Create a key in an external KMS
    • Get a key URI
    • Get key credentials
  • Use Tinkey to manage keys
    • Tinkey overview
    • Install Tinkey
    • Tinkey command reference
  • Generate an encrypted keyset
  • Generate a plaintext keyset
  • Key management best practices
    • Managing key rotation
    • Create a new key for each purpose
  • Advanced topics
  • I want to encrypt data deterministically
  • I want to protect structured data
  • I want to bind ciphertext to its context
  • I want to meet FIPS 140-2 requirements
  • I want to learn about the Tink wire format
  • Troubleshooting
  • Known issues
  • Contributing to Tink
  • How to contribute to Tink
  • Reference
  • Glossary
  • Authenticated Encryption with Associated Data (AEAD)
  • Streaming AEAD
  • Deterministic AEAD
  • Message Authentication Code (MAC)
  • Hybrid encryption
  • Digital signature
  • Primitives supported by language
  • Key types supported by language
  • Release notes
  • Home
  • Products
  • Tink

Create a key in an external KMS

To protect your keys, you need to create a key encryption key (KEK) in your external Key Management System (KMS). Refer to the documentation for your KMS to learn how:

  • Google Cloud KMS
  • Amazon KMS
  • HashiCorp Vault
Note: If you are using Tink's Java implementation with an external KMS, make sure to add the appropriate dependency to your Java config.

Next:

  • Get a key URI
  • Get key credentials

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2021-04-02 UTC.

  • Connect

    • Blog
    • Facebook
    • Medium
    • Twitter
    • YouTube

  • Programs

    • Women Techmakers
    • Google Developer Groups
    • Google Developers Experts
    • Accelerators
    • Developer Student Clubs

  • Developer consoles

    • Google API Console
    • Google Cloud Platform Console
    • Google Play Console
    • Firebase Console
    • Actions on Google Console
    • Cast SDK Developer Console
    • Chrome Web Store Dashboard
Google Developers
  • Android
  • Chrome
  • Firebase
  • Google Cloud Platform
  • All products
  • Terms
  • Privacy
  • Sign up for the Google Developers newsletter Subscribe