---
title: Implementing a MasterKeyEncryptor using Google Cloud KMS
description: During initial startup, PingFederate automatically generates a randomized master key, which by default isn't encrypted. If you're running in Google Cloud, you can configure PingFederate to use Google Cloud Key Management Services (KMS) to encrypt the master key.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_implement_masterkey_encrypt_google_cloud_kms
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_implement_masterkey_encrypt_google_cloud_kms.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  result: Result
---

# Implementing a MasterKeyEncryptor using Google Cloud KMS

During initial startup, PingFederate automatically generates a randomized master key, which by default isn't encrypted. If you're running in Google Cloud, you can configure PingFederate to use Google Cloud Key Management Services (KMS) to encrypt the master key.

## Before you begin

* Make sure that you have an active connection to Google Cloud. Learn more about [setting up Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication/provide-credentials-adc) for authentication in the Google Cloud documentation.

* Use Google Cloud KMS to generate a key to use for the PingFederate master key encryption. Learn more about [generating keys](https://cloud.google.com/kms/docs/create-key) in the Google KMS documentation.

## About this task

To configure the encryption of the PingFederate master key, modify two files:

* `service-points.conf`

* `com.pingidentity.crypto.jwk.MasterKeySet.xml`

## Steps

1. Stop PingFederate.

2. Open `<pf_install>/pingfederate/server/default/conf/service-points.conf` in a text editor.

3. Locate the `master.key.encryptor` property:

   ```
   master.key.encryptor=com.pingidentity.crypto.jwk.NoOpMasterKeyEncryptor
   ```

4. To enable master key encryption using Google Cloud KMS, replace the line shown in step 3 with the following line:

   ```
   master.key.encryptor=com.pingidentity.pingcommons.gcp.key.GcpKmsMasterKeyEncryptor
   ```

5. Save and close the file.

6. Open `<pf_install>/pingfederate/server/default/data/config-store/com.pingidentity.crypto.jwk.MasterKeySet.xml` in a text editor.

   The contents of the file before the change are shown here:

   ```xml
   <?xml version="1.0" encoding="UTF-8"?>
   <con:config xmlns:con="http://www.sourceid.org/2004/05/config">
       <!--
           Uncomment the below attribute to use an external key for encryption of PF Master Key.

           <con:item name="keyId"> put the key Id here </con:item>
       -->
       <con:item name="jwkEncrypted">false</con:item>
   </con:config>
   ```

   Uncomment the `<con:item name="keyId">` element and specify the key that you generated using Google Cloud KMS. The key ID is the resource ID of the key in Google Cloud KMS. For example, after you've made the change, the file might look like the following:

   ```xml
   <?xml version="1.0" encoding="UTF-8"?>
   <con:config xmlns:con="http://www.sourceid.org/2004/05/config">
       <con:item name="keyId">projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}</con:item>
       <con:item name="jwkEncrypted">false</con:item>
   </con:config>
   ```

   Note: You can also set the key ID using the environment variable `PI_GCP_MASTER_KEY_ENCRYPTOR_KEY_ID`. If the key ID is set in both `MasterKeySet.xml` and the environment variable, and they're different, PingFederate uses the key ID in `MasterKeySet.xml`.

7. Save and close the file.

8. Start PingFederate.
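The file edits in steps 2 through 7, scripted so that they can be applied and checked the same way on every instance. This is an added example and not Ping Identity's code: it assumes `PF_INSTALL` points at the PingFederate install root and `KMS_KEY_ID` holds the Cloud KMS key resource ID, and the function names (`validate_kms_key_id`, `set_encryptor`, `write_master_key_set`, `check_env_precedence`, `verify_config`) are the example's own. The key-ID check enforces the resource-name shape shown in step 6, and the precedence check reports when `PI_GCP_MASTER_KEY_ENCRYPTOR_KEY_ID` is also set but differs from the file, since in that case the file's value is the one PingFederate uses.

```shell
#!/bin/sh
# Added example, not Ping Identity's code. Applies steps 2-7 of the procedure
# above and checks the result. Assumed inputs: PF_INSTALL (PingFederate install
# root) and KMS_KEY_ID (the Cloud KMS CryptoKey resource ID to use).
# Stop PingFederate before running this (step 1) and start it afterwards (step 8).
set -eu

GCP_ENCRYPTOR=com.pingidentity.pingcommons.gcp.key.GcpKmsMasterKeyEncryptor

# Accept only a CryptoKey resource name of the form
# projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}.
# A CryptoKeyVersion path or a value with XML-significant characters is rejected,
# so the accepted value can be written into MasterKeySet.xml without escaping.
validate_kms_key_id() {
  printf '%s\n' "$1" | grep -Eq \
    '^projects/[A-Za-z0-9_-]+/locations/[A-Za-z0-9_-]+/keyRings/[A-Za-z0-9_-]+/cryptoKeys/[A-Za-z0-9_-]+$'
}

# Steps 3-4: point master.key.encryptor at the GCP KMS encryptor. Idempotent:
# an existing line is replaced (whatever encryptor it names), otherwise one is appended.
set_encryptor() {
  file="$1"
  tmp="$file.tmp"
  if grep -q '^master\.key\.encryptor=' "$file"; then
    sed "s|^master\.key\.encryptor=.*|master.key.encryptor=$GCP_ENCRYPTOR|" "$file" > "$tmp"
  else
    cat "$file" > "$tmp"
    printf 'master.key.encryptor=%s\n' "$GCP_ENCRYPTOR" >> "$tmp"
  fi
  mv "$tmp" "$file"
}

# Step 6: rewrite MasterKeySet.xml with the keyId item uncommented and filled in.
# The existing jwkEncrypted value is preserved (it is "false" in a fresh install).
write_master_key_set() {
  file="$1"
  key_id="$2"
  validate_kms_key_id "$key_id" || { printf 'invalid Cloud KMS key ID: %s\n' "$key_id" >&2; return 1; }
  jwk_encrypted=false
  if [ -f "$file" ]; then
    found=$(sed -n 's/.*<con:item name="jwkEncrypted">\([^<]*\)<.*/\1/p' "$file")
    [ -z "$found" ] || jwk_encrypted="$found"
  fi
  cat > "$file" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<con:config xmlns:con="http://www.sourceid.org/2004/05/config">
    <con:item name="keyId">$key_id</con:item>
    <con:item name="jwkEncrypted">$jwk_encrypted</con:item>
</con:config>
EOF
}

# The environment variable is an alternative source for the key ID, but when both are
# set and differ, PingFederate uses the value in MasterKeySet.xml. Flag that so the
# operator is not surprised by which key is in use.
check_env_precedence() {
  key_id="$1"
  env_id="${PI_GCP_MASTER_KEY_ENCRYPTOR_KEY_ID:-}"
  if [ -n "$env_id" ] && [ "$env_id" != "$key_id" ]; then
    printf 'warning: PI_GCP_MASTER_KEY_ENCRYPTOR_KEY_ID=%s differs from MasterKeySet.xml keyId; the file value wins\n' "$env_id" >&2
    return 1
  fi
  return 0
}

# Post-edit check: the encryptor line is present exactly once and keyId is filled in.
verify_config() {
  conf="$1"
  xml="$2"
  [ "$(grep -c "^master\.key\.encryptor=$GCP_ENCRYPTOR\$" "$conf")" = 1 ] &&
    grep -q '<con:item name="keyId">projects/' "$xml"
}

# Run the whole procedure when both assumed inputs are provided.
if [ -n "${KMS_KEY_ID:-}" ] && [ -n "${PF_INSTALL:-}" ]; then
  conf_dir="$PF_INSTALL/pingfederate/server/default/conf"
  store_dir="$PF_INSTALL/pingfederate/server/default/data/config-store"
  set_encryptor "$conf_dir/service-points.conf"
  write_master_key_set "$store_dir/com.pingidentity.crypto.jwk.MasterKeySet.xml" "$KMS_KEY_ID"
  check_env_precedence "$KMS_KEY_ID" || true
  verify_config "$conf_dir/service-points.conf" \
    "$store_dir/com.pingidentity.crypto.jwk.MasterKeySet.xml" &&
    echo "master key encryption configured; start PingFederate"
fi
```

Run it as `PF_INSTALL=/path/to/install KMS_KEY_ID=projects/.../cryptoKeys/... sh configure-gcp-kms.sh` with PingFederate stopped. Because `set_encryptor` replaces whatever encryptor is currently named, the script is safe to re-run, and because the key ID is validated before any file is written, a typo in the resource name leaves both files untouched.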

## Result

After configuring and starting PingFederate, the PingFederate master key file, `pf.jwk`, is encrypted.
