secp256k1 key for signing Hedera transactions. This solution ensures that your private keys are stored securely in Google Cloud’s Hardware Security Module.
SDK constraint: In Rust, C++, and Swift, the one-shot In JavaScript, Java, Python, and Go, the one-shot method accepts
setECDSAKeyWithAlias() / set_ecdsa_key_with_alias() / keyWithAlias() methods require a local PrivateKey and cannot be used in HSM flows. In these SDKs, use the manual two-step pattern:PublicKey directly.Prerequisites
Before you begin, ensure you have:- A Google Cloud Platform (GCP) account with billing enabled
- Google Cloud SDK (gcloud) installed and configured (Installation Instructions)
- Node.js (version 18.0.0 or higher)
- A Hedera Testnet account. If you don’t have one, you can register at the Hedera Developer Portal
Part 1: Google Cloud HSM Setup
1. Enable Required APIs
Enable the Cloud KMS API for your project.2. Create a Key Ring
Create a key ring to organize your keys. Key rings must be created in a specific location.3. Create an HSM-Backed Key
Create asecp256k1 key with HSM protection. This requires Cloud HSM, which provides FIPS 140-2 Level 3 certified hardware.
Note: HSM protection level requires Cloud HSM, which may have additional costs. For development, you can use
software protection level, but for production, HSM is recommended.4. Set Up Service Account
Create a service account for your application to authenticate with GCP.5. Grant Permissions
Grant the service account permission to use the key for signing operations.6. Create and Download Service Account Key
Create a key file for the service account to authenticate your application.Part 2: Application Setup
1. Install Dependencies
Create a new Node.js project and install the required dependencies.2. Create the .env File
Create a .env file with your GCP credentials and Hedera account details.
3. Create the Signer Function
Create a custom signer function that uses Google Cloud KMS to sign transaction bytes.4. Create and Sign a Transaction
Use the custom signer to create and sign a Hedera transaction.Part 3: Verification
1. Verify Key Configuration
Verify that your KMS key is configured correctly:purpose: ASYMMETRIC_SIGNalgorithm: EC_SIGN_P256_SHA256protectionLevel: HSM