Skip to main content
This tutorial demonstrates how to use a Google Cloud HSM-backed secp256k1 key for signing Hedera transactions. This solution ensures that your private keys are stored securely in Google Cloud’s Hardware Security Module.
SDK constraint: In Rust, C++, and Swift, the one-shot setECDSAKeyWithAlias() / set_ecdsa_key_with_alias() / keyWithAlias() methods require a local PrivateKey and cannot be used in HSM flows. In these SDKs, use the manual two-step pattern:
In JavaScript, Java, Python, and Go, the one-shot method accepts PublicKey directly.

Prerequisites

Before you begin, ensure you have:
  • A Google Cloud Platform (GCP) account with billing enabled
  • Google Cloud SDK (gcloud) installed and configured (Installation Instructions)
  • Node.js (version 18.0.0 or higher)
  • A Hedera Testnet account. If you don’t have one, you can register at the Hedera Developer Portal

Part 1: Google Cloud HSM Setup

1. Enable Required APIs

Enable the Cloud KMS API for your project.

2. Create a Key Ring

Create a key ring to organize your keys. Key rings must be created in a specific location.

3. Create an HSM-Backed Key

Create a secp256k1 key with HSM protection. This requires Cloud HSM, which provides FIPS 140-2 Level 3 certified hardware.
Note: HSM protection level requires Cloud HSM, which may have additional costs. For development, you can use software protection level, but for production, HSM is recommended.

4. Set Up Service Account

Create a service account for your application to authenticate with GCP.

5. Grant Permissions

Grant the service account permission to use the key for signing operations.

6. Create and Download Service Account Key

Create a key file for the service account to authenticate your application.

Part 2: Application Setup

1. Install Dependencies

Create a new Node.js project and install the required dependencies.

2. Create the .env File

Create a .env file with your GCP credentials and Hedera account details.

3. Create the Signer Function

Create a custom signer function that uses Google Cloud KMS to sign transaction bytes.

4. Create and Sign a Transaction

Use the custom signer to create and sign a Hedera transaction.

Part 3: Verification

1. Verify Key Configuration

Verify that your KMS key is configured correctly:
The output should show:
  • purpose: ASYMMETRIC_SIGN
  • algorithm: EC_SIGN_P256_SHA256
  • protectionLevel: HSM

2. Test Transaction Signing

Run your application and verify that transactions are being signed successfully with the GCP HSM key.

Cleanup

To avoid ongoing charges, delete the KMS key and related resources when you’re done:
Important: Deleting a KMS key is irreversible after the retention period. Make sure you have backups of any data before deletion.

Resources