Supporting compliance with key management

This page provides information about supporting compliance with key management using encryption for Assured Workloads.


Encryption key management is fundamental to supporting regulatory compliance of Google Cloud resources. Assured Workloads supports compliance through encryption in the following ways:

  1. CJIS or ITAR: Mandated customer-managed keys and separation of duties, and optional for Impact Level 4 (IL4) and Impact Level 5 (IL5).

    1. CMEK: Assured Workloads mandates the use of customer-managed encryption keys (CMEK) to support these control packages.
    2. Key management project: Assured Workloads creates a key management project to align with NIST 800-53 security controls, the key management project is separated from resource folders to establish separation of duties between security administrators and developers.
    3. Key ring: Assured Workloads also creates a key ring to store your keys. The CMEK project restricts key ring creation to compliant locations that you select. After you create the key ring, you manage creating or importing encryption keys. Strong encryption, key management, and separation of duties all support positive security and compliance outcomes on Google Cloud.

  2. Other control packages (including IL4 and IL5): Google-managed keys and other encryption options.

Encryption strategies

This section describes Assured Workloads encryption strategies.

Assured Workloads CMEK Creation

CMEK lets you have advanced controls over your data and key management by enabling you to manage your complete key lifecycle, from creation to deletion. This capability is critical to supporting cryptographic erase requirements in the Cloud Computing SRG.


CMEK-integrated services

CMEK covers the following services, which store customer data for CJIS.

Other services: Custom Key Management

For services that aren't integrated with CMEK, or for customers whose control packages don't require CMEK, Assured Workloads customers have the option to use Google-managed Cloud Key Management Service keys. This option is offered in order to provide customers with additional options for key management to fit your organizational needs. Today, CMEK integration is limited to the in-scope services which support CMEK capabilities. Google-managed KMS is an acceptable encryption method as it covers all Google Cloud products and services by default providing FIPS 140-2 validated encryption in transit and at rest.

For other products supported by Assured Workloads, see Supported products by control package.

Key management roles

Administrators and developers typically support compliance and security best practices through key management and separation of duties. For example, while developers might have access to the Assured Workloads resources folder, administrators have access to the CMEK key management project.


Administrators typically control access to the encryption project and the key resources within it. The administrators are responsible for allocating key resource IDs to developers to encrypt resources. This practice separates the management of keys from the development process and provides the security administrators with the ability to manage encryption keys centrally in the CMEK project.

Security administrators can use the following encryption key strategies with Assured Workloads:


During development, when you provision and configure in-scope Google Cloud resources that require a CMEK encryption key, you request the resource ID of the key from your administrator. If you don't use CMEK, we recommend that you use Google-managed keys to ensure data is encrypted.

The request method is determined by your organization as part of your documented security processes and procedures.

What's next