Identity & Security

Use third-party keys in the cloud with Cloud External Key Manager, now beta

At Google Cloud Next UK last month, we announced the alpha version of Google Cloud’s External Key Manager (Cloud EKM). Today, Cloud EKM is available in beta, so we wanted to provide a deeper look at what Cloud EKM is and how it can be valuable for your organization. 

In a first for any public cloud, Cloud EKM will let you achieve full separation between your data and your encryption keys. At its heart, Cloud EKM lets you protect data at rest in BigQuery and Compute Engine using encryption keys that are stored and managed in a third-party key management system that’s deployed outside Google’s infrastructure.

Cloud EKM.png
Cloud EKM provides the bridge between Cloud KMS and an external key manager.

This approach offers several unique security benefits: 

  • Maintain key provenance over your third-party keys. You have strict control over the creation, location, and distribution of your keys.  

  • Full control over who accesses your keys. Because keys are always stored outside Google Cloud, you can enforce that access to data at rest for BigQuery and Compute Engine requires an external key. 

  • Centralized key management. Use one key manager for both on-premises and cloud-based keys, ensuring a single policy point and allowing enterprises to easily take advantage of hybrid deployments. 

To make Cloud EKM easy to implement, we are working with five industry-leading key management vendors: Equinix, Fortanix, Ionic, Thales, and Unbound. (The Ionic and Fortanix integrations are ready today; Equinix, Thales, and Unbound are coming soon.) Check out the videos below to learn more.

Equinix and Cloud EKM

Fortanix and Cloud EKM

Ionic and Cloud EKM

Thales and Cloud EKM

Unbound and Cloud EKM

For more information on Cloud EKM, including how to get started, check out the documentation.