Identity & Security

Built-in transparency, automation, and interoperability for Cloud KMS

Cloud KMS helps customers implement scalable, centralized, fast cloud key management for their projects and apps on Google Cloud. As use of Cloud KMS has grown, many organizations have looked for ways to better understand crypto assets and to make more informed decisions around data management and compliance.  In response, the Cloud KMS team is pleased to announce several new features to help customers meet goals around increased transparency, improved interoperability, and greater automation as they use Cloud KMS.

Transparency: Key Inventory Dashboard

One major request we’ve heard from our largest adopters of Cloud KMS is for improved transparency around their crypto inventory. The newly-launched Key Inventory Dashboard helps customers more easily explore, search, and review the keys used in their organization, all from one place in the Google Cloud Console.

The Key Inventory Dashboard gives you comprehensive information about your cryptographic keys, such as key name, creation date, latest and next rotation dates, and rotation frequency, among many other attributes. These details are presented in a table, which makes it easy to sort and filter keys by attribute.

Figure: The Key Inventory Dashboard summarizes details about each key in a project, including key name, region, and rotation frequency.
Figure: Filtering results in the Key Inventory Dashboard using key attributes.

The Key Inventory Dashboard is just the first step -- stay tuned for announcements in the coming months about additional ways we’re bringing increased transparency to customers’ key inventory.

Interoperability: PKCS#11

Today, customers need to use the Cloud KMS API to make use of Cloud KMS or Cloud HSM. But we know that many customers want (and sometimes need) to use the PKCS#11 standard to allow their applications to make use of Google Cloud cryptography. We want to support these needs while also giving customers more options for easily integrating their applications and infrastructure with Google Cloud.

Our Cloud KMS PKCS#11 Library, an open source project now in General Availability, allows you to access software keys in Cloud KMS or hardware keys in Cloud HSM and use them for encryption and decryption operations through the PKCS#11 v2.40 API. Additionally, we are announcing that this library is being made available as an open source project, and we welcome the community's contributions for possible inclusion in subsequent versions.

Our investment in the PKCS#11 library is one of several efforts to make it easier for customers to integrate their applications and infrastructure with Google Cloud. As we continue to plan new ways for customers to make use of Cloud KMS, we welcome additional customer feedback about which encryption features and methods will be most helpful in bringing more data and workloads to Google Cloud.

Automation: Variable Key Destruction and Fast Key Deletion

Through improved automation, customers can now decide how long after they schedule a key for destruction the destruction actually occurs, and they get additional assurance about how quickly Google fully purges destroyed key material.

For newly created or imported software or hardware keys, customers may use our new Variable Key Destruction feature to specify how long a key remains in the "Scheduled for destruction" state after a customer requests that it be destroyed: between 0-120 days for imported keys, and between 1-120 days for non-imported keys created within Google Cloud. This increased control and automation means that customers can choose the destruction window that is right for them. Customers who need keys destroyed very shortly after requesting destruction can rest assured that this will happen more quickly; those who want a longer window to guard against inadvertent key destruction may opt for that instead. In all cases, customers may specify a key destruction window with day, hour, or even minute-level granularity.

Once a customer key has been destroyed, our new Fast Key Deletion functionality, rolling out by late October, assures customers that all remnants of their destroyed key material will be fully purged from all parts of Google's infrastructure. Fast Key Deletion reduces Google's data deletion commitment on destroyed keys from 180 days to 45 days. This means that all traces of destroyed key material will now be completely removed from Google's data centers no later than 45 days after the time of destruction.

While Google completely purges all key material that customers want destroyed, customers who import keys to Google Cloud now have a new option to recover keys after destruction. With the new Key Re-Import feature, imported keys previously in the "Destroyed" state can be restored to "Enabled" by re-uploading the original key material. Re-Import can be performed via the command-line interface or via the Cloud Console. This allows customers who purposefully or accidentally destroyed an imported key to later re-import it.

Figure: Key Re-Import allows customers to re-import key material for keys that were previously destroyed.
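To make the Variable Key Destruction bounds above and the inventory-review idea from the dashboard section concrete, here is an added example (not code from the original post or from Google): it checks a requested destruction window against the ranges this post states, builds the corresponding key-creation request body, and audits a small constructed inventory for keys that fall below a policy minimum. The REST field names used (destroyScheduledDuration, importOnly, rotationPeriod) are my assumptions about the CryptoKey resource, not something this post specifies.

```python
# Added example, not from the original post. Field names below are assumed
# to match the Cloud KMS REST CryptoKey resource; treat them as assumptions.
from datetime import timedelta
from typing import List, Optional, Tuple

DAY = 86400  # seconds


def destroy_duration(window: timedelta, imported: bool) -> str:
    """Return the Duration string ("<seconds>s") for a key's destroy window.

    Bounds from the post: 0-120 days for imported keys, 1-120 days for keys
    created inside Google Cloud, with minute-level granularity.
    """
    secs = int(window.total_seconds())
    lower = 0 if imported else DAY
    if secs < lower or secs > 120 * DAY:
        raise ValueError(f"destroy window {window} outside allowed range")
    if secs % 60:
        raise ValueError("destroy window must be a whole number of minutes")
    return f"{secs}s"


def key_create_body(window: timedelta, imported: bool,
                    rotation_days: Optional[int] = None) -> dict:
    """Build a CryptoKey creation body with an explicit destroy window."""
    body = {"purpose": "ENCRYPT_DECRYPT",
            "destroyScheduledDuration": destroy_duration(window, imported)}
    if imported:
        body["importOnly"] = True          # key material will be imported
    if rotation_days:
        body["rotationPeriod"] = f"{rotation_days * DAY}s"
    return body


def audit_keys(keys: List[dict],
               min_window: timedelta = timedelta(days=1)) -> List[Tuple[str, str]]:
    """Flag keys with a short destroy window (accidental-destruction risk)
    or no automatic rotation, the two attributes the dashboard surfaces."""
    findings = []
    for key in keys:
        window = key.get("destroyScheduledDuration")
        if window is None:
            findings.append((key["name"], "destroy window not set explicitly"))
        elif timedelta(seconds=int(window.rstrip("s"))) < min_window:
            findings.append((key["name"], "destroy window below policy minimum"))
        if "rotationPeriod" not in key:
            findings.append((key["name"], "no automatic rotation configured"))
    return findings


# Constructed sample inventory (placeholder names, not real keys).
SAMPLE_KEYS = [
    {"name": "cryptoKeys/pay", "destroyScheduledDuration": "2592000s",
     "rotationPeriod": "7776000s"},
    {"name": "cryptoKeys/tmp", "destroyScheduledDuration": "3600s"},
]
```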

What’s Next for Cloud KMS

We’re continuing our work to make encryption from Google Cloud the most complete, secure, and easy-to-use of any major cloud provider. Stay tuned for further updates on how we’re working to deliver additional transparency, interoperability, and automation. As always, we welcome your feedback. To learn more about all the features of Cloud KMS, see our documentation.