Jump to Content
Security & Identity

What's new with Cloud EKM

April 11, 2022
https://storage.googleapis.com/gweb-cloudblog-publish/images/cyber_map_security_2880x1200.max-2600x2600.jpg
Jasika Bawa

Product Manager, Google Cloud

Google Cloud External Key Manager (Cloud EKM) lets you protect your cloud data with encryption keys that are stored and managed in a third-party key management system outside Google Cloud’s infrastructure. This allows you to achieve full separation between your encryption keys and your data stored in the cloud, making you the ultimate arbiter of access to your data. We are continuously innovating and developing the functionality of Cloud EKM, so let's explore some recent updates we’ve made.

New functionality

Available today, we have added several much-anticipated features to Cloud EKM to help meet customer requirements:

Cloud EKM over VPC

Many customers want to incorporate an additional layer of security and reliability when connecting their key manager to the cloud. To help meet this need, we are introducing Cloud EKM support for Virtual Private Cloud (VPC) networks. This support allows Cloud EKM to connect via a secured private network, giving customers stricter control over network access to their external key manager. For more information, see Using Cloud EKM with VPC.

Support for asymmetric keys

In addition to symmetric encryption keys, Cloud EKM now recognizes both RSA as well as Elliptic Curve asymmetric keys created in a supported external key manager. With support for asymmetric keys, you can sign approvals granted via Access Approval. Asymmetric keys can add a layer of assurance when granting administrative access to customer data. You can also use the external asymmetric keys to sign data just as you would a cloud native key. For more information, see Asymmetric signing keys.

Protection level organization policy

We've made a new organization policy available for Cloud KMS that allows for fine-grained control over what types of keys are used. By using this org policy, you can specify that only specified KMS key types, for example EXTERNAL or EXTERNAL_VPC, may be created. This function can help meet specific requirements for separation of data or data sovereignty, ensuring only externally-managed keys are used with certain workloads. For more information, see Organization policy constraints.

Cloud EKM supports the Google Cloud services which typically store customers' most sensitive data assets, and we are constantly adding support for more services. For example, we recently added Cloud EKM support for Cloud Storage, allowing customers to leverage Google-scale storage while adhering to local regulations and holding their keys in their own key manager. For a complete list, see our currently supported services, and if you're interested in using Cloud EKM with a GCP service that is not yet supported, you can make feature suggestions here.

Best practices for Cloud EKM

The newly published Reference architectures for reliable deployment of Cloud EKM services guide provides recommendations for running a highly available and reliable external key manager integrated with Cloud EKM. These recommendations answer some of the most common questions and concerns we’ve heard from customers. The recommendations are aimed at operators of an external key manager, meaning that if a supported partner operates your EKM, you might share some of these responsibilities with a partner, depending on the design of their product and how it integrates with Cloud EKM.

Take encryption into your own hands

Being deliberate about encryption is critical for securing your sensitive data on Google Cloud. We’re always evolving our encryption products to meet your needs and help you achieve your business goals, and we hope that the additional features mentioned in this blog will allow you to make better use of your key management infrastructure. To get started with Cloud EKM, check out our documentation to learn more or try it for yourself in the GCP console.

Posted in