Cloud External Key Manager

Encrypt data with encryption keys that are stored and managed in a third-party key management system.



Store and manage encryption keys outside of Google Cloud

Cloud External Key Manager (Cloud EKM) lets you encrypt data in BigQuery and Compute Engine with encryption keys that are stored and managed in a third-party key management system that’s deployed outside Google’s infrastructure. External Key Manager allows you to maintain separation between your data at rest and your encryption keys while still leveraging the power of cloud for compute and analytics.


Maintain key provenance

Visibility into who has access to your keys, when they have been used, and where they are located.


Full control over key access

Enforce that access to data at rest for BigQuery and Compute Engine requires an external key.


Centralized key management

Use one key manager for both on-premises and cloud-based keys, ensuring a single policy point.

Features

Create external keys

Generate your external key using one of the following external key managers: Equinix, Fortanix, Ionic, Thales, and Unbound. Once you have linked your external key with Cloud KMS, you can use it to protect data at rest in BigQuery and Compute Engine.

Simple configuration

Create an externally managed key directly from the Cloud KMS console.

Create a KMS key ring in one of the regions recommended by your external key manager.

Key and data separation

Maintain separation between your data at rest and your encryption keys while still leveraging the power of cloud for compute and analytics.

Product architecture

With External Key Manager, enterprises can protect data in BigQuery and Compute Engine with encryption keys stored in the third-party key management system of their choice.
A diagram that shows how External Key Manager protects data in BigQuery and Compute Engine with encryption keys stored in a third-party key management system.

Partners

Google Cloud partners with industry-leading external key management vendors.


Pricing

Cloud EKM is priced at $0.03 per 10,000 operations and $3.00 per key version per month.
