Store and manage encryption keys outside of Google Cloud
Cloud External Key Manager (Cloud EKM) lets you encrypt data in BigQuery and Compute Engine with encryption keys that are stored and managed in a third-party key management system deployed outside Google's infrastructure. External Key Manager lets you keep your data at rest separate from your encryption keys while still using the cloud for compute and analytics.
Maintain key provenance
Gain visibility into who has access to your keys, when they have been used, and where they are located.
Full control over key access
Enforce that access to data at rest for BigQuery and Compute Engine requires an external key.
Centralized key management
Use one key manager for both on-premises and cloud-based keys, ensuring a single policy point.
Create external keys
Generate your external key using one of the following external key managers: Equinix, Fortanix, Ionic, Thales, or Unbound. Once you have linked your external key to Cloud KMS, you can use it to protect data at rest in BigQuery and Compute Engine.
Create an externally managed key directly from the Cloud KMS console.
Link external keys to a KMS key
Create a KMS key ring in one of the regions recommended by your external key manager.
Key and data separation
Keep your data at rest separate from your encryption keys while still using the cloud for compute and analytics.
Google Cloud partners with industry-leading external key management vendors.
Cloud EKM is priced at $0.03 per 10,000 operations and $3.00 per key version per month.