Cloud HSMBETA

Protect your cryptographic keys in a fully managed cloud-hosted hardware security module (HSM) service.

Enterprise Grade Access Control

Overview

Cloud HSM is a cloud-hosted hardware security module (HSM) service on Google Cloud Platform. With Cloud HSM, you can host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs. With this fully managed service, you can protect your most sensitive workloads without the need to worry about the operational overhead of managing an HSM cluster.

cryptographic keys

Maintain control over cryptographic keys

With Cloud HSM, the keys that you create and use cannot be removed from HSMs. Using Cloud HSM, you can verifiably attest that your cryptographic keys were created within a hardware device.

satisfy compliance requirements

Help satisfy compliance requirements

Cloud HSM can help you meet compliance mandates requiring that keys and crypto operations be performed within a hardware environment. With Cloud HSM, it’s simple to generate keys protected by a FIPS 140-2 Level 3 device.

Automate time-consuming

Automate time-consuming tasks

With this fully managed HSM service, you don’t need to deal with the administrative overhead of tasks like cluster management, scaling, and patching. Simply interface with and automate your use of the service through APIs.

Easily integrate

Easily integrate with Cloud KMS

Cloud HSM service is fully integrated with Cloud Key Management Service (KMS), which allows you to easily create and use customer-managed encryption keys (CMEK) that are generated and protected by a FIPS 140-2 Level 3 hardware device.

Pay for what you use

Pay for what you use

With this API-based service, you only pay for the HSM operations that you perform. With Cloud HSM, you can reduce costs associated with maintaining on-premises HSMs.

Cloud HSM features

Symmetric and asymmetric key support

Encrypt, decrypt, and sign with AES-256 symmetric and RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 asymmetric cryptographic keys.

Statement attestation

Verify that a key was created in the HSM with attestation tokens generated for key creation operations.

Integration with Cloud KMS

Generate and store customer-managed encryption keys in Cloud HSM.

Multi-region support

Cloud HSM is available in several global locations and in multi-regions, allowing you to place your service where you want for low latency and high availability. Once a key is created in a particular region, it’s bound to the hardware devices in that region.

Cloud HSM pricing

Cloud HSM pricing includes a flat rate for key versions and a usage rate for key operations.

Key operations Price per 10,000 operations
AES256, RSA 2048 $0.03
RSA 3072, RSA 4096 $0.15
EC P256, EC P384 $0.15

Key versions Price per month
AES256, RSA2048 $1.00
RSA 3072, RSA 4096 0–2000 key versions: $2.50
2001+ key versions: $1.00
EC P256, EC P384 0–2000 key versions: $2.50
2001+ key versions: $1.00

Resources and integrations

Try tutorials, launch quickstarts, and explore reviews.

Encryption at Rest in Google Cloud Platform

Encryption in Transit in Google Cloud

Cloud Key Management Service (KMS)

Google Cloud

Get started

Learn and build

New to GCP? Get started with any GCP product for free with a $300 credit.

Need more help?

Our experts will help you build the right solution or find the right partner for your needs.

This product is in beta. For more information on our product launch stages, see here.