Cloud HSM is a cloud-hosted hardware security module (HSM) service on Google Cloud Platform. With Cloud HSM, you can host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs. With this fully managed service, you can protect your most sensitive workloads without the need to worry about the operational overhead of managing an HSM cluster.
Maintain control over cryptographic keys
With Cloud HSM, the keys that you create and use cannot be removed from HSMs. Using Cloud HSM, you can verifiably attest that your cryptographic keys were created within a hardware device.
Help satisfy compliance requirements
Cloud HSM can help you meet compliance mandates requiring that key and crypto operations be performed within a hardware environment. With Cloud HSM, it’s simple to generate keys protected by a FIPS 140-2 Level 3 device.
Automate time-consuming tasks
With this fully managed HSM service, you don’t need to deal with the administrative overhead of tasks like cluster management, scaling, and patching. Simply interface with and automate your use of the service through APIs.
Easily integrate with Cloud KMS
The Cloud HSM service is fully integrated with Cloud Key Management Service (KMS), which allows you to easily create and use customer-managed encryption keys (CMEK) that are generated and protected by a FIPS 140-2 Level 3 hardware device.
Pay for what you use
With this API-based service, you only pay for the HSM operations that you perform. With Cloud HSM, you can reduce costs associated with maintaining on-premises HSMs.
Cloud HSM features
Symmetric and asymmetric key support
Encrypt, decrypt, and sign with AES-256 symmetric and RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 asymmetric cryptographic keys.
Verify that a key was created in the HSM with attestation tokens generated for key creation operations.
Integration with Cloud KMS
Generate and store customer-managed encryption keys in Cloud HSM.
Cloud HSM is available in several global locations and in multi-regions, allowing you to place your service where you want for low latency and high availability. Once a key is created in a particular region, it’s bound to the hardware devices in that region.
|Key versions|Price per month|
|---|---|
|RSA 3072, RSA 4096|0–2000 key versions: $2.50; 2001+ key versions: $1.00|
|EC P256, EC P384|0–2000 key versions: $2.50; 2001+ key versions: $1.00|
This product is in beta.