Cloud HSM

Protect your cryptographic keys in a fully managed cloud-hosted hardware security module (HSM) service.

View documentation for this product.

Cloud HSM Overview logo


Cloud HSM is a cloud-hosted hardware security module (HSM) service on Google Cloud Platform. With Cloud HSM, you can host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs. With this fully managed service, you can protect your most sensitive workloads without the need to worry about the operational overhead of managing an HSM cluster.

Maintain control over cryptographic keys logo

Maintain control over cryptographic keys

With Cloud HSM, the keys that you create and use cannot be removed from HSMs. Using Cloud HSM, you can verifiably attest that your cryptographic keys were created within a hardware device.

Help satisfy compliance requirements logo

Help satisfy compliance requirements

Cloud HSM can help you meet compliance mandates requiring that keys and crypto operations be performed within a hardware environment. With Cloud HSM, it’s simple to generate keys protected by a FIPS 140-2 Level 3 device.

Automate time-consuming tasks logo

Automate time-consuming tasks

With this fully managed HSM service, you don’t need to deal with the administrative overhead of tasks like cluster management, scaling, and patching. Simply interface with and automate your use of the service through APIs.

Easily integrate with Cloud KMS logo

Easily integrate with Cloud KMS

Cloud HSM service is fully integrated with Cloud Key Management Service (KMS), which allows you to easily create and use customer-managed encryption keys (CMEK) that are generated and protected by a FIPS 140-2 Level 3 hardware device.

Pay for what you use logo

Pay for what you use

With this API-based service, you only pay for the HSM operations that you perform. With Cloud HSM, you can reduce costs associated with maintaining on-premises HSMs.


Symmetric and asymmetric key support

Encrypt, decrypt, and sign with AES-256 symmetric and RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 asymmetric cryptographic keys.

Statement attestation

Verify that a key was created in the HSM with attestation tokens generated for key creation operations.

Integration with Cloud KMS

Generate and store customer-managed encryption keys in Cloud HSM.

Multi-region support

Cloud HSM is available in the US multi-region as well as in several regions across the Americas, Europe, and Asia Pacific.



Cloud HSM pricing includes a flat rate for key versions and a usage rate for key operations.

Key operations Price per 10,000 operations
AES256, RSA 2048 $0.03
RSA 3072, RSA 4096 $0.15
EC P256, EC P384 $0.15
Key versions Price per month
AES256, RSA2048 $1.00
RSA 3072, RSA 4096 0–2000 key versions: $2.50
2001+ key versions: $1.00
EC P256, EC P384 0–2000 key versions: $2.50
2001+ key versions: $1.00

Take the next step

Start building on Google Cloud with $300 in free credits and 20+ always free products.

Need help getting started?
Work with a trusted partner
Continue browsing