Cloud Key Management Service

Manage encryption keys on Google Cloud Platform


Encryption Key Management

Cloud KMS is a cloud-hosted key management service that lets you manage encryption for your cloud services the same way you do on-premises. You can generate, use, rotate and destroy AES256 encryption keys. Cloud KMS is integrated with IAM and Cloud Audit Logging so that you can manage permissions on individual keys, and monitor how these are used. Use Cloud KMS to protect secrets and other sensitive data which you need to store in Google Cloud Platform.

Scalable, Automated, Fast

Keep millions of encryption keys, allowing you to determine the level of granularity at which to encrypt your data. Set keys to rotate automatically on a regular schedule, using a new primary version to encrypt data and limiting the scope of data accessible with any single key version. Keep as many active key versions as you want. Rely on our low latency to ensure you can access your keys quickly.

Greater Management Over Key Use

Use IAM to set user-level permissions on individual keys, granting access to both individual users and service accounts. View admin activity and key use logs with Cloud Audit Logging, using Cloud KMS as a central point to filter access to your most sensitive data. Monitor logs to ensure proper use of your keys.

Easily Encrypt Secrets

Wrap secrets of up to 64 KiB in size to protect secrets such as user credentials and API tokens. Take plaintext secrets out of source code, deployment managers, containers, and metadata, and make them accessible to users as well as service accounts via decryption using the Cloud KMS API.

Implement Envelope Encryption

Implement a key hierarchy with a local data encryption key (DEK), protected by a key encryption key (KEK) in Cloud KMS. Manage keys used to encrypt your data at the application layer, stored in your storage systems, at Google, or anywhere else.

Cloud KMS Features


AES256 keys
Cloud KMS allows you to create, use, rotate, automatically rotate, and destroy AES256 symmetric encryption keys.
Encrypt and decrypt via API
Cloud KMS is a REST API that can use a key to encrypt or decrypt data, such as secrets, for storage.
Automated and at-will key rotation
Cloud KMS allows you to rotate a key at will, and also set a rotation schedule to automatically generate a new key version at a fixed time interval. Multiple versions of a key can be active at any time for decryption, with only one primary key version used for encrypting new data.
Delay for key destruction
Cloud KMS has a built-in 24-hour delay for key material destruction, to prevent accidental or malicious data loss.
High global availability
Cloud KMS is available in several global locations, allowing you to place your service where you want for low latency.

“Google is transparent about how it does its encryption by default, and Cloud KMS makes it easy to implement best practices. Features like automatic key rotation let us rotate our keys frequently with zero overhead and stay in line with our internal compliance demands. Cloud KMS’ low latency allows us to use it for frequently performed operations. This allows us to expand the scope of the data we choose to encrypt from sensitive data, to operational data that does not need to be indexed.”

— Leonard Austin, CTO at Ravelin

Cloud KMS pricing

Cloud KMS pricing includes a flat rate for key versions, and a usage rate for key operations.

Key versions                           Price
Active key versions                    $0.06 per month

Key operations                         Price
Key use operations (Encrypt/Decrypt)   $0.03 per 10,000 operations
Key admin operations                   Free