Cloud Key Management Service

Manage encryption keys on Google Cloud Platform

Cryptographic key management

Cloud KMS is a cloud-hosted key management service that lets you manage cryptographic keys for your cloud services the same way you do on premises. You can generate, use, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys. Cloud KMS is integrated with Cloud IAM and Cloud Audit Logging so that you can manage permissions on individual keys and monitor how these are used. Use Cloud KMS to protect secrets and other sensitive data that you need to store in Google Cloud Platform.

Scalable, automated, fast

Keep millions of cryptographic keys, allowing you to determine the level of granularity at which to encrypt your data. Set keys to automatically rotate regularly, using a new primary version to encrypt data and limit the scope of data accessible with any single key version. Keep as many active key versions as you want. Rely on our low latency to ensure you can access your keys quickly.

Greater management over key use

Use Cloud IAM to manage user-level permissions on individual keys, and grant access to both individual users and service accounts. View admin activity and key use logs with Cloud Audit Logging, using Cloud KMS as a central point to filter access to your most sensitive data. Monitor logs to ensure proper use of your keys.

Easily encrypt and sign data

Cloud KMS gives you the flexibility to encrypt your data with either a symmetric or asymmetric key that’s under your control. You can also perform signing operations with both RSA and elliptic curve keys of various lengths.

Implement envelope encryption

Implement a key hierarchy with a local data encryption key (DEK), protected by a key encryption key (KEK) in Cloud KMS. Manage keys used to encrypt your data at the application layer, stored in your storage systems, at Google, or anywhere else.

Help satisfy compliance needs

With Cloud KMS, you can manage the encryption keys used to protect sensitive data residing across GCP with customer-managed encryption keys (CMEK). For compliance mandates requiring that keys and crypto operations be performed within a hardware environment, the Cloud KMS integration with Cloud HSM makes it simple to create a key protected by a FIPS 140-2 Level 3 device.

Cloud KMS features

Manage cryptographic keys on Google Cloud Platform.

Symmetric and asymmetric key support
Cloud KMS allows you to create, use, rotate, automatically rotate, and destroy AES256 symmetric and RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 asymmetric cryptographic keys.
Encrypt and decrypt via API
Cloud KMS is a REST API that can use a key to encrypt, decrypt, or sign data such as secrets for storage.
Automated and at-will key rotation
Cloud KMS allows you to rotate a key at will, and also set a rotation schedule for symmetric keys to automatically generate a new key version at a fixed time interval. Multiple versions of a symmetric key can be active at any time for decryption, with only one primary key version used for encrypting new data.
Delay for key destruction
Cloud KMS has a built-in 24-hour delay for key material destruction, to prevent accidental or malicious data loss.
High global availability
Cloud KMS is available in several global locations and across multi-regions, allowing you to place your service where you want for low latency and high availability.
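
The DEK/KEK hierarchy described under "Implement envelope encryption" and the primary-version behaviour described under "Automated and at-will key rotation", shown together as an added example in Ruby. This is not Google's code and makes no Cloud KMS API call: `LocalKek` is a constructed in-process stand-in for the key held in Cloud KMS, and `seal`, `unseal`, `envelope_encrypt` and `envelope_decrypt` are hypothetical names.

```ruby
require "openssl"

# AES-256-GCM; sealed layout is nonce (12 bytes) || tag (16 bytes) || ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = key
  nonce = c.random_iv
  body = c.update(plaintext) + c.final
  nonce + c.auth_tag + body
end

def unseal(key, blob)
  c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  c.key = key
  c.iv, c.auth_tag, body = blob.unpack("a12a16a*")
  c.update(body) + c.final # raises OpenSSL::Cipher::CipherError if tampered
end

# Constructed local stand-in for the Cloud KMS key (KEK); each version is an AES-256 key.
class LocalKek
  def initialize
    @versions = {}
    rotate
  end

  # Rotation adds a new primary version; older versions still unwrap old DEKs.
  def rotate
    @primary = @versions.size + 1
    @versions[@primary] = OpenSSL::Random.random_bytes(32)
  end

  def wrap(dek)
    [@primary, seal(@versions.fetch(@primary), dek)]
  end

  def unwrap(version, wrapped)
    unseal(@versions.fetch(version), wrapped) # KeyError for an unknown version
  end
end

# Fresh DEK per object: data is encrypted locally, the DEK is stored only wrapped.
def envelope_encrypt(kek, plaintext)
  dek = OpenSSL::Random.random_bytes(32)
  version, wrapped = kek.wrap(dek)
  { kek_version: version, wrapped_dek: wrapped, data: seal(dek, plaintext) }
end

def envelope_decrypt(kek, env)
  unseal(kek.unwrap(env[:kek_version], env[:wrapped_dek]), env[:data])
end
```

In a real deployment only `wrap` and `unwrap` would be requests to Cloud KMS, so the application handles DEKs but never KEK material.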

“Google is transparent about how it does its encryption by default, and Cloud KMS makes it easy to implement best practices. Features like automatic key rotation let us rotate our keys frequently with zero overhead and stay in line with our internal compliance demands. Cloud KMS’ low latency allows us to use it for frequently performed operations. This allows us to expand the scope of the data we choose to encrypt from sensitive data, to operational data that does not need to be indexed.”

— Leonard Austin, CTO at Ravelin

Cloud KMS pricing

Cloud KMS pricing includes a flat rate for key versions, and a usage rate for key operations.

Key versions              Price
Active key versions       $0.06 per month

If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

Key operations                          Price
Key use operations (Encrypt/Decrypt)    $0.03 per 10,000 operations
Key admin operations                    Free