- Symmetric and asymmetric key support
  - Cloud KMS allows you to create, use, rotate, automatically rotate, and destroy AES256 symmetric and RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 asymmetric cryptographic keys.
- Encrypt and decrypt via API
  - Cloud KMS is a REST API that can use a key to encrypt, decrypt, or sign data such as secrets for storage.
- Automated and at-will key rotation
  - Cloud KMS allows you to rotate a key at will, and also to set a rotation schedule for symmetric keys that automatically generates a new key version at a fixed time interval. Multiple versions of a symmetric key can be active at any time for decryption, with only one primary key version used for encrypting new data.
- Delay for key destruction
  - Cloud KMS has a built-in 24-hour delay for key material destruction, to prevent accidental or malicious data loss.
- High global availability
  - Cloud KMS is available in several global locations and across multi-regions, allowing you to place your service where you want for low latency and high availability.
- Integration with GKE
  - Encrypt Kubernetes secrets at the application layer in GKE with keys you manage in Cloud KMS.

“Google is transparent about how it does its encryption by default, and Cloud KMS makes it easy to implement best practices. Features like automatic key rotation let us rotate our keys frequently with zero overhead and stay in line with our internal compliance demands. Cloud KMS’ low latency allows us to use it for frequently performed operations. This allows us to expand the scope of the data we choose to encrypt from sensitive data, to operational data that does not need to be indexed.” — Leonard Austin, CTO at Ravelin

| Item | Price |
|---|---|
| Active key versions | $0.06 per month |
| Key use operations (Encrypt/Decrypt) | $0.03 per 10,000 operations |
| Key admin operations | Free |