Cloud Key Management Service (Cloud KMS) lets you create and manage encryption keys for use in compatible Google Cloud services and in your own applications. Using Cloud KMS, you can do the following:
Generate software or hardware keys, import existing keys into Cloud KMS, or link external keys in your compatible external key management (EKM) system.
Use customer-managed encryption keys (CMEKs) in Google Cloud products with CMEK integration. CMEK integrations use your CMEK keys to encrypt or "wrap" your data encryption keys (DEKs). Wrapping DEKs with key encryption keys (KEKs) is called envelope encryption.
Use Cloud KMS keys for encryption and decryption operations. For example, you can use the Cloud KMS API or client libraries to use your Cloud KMS keys for client-side encryption.
Use Cloud KMS keys to create or verify digital signatures or message authentication code (MAC) signatures.
Choose the right encryption for your needs
You can use the following table to identify which type of encryption meets your needs for each use case. The best solution for your needs might include a mix of encryption approaches. For example, you might use software keys for your least sensitive data and hardware or external keys for your most sensitive data. For additional information about the encryption options described in this section, see Protecting data in Google Cloud on this page.
Encryption type | Cost | Compatible services
---|---|---
Google Cloud default encryption | Included | All Google Cloud services that store customer data
Customer-managed encryption keys - software (Cloud KMS keys) | Low - $0.06 per key version | 30+ services
Customer-managed encryption keys - hardware (Cloud HSM keys) | Medium - $1.00 to $2.50 per key version per month | 30+ services
Customer-managed encryption keys - external (Cloud EKM keys) | High - $3.00 per key version per month | 20+ services
Client-side encryption using Cloud KMS keys | Cost of active key versions depends on the protection level of the key | Use client libraries in your applications
Customer-supplied encryption keys | Might increase costs associated with Compute Engine or Cloud Storage | Compute Engine, Cloud Storage
Confidential Computing | Additional cost for each confidential VM; might increase log usage and associated costs | Compute Engine, GKE, Dataproc
Protecting data in Google Cloud
Google Cloud default encryption
By default, data at rest in Google Cloud is protected by keys in Keystore, Google's internal key management service. Keys in Keystore are managed automatically by Google, with no configuration required on your part. Most services automatically rotate keys for you. Keystore supports a primary key version and a limited number of older key versions. The primary key version is used to encrypt new data encryption keys. Older key versions can still be used to decrypt existing data encryption keys.
This default encryption uses cryptographic modules that are validated to be FIPS 140-2 Level 1 compliant. If you don't have specific requirements for a higher level of protection, using default encryption can meet your needs with no additional costs.
Customer-managed encryption keys (CMEKs)
For use cases that require a higher level of control or protection, you can use customer-managed Cloud KMS keys in compatible services. When you use Cloud KMS keys in CMEK integrations, you can use organization policies to ensure that CMEK keys are used as specified in the policies. For example, you can set an organization policy that ensures your compatible Google Cloud resources use your Cloud KMS keys for encryption. Organization policies can also specify which project the key resources must reside in.
The features and level of protection provided depend on the protection level of the key:
Software keys - You can generate software keys in Cloud KMS and use them in all Google Cloud locations. You can create symmetric keys with automatic rotation or asymmetric keys with manual rotation. Customer-managed software keys use FIPS 140-2 Level 1 validated software cryptography modules. You also have control over the rotation period, Identity and Access Management (IAM) roles and permissions, and organization policies that govern your keys. You can use your software keys with over 30 compatible Google Cloud resources.
Imported software keys - You can import software keys that you created elsewhere for use in Cloud KMS. You can import new key versions to manually rotate imported keys. You can use IAM roles and permissions and organization policies to govern usage of your imported keys.
Hardware keys and Cloud HSM - You can generate hardware keys in a cluster of FIPS 140-2 Level 3 Hardware Security Modules (HSMs). You have control over the rotation period, IAM roles and permissions, and organization policies that govern your keys. When you create HSM keys using Cloud HSM, Google manages the HSM clusters so you don't have to. You can use your HSM keys with over 30 compatible Google Cloud resources—the same services that support software keys. For the highest level of security compliance, use hardware keys.
External keys and Cloud EKM - You can use keys that reside in an external key manager (EKM). Cloud EKM lets you use keys held in a supported key manager to secure your Google Cloud resources. You can connect to your EKM over the internet or over a Virtual Private Cloud (VPC). Some Google Cloud services that support software or hardware keys do not support Cloud EKM keys.
Cloud KMS keys
You can use your Cloud KMS keys in custom applications using the Cloud KMS client libraries or Cloud KMS API. The client libraries and API let you encrypt and decrypt data, sign data, and validate signatures.
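As an added example (not code from this page or from Google's client libraries), here is the envelope-encryption flow described under customer-managed keys, carried out in Go the way a client-side application would use it: each object gets a fresh DEK, the data is sealed locally with that DEK, and only the DEK is sent to the key encryption key. The KEK here is a local AES-256-GCM key standing in for a Cloud KMS key so the example runs offline; `Wrap` and `Unwrap` mark the two points where a real application would call the Cloud KMS Encrypt and Decrypt API instead. All type and function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Envelope is stored beside the object: ciphertext plus the DEK wrapped by the KEK; AAD
// (e.g. the object's identity) is bound into the GCM tag so envelopes can't be swapped.
type Envelope struct{ WrappedDEK, Ciphertext, AAD []byte }
// KEK stands in for a Cloud KMS key (assumption: a local AES-256-GCM key so the example
// runs offline). In production Wrap/Unwrap are the KMS Encrypt/Decrypt API calls.
type KEK struct{ Key []byte }
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // as of Go 1.24 crypto/rand.Read never returns an error
	return b
}
// seal is AES-256-GCM with a random nonce prefixed to the output; open reverses it and
// rejects any bit flip. The constructors cannot fail for 32-byte keys, so errors are ignored.
func seal(key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	nonce := randBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...)
}
func open(key, blob, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], aad)
	}
	return nil, errors.New("ciphertext too short")
}
func (k *KEK) Wrap(dek []byte) []byte             { return seal(k.Key, dek, nil) }
func (k *KEK) Unwrap(blob []byte) ([]byte, error) { return open(k.Key, blob, nil) }
// Encrypt is envelope encryption: a fresh DEK per object, data sealed locally with the DEK,
// the DEK sealed by the KEK, plaintext DEK discarded. Decrypt unwraps first, then opens.
func Encrypt(kek *KEK, plaintext, aad []byte) *Envelope {
	dek := randBytes(32)
	return &Envelope{WrappedDEK: kek.Wrap(dek), Ciphertext: seal(dek, plaintext, aad), AAD: aad}
}
func Decrypt(kek *KEK, env *Envelope) ([]byte, error) {
	dek, err := kek.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, env.AAD)
}
```

Because the KEK only ever sees 32-byte DEKs, rotating the KEK means re-wrapping small blobs rather than re-encrypting the data, and a decrypt with the wrong KEK, a tampered ciphertext or a mismatched AAD fails closed at the GCM tag check.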
Customer-supplied encryption keys (CSEKs)
Cloud Storage and Compute Engine can use customer-supplied encryption keys (CSEKs). With customer-supplied encryption keys, you store the key material and provide it to Cloud Storage or Compute Engine when needed. Google does not store your CSEKs in any way.
Confidential Computing
In Compute Engine, GKE, and Dataproc, you can use the Confidential Computing platform to encrypt your data-in-use. Confidential Computing ensures that your data stays private and encrypted even while it's being processed.