Cloud External Key Manager

This topic provides an overview of Cloud External Key Manager (Cloud EKM).

Terminology

External key manager (EKM)

The key manager used outside of Google Cloud to manage your keys.
Cloud External Key Manager (Cloud EKM)

A Google Cloud service for using your external keys that are managed within a supported EKM.
Cloud EKM through the internet

A version of Cloud EKM where Google Cloud communicates with your external key manager over the internet.
Cloud EKM through a VPC

A version of Cloud EKM where Google Cloud communicates with your external key manager over a Virtual Private Cloud (VPC). For more information, see VPC network overview.

Overview

With Cloud EKM, you can use keys that you manage within a supported external key management partner to protect data within Google Cloud. You can protect data at rest in supported CMEK integration services, or by calling the Cloud Key Management Service API directly.

Cloud EKM provides several benefits:

Key provenance: You control the location and distribution of your externally managed keys. Externally managed keys are never cached or stored within Google Cloud. Instead, Cloud EKM communicates directly with the external key management partner for each request.
Access control: You manage access to your externally managed keys. Before you can use an externally managed key in Google Cloud, you must grant the Google Cloud project access to use the key. You can revoke this access at any time.
Centralized key management: You can manage your keys and access policies from a single user interface, whether the data they protect resides in the cloud or on your premises.

In all cases, the key resides on the external system, and is never sent to Google.

You can communicate with your external key manager via the internet or via a Virtual Private Cloud (VPC).

Supported key managers

You can store external keys in the following external key management partner systems:

Supported today:
- Fortanix
- Futurex
- Thales
- Virtru

Services that support CMEK with Cloud EKM

The following services support integration with Cloud KMS for external (Cloud EKM) keys:

Artifact Registry
BigQuery
Cloud Bigtable
Cloud Composer
Cloud Functions
Cloud Logging: Data in the Log Router and Data in Logging storage
Cloud Run
Cloud Spanner
Cloud SQL
Cloud Storage
Compute Engine: Persistent disks , Snapshots , and Custom images
Dataflow
Dataproc
Dataproc Metastore
Eventarc
Google Distributed Cloud Edge
Google Kubernetes Engine: Data on VM disks and Application-layer secrets
Pub/Sub
Secret Manager
Speaker ID (Restricted GA)
Vertex AI

How it works

This section provides a broad overview of how Cloud EKM works with an external key. You can also follow the step-by-step instructions to create a Cloud EKM key accessed via the internet or via a VPC.

First, you create or use an existing key in a supported external key management partner system. This key has a unique URI or key path.
Next, you grant your Google Cloud project access to use the key, in the external key management partner system.
In your Google Cloud project, you create a Cloud EKM key, using the URI or key path for the externally managed key.

Within Google Cloud, the key appears alongside your other Cloud KMS and Cloud HSM keys, with protection level EXTERNAL or EXTERNAL_VPC. The Cloud EKM key and the external key management partner key work together to protect your data. The external key is never exposed to Google.

The following diagram shows how Cloud KMS fits into the key management model. This diagram uses Compute Engine and BigQuery as two examples; you can also see the full list of services that support Cloud EKM keys.

Diagram illustrating encryption and decryption with Cloud EKM

You can learn about the considerations and restrictions when using Cloud EKM.

Considerations

When you use a Cloud EKM key, Google has no control over the availability of your externally managed key in the external key management partner system. If you lose keys that you manage outside of Google Cloud, Google can't recover your data.
Review the guidelines about external key management partners and regions when choosing the locations for your Cloud EKM keys.
Review the Cloud EKM Service Level Agreement (SLA).
Communicating with an external service over the internet can lead to problems with reliability, availability, and latency. For applications with low tolerance for these types of risks, consider using Cloud HSM or Cloud KMS to store your key material.
- If an external key is unavailable, Cloud KMS returns a FAILED_PRECONDITION error and provides details in the PreconditionFailure error detail.
  
  Enable data audit logging to maintain a record of all errors related to Cloud EKM. Error messages contain detailed information to help pinpoint the source of the error. An example of a common error is when an external key management partner does not respond to a request within a reasonable timeframe.
- You need a support contract with the external key management partner. Google Cloud
  
  support can only help with issues in Google Cloud services and cannot directly assist with issues on external systems. Sometimes, you must work with support on both sides to troubleshoot interoperability issues.
Cloud EKM can be used with Hosted Private HSM to create a single-tenant HSM solution integrated with Cloud KMS. To learn more, choose a Cloud EKM partner that supports single-tenant HSMs and review the requirements for Hosted Private HSMs.

Caution: When you use Cloud EKM keys over the internet, there's a risk that the key can become unavailable. Depending on which services you're using, this can cause fatal errors or inaccessible data. For example, if you use an external CMEK key to encrypt Google Kubernetes Engine application-layer secrets, your nodes can become unavailable if they can't decrypt the secrets. Inability to access the external key can also cause permanent data loss. For example, if the CMEK key used to encrypt a Cloud Spanner database remains unavailable for more than 30 consecutive days, Cloud Spanner automatically deletes the database. When the current key version is not available, you cannot recover the data by rotating to a new key version. For better availability, consider using Cloud EKM over VPC or Cloud HSM keys.

Restrictions

Automatic rotation is not supported.
When you create a Cloud EKM key using the API or the Google Cloud CLI, it must not have an initial key version. This does not apply to Cloud EKM keys created using the Google Cloud console.
Cloud EKM operations are subject to specific quotas in addition to the quotas on Cloud KMS operations.

Symmetric encryption keys

Symmetric encryption keys are only supported for the following:
- Customer managed encryption keys (CMEK) in supported integration services.
- Symmetric encryption and decryption using Cloud KMS directly.
Data that is encrypted by Cloud EKM using an externally managed key cannot be decrypted without using Cloud EKM.

Asymmetric signing keys

Asymmetric signing keys are limited to a subset of Cloud KMS algorithms.
Asymmetric signing keys are only supported for:
- Asymmetric signing using Cloud KMS directly.
- Custom signing key with Access Approval.
Once an asymmetric signing algorithm is set on a Cloud EKM key, it cannot be modified.
Signing must be done on the data field.

External key managers and regions

Cloud EKM needs to be able to reach your keys quickly to avoid an error. When creating a Cloud EKM key, choose a Google Cloud location that is geographically near the location of the external key management partner key. Refer to the partner's documentation for details about that partner's location availability.

Cloud EKM via the internet: available in any Google Cloud locations supported for Cloud KMS, except for global
Cloud EKM via a VPC: only available in regional locations supported for Cloud KMS

Consult your external key management partner's documentation to determine which locations they support.

Multi-region use

When you use an externally managed key with a multi-region, the metadata of the key is available in multiple data centers within the multi-region. This metadata includes the information needed to communicate with the external key management partner. If your application fails over from one data center to another within the multi-region, the new data center initiates key requests. The new data center may have different network characteristics from the previous data center, including distance from the external key management partner and the likelihood of timeouts. We recommend only using a multi-region with Cloud EKM if your chosen external key manager provides low latency to all areas of that multi-region.

Monitor Cloud EKM usage

You can use Cloud Monitoring to monitor your EKM connection. The following metrics can help you understand your EKM usage:

cloudkms.googleapis.com/ekm/external/request_latencies
cloudkms.googleapis.com/ekm/external/request_count

For more information about these metrics, see cloudkms metrics. You can create a dashboard to track these metrics. To learn how to set up a dashboard to monitor your EKM connection, see Monitor EKM usage.

What's next

Read more about using Cloud EKM via the internet and using Cloud EKM via a VPC.
Start using the API.
Read through the Cloud KMS API Reference.
Learn about Logging in Cloud KMS. Logging is based on operations, and applies to keys with both HSM and software protection levels.
See Reference architectures for reliable deployment of Cloud EKM services for recommendations on configuring an External Key Manager (EKM) service deployment integrated with Cloud EKM.

Getting support

If you experience an issue with Cloud EKM, contact Support.