This topic provides an overview of Cloud External Key Manager (Cloud EKM).
External key manager (EKM)
The key manager used outside of Google Cloud to manage your keys.
Cloud External Key Manager (Cloud EKM)
A Google Cloud service for using your external keys that are managed within a supported EKM.
Cloud EKM through the internet
A version of Cloud EKM where Google Cloud communicates with your external key manager over the internet.
Cloud EKM through a VPC
A version of Cloud EKM where Google Cloud communicates with your external key manager over a Virtual Private Cloud (VPC). For more information, see VPC network overview.
With Cloud EKM, you can use keys that you manage within a supported external key management partner to protect data within Google Cloud. You can protect data at rest in supported CMEK integration services, or by calling the Cloud Key Management Service API directly.
Cloud EKM provides several benefits:
Key provenance: You control the location and distribution of your externally-managed keys. Externally-managed keys are never cached or stored within Google Cloud. Instead, Cloud EKM communicates directly with the external key management partner for each request.
Access control: You manage access to your externally-managed keys. Before you can use an externally-managed key to encrypt or decrypt data in Google Cloud, you must grant the Google Cloud project access to use the key. You can revoke this access at any time.
Centralized key management: You can manage your keys and access policies from a single location and user interface, whether the data they protect resides in the cloud or on your premises.
In all cases, the key resides on the external system, and is never sent to Google.
Supported key managers
You can store external keys in the following external key management partner systems:
Services that support CMEK with Cloud EKM
- Artifact Registry
- Cloud Bigtable
- Cloud Composer
- Cloud Functions
- Cloud Logging: Log Router and Log Storage
- Cloud Run
- Cloud Spanner
- Cloud SQL
- Cloud Storage
- Compute Engine (including Persistent Disk)
- Dataproc Metastore
- Google Distributed Cloud Edge
- Google Kubernetes Engine: Data on VM disks or Application-layer Secrets
- Speaker ID (Restricted GA)
- Secret Manager
- Vertex AI
How it works
This section provides a broad overview of how Cloud EKM works with an external key. You can also follow the step-by-step instructions to create a Cloud EKM key accessed via the internet or create a Cloud EKM key accessed via a VPC.
- First, you create or use an existing key in a supported external key management partner system. This key has a unique URI or key path.
- Next, you grant your Google Cloud project access to use the key, in the external key management partner system.
- In your Google Cloud project, you create a Cloud EKM key, using the URI or key path for the externally-managed key.
Within Google Cloud, the key appears alongside your other
Cloud KMS and Cloud HSM keys, with protection level
EXTERNAL_VPC. The Cloud EKM key and the
external key management partner key work together to protect your data. The external key is
never exposed to Google.
The following diagram shows how Cloud KMS fits into the key management model (using Compute Engine and BigQuery as two examples, the full supported services list is in here).
When you use a Cloud EKM key, Google has no control over the availability of your externally-managed key in the external key management partner system. Google can't recover your data if you lose keys you manage outside of Google Cloud.
Review the guidelines about external key management partners and regions when choosing the locations for your Cloud EKM keys.
Review the Cloud EKM Service Level Agreement (SLA).
Communicating with an external service over the internet can lead to problems with reliability, availability, and latency. For applications with low tolerance for these types of risks, consider using Cloud HSM or Cloud KMS to store your key material.
If an external key is unavailable, Cloud KMS returns a
FAILED_PRECONDITIONerror and provides details in the
Enable data audit logging to maintain a record of all errors related to Cloud EKM. Error messages contain detailed information to help pinpoint the source of the error. An example of a common error is when an external key management partner does not respond to a request within a reasonable timeframe.
You need a support contract with the external key management partner. Google Cloud support can only provide support for issues in Google Cloud services and cannot directly assist with issues on external systems. You may need to work with support on both sides to troubleshoot interoperability issues.
Cloud EKM can be used with Hosted Private HSM to create a single-tenant HSM solution integrated with Cloud KMS. Choose a Cloud EKM partner that supports single-tenant HSMs and review the requirements at Hosted Private HSM to learn more.
- Automatic rotation is not supported.
- When you create a Cloud EKM key using the API or the Google Cloud CLI, it must not have an initial key version. This does not apply to Cloud EKM keys created using the console.
- Cloud EKM operations are subject to specific quotas in addition to the quotas on Cloud KMS operations.
Symmetric encryption keys
- Symmetric encryption keys are only supported for the following:
- Customer managed encryption keys (CMEK) in supported integration services.
- Symmetric encryption and decryption using Cloud KMS directly.
- Data that is encrypted by Cloud EKM using an externally-managed key cannot be decrypted without using Cloud EKM.
Asymmetric signing keys
- Asymmetric signing keys are limited to a subset of Cloud KMS algorithms.
- Asymmetric signing keys are only supported for:
- Once an asymmetric signing algorithm is set on a Cloud EKM key, it cannot be modified.
- Signing must be done on the
External key managers and regions
Cloud EKM needs to be able to reach your keys quickly to avoid an error. When creating a Cloud EKM key, choose a Google Cloud location that is geographically near the location of the external key management partner key. Refer to the partner's documentation for details about that partner's location availability.
- Cloud EKM via the internet: available in any Google Cloud
locations supported for Cloud KMS,
- Cloud EKM via a VPC: only available in regional locations supported for Cloud KMS
Consult your external key management partner's documentation to determine which locations they support.
When you use an externally-managed key with a multi-region, the metadata of the key, including the information needed to communicate with the external key management partner, is available in multiple datacenters within the multi-region. If your application fails over from one datacenter to another within the multi-region, the new datacenter initiates key requests. The new datacenter may have different network characteristics from the previous datacenter, including distance from the external key management partner and the likelihood of timeouts. We recommend only using a multi-region with Cloud EKM if your chosen external key manager provides low latency to all areas of that multi-region.
Start using the API.
Take a look at the Cloud KMS API Reference.
Learn about Logging in Cloud KMS. Logging is based on operations, and applies to keys with both HSM and software protection levels.
See Reference architectures for reliable deployment of Cloud EKM services for recommendations on configuring a External Key Manager (EKM) service deployment integrated with Cloud EKM.
If you experience an issue with Cloud EKM, contact Support.