This topic provides an overview of Cloud External Key Manager (Cloud EKM).
External key manager (EKM)
The key manager used outside of Google Cloud to manage your keys.
Cloud External Key Manager (Cloud EKM)
A Google Cloud service for using your external keys that are managed within a supported EKM.
Cloud EKM through the internet
A version of Cloud EKM where Google Cloud communicates with your external key manager over the internet.
Cloud EKM through a VPC
A version of Cloud EKM where Google Cloud communicates with your external key manager over a Virtual Private Cloud (VPC). For more information, see VPC network overview.
With Cloud EKM, you can use keys that you manage within a supported external key management partner to protect data within Google Cloud. You can protect data at rest in supported CMEK integration services, or by calling the Cloud Key Management Service API directly.
Cloud EKM provides several benefits:
Key provenance: You control the location and distribution of your externally managed keys. Externally managed keys are never cached or stored within Google Cloud. Instead, Cloud EKM communicates directly with the external key management partner for each request.
Access control: You manage access to your externally managed keys. Before you can use an externally managed key in Google Cloud, you must grant the Google Cloud project access to use the key. You can revoke this access at any time.
Centralized key management: You can manage your keys and access policies from a single user interface, whether the data they protect resides in the cloud or on your premises.
In all cases, the key resides on the external system, and is never sent to Google.
Supported key managers
You can store external keys in the following external key management partner systems:
Services that support CMEK with Cloud EKM
The following services support integration with Cloud KMS for external (Cloud EKM) keys:
- Artifact Registry
- Cloud Bigtable
- Cloud Composer
- Cloud Functions
- Cloud Logging: Log Router and Log Storage
- Cloud Run
- Cloud Spanner
- Cloud SQL
- Cloud Storage
- Compute Engine (including Persistent Disk)
- Dataproc Metastore
- Google Distributed Cloud Edge
- Google Kubernetes Engine: Data on VM disks or Application-layer Secrets
- Speaker ID (Restricted GA)
- Secret Manager
- Vertex AI
How it works
- First, you create or use an existing key in a supported external key management partner system. This key has a unique URI or key path.
- Next, you grant your Google Cloud project access to use the key, in the external key management partner system.
- In your Google Cloud project, you create a Cloud EKM key, using the URI or key path for the externally managed key.
Within Google Cloud, the key appears alongside your other
Cloud KMS and Cloud HSM keys, with protection level
EXTERNAL_VPC. The Cloud EKM key and the
external key management partner key work together to protect your data. The external key is
never exposed to Google.
The following diagram shows how Cloud KMS fits into the key management model. This diagram uses Compute Engine and BigQuery as two examples; you can also see the full list of services that support Cloud EKM keys.
When you use a Cloud EKM key, Google has no control over the availability of your externally managed key in the external key management partner system. If you lose keys that you manage outside of Google Cloud, Google can't recover your data.
Review the guidelines about external key management partners and regions when choosing the locations for your Cloud EKM keys.
Review the Cloud EKM Service Level Agreement (SLA).
Communicating with an external service over the internet can lead to problems with reliability, availability, and latency. For applications with low tolerance for these types of risks, consider using Cloud HSM or Cloud KMS to store your key material.
If an external key is unavailable, Cloud KMS returns a
FAILED_PRECONDITIONerror and provides details in the
Enable data audit logging to maintain a record of all errors related to Cloud EKM. Error messages contain detailed information to help pinpoint the source of the error. An example of a common error is when an external key management partner does not respond to a request within a reasonable timeframe.
You need a support contract with the external key management partner. Google Cloud
support can only help with issues in Google Cloud services and cannot directly assist with issues on external systems. Sometimes, you must work with support on both sides to troubleshoot interoperability issues.
Cloud EKM can be used with Hosted Private HSM to create a single-tenant HSM solution integrated with Cloud KMS. To learn more, choose a Cloud EKM partner that supports single-tenant HSMs and review the requirements for Hosted Private HSMs.
- Automatic rotation is not supported.
- When you create a Cloud EKM key using the API or the Google Cloud CLI, it must not have an initial key version. This does not apply to Cloud EKM keys created using the Google Cloud console.
- Cloud EKM operations are subject to specific quotas in addition to the quotas on Cloud KMS operations.
Symmetric encryption keys
- Symmetric encryption keys are only supported for the following:
- Customer managed encryption keys (CMEK) in supported integration services.
- Symmetric encryption and decryption using Cloud KMS directly.
- Data that is encrypted by Cloud EKM using an externally managed key cannot be decrypted without using Cloud EKM.
Asymmetric signing keys
- Asymmetric signing keys are limited to a subset of Cloud KMS algorithms.
- Asymmetric signing keys are only supported for:
- Once an asymmetric signing algorithm is set on a Cloud EKM key, it cannot be modified.
- Signing must be done on the
External key managers and regions
Cloud EKM needs to be able to reach your keys quickly to avoid an error. When creating a Cloud EKM key, choose a Google Cloud location that is geographically near the location of the external key management partner key. Refer to the partner's documentation for details about that partner's location availability.
- Cloud EKM via the internet: available in any Google Cloud
locations supported for Cloud KMS,
- Cloud EKM via a VPC: only available in regional locations supported for Cloud KMS
Consult your external key management partner's documentation to determine which locations they support.
When you use an externally managed key with a multi-region, the metadata of the key is available in multiple data centers within the multi-region. This metadata includes the information needed to communicate with the external key management partner. If your application fails over from one data center to another within the multi-region, the new data center initiates key requests. The new data center may have different network characteristics from the previous data center, including distance from the external key management partner and the likelihood of timeouts. We recommend only using a multi-region with Cloud EKM if your chosen external key manager provides low latency to all areas of that multi-region.
Monitor Cloud EKM usage
You can use Cloud Monitoring to monitor your EKM connection. The following metrics can help you understand your EKM usage:
For more information about these metrics, see cloudkms metrics. You can create a dashboard to track these metrics. To learn how to set up a dashboard to monitor your EKM connection, see Monitor EKM usage.
Start using the API.
Read through the Cloud KMS API Reference.
Learn about Logging in Cloud KMS. Logging is based on operations, and applies to keys with both HSM and software protection levels.
See Reference architectures for reliable deployment of Cloud EKM services for recommendations on configuring an External Key Manager (EKM) service deployment integrated with Cloud EKM.
If you experience an issue with Cloud EKM, contact Support.