Cloud External Key Manager

Stay organized with collections Save and categorize content based on your preferences.

This topic provides an overview of Cloud External Key Manager (Cloud EKM).

Terminology

  • External key manager (EKM)

    The key manager used outside of Google Cloud to manage your keys.

  • Cloud External Key Manager (Cloud EKM)

    A Google Cloud service for using your external keys that are managed within a supported EKM.

  • Cloud EKM through the internet

    A version of Cloud EKM where Google Cloud communicates with your external key manager over the internet.

  • Cloud EKM through a VPC

    A version of Cloud EKM where Google Cloud communicates with your external key manager over a Virtual Private Cloud (VPC). For more information, see VPC network overview.

Overview

With Cloud EKM, you can use keys that you manage within a supported external key management partner to protect data within Google Cloud. You can protect data at rest in supported CMEK integration services, or by calling the Cloud Key Management Service API directly.

Cloud EKM provides several benefits:

  • Key provenance: You control the location and distribution of your externally-managed keys. Externally-managed keys are never cached or stored within Google Cloud. Instead, Cloud EKM communicates directly with the external key management partner for each request.

  • Access control: You manage access to your externally-managed keys. Before you can use an externally-managed key to encrypt or decrypt data in Google Cloud, you must grant the Google Cloud project access to use the key. You can revoke this access at any time.

  • Centralized key management: You can manage your keys and access policies from a single location and user interface, whether the data they protect resides in the cloud or on your premises.

In all cases, the key resides on the external system, and is never sent to Google.

You can communicate with your external key manager via the internet or via a Virtual Private Cloud (VPC).

Supported key managers

You can store external keys in the following external key management partner systems:

Services that support CMEK with Cloud EKM

The following services support integration with Cloud KMS for external (Cloud EKM) keys:

How it works

This section provides a broad overview of how Cloud EKM works with an external key. You can also follow the step-by-step instructions to create a Cloud EKM key accessed via the internet or create a Cloud EKM key accessed via a VPC.

  1. First, you create or use an existing key in a supported external key management partner system. This key has a unique URI or key path.
  2. Next, you grant your Google Cloud project access to use the key, in the external key management partner system.
  3. In your Google Cloud project, you create a Cloud EKM key, using the URI or key path for the externally-managed key.

Within Google Cloud, the key appears alongside your other Cloud KMS and Cloud HSM keys, with protection level EXTERNAL or EXTERNAL_VPC. The Cloud EKM key and the external key management partner key work together to protect your data. The external key is never exposed to Google.

The following diagram shows how Cloud KMS fits into the key management model (using Compute Engine and BigQuery as two examples, the full supported services list is in here).

Diagram illustrating encryption and decryption with Cloud EKM

You can learn about the considerations and restrictions when using Cloud EKM.

Considerations

  • When you use a Cloud EKM key, Google has no control over the availability of your externally-managed key in the external key management partner system. Google can't recover your data if you lose keys you manage outside of Google Cloud.

  • Review the guidelines about external key management partners and regions when choosing the locations for your Cloud EKM keys.

  • Review the Cloud EKM Service Level Agreement (SLA).

  • Communicating with an external service over the internet can lead to problems with reliability, availability, and latency. For applications with low tolerance for these types of risks, consider using Cloud HSM or Cloud KMS to store your key material.

    • If an external key is unavailable, Cloud KMS returns a FAILED_PRECONDITION error and provides details in the PreconditionFailure error detail.

      Enable data audit logging to maintain a record of all errors related to Cloud EKM. Error messages contain detailed information to help pinpoint the source of the error. An example of a common error is when an external key management partner does not respond to a request within a reasonable timeframe.

    • You need a support contract with the external key management partner. Google Cloud support can only provide support for issues in Google Cloud services and cannot directly assist with issues on external systems. You may need to work with support on both sides to troubleshoot interoperability issues.

  • Cloud EKM can be used with Hosted Private HSM to create a single-tenant HSM solution integrated with Cloud KMS. Choose a Cloud EKM partner that supports single-tenant HSMs and review the requirements at Hosted Private HSM to learn more.

Restrictions

  • Automatic rotation is not supported.
  • When you create a Cloud EKM key using the API or the Google Cloud CLI, it must not have an initial key version. This does not apply to Cloud EKM keys created using the Google Cloud console.
  • Cloud EKM operations are subject to specific quotas in addition to the quotas on Cloud KMS operations.

Symmetric encryption keys

Asymmetric signing keys

External key managers and regions

Cloud EKM needs to be able to reach your keys quickly to avoid an error. When creating a Cloud EKM key, choose a Google Cloud location that is geographically near the location of the external key management partner key. Refer to the partner's documentation for details about that partner's location availability.

  • Cloud EKM via the internet: available in any Google Cloud locations supported for Cloud KMS, except for global
  • Cloud EKM via a VPC: only available in regional locations supported for Cloud KMS

Consult your external key management partner's documentation to determine which locations they support.

Multi-region use

When you use an externally-managed key with a multi-region, the metadata of the key, including the information needed to communicate with the external key management partner, is available in multiple datacenters within the multi-region. If your application fails over from one datacenter to another within the multi-region, the new datacenter initiates key requests. The new datacenter may have different network characteristics from the previous datacenter, including distance from the external key management partner and the likelihood of timeouts. We recommend only using a multi-region with Cloud EKM if your chosen external key manager provides low latency to all areas of that multi-region.

What's next

Getting support

If you experience an issue with Cloud EKM, contact Support.