About Cloud KMS

What is Cloud KMS? What can it do?

Cloud KMS is a cloud-hosted key management service that lets you manage encryption for your cloud services the same way you do on-premises. You can generate, use, rotate, and destroy AES-256 encryption keys. Cloud KMS is integrated with Cloud Identity and Access Management and Cloud Audit Logging so that you can manage permissions on individual keys, and monitor how they are used.

Can I store secrets?

Using Cloud KMS, you can encrypt secrets that you store elsewhere. As an example, you can store a secret in a Cloud Storage bucket. For details, see Storing secrets.

Is there an SLA?

Yes, see Cloud KMS Service Level Agreement.

How do I provide product feedback?

Contact the engineering team at

How do I provide documentation feedback?

While viewing Cloud KMS documentation, click Send feedback near the top right of the page. This will open a feedback form.

If I need help, what are my options?

We invite our users to post their questions on Stack Overflow. Along with the active Stack Overflow community, our team actively monitors Stack Overflow posts and answers questions with the tag google-cloud-kms.

We also offer various levels of support depending on your needs. For additional support options, see our Cloud Platform Support Packages.

Does Cloud KMS have any quotas?

Yes, Cloud KMS has quotas for the following:

  • Read requests: The number of key, key ring, and key version read requests per minute.

  • Write requests: The number of key, key ring, and key version write requests per minute.

  • Cryptographic requests: The number of encryption and decryption requests per minute.

How do I find out how much quota I am using, or have remaining?

You can view your current project quota in the Cloud KMS Quotas page of the Google Cloud Platform Console.

How do I request more quota?

You can automatically increase your quotas (up to a limit) using the Cloud KMS Quotas page of the GCP Console. If you would like to further increase your quota, apply for higher quota.

Is there a limit on the number of keys I can have?



What kind of key does Cloud KMS generate?

256-bit Advanced Encryption Standard (AES-256) symmetric keys in Galois Counter Mode (GCM).

How is key material generated?

Cloud KMS keys are generated using Google’s common cryptographic library using a random number generator (RNG) built by Google. This RNG is based on NIST 800-90Ar1 CTR-DRBG and generates an AES-256 key. For more details, see Key management.

Which library is used to generate key material?

Cloud KMS keys are generated using Google’s common cryptographic library which implements cryptographic algorithms using BoringSSL. For more information, see Google’s common cryptographic library.

Are keys constrained to a geographic location?

Keys belong to a region, but are not constrained to that region. For more information, see Cloud KMS locations.

Are keys HSM-backed?

No, the keys are not backed by a hardware security module.

Can I auto-delete keys?


Can I auto-rotate keys?

Yes, see Automatic rotation: Setting the rotation period for a key.

Does key rotation re-encrypt data? If not, why?

Key rotation does not automatically re-encrypt data. When you decrypt data, Cloud KMS knows which key version to use for the decryption. As long as a key version is not disabled or destroyed, Cloud KMS will be able to use the key version for the decryption.

Why can't I delete key or key rings?

To prevent resource name collisions, key ring and key resources CANNOT be deleted. Key versions also cannot be deleted, but key version material can be destroyed so that the resources can no longer be used. For more information, see Lifetime of objects.

Can I export keys?

No. Keys are not exportable from Cloud KMS by design. All encryption and decryption with these keys must be done within Cloud KMS. This helps prevent leaks and misuse, and enables Cloud KMS to emit an audit trail when keys are used.

Can I import keys?


How long after I destroy a key version can I get it back?

After you schedule a key version for destruction, you have 24 hours before the key version is actually destroyed. During that time, if needed you can restore the key version.

Can I change the 24 hour period before a scheduled key is destroyed?


When I make changes to a key, how quickly do the changes take effect?

Some operations to Cloud KMS resources are strongly consistent, while others are eventually consistent and may take up to a couple of hours to propagate.

For example, creating a key ring or key, or enabling a key version, are strongly consistent operations. Changing the state of an existing key or disabling a key version are eventually consistent operations.

When you disable a user's Cloud IAM access to a Cloud KMS resource, it can take up to 60 seconds for the change to propagate.

Authorization and authentication

How do I authenticate to the Cloud KMS API?

How clients authenticate may vary a bit depending on the platform on which the code is running. For details, see Accessing the API.

What Cloud IAM roles should I use?

To enforce the principle of least privilege, ensure that the user and service accounts in your organization have only the permissions essential to performing their intended functions. For more information, see Separation of duties.

When I remove a Cloud IAM permission, how quickly is it removed?

Removal of a permission should be in effect in less than one hour.


What is additional authenticated data, and when would I use it?

Additional authenticated data (AAD) is any string that you pass to Cloud KMS as part of an encrypt or decrypt request. It is used as an integrity check and can help protect your data from a confused deputy attack. For more information, see Additional authenticated data.

Are data access logs on by default? How do I enable data access logs?

Data access logs are not on by default. To enable data access logs, see Enabling data access logs.

How do Cloud KMS keys relate to service account keys?

Service account keys are used for service-to-service authentication within Google Cloud Platform. Service account keys are unrelated to Cloud KMS keys.

How do Cloud KMS keys relate to API keys?

API keys are a simple encrypted string that can be used when calling certain APIs that don't need to access private user data and are used to track API requests associated with your project for quota and billing. API keys are unrelated to Cloud KMS keys.

Send feedback about...

Cloud KMS Documentation