Cloud Key Management Service overview

Cloud Key Management Service (Cloud KMS) lets you create and manage cryptographic keys for use in compatible Google Cloud services and in your own applications. Using Cloud KMS, you can do the following:

  • Generate software or hardware keys, import existing keys into Cloud KMS, or link external keys in your compatible external key management (EKM) system.
  • Use customer-managed encryption keys (CMEKs) in Google Cloud products with CMEK integration. CMEK integrations use your Cloud KMS keys to encrypt or "wrap" your data encryption keys (DEKs). Wrapping DEKs with key encryption keys (KEKs) is called envelope encryption.
  • Use Cloud KMS Autokey to automate provisioning and assignment. With Autokey, you don't need to provision key rings, keys, and service accounts ahead of time. Instead, they are generated on demand as part of resource creation.
  • Use Cloud KMS keys for encryption and decryption operations. For example, you can use the Cloud KMS API or client libraries to use your Cloud KMS keys for client-side encryption.
  • Use Cloud KMS keys to create or verify digital signatures or message authentication code (MAC) signatures.

Choose the right encryption for your needs

You can use the following table to identify which type of encryption meets your needs for each use case. The best solution for your needs might include a mix of encryption approaches. For example, you might use software keys for your least sensitive data and hardware or external keys for your most sensitive data. For additional information about the encryption options described in this section, see Protecting data in Google Cloud on this page.

Encryption type Cost Compatible services Features
Google-owned and Google-managed encryption keys (Google Cloud default encryption) Included All Google Cloud services that store customer data
  • No configuration required.
  • Automatically encrypts customer data saved in any Google Cloud service.
  • Most services automatically rotate keys.
  • Supports encryption using AES-256.
  • FIPS 140-2 Level 1 validated.
Customer-managed encryption keys - software
(Cloud KMS keys)
$0.06 per key version 40+ services
Customer-managed encryption keys - hardware
(Cloud HSM keys)
$1.00 to $2.50 per key version per month 40+ services
Customer-managed encryption keys - external
(Cloud EKM keys)
$3.00 per key version per month 30+ services
  • You control IAM roles and permissions; enable, disable, or destroy key versions.
  • Keys are never sent to Google.
  • Key material resides in a compatible external key management (EKM) provider.
  • Compatible Google Cloud services connect to your EKM provider over a Virtual Private Cloud (VPC).
  • Supports symmetric keys for encryption and decryption.
  • Manually rotate your keys in coordination with Cloud EKM and your EKM provider.
  • FIPS 140-2 Level 2 or FIPS 140-2 Level 3 validated, depending on the EKM.
  • Keys are unique to a customer.
Client-side encryption using Cloud KMS keys Cost of active key versions depends on the protection level of the key. Use client libraries in your applications
Customer-supplied encryption keys Might increase costs associated with Compute Engine or Cloud Storage
  • You provide key materials when needed.
  • Key material resides in-memory - Google does not permanently store your keys on our servers.
Confidential Computing Additional cost for each confidential VM; might increase log usage and associated costs
  • Provides encryption-in-use for VMs handling sensitive data or workloads.
  • Keys can't be accessed by Google.

Protecting data in Google Cloud

Google-owned and Google-managed encryption keys (Google Cloud default encryption)

By default, data at rest in Google Cloud is protected by keys in Keystore, Google Cloud's internal key management service. Keys in Keystore are managed automatically by Google Cloud, with no configuration required on your part. Most services automatically rotate keys for you. Keystore supports a primary key version and a limited number of older key versions. The primary key version is used to encrypt new data encryption keys. Older key versions can still be used to decrypt existing data encryption keys. You can't view or manage these keys or review key usage logs. Data from multiple customers might use the same key encryption key.

This default encryption uses cryptographic modules that are validated to be FIPS 140-2 Level 1 compliant.

Customer-managed encryption keys (CMEKs)

Cloud KMS keys that are used to protect your resources in CMEK-integrated services are customer-managed encryption keys (CMEKs). You can own and control CMEKs, while delegating key creation and assignment tasks to Cloud KMS Autokey. To learn more about automating provisioning for CMEKs, see Cloud Key Management Service with Autokey.

You can use your Cloud KMS keys in compatible services to help you meet the following goals:

  • Own your encryption keys.

  • Control and manage your encryption keys, including choice of location, protection level, creation, access control, rotation, use, and destruction.

  • Selectively delete data protected by your keys in the case of off-boarding or to remediate security events (crypto-shredding).

  • Create dedicated, single-tenant keys that establish a cryptographic boundary around your data.

  • Log administrative and data access to encryption keys.

  • Meet current or future regulation that requires any of these goals.

When you use Cloud KMS keys with CMEK-integrated services, you can use organization policies to ensure that CMEKs are used as specified in the policies. For example, you can set an organization policy that ensures that your compatible Google Cloud resources use your Cloud KMS keys for encryption. Organization policies can also specify which project the key resources must reside in.

The features and level of protection provided depend on the protection level of the key:

  • Software keys - You can generate software keys in Cloud KMS and use them in all Google Cloud locations. You can create symmetric keys with automatic rotation or asymmetric keys with manual rotation. Customer-managed software keys use FIPS 140-2 Level 1 validated software cryptography modules. You also have control over the rotation period, Identity and Access Management (IAM) roles and permissions, and organization policies that govern your keys. You can use your software keys with many compatible Google Cloud resources.

  • Imported software keys - You can import software keys that you created elsewhere for use in Cloud KMS. You can import new key versions to manually rotate imported keys. You can use IAM roles and permissions and organization policies to govern usage of your imported keys.

  • Hardware keys and Cloud HSM - You can generate hardware keys in a cluster of FIPS 140-2 Level 3 Hardware Security Modules (HSMs). You have control over the rotation period, IAM roles and permissions, and organization policies that govern your keys. When you create HSM keys using Cloud HSM, Google Cloud manages the HSM clusters so you don't have to. You can use your HSM keys with many compatible Google Cloud resources—the same services that support software keys. For the highest level of security compliance, use hardware keys.

  • External keys and Cloud EKM - You can use keys that reside in an external key manager (EKM). Cloud EKM lets you use keys held in a supported key manager to secure your Google Cloud resources. You connect to your EKM over a Virtual Private Cloud (VPC). Some Google Cloud services that support Cloud KMS keys don't support Cloud EKM keys.

To learn more about which Cloud KMS locations support which protection levels, see Cloud KMS locations.

Cloud KMS keys

You can use your Cloud KMS keys in custom applications using the Cloud KMS client libraries or Cloud KMS API. The client libraries and API let you encrypt and decrypt data, sign data, and validate signatures.

Customer-supplied encryption keys (CSEKs)

Cloud Storage and Compute Engine can use customer-supplied encryption keys (CSEKs). With customer-supplied encryption keys, you store the key material and provide it to Cloud Storage or Compute Engine when needed. Google Cloud does not store your CSEKs in any way.

Confidential Computing

In Compute Engine, GKE, and Dataproc, you can use the Confidential Computing platform to encrypt your data-in-use. Confidential Computing ensures that your data stays private and encrypted even while it's being processed.