Cloud KMS locations

Within a project, Cloud Key Management Service resources can be created in one of many locations. These represent the geographical regions where requests to Cloud KMS regarding a given resource are handled, and where the corresponding cryptographic keys are stored. Consider the network performance implications of the location you choose for hosting Cloud KMS resources.

Types of locations for Cloud KMS

There are four types of locations where you can create Cloud KMS resources.

  • Regional locations: A regional location consists of zones in a specific geographical place, such as Iowa.

  • Dual-regional locations: A dual-regional location consists of zones in two specific geographical places, such as Iowa and South Carolina. Dual-region locations are only supported for use with Cloud Storage resources.

  • Multi-regional locations: A multi-regional location consists of zones spread across a general geographical area, such as the United States.

  • The global location: There is a special multi-regional location for Cloud KMS resources called "global". When created in the global location, your Cloud KMS resources are available from zones spread around the world.

Interactions with resources in a location close to you are more likely to be fast and reliable. Choose a specific region if the users and services that depend on a Cloud KMS resource are geographically concentrated. Remember that users and services that are far away from the chosen location may experience higher latency.

When you use dual-regional locations, multi-regional locations, or the global location, read operations, like keyRings.list, are served by a data center close to the requesting user or service. However, write operations, like keyRings.create, must propagate to multiple data centers when performed on multi-regional or global resources, and are slower as a result. If your usage of Cloud KMS involves many read operations from users and services around the world, or involves very few write operations, consider creating dual-regional, multi-regional, or global resources.

Regional locations

Cloud KMS resources can be created in the following regional locations:

| Region name | Region description | Cloud HSM available | Cloud EKM available |
| --- | --- | --- | --- |
| Asia Pacific | | | |
| asia-east1 | Taiwan | Yes | Yes |
| asia-east2 | Hong Kong | Yes | Yes |
| asia-northeast1 | Tokyo | Yes | Yes |
| asia-northeast2 | Osaka | Yes | Yes |
| asia-south1 | Mumbai | Yes | Yes |
| asia-southeast1 | Singapore | Yes | Yes |
| australia-southeast1 | Sydney | Yes | Yes |
| Europe | | | |
| europe-north1 | Finland | Yes | Yes |
| europe-west1 | Belgium | Yes | Yes |
| europe-west2 | London | Yes | Yes |
| europe-west3 | Frankfurt | Yes | Yes |
| europe-west4 | Netherlands | Yes | Yes |
| europe-west6 | Zürich | Yes | Yes |
| North America | | | |
| northamerica-northeast1 | Montréal | Yes | Yes |
| us-central1 | Iowa | Yes | Yes |
| us-east1 | South Carolina | Yes | Yes |
| us-east4 | Northern Virginia | Yes | Yes |
| us-west1 | Oregon | Yes | Yes |
| us-west2 | Los Angeles | Yes | Yes |
| South America | | | |
| southamerica-east1 | São Paulo | Yes | Yes |

Dual-regional locations

Dual-regional locations are only supported for use with Cloud Storage resources.

Cloud KMS resources can be created in the following dual-regional locations:

| Dual-region name | Dual-region description | Cloud HSM available | Cloud EKM available |
| --- | --- | --- | --- |
| eur4 | Finland and Netherlands | No | Yes |
| nam4 | Iowa and South Carolina | No | Yes |

Multi-regional locations

Cloud KMS resources can be created in the following multi-regional locations:

| Multi-region name | Multi-region description | Cloud HSM available | Cloud EKM available |
| --- | --- | --- | --- |
| global | Global | No | Yes |
| asia | Asia Pacific | Yes | Yes |
| europe | Europe | Yes | Yes |
| us | United States | Yes | Yes |

Determining available regions

gcloud

gcloud kms locations list

In the output from the command, the HSM_AVAILABLE column indicates whether the location supports Cloud HSM.

API

Use the Locations.get and Locations.list methods.

The response from these methods contains an hsmAvailable field. The hsmAvailable field is a bool that indicates whether the location supports Cloud HSM.

Locations and CMEK integrations

If you use customer-managed encryption key (CMEK) integrations in other Google Cloud services, the locations you use for the services must match the locations of your Cloud KMS, Cloud HSM, or Cloud External Key Manager keys exactly. This applies to regional, dual-regional, and multi-regional locations.

For more information about CMEK integrations, see the relevant section of Encryption at rest.
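
The exact-match rule above can be checked before a CMEK-protected resource is deployed. The following Python check is an added example, not code from the Cloud KMS documentation: it extracts the location from a CryptoKey resource name, compares it with the location of the resource to be encrypted, and flags a Cloud HSM requirement in a location that this page lists without Cloud HSM. The function names, the sample project and key names, and the case-insensitive comparison are assumptions made for illustration.

```python
import re

# Locations that the tables on this page list with "Cloud HSM available: No".
NO_HSM_LOCATIONS = {"global", "eur4", "nam4"}

# CryptoKey resource name:
# projects/<project>/locations/<location>/keyRings/<ring>/cryptoKeys/<key>
KEY_NAME_RE = re.compile(
    r"^projects/[^/]+/locations/(?P<location>[^/]+)"
    r"/keyRings/[^/]+/cryptoKeys/[^/]+$"
)


def key_location(key_name):
    """Return the lower-cased location segment of a CryptoKey resource name."""
    match = KEY_NAME_RE.match(key_name)
    if match is None:
        raise ValueError(f"not a CryptoKey resource name: {key_name!r}")
    return match.group("location").lower()


def check_cmek(resource_location, key_name, needs_hsm=False):
    """Return a list of problems; an empty list means the pairing passes."""
    problems = []
    key_loc = key_location(key_name)
    # Assumption: compare case-insensitively, since a service may report
    # its location in upper case (for example "NAM4").
    res_loc = resource_location.strip().lower()
    if key_loc != res_loc:
        # A multi-region key ("us") does not satisfy a regional resource
        # ("us-central1"): the locations must match exactly.
        problems.append(
            f"location mismatch: resource in {res_loc!r}, key in {key_loc!r}"
        )
    if needs_hsm and key_loc in NO_HSM_LOCATIONS:
        problems.append(f"Cloud HSM is not available in {key_loc!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; project, key ring and key names are made up.
    base = "projects/example-proj/locations/{}/keyRings/ring/cryptoKeys/key"
    samples = [
        ("us-central1", base.format("us-central1"), False),
        ("us-central1", base.format("us"), False),
        ("NAM4", base.format("nam4"), True),
    ]
    for resource_loc, key, hsm in samples:
        print(resource_loc, key_location(key), check_cmek(resource_loc, key, hsm))
```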

More about locations

  • For more information about building applications to meet your latency, availability and durability requirements, see Geography and Regions.
  • For more information about Google Cloud locations and data centers, see Cloud Locations.