Within a project, Cloud Key Management Service resources can be created in one of many
locations. These represent the geographical regions where
requests to Cloud KMS regarding a given resource are handled, and
where the corresponding cryptographic keys are stored. You should consider the
network performance implications of the location you choose to host
Cloud KMS resources.
Types of locations for Cloud KMS
There are four types of locations where you can create Cloud KMS resources.
Regional locations: A regional location consists of zones in a specific geographical place, such as Iowa.
Dual-regional locations: A dual-regional location consists of zones in two specific geographical places, such as Iowa and South Carolina. Dual-region locations are only supported for use with Cloud Storage resources.
Multi-regional locations: A multi-regional location consists of zones spread across a general geographical area, such as the United States.
The global location: There is a special multi-regional location for Cloud KMS resources called "global". When created in the global location, your Cloud KMS resources are available from zones spread around the world.
Interactions with resources in a location close to you are more likely to be fast and reliable. Choose a specific region if the users and services that depend on a Cloud KMS resource are geographically concentrated. Remember that users and services who are far away from the location chosen may experience higher latency.
When you use dual-regional locations, multi-regional locations, or the global
location, read operations, like
will be served by a data center close to the requesting user or service.
However, write operations, like
must propagate to multiple data centers when performed on multi-region or
global resources, and will be slower as a result. If your usage of
Cloud KMS involves many read operations from users and services
around the world, or involves very few write operations, consider creating
dual-region, multi-region, or global resources.
Cloud KMS resources can be created in the following regional locations:
|Region name||Region description||Cloud HSM available||Cloud EKM available|
Dual-regional locations are only supported for use with Cloud Storage resources.
Cloud KMS resources can be created in the following dual-regional locations:
|Dual-region name||Dual-region description||Cloud HSM available||Cloud EKM available|
||Finland and Netherlands||No||Yes|
||Iowa and South Carolina||No||Yes|
Cloud KMS resources can be created in the following multi-regional locations:
|Multi-region name||Multi-region description||Cloud HSM available||Cloud EKM available|
Determining available regions
gcloud kms locations list
In the output from the command, the
HSM_AVAILABLE column indicates whether
the location supports Cloud HSM.
The response from these methods contains an
hsmAvailable field, a
bool that indicates whether the
location supports Cloud HSM.
Locations and CMEK integrations
If you use customer-managed encryption key (CMEK) integrations in other Google Cloud services, the locations you use for the services must match the locations of your Cloud KMS, Cloud HSM, or Cloud External Key Manager keys exactly. This applies to regional, dual-regional, and multi-regional locations.
For more information about CMEK integrations, see the relevant section of Encryption at rest.
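As an added example (not from the original page or from Google's tooling), here is a pre-deployment check for the exact-match rule above: it extracts the location from a Cloud KMS key resource name and compares it with the location of the resource the key would protect. The plan structure, the function names and all sample values are assumptions, as is the case-insensitive comparison.

```python
import re

# Layout of a Cloud KMS key resource name (an optional version suffix is allowed).
KEY_NAME_RE = re.compile(
    r"^projects/[^/]+/locations/(?P<location>[^/]+)"
    r"/keyRings/[^/]+/cryptoKeys/[^/]+(?:/cryptoKeyVersions/[^/]+)?$"
)


def key_location(key_name):
    """Return the location segment of a Cloud KMS key resource name."""
    m = KEY_NAME_RE.match(key_name.strip())
    if m is None:
        raise ValueError(f"not a Cloud KMS key resource name: {key_name!r}")
    return m.group("location")


def check_cmek_location(resource_location, key_name):
    """Return (ok, reason); the resource and key locations must be identical."""
    try:
        key_loc = key_location(key_name)
    except ValueError as exc:
        return False, str(exc)
    # Assumption: compare case-insensitively, since a service may report its
    # location in upper case while Cloud KMS location IDs are lower case.
    if resource_location.strip().lower() == key_loc.lower():
        return True, f"match ({key_loc})"
    return False, f"resource in {resource_location!r}, key in {key_loc!r}"


def audit(plan):
    """Return names of planned resources whose CMEK key location differs."""
    return [r["name"] for r in plan
            if not check_cmek_location(r["location"], r["kms_key"])[0]]


# Constructed sample plan; project, key ring, key and resource names are placeholders.
REGIONAL_KEY = "projects/example-proj/locations/us-central1/keyRings/r1/cryptoKeys/k1"
SAMPLE_PLAN = [
    {"name": "bucket-a", "location": "US-CENTRAL1", "kms_key": REGIONAL_KEY},  # match
    {"name": "bucket-b", "location": "US", "kms_key": REGIONAL_KEY},  # multi-region vs region
    {"name": "dataset-c", "location": "europe-west1", "kms_key": REGIONAL_KEY},  # other region
    {"name": "disk-d", "location": "us-central1", "kms_key": "k1"},  # not a full key name
]

if __name__ == "__main__":
    for r in SAMPLE_PLAN:
        print(r["name"], *check_cmek_location(r["location"], r["kms_key"]))
```

Running `audit` over a deployment plan before applying it surfaces mismatched key locations at review time.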