Cloud KMS locations

Within a project, Cloud Key Management Service resources can be created in one of many locations. These represent the geographical regions where a Cloud KMS resource is stored and can be accessed. A key's location impacts the performance of applications using the key. Some resources, such as Cloud HSM keys, are not available in every location.

Key material for Cloud KMS and Cloud HSM keys is confined to the selected region while at rest and in use.

The following tables list the locations available in Cloud KMS, grouped by part of the world. Each row gives the location's type, a description of where it is, and whether Cloud HSM and Cloud EKM are available there:

Americas

| Location name | Location type | Location description | Cloud HSM available | Cloud EKM available |
|---|---|---|---|---|
| ca | Multi-region | Multiple regions in Canada | No | Yes |
| nam3 | Multi-region | Northern Virginia and South Carolina | Yes | Via internet only |
| nam4 | Multi-region | Iowa, South Carolina, and Oklahoma | Yes | Via internet only |
| nam6 | Multi-region | Iowa and South Carolina | Yes | Via internet only |
| nam7 | Multi-region | Iowa, Northern Virginia, and Oklahoma | Yes | Via internet only |
| nam8 | Multi-region | Los Angeles, Oregon, and Salt Lake City | Yes | Via internet only |
| nam9 | Multi-region | Northern Virginia and Iowa | Yes | Via internet only |
| nam10 | Multi-region | Iowa, Salt Lake City, and Oklahoma | Yes | Via internet only |
| nam11 | Multi-region | Iowa, South Carolina, and Oklahoma | Yes | Via internet only |
| nam12 | Multi-region | Iowa, Northern Virginia, Oklahoma, and Oregon | Yes | Via internet only |
| northamerica-northeast1 | Region | Montréal | Yes | Yes |
| northamerica-northeast2 | Region | Toronto | Yes | Yes |
| southamerica-east1 | Region | São Paulo | Yes | Yes |
| southamerica-west1 | Region | Santiago | Yes | Yes |
| us | Multi-region | Multiple regions in the United States | Yes | Via internet only |
| us-central1 | Region | Iowa | Yes | Yes |
| us-east1 | Region | South Carolina | Yes | Yes |
| us-east4 | Region | Northern Virginia | Yes | Yes |
| us-east5 | Region | Columbus | Yes | Yes |
| us-west1 | Region | Oregon | Yes | Yes |
| us-west2 | Region | Los Angeles | Yes | Yes |
| us-west3 | Region | Salt Lake City | Yes | Yes |
| us-west4 | Region | Las Vegas | Yes | Yes |
| us-south1 | Region | Dallas | Yes | Yes |

Europe and Middle East

| Location name | Location type | Location description | Cloud HSM available | Cloud EKM available |
|---|---|---|---|---|
| africa-south1 | Region | Johannesburg | No | Yes |
| eur3 | Multi-region | Belgium and Netherlands | Yes | Via internet only |
| eur4 | Multi-region | Finland, Netherlands, and Belgium | Yes | Via internet only |
| eur5 | Multi-region | London, Netherlands, and Belgium | Yes | Via internet only |
| eur6 | Multi-region | Netherlands, Frankfurt, and Zürich | Yes | Via internet only |
| europe | Multi-region | Multiple regions in the European Union [1] | Yes | Via internet only |
| europe-central2 | Region | Warsaw | Yes | Yes |
| europe-north1 | Region | Finland | Yes | Yes |
| europe-southwest1 | Region | Madrid | Yes | Yes |
| europe-west1 | Region | Belgium | Yes | Yes |
| europe-west2 | Region | London | Yes | Yes |
| europe-west3 | Region | Frankfurt | Yes | Yes |
| europe-west4 | Region | Netherlands | Yes | Yes |
| europe-west6 | Region | Zürich | Yes | Yes |
| europe-west8 | Region | Milan | Yes | Yes |
| europe-west9 | Region | Paris | Yes | Yes |
| europe-west10 | Region | Berlin | Yes | Yes |
| europe-west12 | Region | Turin | Yes | Yes |
| it | Multi-region | Multiple regions in Italy | No | Via internet only |
| me-central1 | Region | Doha | Yes | Yes |
| me-central2 | Region | Dammam | Yes | Yes |
| me-west1 | Region | Tel Aviv | Yes | Yes |

[1] Resources created in the europe multi-region are not stored in the europe-west2 (London) or europe-west6 (Zürich) data centers.

Asia-Pacific

| Location name | Location type | Location description | Cloud HSM available | Cloud EKM available |
|---|---|---|---|---|
| asia | Multi-region | Multiple regions in Asia | Yes | Via internet only |
| asia1 | Multi-region | Tokyo, Osaka, and Seoul | Yes | Via internet only |
| in | Multi-region | Multiple regions in India | Yes | Yes |
| asia-east1 | Region | Taiwan | Yes | Yes |
| asia-east2 | Region | Hong Kong | Yes | Yes |
| asia-northeast1 | Region | Tokyo | Yes | Yes |
| asia-northeast2 | Region | Osaka | Yes | Yes |
| asia-northeast3 | Region | Seoul | Yes | Yes |
| asia-south1 | Region | Mumbai | Yes | Yes |
| asia-south2 | Region | Delhi | Yes | Yes |
| asia-southeast1 | Region | Singapore | Yes | Yes |
| asia-southeast2 | Region | Jakarta | Yes | Yes |
| au | Multi-region | Multiple regions in Australia | No | Yes |
| australia-southeast1 | Region | Sydney | Yes | Yes |
| australia-southeast2 | Region | Melbourne | Yes | Yes |

Worldwide

| Location name | Location type | Location description | Cloud HSM available | Cloud EKM available |
|---|---|---|---|---|
| global | global | | Yes | No |
| nam-eur-asia1 | Multi-region | North America, Europe, and Asia (Iowa, Oklahoma, Belgium, and Taiwan) | Yes | No |

Types of locations for Cloud KMS

You can create Cloud KMS, Cloud HSM, and Cloud EKM resources in different types of locations in Google Cloud, depending on your availability requirements. Locations are added regularly. For specific information about each location, see Locations.

You can learn more about choosing the best type of location.

The following location types are available to Cloud KMS:

  • Regional locations: A regional location's data centers exist in a specific geographical place. For example, a resource created in the us-central1 region is located in the central United States.
  • Multi-regional locations: A multi-regional location's data centers are spread across a large geographical area. For example, a resource created in the europe multi-region persists in multiple data centers within the European Union. You can't choose which data centers within the multi-region will contain your data.
  • The global location: The global location is a special multi-region. Its data centers are spread throughout the world. You can't choose which data centers within the global multi-region will contain your data.

Choosing the best type of location

As a rule, design your application so that all of its components are geographically near each other and near your application's clients. The location of your keys is an important aspect of your application's design. After creation, a key cannot be moved or exported.

When using a multi-regional location, such as the europe multi-region, resources persist in multiple data centers spread across the multi-region. Creating and updating keys in multi-regional locations, including the global location, might be less efficient than using a single-region location. For more information, see Reading from and writing to multi-region locations.

Use the global location if all of the following are true:

  • Your application's components are distributed globally.
  • You have infrequent reads or writes but use other cryptographic operations frequently.
  • Your keys have no geographic residency requirements.
  • You aren't using external keys.

For Customer-Managed Encryption Keys (CMEK) integrations, you must use exactly the same location as the other resources involved in the integration. Some CMEK integrations don't support the global location. For more information about CMEK integrations, see Customer-managed encryption keys (CMEK).

Cloud EKM resources rely on connectivity between Google Cloud and an external key management service, outside of Google Cloud. For Cloud External Key Manager resources, select a location geographically as near as possible to the location where keys are stored on the external key management service.

Cloud HSM depends on the availability of physical hardware in a location's data centers. For Cloud HSM resources, select a location that supports Cloud HSM.

Cloud HSM resources have location-specific quotas. Cloud KMS quotas are global.

Multi-regional locations have separate quotas, independent of the quotas for single-region locations. For example, to create Cloud HSM resources in the eur5 multi-region, you must have HSM quota in eur5, even if you already have quota in the single regions that participate in eur5, such as europe-west2.

Reading from and writing to multi-region locations

Reading and writing resources or associated metadata in multi-regional locations, including the global location, may be slower than reading or writing from a single region.

  • When you create or read key versions, consensus is always required among the data centers storing the key material. Reads and writes to a single region are often more efficient than those to a multi-regional location.
  • When you perform cryptographic operations, such as when encrypting or decrypting data, consensus is not required. For cryptographic operations, multi-regional locations perform similarly to single-region locations.
  • When you store your keys in a location or locations geographically near the data they protect or validate, cryptographic operations are usually more efficient.

The trade-offs between performance and availability are unique to each application. Multi-region locations, including global, are best suited for read-heavy workloads.

Determining available regions

You can use the Google Cloud CLI or Cloud Key Management Service API to get a list of available regions.

gcloud

gcloud kms locations list

In the output from the command, the HSM_AVAILABLE column indicates whether the location supports Cloud HSM. The EKM_AVAILABLE column indicates whether the location supports Cloud External Key Manager. Note that EKM via VPC keys are currently only available in regional locations.

API

Use the Locations.get and Locations.list methods.

The responses from both of these methods include boolean fields related to a location's capabilities:

  • If a location supports Cloud HSM keys, hsmAvailable is true.

  • If a location supports Cloud EKM keys, ekmAvailable is true. Note that EKM via VPC keys are currently only available in regional locations.
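A small location selector, as an added example (not Google's code): it consumes the JSON that `gcloud kms locations list --format=json` prints, reads the same hsmAvailable and ekmAvailable booleans described above, and picks only locations that are inside a residency allow-list and support the key type you need. The sample records, the allow-list and the assumption that an absent flag means "not supported" are constructed for this example.

```python
"""Choose a Cloud KMS location that meets HSM/EKM and data-residency needs.

Added example, not from the Cloud KMS documentation. It consumes the JSON that
`gcloud kms locations list --format=json` prints; its metadata carries the same
hsmAvailable / ekmAvailable booleans that Locations.list returns.
"""
import json

# Constructed sample of the gcloud JSON output (other fields such as "name"
# are omitted). Availability values mirror the tables above.
SAMPLE_LOCATIONS_JSON = json.dumps([
    {"locationId": "global", "metadata": {"hsmAvailable": True, "ekmAvailable": False}},
    {"locationId": "ca", "metadata": {"hsmAvailable": False, "ekmAvailable": True}},
    {"locationId": "it", "metadata": {"hsmAvailable": False, "ekmAvailable": True}},
    {"locationId": "eur5", "metadata": {"hsmAvailable": True, "ekmAvailable": True}},
    {"locationId": "europe-west2", "metadata": {"hsmAvailable": True, "ekmAvailable": True}},
    {"locationId": "us-east1", "metadata": {"hsmAvailable": True, "ekmAvailable": True}},
    {"locationId": "example-region1"},  # no metadata at all: treat as unsupported
])

def load_locations(raw_json: str) -> dict:
    """Map locationId -> capability flags; an absent flag is read as False."""
    caps = {}
    for loc in json.loads(raw_json):
        meta = loc.get("metadata") or {}
        caps[loc["locationId"]] = {
            "hsm": bool(meta.get("hsmAvailable", False)),
            "ekm": bool(meta.get("ekmAvailable", False)),
        }
    return caps

def select_locations(caps: dict, allowed: set, need_hsm: bool, need_ekm: bool) -> list:
    """Locations in the residency allow-list that also satisfy HSM/EKM needs.

    `allowed` is your policy boundary (e.g. the EU locations you may use). Keys
    cannot be moved after creation, so run this filter before creating them.
    """
    return sorted(
        loc_id for loc_id, f in caps.items()
        if loc_id in allowed
        and (f["hsm"] or not need_hsm)
        and (f["ekm"] or not need_ekm)
    )

if __name__ == "__main__":
    caps = load_locations(SAMPLE_LOCATIONS_JSON)
    eu_policy = {"europe-west2", "europe-west3", "eur5", "it"}  # constructed allow-list
    print(select_locations(caps, eu_policy, need_hsm=True, need_ekm=False))
```

Replace SAMPLE_LOCATIONS_JSON with the real gcloud output for your project to get a current answer; the allow-list, not the availability data, is what encodes your residency policy.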

What's next