This topic compares the different protection levels supported in Cloud KMS:
- Software: Cloud KMS keys with the SOFTWARE protection level are used for cryptographic operations that are performed in software. Cloud KMS keys can be generated by Google or imported.
- Hardware: Cloud HSM keys with the HARDWARE protection level are stored in a Google-owned Hardware Security Module (HSM). Cryptographic operations using these keys are performed in our HSMs. You can use Cloud HSM keys the same way you use Cloud KMS keys. Cloud HSM keys can be generated by Google or imported.
- External via internet: Cloud EKM keys with the EXTERNAL protection level are generated and stored in your external key management (EKM) system. Cloud EKM stores additional cryptographic material and a path to your unique key, which is used to access your key over the internet.
- External via VPC: Cloud EKM keys with the EXTERNAL_VPC protection level are generated and stored in your external key management (EKM) system. Cloud EKM stores additional cryptographic material and a path to your unique key, which is used to access your key over a virtual private cloud (VPC) network.
Keys with all of these protection levels share the following features:
- Use your keys for customer-managed encryption key (CMEK) integrated Google Cloud services.
- Use your keys with the Cloud KMS APIs or client libraries, without any specialized code based on the protection level of the key.
- Control access to your keys using Identity and Access Management (IAM) roles.
- Control whether each key version is Enabled or Disabled from Cloud KMS.
- Key operations are captured in audit logs. Data access logging can be enabled.
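Because the audit trail is the one feature that behaves identically across all four protection levels, it is also the natural place to watch for misuse of a key. The following is an added example, not part of this documentation or of any Google library: it scans newline-delimited Cloud Audit Log entries for the cloudkms.googleapis.com service and flags key-state or IAM changes (Admin Activity log), key-use calls such as Decrypt made by a principal that is not on a per-key allowlist, and calls that failed with a non-zero status (Data Access log, which must be enabled). The log entries, project name, key names and principals are constructed sample data; the field names follow the AuditLog payload shape (protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, protoPayload.resourceName, protoPayload.status.code).

```python
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# KMS RPCs that change a key's state, primary version, imported material or IAM policy.
# These are written to the Admin Activity audit log, which is always on.
ADMIN_METHODS = {
    "DestroyCryptoKeyVersion",
    "UpdateCryptoKeyVersion",
    "UpdateCryptoKeyPrimaryVersion",
    "ImportCryptoKeyVersion",
    "SetIamPolicy",
}

# RPCs that use key material to decrypt or sign. These only appear in the Data Access
# audit log, so the scanner sees them only if Data Access logging is enabled for Cloud KMS.
USE_METHODS = {"Decrypt", "AsymmetricDecrypt", "AsymmetricSign", "MacSign", "RawDecrypt"}


@dataclass(frozen=True)
class Finding:
    kind: str        # "admin-operation", "unexpected-principal" or "denied"
    method: str      # short RPC name, e.g. "Decrypt"
    principal: str
    resource: str


def key_of(resource_name: str) -> str:
    """Map a cryptoKeyVersion resource name back to its parent cryptoKey."""
    return resource_name.split("/cryptoKeyVersions/")[0]


def scan(log_lines: Iterable[str], allowed: Dict[str, Set[str]]) -> List[Finding]:
    """Scan newline-delimited audit log entries.

    `allowed` maps a cryptoKey resource name to the principals expected to use it.
    """
    findings: List[Finding] = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "cloudkms.googleapis.com":
            continue  # entries from other services are ignored
        # methodName is fully qualified; keep only the RPC name after the last dot.
        method = payload.get("methodName", "").rsplit(".", 1)[-1]
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        resource = payload.get("resourceName", "")

        # A non-zero gRPC status code means the call failed (7 is PERMISSION_DENIED).
        # A failed key operation is worth reviewing regardless of who made it.
        if payload.get("status", {}).get("code", 0) != 0:
            findings.append(Finding("denied", method, principal, resource))
            continue
        if method in ADMIN_METHODS:
            findings.append(Finding("admin-operation", method, principal, resource))
        elif method in USE_METHODS and principal not in allowed.get(key_of(resource), set()):
            findings.append(Finding("unexpected-principal", method, principal, resource))
    return findings


# Constructed sample data (hypothetical project "demo-proj", key "db-key" and principals).
DB_KEY = "projects/demo-proj/locations/us-east1/keyRings/app-ring/cryptoKeys/db-key"
ALLOWED = {DB_KEY: {"db-app@demo-proj.iam.gserviceaccount.com"}}

SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    # 1. Expected decrypt by the allowlisted service account: no finding.
    {"logName": "projects/demo-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "cloudkms.googleapis.com",
                      "methodName": "google.cloud.kms.v1.KeyManagementService.Decrypt",
                      "resourceName": DB_KEY,
                      "authenticationInfo": {"principalEmail": "db-app@demo-proj.iam.gserviceaccount.com"}}},
    # 2. Decrypt by a user account that is not on the allowlist.
    {"logName": "projects/demo-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "cloudkms.googleapis.com",
                      "methodName": "google.cloud.kms.v1.KeyManagementService.Decrypt",
                      "resourceName": DB_KEY,
                      "authenticationInfo": {"principalEmail": "intern@example.com"}}},
    # 3. Key version state change (Admin Activity log).
    {"logName": "projects/demo-proj/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "cloudkms.googleapis.com",
                      "methodName": "google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion",
                      "resourceName": DB_KEY + "/cryptoKeyVersions/3",
                      "authenticationInfo": {"principalEmail": "kms-admin@example.com"}}},
    # 4. Decrypt that was refused by IAM.
    {"logName": "projects/demo-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "cloudkms.googleapis.com",
                      "methodName": "google.cloud.kms.v1.KeyManagementService.Decrypt",
                      "resourceName": DB_KEY,
                      "authenticationInfo": {"principalEmail": "web-app@demo-proj.iam.gserviceaccount.com"},
                      "status": {"code": 7, "message": "PERMISSION_DENIED"}}},
    # 5. An entry from another service, which the scanner skips.
    {"logName": "projects/demo-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "storage.googleapis.com",
                      "methodName": "storage.objects.get",
                      "resourceName": "projects/_/buckets/demo-bucket/objects/x",
                      "authenticationInfo": {"principalEmail": "intern@example.com"}}},
])


def demo() -> List[Finding]:
    return scan(SAMPLE_LOG.splitlines(), ALLOWED)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:22} {f.method:28} {f.principal:45} {f.resource}")
```

On the constructed sample the scanner reports three findings: the decrypt by intern@example.com, the UpdateCryptoKeyVersion on version 3, and the denied decrypt by web-app. The allowlist is keyed by cryptoKey rather than cryptoKeyVersion because Decrypt is logged against the key (the primary version is chosen server-side), while state changes are logged against a specific version; key_of() normalises both to the key.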
Software protection level
Cloud KMS uses the BoringCrypto module (BCM) for all cryptographic operations for software keys. The BCM is FIPS 140-2 validated. Cloud KMS software keys use FIPS 140-2 Level 1–validated Cryptographic Primitives of the BCM.
Software key versions are much cheaper than hardware or external key versions. Software keys are a good choice for use cases that do not have specific regulatory requirements for a higher FIPS 140-2 validation level.
Hardware protection level
Cloud HSM helps you enforce regulatory compliance for your workloads in Google Cloud. With Cloud HSM, you can generate encryption keys and perform cryptographic operations in FIPS 140-2 Level 3-validated HSMs. The service is fully managed, so you can protect your most sensitive workloads without worrying about the operational overhead of managing an HSM cluster. Cloud HSM provides a layer of abstraction on top of the HSM modules. This abstraction lets you use your keys in CMEK integrations, or through the Cloud KMS APIs or client libraries, without HSM-specific code.
Hardware key versions are more expensive, but they provide substantial security benefits relative to software keys. Each Cloud HSM key has an attestation statement that contains certified information about your key. This attestation and its associated certificate chains can be used to verify the authenticity of the statement and attributes of the key and HSM.
External protection levels
Cloud External Key Manager (Cloud EKM) keys are keys that you manage in a supported external key management (EKM) partner service and use in Google Cloud services and Cloud KMS APIs and client libraries. Cloud EKM keys can be software-backed or hardware-backed, depending on your EKM provider. You can use your Cloud EKM keys in CMEK-integrated services or using the Cloud KMS APIs and client libraries.
Cloud EKM key versions are more expensive than Google-hosted software or hardware key versions. When you use Cloud EKM keys, you can be sure that Google can't access your key material.
To see which CMEK-integrated services support Cloud EKM keys, see CMEK integrations and apply the Show only EKM compatible services filter.
External via internet protection level
You can use Cloud EKM keys over the internet in all locations supported by Cloud KMS except nam-eur-asia1 and global.
External via VPC protection level
You can use Cloud EKM keys over a VPC network for better availability of your external keys. Using a VPC network reduces the chance that your Cloud EKM keys, and the resources they protect, become unavailable.
You can use Cloud EKM keys over a VPC network in all regional locations supported by Cloud KMS. Cloud EKM over a VPC network is not available in multi-region locations.
What's next
- Learn about compatible services that let you use your keys in Google Cloud.
- Learn how to create key rings and create encryption keys.
- Learn about importing software or hardware keys.
- Learn about external keys.
- Learn about other considerations for using Cloud EKM.