This page documents production updates to Cloud Key Management Service. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.
Current version: v1
You can see the latest product updates for all of Google Cloud on the Google Cloud release notes page.
To get the latest product updates delivered to you, add the URL of this page to your
feed
reader, or add the feed URL directly: https://cloud.google.com/feeds/kms-release-notes.xml
July 14, 2020
Cloud HSM resources are available in the us-west4
and asia-southeast2
regions. Cloud KMS resources were already available in these regions.
For information about which Cloud Locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, see the Cloud KMS regional locations.
June 22, 2020
June 08, 2020
Cloud KMS and Cloud EKM resources are available in the asia-southeast2
region. Cloud HSM resources are not available in this region.
For information about which Cloud Locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, see the Cloud KMS regional locations.
May 28, 2020
Several fields related to data integrity have been added to the Cloud KMS API, along with guidelines for using them. To learn more about maintaining data integrity when performing cryptographic operations, see Verifying end-to-end data integrity.
April 20, 2020
Cloud KMS and Cloud EKM resources are available in the us-west4
region. Cloud HSM resources are not available in this region.
Cloud HSM resources are available in the global
multi-regional location.
For information about which Cloud Locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, see the Cloud KMS regional locations.
April 15, 2020
Cloud External Key Manager (Cloud EKM) is generally available.
March 18, 2020
Importing keys into Cloud KMS software keys is generally available (GA).
March 05, 2020
Cloud EKM resources are now available in the asia-northeast3
and us-west3
locations.
February 25, 2020
Cloud KMS resources can now be created in the us-west3
region.
Cloud HSM resources are now also available in the us-west3
region.
Cloud EKM resources are not available in the us-west3
region.
For information about which Cloud Locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, refer to Cloud KMS locations.
February 20, 2020
You can now import key material into Cloud KMS software keys. For more information, see Key import. Importing key material into Cloud HSM keys is already generally available.
January 24, 2020
Cloud KMS resources can now be created in the asia-northeast3
region.
Cloud HSM resources are now also available in the asia-northeast3
region.
Learn more about Cloud Locations. For the list of all regions supported by Cloud KMS, Cloud HSM, and Cloud EKM, see the Cloud KMS regional locations.
December 17, 2019
Cloud External Key Manager (Cloud EKM) (Beta) allows you to encrypt data stored in Google Cloud using keys stored in a supported partner external key management system. You can encrypt or decrypt data in BigQuery, Compute Engine persistent disks, or directly using the Cloud KMS API.
You can learn about changes to the API since the Alpha release.
August 22, 2019
The Cryptographic Requests quota has been increased from 600 QPM to 60,000 QPM. If you use quotas to determine how much you are billed, this change could increase the amount you end up spending on your Cloud KMS.
If you require a smaller quota than 60,000 QPM, or you don't need a quota increase, go to the Cloud Console Quotas page and set a new value for Cryptographic requests per minute. HSM specific quotas will not be increased.
July 02, 2019
The gcloud beta kms import-jobs
command group was released as part of gcloud 253.0.0
.
July 01, 2019
Introduction of import key functionality into the Cloud KMS beta release.
The following are additions to the API definition.
New resources
ImportJob
has been added as a resource.
The ImportJob
resource contains the following methods:
ImportJobs.create
ImportJobs.get
ImportJobs.getIamPolicy
ImportJobs.list
ImportJobs.setIamPolicy
ImportJobs.testIamPermissions
The ImportJob
resource contains the following enums:
The ImportJob
resource contains the following type:
New methods
New fields
CreateCryptoKeyRequest.skip_initial_version_creation
CryptoKeyVersions.import_failure_reason
CryptoKeyVersions.import_job
CryptoKeyVersions.import_time
New enums
New permissions
cloudkms.cryptoKeyVersions.useToImport
cloudkms.importJobs.create
cloudkms.importJobs.get
cloudkms.importJobs.getIamPolicy
cloudkms.importJobs.list
cloudkms.importJobs.setIamPolicy
For more information about Cloud KMS permissions, see Permissions and roles.
June 28, 2019
Cloud HSM resources are now available in the following regional locations:
asia-east2
europe-west6
us-west2
For the list of all supported regions, see Supported regions.
June 27, 2019
Introduction of the Cloud KMS beta release to support filtering and sorting results from the following list
operations.
For more information, see Sorting and filtering list results.
June 20, 2019
Cloud HSM resources are now available in the following regional locations:
asia-northeast1
asia-northeast2
For the list of all supported regions, see Supported regions.
June 11, 2019
The gcloud kms
command group was updated as part of gcloud 250.0.0.
- Promoted the following commands to GA.
gcloud kms asymmetric-decrypt
.gcloud kms asymmetric-sign
.gcloud kms keys versions get-public-key
.
- Promoted the following flags in
gcloud kms keys
command group to GA.--attestation-file
.--default-algorithm
.--purpose
.--protection-level
.
June 04, 2019
Cloud HSM resources are now available in the following regional locations:
asia-south1
europe-north1
europe-west1
europe-west4
For the list of all supported regions, see Supported regions for Cloud HSM.
May 13, 2019
Cloud HSM resources are now available in the us
multi-regional location. For the list of all supported regions, see Supported regions for Cloud HSM.
April 18, 2019
Cloud KMS resources can now be created in the asia-northeast2
region. Learn more about Cloud Locations.
April 02, 2019
Cloud HSM resources are now available in the asia-southeast
1 regional location. For the list of all supported regions, see Supported regions for Cloud HSM.
March 11, 2019
Cloud KMS resources can now be created in the europe-west6
region. Learn more about Cloud Locations.
February 26, 2019
CAVIUM_V2_COMPRESSED
has been added as an enum value to AttestationFormat
. To learn how to verify an attestation that is in the CAVIUM_V2_COMPRESSED
format, see Verifying Attestations.
December 14, 2018
Announced general availability of asymmetric keys and Cloud HSM in Cloud KMS.
December 13, 2018
Cloud HSM resources are now available in the europe-west3
regional location. For the list of all supported regions, see Supported regions for Cloud HSM.
December 06, 2018
Cloud HSM resources are now available in the europe-west2
regional location. For the list of all supported regions, see Supported regions for Cloud HSM.
November 12, 2018
Cloud KMS resources can now be created in the eur4
and nam4
dual-regions. Learn more about Cloud Locations.
October 26, 2018
Cloud KMS resources can now be created in the asia-east2
region. Learn more about Cloud Locations.
October 11, 2018
New algorithms have been added:
- RSA_SIGN_PSS_4096_SHA512
- RSA_SIGN_PKCS1_4096_SHA512
- RSA_DECRYPT_OAEP_4096_SHA512
For the list of all supported algorithms, see Key purposes and algorithms.
September 27, 2018
Cloud HSM resources are now available in the us-central1
regional location. For the list of all supported regions, see Supported regions for Cloud HSM.
September 05, 2018
Attestations that are downloaded via the Google Cloud Platform Console are no longer base64-encoded. This matches the raw format of the attestations downloaded via the gcloud
command-line tool and the Cloud KMS API. The instructions for Verifying Attestations expect the attestation to be in raw format, not base64-encoded.
August 20, 2018
Introduction of asymmetric keys and Cloud HSM into the Cloud KMS beta release.
Additions to the API definition:
- New method for creating digital signatures:
- New method for retrieving an asymmetric key's public key:
- New method for decrypting data encoded with an asymmetric public key generated by Cloud KMS:
- New types:
- New fields:
- The CryptoKey.list method now contains a versionView query parameter that lists the fields of the primary key version to include in the response.
- The CryptoKeyVersion.list method now contains a view query parameter that lists the fields to include in the response.
- The LocationMetadata resource returned by the Locations.get and Locations.list methods now contain an
hsm_available
field. Thehsm_available
field is abool
that indicates whether the location supports Hardware Security Modules (HSMs).
Cloud HSM resources are now available in the us-east1
and us-west1
regional locations.
July 14, 2018
Cloud KMS resources can now be created in the us-west2
region. Learn more about Cloud Locations.
June 14, 2018
Cloud KMS resources can now be created in the europe-north1
region. Learn more about Cloud Locations.
April 12, 2018
Cloud KMS resources can now be created in the following regions:
asia-south1
australia-southeast1
europe-west2
europe-west3
northamerica-northeast1
southamerica-east1
us-east4
Learn more about Cloud Locations.
April 11, 2018
The URL of the Cloud KMS page in the Google Cloud Platform Console has been changed from https://console.cloud.google.com/iam-admin/kms to https://console.cloud.google.com/security/kms.
April 03, 2018
The name of the Cloud KMS page in the Google Cloud Platform Console has been changed from Encryption keys to Cryptographic keys.
March 29, 2018
Cloud KMS resources can now be created in the asia-northeast1
region. Learn more about Cloud Locations.
February 08, 2018
Cloud KMS resources can now be created in the asia
, europe
, and us
multi-regional locations. Learn more about Cloud KMS locations.
January 31, 2018
Announced general availability of IAM custom roles for Cloud KMS.
January 22, 2018
The gcloud kms locations list
command now supports the europe-west4
region.
January 17, 2018
The Google Cloud Platform console now supports the europe-west4
region. You can create new key rings in this region using the console, the API and the gcloud
command-line tool. The gcloud kms locations list
command will support this region approximately January 22, 2018. Learn more about Cloud Locations.
January 10, 2018
Cloud KMS resources can now be created in the europe-west4
region. You can use this region to create new key rings using the API and the gcloud
command-line tool. This region will not be viewable in the Google Cloud Platform console or returned by gcloud kms locations list
until approximately January 17, 2018. Learn more about Cloud Locations.
October 11, 2017
Promoted keys update
from gcloud beta kms
to gcloud kms
as part of gcloud 175.0.0.
October 04, 2017
The Envelope Encryption topic provides more information about key wrapping and envelope encryption.
September 19, 2017
Batch operations are no longer supported.
September 06, 2017
Labels can now be applied to CryptoKeys:
- The
CryptoKey
type now contains thelabels
field. - To learn more about this feature, see Labeling CryptoKeys.
gcloud
changes:
- The
gcloud kms keys create
command has a new parameter,--labels
. Use this parameter to specify labels when you create a key. - The output from the
gcloud kms keys list
command now contains aLABELS
column. - The
gcloud beta kms keys update
command is new. This command supports updating an existing key.
These changes are effective in gcloud
version 170.0.0.
August 23, 2017
Cloud KMS resources can now be created in the asia-southeast1
region. Learn more about Cloud Locations.
August 18, 2017
Cloud KMS is now available in a larger group of countries.
June 14, 2017
Promoted encrypt
and decrypt
commands from gcloud beta kms
to gcloud kms
as part of gcloud 159.0.0.
June 07, 2017
API version v1beta1 has been turned off. Please use v1 API endpoint.
As part of gcloud 158.0.0, when using gcloud
to update IAM policies, data access logs can be enabled for key rings and keys, in addition to projects which were already supported.
May 31, 2017
Added encrypt
and decrypt
commands to gcloud beta kms
as part of gcloud 157.0.0.
- Added examples for using
gcloud beta kms encrypt
andgcloud beta kms decrypt
.
May 02, 2017
Data Access audit logs can now be self-enabled for Cloud KMS. For more information, see Cloud Audit Logging documentation.
- Updated documentation on logs types in Cloud KMS.
April 17, 2017
Cloud KMS resources can now be created in the us-west1
region. Learn more about Cloud Locations.
March 22, 2017
Promoted gcloud beta kms
commands to gcloud kms
as part of gcloud 148.0.0.
March 15, 2017
Renamed cryptokey
to key
as part of gcloud 147.0.0.
Renamed gcloud kms cryptokeys
as gcloud kms keys
.
Renamed the --cryptokey
flag as --key
.
Deprecated the cryptokey
variants.
March 08, 2017
Launch of Cloud KMS to General Availability.
- Updated client libraries and code samples in C#, Go, Java, Node.js, PHP, Python, and Ruby.
- New Secret Management documentation that explains how to protect secrets using Cloud KMS.
- Added a Service Level Agreement (SLA).
API version from v1beta1 to v1.
- The v1beta1 API is deprecated and will be turned down no sooner than June 7, 2017.
- To start using the v1 API, follow the process to install the client library for your preferred language. Other than the API version, your code shouldn't need any other changes.
January 11, 2017
Launch of Cloud KMS to Beta. Use Cloud KMS to create, use, rotate, automatically rotate, and destroy symmetric AES256 encryption keys. Cloud KMS is accessible via
- REST API
- Google APIs Client Libraries in go, python, and java
- Cloud Console user interface