Release notes

Cloud EKM now supports Dataflow Appliance and Pub/Sub. For more information, see Cloud External Key Manager.

The europe-central2 region in Warsaw is now available. See Cloud KMS locations for more details.

Cloud EKM adds support for Dataflow shuffle and Secret Manager. For more information, see Cloud External Key Manager.

Cloud EKM now supports Cloud SQL and GKE. For more information, see Cloud External Key Manager.

Cloud HSM resources are available in the us-west4 and asia-southeast2 regions. Cloud KMS resources were already available in these regions.

For information about which Cloud Locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, see the Cloud KMS regional locations.

Keys hosted by Thales are now supported in Cloud EKM. To learn more, see Cloud EKM.

Cloud KMS and Cloud EKM resources are available in the asia-southeast2 region. Cloud HSM resources are not available in this region.

For information about which Cloud Locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, see the Cloud KMS regional locations.

Several fields related to data integrity have been added to the Cloud KMS API, along with guidelines for using them. To learn more about maintaining data integrity when performing cryptographic operations, see Verifying end-to-end data integrity.

Hosted Private HSM is generally available.

Cloud KMS and Cloud EKM resources are available in the us-west4 region. Cloud HSM resources are not available in this region.

Cloud HSM resources are available in the global multi-regional location.

For information about which Cloud Locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, see the Cloud KMS regional locations.

Cloud External Key Manager (Cloud EKM) is generally available.

Importing keys into Cloud KMS software keys is generally available (GA).

Cloud EKM resources are now available in the asia-northeast3 and us-west3 locations.

Cloud KMS resources can now be created in the us-west3 region.

Cloud HSM resources are now also available in the us-west3 region.

Cloud EKM resources are not available in the us-west3 region.

For information about which Cloud Locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, refer to Cloud KMS locations.

You can now import key material into Cloud KMS software keys. For more information, see Key import. Importing key material into Cloud HSM keys is already generally available.

Cloud KMS resources can now be created in the asia-northeast3 region.

Cloud HSM resources are now also available in the asia-northeast3 region.

Learn more about Cloud Locations. For the list of all regions supported by Cloud KMS, Cloud HSM, and Cloud EKM, see the Cloud KMS regional locations.

Cloud External Key Manager (Cloud EKM) (Beta) allows you to encrypt data stored in Google Cloud using keys stored in a supported partner external key management system. You can encrypt or decrypt data in BigQuery, Compute Engine persistent disks, or directly using the Cloud KMS API.

You can learn about changes to the API since the Alpha release.

The gcloud beta kms import-jobs command group was released as part of gcloud 253.0.0.

Introduction of import key functionality into the Cloud KMS beta release.

The following are additions to the API definition.

New resources

ImportJob has been added as a resource.

The ImportJob resource contains the following methods:

• ImportJobs.create
• ImportJobs.get
• ImportJobs.getIamPolicy
• ImportJobs.list
• ImportJobs.setIamPolicy
• ImportJobs.testIamPermissions

The ImportJob resource contains the following enums:

• ImportJobState
• ImportMethod

The ImportJob resource contains the following type:

• WrappingPublicKey

New methods

• CryptoKeyVersions.import

New fields

• CreateCryptoKeyRequest.skip_initial_version_creation
• CryptoKeyVersions.import_failure_reason
• CryptoKeyVersions.import_job
• CryptoKeyVersions.import_time

New enums

• CryptoKeyVersionState.PENDING_IMPORT
• CryptoKeyVersionState.IMPORT_FAILED

New permissions

• cloudkms.cryptoKeyVersions.useToImport
• cloudkms.importJobs.create
• cloudkms.importJobs.get
• cloudkms.importJobs.getIamPolicy
• cloudkms.importJobs.list
• cloudkms.importJobs.setIamPolicy

For more information about Cloud KMS permissions, see Permissions and roles.

Cloud HSM resources are now available in the following regional locations:

• asia-east2
• europe-west6
• us-west2

For the list of all supported regions, see Supported regions.

Introduction of the Cloud KMS beta release to support filtering and sorting results from the following list operations.

• keyRings.list
• cryptoKeys.list
• cryptoKeyVersions.list

For more information, see Sorting and filtering list results.

Cloud HSM resources are now available in the following regional locations:

• asia-northeast1
• asia-northeast2

For the list of all supported regions, see Supported regions.

Cloud HSM resources are now available in the following regional locations:

• asia-south1
• europe-north1
• europe-west1
• europe-west4

For the list of all supported regions, see Supported regions for Cloud HSM.

Cloud HSM resources are now available in the us multi-regional location. For the list of all supported regions, see Supported regions for Cloud HSM.

Cloud KMS resources can now be created in the asia-northeast2 region. Learn more about Cloud Locations.

Cloud HSM resources are now available in the asia-southeast1 regional location. For the list of all supported regions, see Supported regions for Cloud HSM.

Cloud KMS resources can now be created in the europe-west6 region. Learn more about Cloud Locations.

CAVIUM_V2_COMPRESSED has been added as an enum value to AttestationFormat. To learn how to verify an attestation that is in the CAVIUM_V2_COMPRESSED format, see Verifying Attestations.

Announced general availability of asymmetric keys and Cloud HSM in Cloud KMS.

Cloud HSM resources are now available in the europe-west3 regional location. For the list of all supported regions, see Supported regions for Cloud HSM.

Cloud HSM resources are now available in the europe-west2 regional location. For the list of all supported regions, see Supported regions for Cloud HSM.

Cloud KMS resources can now be created in the eur4 and nam4 dual-regions. Learn more about Cloud Locations.

Cloud KMS resources can now be created in the asia-east2 region. Learn more about Cloud Locations.

New algorithms have been added:

• RSA_SIGN_PSS_4096_SHA512
• RSA_SIGN_PKCS1_4096_SHA512
• RSA_DECRYPT_OAEP_4096_SHA512

For the list of all supported algorithms, see Key purposes and algorithms.

Cloud HSM resources are now available in the us-central1 regional location. For the list of all supported regions, see Supported regions for Cloud HSM.

Attestations that are downloaded via the Google Cloud Platform Console are no longer base64-encoded. This matches the raw format of the attestations downloaded via the gcloud command-line tool and the Cloud KMS API. The instructions for Verifying Attestations expect the attestation to be in raw format, not base64-encoded.

Introduction of asymmetric keys and Cloud HSM into the Cloud KMS beta release.

Additions to the API definition:

• New method for creating digital signatures:
  • CryptoKeys.asymmetricSign
• New method for retrieving an asymmetric key's public key:
  • CryptoKeyVersions.getPublicKey
• New method for decrypting data encoded with an asymmetric public key generated by Cloud KMS:
  • CryptoKeyVersions.asymmetricDecrypt
• New types:
  • CryptoKeyVersionAlgorithm
  • CryptoKeyVersionTemplate
  • CryptoKeyVersionView
  • ProtectionLevel
• New fields:
  • CryptoKey.versionTemplate
  • CryptoKeyVersion.algorithm
  • CryptoKeyVersion.attestation
  • CryptoKeyVersion.generateTime
  • CryptoKeyVersion.protectionLevel
  • LocationMetadata.hsmAvailable
• The CryptoKey.list method now contains a versionView query parameter that lists the fields of the primary key version to include in the response.
• The CryptoKeyVersion.list method now contains a view query parameter that lists the fields to include in the response.
• The LocationMetadata resource returned by the Locations.get and Locations.list methods now contain an hsm_available field. The hsm_available field is a bool that indicates whether the location supports Hardware Security Modules (HSMs).

Cloud HSM resources are now available in the us-east1 and us-west1 regional locations.

Cloud KMS resources can now be created in the us-west2 region. Learn more about Cloud Locations.

Cloud KMS resources can now be created in the europe-north1 region. Learn more about Cloud Locations.

Cloud KMS resources can now be created in the following regions:

• asia-south1
• australia-southeast1
• europe-west2
• europe-west3
• northamerica-northeast1
• southamerica-east1
• us-east4

Learn more about Cloud Locations.

The name of the Cloud KMS page in the Google Cloud Platform Console has been changed from Encryption keys to Cryptographic keys.

Cloud KMS resources can now be created in the asia-northeast1 region. Learn more about Cloud Locations.

Cloud KMS resources can now be created in the asia, europe, and us multi-regional locations. Learn more about Cloud KMS locations.

Announced general availability of IAM custom roles for Cloud KMS.

The gcloud kms locations list command now supports the europe-west4 region.

The Google Cloud Platform console now supports the europe-west4 region. You can create new key rings in this region using the console, the API and the gcloud command-line tool. The gcloud kms locations list command will support this region approximately January 22, 2018. Learn more about Cloud Locations.

Cloud KMS resources can now be created in the europe-west4 region. You can use this region to create new key rings using the API and the gcloud command-line tool. This region will not be viewable in the Google Cloud Platform console or returned by gcloud kms locations list until approximately January 17, 2018. Learn more about Cloud Locations.

Labels can now be applied to CryptoKeys:

• The CryptoKey type now contains the labels field.
• To learn more about this feature, see Labeling CryptoKeys.

gcloud changes:

• The gcloud kms keys create command has a new parameter, --labels. Use this parameter to specify labels when you create a key.
• The output from the gcloud kms keys list command now contains a LABELS column.
• The gcloud beta kms keys update command is new. This command supports updating an existing key.

These changes are effective in gcloud version 170.0.0.

Cloud KMS resources can now be created in the asia-southeast1 region. Learn more about Cloud Locations.

Added encrypt and decrypt commands to gcloud beta kms as part of gcloud 157.0.0.

• Added examples for using gcloud beta kms encrypt and gcloud beta kms decrypt.

Data Access audit logs can now be self-enabled for Cloud KMS. For more information, see Cloud Audit Logging documentation.

• Updated documentation on logs types in Cloud KMS.

Cloud KMS resources can now be created in the us-west1 region. Learn more about Cloud Locations.

Launch of Cloud KMS to General Availability.

• Updated client libraries and code samples in C#, Go, Java, Node.js, PHP, Python, and Ruby.
• New Secret Management documentation that explains how to protect secrets using Cloud KMS.
• Added a Service Level Agreement (SLA).

Launch of Cloud KMS to Beta. Use Cloud KMS to create, use, rotate, automatically rotate, and destroy symmetric AES256 encryption keys. Cloud KMS is accessible via

• REST API
• Google APIs Client Libraries in go, python, and java
• Cloud Console user interface