Cloud Key Management Service

Manage encryption keys on Google Cloud Platform.

View documentation for this product.

Cloud KMS Overview logo

Cryptographic key management

Cloud KMS is a cloud-hosted key management service that lets you manage cryptographic keys for your cloud services the same way you do on-premises. You can generate, use, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys. Cloud KMS is integrated with Cloud Identity and Access Management and Cloud Audit Logs so that you can manage permissions on individual keys and monitor how these are used. Use Cloud KMS to protect secrets and other sensitive data that you need to store in Google Cloud Platform.

Scalable, automated, fast logo

Scalable, automated, fast

Keep millions of cryptographic keys, allowing you to determine the level of granularity at which to encrypt your data. Set keys to automatically rotate regularly, using a new primary version to encrypt data and limit the scope of data accessible with any single key version. Keep as many active key versions as you want. Rely on our low latency to ensure you can access your keys quickly.

Greater management over key use logo

Greater management over key use

Manage Cloud IAM permissions for user-level permissions on individual keys and grant access to both individual users and service accounts. View admin activity and key use logs with Cloud Audit Logs, using Cloud KMS as a central point to filter access to your most sensitive data. Monitor logs to ensure proper use of your keys.

Easily encrypt and sign data logo

Easily encrypt and sign data

Cloud KMS gives you the flexibility to encrypt your data with either a symmetric or asymmetric key that’s under your control. You can also perform signing operations with both RSA and elliptic curve keys of various lengths.

Implement envelope encryption logo

Implement envelope encryption

Implement a key hierarchy with a local data encryption key (DEK), protected by a key encryption key (KEK) in Cloud KMS. Manage keys used to encrypt your data at the application layer, stored in your storage systems, at Google, or anywhere else.

Help satisfy compliance needs logo

Help satisfy compliance needs

With Cloud KMS, you can manage the encryption keys used to protect sensitive data residing across GCP with customer managed encryption keys (CMEK). For compliance mandates requiring that keys and crypto operations be performed within a hardware environment, the Cloud KMS integration with Cloud HSM makes it simple to create a key protected by a FIPS 140-2 Level 3 device.


Symmetric and asymmetric key support

Cloud KMS allows you to create, use, rotate, automatically rotate, and destroy AES256 symmetric and RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 asymmetric cryptographic keys.

Delay for key destruction

Cloud KMS has a built-in 24-hour delay for key material destruction, to prevent accidental or malicious data loss.

Encrypt and decrypt via API

Cloud KMS is a REST API that can use a key to encrypt, decrypt, or sign data such as secrets for storage.

High global availability

Cloud KMS is available in several global locations and across multi-regions, allowing you to place your service where you want for low latency and high availability.

Automated and at-will key rotation

Cloud KMS allows you to rotate a key at will, and also set a rotation schedule for symmetric keys to automatically generate a new key version at a fixed time interval. Multiple versions of a symmetric key can be active at any time for decryption, with only one primary key version used for encrypting new data.

Integration with GKE

Encrypt Kubernetes secrets at the application-layer in GKE with keys you manage in Cloud KMS.

Google is transparent about how it does its encryption by default, and Cloud KMS makes it easy to implement best practices. Features like automatic key rotation let us rotate our keys frequently with zero overhead and stay in line with our internal compliance demands. Cloud KMS’ low latency allows us to use it for frequently performed operations. This allows us to expand the scope of the data we choose to encrypt from sensitive data, to operational data that does not need to be indexed.

Leonard Austin, CTO, Ravelin


Cloud KMS pricing includes a flat rate for key versions, and a usage rate for key operations. Learn More

Key versions Price
Active key versions $0.06 per month

If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

Key operations Price
Key use operations (Encrypt/ Decrypt) $0.03 per 10,000 operations
Key admin operations Free

If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

Take the next step

Start building on Google Cloud with $300 in free credits and 20+ always free products.

Need help getting started?
Work with a trusted partner
Continue browsing