Automatically provision and assign customer-managed encryption keys with KMS Autopilot. Private Preview is open. Sign up now.
Jump to
Cloud Key Management

Cloud Key Management

Manage encryption keys on Google Cloud.
  • Deliver scalable, centralized, fast cloud key management

  • Help satisfy compliance, privacy, and security needs

  • Apply hardware security modules (HSMs) effortlessly to your most sensitive data

  • Use an external KMS to protect your data in Google Cloud and separate the data from the key

  • Approve or deny any request for your encryption keys based on clear and precise justifications


Scale your security globally

Scale your application to Google’s global footprint while letting Google worry about the challenges of key management, including managing redundancy, latency, and data residency.

Help achieve your compliance requirements

Easily encrypt your data in the cloud using software-backed encryption keys, FIPS 140-2 Level 3 validated HSMs, customer-provided keys or an External Key Manager. 

Leverage from integration with Google Cloud products

Use customer-managed encryption keys (CMEK) to control the encryption of data across Google Cloud products while benefiting from additional security features, such as Google Cloud IAM and audit logs.

Key features

Core features

Centrally manage encryption keys

A cloud-hosted key management service that lets you manage symmetric and asymmetric cryptographic keys for your cloud services the same way you do on-premises. You can generate, use, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys.

Deliver hardware key security with HSM

Toggle between software- and hardware-protected encryption keys with the press of a button. Host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 validated HSMs. With this fully managed service, you can protect your most sensitive workloads without the need to worry about the operational overhead of managing an HSM cluster.

Provide support for external keys with EKM

Encrypt data in integrated Google services with encryption keys that are stored and managed in a third-party key management system that’s deployed outside Google’s infrastructure. External Key Manager allows you to maintain separation between your data at rest and your encryption keys while still leveraging the power of cloud for compute and analytics.

Be the ultimate arbiter of access to your data

Key Access Justifications works with Cloud EKM to greatly advance the control you have over your data. It’s the only product that gives you visibility into every request for an encryption key, a justification for that request, and a mechanism to approve or deny decryption in the context of that request. These controls are covered by Google’s integrity commitments.

View all features



Google Cloud Basics

Cloud Key Management Service documentation

Learn how to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service.
Google Cloud Basics

Cloud HSM documentation

Get an overview of Cloud HSM and learn how to create and use HSM-protected encryption keys in Cloud Key Management Service.
Google Cloud Basics

Cloud External Key Manager documentation

Find an overview of Cloud External Key Manager (Cloud EKM).

Cloud Key Management Service deep dive

Learn more about the inner workings of the Cloud KMS platform and how it helps you protect the keys and other sensitive data that you store in Google Cloud.