Cloud Key Management Service (Cloud KMS) lets you create and manage CMEK keys foruse in compatible Google Cloud services and in your own applications.Using Cloud KMS, you can do the following:
Generate software or hardware keys, import existing keys intoCloud KMS, or link external keys in your compatible external keymanagement (EKM) system.
Use customer-managed encryption keys (CMEKs) in Google Cloudproducts with CMEK integration. CMEK integrations useyour CMEK keys to encrypt or "wrap" your data encryption keys (DEKs).Wrapping DEKs with key encryption keys (KEKs) is calledenvelope encryption.
Use Cloud KMS Autokey(Preview) to automate provisioning andassignment. With Autokey, you don't need to provision key rings,keys, and service accounts ahead of time. Instead, they are generated ondemand as part of resource creation.
Use Cloud KMS keys for encryption and decryption operations. Forexample, you can use the Cloud KMS API or client libraries touse your Cloud KMS keys for client-sideencryption.
Use Cloud KMS keys to create or verifydigital signatures ormessage authentication code (MAC) signatures.
Choose the right encryption for your needs
You can use the following table to identify which type of encryption meets yourneeds for each use case. The best solution for your needs might includea mix of encryption approaches. For example, you might use software keys foryour least sensitive data and hardware or external keys for your most sensitivedata. For additional information about the encryption options described in thissection, see Protecting data in Google Cloud onthis page.
| Encryption type | Cost | Compatible services | Features |
|---|---|---|---|
| Google-owned and Google-managed keys (Google Cloud default encryption) | Included | All Google Cloud services that store customer data |
|
| Customer-managed encryption keys - software (Cloud KMS keys) | $0.06 per key version | 40+services |
|
| Customer-managed encryption keys - hardware (Cloud HSM keys) | $1.00 to $2.50 per key version per month | 40+services |
|
| Customer-managed encryption keys - external (Cloud EKM keys) | $3.00 per key version per month | 30+services |
|
| Client-side encryption using Cloud KMS keys | Cost of active key versions depends on the protection level of the key. | Use client libraries in your applications |
|
| Customer-supplied encryption keys | Might increase costs associated with Compute Engine or Cloud Storage |
|
|
| Confidential Computing | Additional cost for each confidential VM; might increase log usage and associated costs |
|
|
Protecting data in Google Cloud
Google-owned and Google-managed keys (Google Cloud default encryption)
By default, data at rest in Google Cloud is protected by keys inKeystore, Google's internal key management service. Keys in Keystore are managedautomatically by Google, with no configuration required on your part. Mostservices automatically rotate keys for you. Keystore supports a primary keyversion and a limited number of older key versions. The primary key version isused to encrypt new data encryption keys. Older key versions can still be usedto decrypt existing data encryption keys. You can't view or manage these keys orreview key usage logs. Data from multiple customers might use the same keyencryption key.
This default encryption uses cryptographic modules that are validated to beFIPS 140-2 Level 1 compliant.
Customer-managed encryption keys (CMEKs)
Cloud KMS keys that are used to protect your resources inCMEK-integrated services are customer-managed encryption keys (CMEKs). You canown and control CMEKs, while delegating key creation and assignment tasks toCloud KMS Autokey (Preview). To learnmore about automating provisioning for CMEKs, see Cloud Key Management Service withAutokey.
You can use your Cloud KMS keys incompatible services to help you meet the following goals:
Own your encryption keys.
Control and manage your encryption keys, including choice of location,protection level, creation, access control, rotation, use, and destruction.
Selectively delete data protected by your keys in the case of off-boarding orto remediate security events (crypto-shredding).
Create dedicated, single-tenant keys that establish a cryptographic boundaryaround your data.
Log administrative and data access to encryption keys.
Meet current or future regulation that requires any of these goals.
When you use Cloud KMS keys withCMEK-integrated services, you can useorganization policies to ensure that CMEKs are used as specified in thepolicies. For example, you can set an organization policy that ensures that yourcompatible Google Cloud resources use your Cloud KMSkeys for encryption. Organization policies can also specify which project thekey resources must reside in.
The features and level of protection provided depend on the protection level ofthe key:
Software keys - You can generate software keys in Cloud KMS anduse them in all Google Cloud locations. Youcan create symmetric keys with automatic rotation orasymmetric keys with manual rotation. Customer-managed software keys useFIPS 140-2 Level 1 validated softwarecryptography modules. You also have control over the rotation period,Identity and Access Management (IAM) roles and permissions, and organization policiesthat govern your keys. You can use your software keys with over 40compatible Google Cloud resources.
Imported software keys - You can import software keys that you createdelsewhere for use in Cloud KMS. You can import new key versions tomanually rotate imported keys. You can use IAM roles andpermissions and organization policies to govern usage of your imported keys.
Hardware keys and Cloud HSM - You can generate hardware keys ina cluster of FIPS 140-2 Level 3 HardwareSecurity Modules (HSMs). You have control over the rotation period,IAM roles and permissions, and organization policies thatgovern your keys. When you create HSM keys using Cloud HSM, Googlemanages the HSM clusters so you don't have to. You can use your HSM keyswith over 40 compatible Google Cloudresources—the same services that supportsoftware keys. For the highest level of security compliance, use hardwarekeys.
External keys and Cloud EKM - You can use keys that reside inan external key manager (EKM). Cloud EKM lets you use keys held ina supported key manager to secure yourGoogle Cloud resources. You can connect to your EKMover the internet or over aVirtual Private Cloud (VPC). Some Google Cloudservices that support software or hardware keys do not supportCloud EKM keys.
Cloud KMS keys
You can use your Cloud KMS keys in custom applications using theCloud KMS client libraries orCloud KMS API. The client librariesand API let you encrypt and decrypt data, sign data, and validate signatures.
Customer-supplied encryption keys (CSEKs)
Cloud Storage and Compute Engine can usecustomer-supplied encryption keys (CSEKs). With customer-suppliedencryption keys, you store the key material and provide it toCloud Storage or Compute Engine when needed. Google does notstore your CSEKs in any way.
Confidential Computing
In Compute Engine, GKE, and Dataproc, you canuse the Confidential Computing platform to encrypt your data-in-use.Confidential Computing ensures that your data stays private and encrypted evenwhile it's being processed.
