John has a Google account and he wants to save an important document in the cloud
Manage encryption keys on Google Cloud.

Deliver scalable, centralized, fast cloud key management
Help satisfy compliance, privacy, and security needs
Apply hardware security modules (HSMs) effortlessly to your most sensitive data
Use an external KMS to protect your data in Google Cloud and separate the data from the key
Approve or deny any request for your encryption keys based on clear and precise justifications

Benefits

Scale your application to Google’s global footprint while letting Google worry about the challenges of key management, including managing redundancy and latency.

Easily encrypt your data in the cloud using software-backed encryption keys, FIPS 140-2 Level 3 validated HSMs, customer-provided keys or an External Key Manager.

Use customer-managed encryption keys (CMEK) to control the encryption of data across Google Cloud products while benefiting from additional security features such as Google Cloud IAM and audit logs.

Key features

Centrally manage encryption keys
A cloud-hosted key management service that lets you manage symmetric and asymmetric cryptographic keys for your cloud services the same way you do on-premises. You can generate, use, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys.

Deliver hardware key security with HSM
Toggle between software- and hardware-protected encryption keys with the press of a button. Host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 validated HSMs. With this fully managed service, you can protect your most sensitive workloads without the need to worry about the operational overhead of managing an HSM cluster.

Provide support for external keys with EKM
Encrypt data in BigQuery and Compute Engine with encryption keys that are stored and managed in a third-party key management system that’s deployed outside Google’s infrastructure. External Key Manager allows you to maintain separation between your data at rest and your encryption keys while still leveraging the power of cloud for compute and analytics.

Be the ultimate arbiter of access to your data
Key Access Justifications works with Cloud EKM to greatly advance the control you have over your data. It’s the only product that gives you visibility into every request for an encryption key, a justification for that request, and a mechanism to approve or deny decryption in the context of that request.
These controls are covered by Google’s integrity commitments.

Documentation

Cloud Key Management Service documentation
Learn how to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service.

Cloud HSM documentation
Get an overview of Cloud HSM and learn how to create and use HSM-protected encryption keys in Cloud Key Management Service.

Cloud External Key Manager documentation
Find an overview of Cloud External Key Manager (Cloud EKM).

Cloud Key Management Service deep dive
Learn more about the inner workings of the Cloud KMS platform and how it helps you protect the keys and other sensitive data that you store in Google Cloud.

Using customer-managed encryption keys (CMEK) with GKE
Learn how to use customer-managed encryption keys (CMEK) on Google Kubernetes Engine (GKE).

Using customer-managed encryption keys with Cloud SQL
The CMEK feature lets you use your own cryptographic keys for data at rest in Cloud SQL, including MySQL, PostgreSQL, and SQL Server.

Using customer-managed encryption keys (CMEK) with Dataproc
See how to use CMEK to encrypt data on the PDs associated with the VMs in your Dataproc cluster and/or the cluster metadata.

Using customer-managed encryption keys with Data Fusion
Learn how customer-managed encryption keys provide user control over the data written by Cloud Data Fusion pipelines.

Use cases

Use case: Support regulatory compliance
Cloud KMS, together with Cloud HSM and Cloud EKM, supports a wide range of compliance mandates that call for specific key management procedures and technologies. It does so in a scalable, cloud-native way, without undermining the agility of the cloud implementation. Various mandates call for hardware encryption (HSM), keys being separated from data (EKM), or keys being handled securely (KMS overall). Key management is compliant with FIPS 140-2.

Use case: Manage encryption keys via secure hardware
Customers who are subject to compliance regulations may be required to store their keys and perform crypto operations in a FIPS 140-2 Level 3 validated device. Storing their keys in a FIPS validated HSM lets them meet their regulator’s demand and maintain compliance in the cloud. This is also critical for customers seeking a level of assurance that the cloud provider cannot see or export their key material.

Use case: Manage encryption keys outside the cloud
Customers subject to regulatory or regional security requirements need to adopt cloud computing while retaining the encryption keys in their possession. External Key Manager allows them to maintain separation between data at rest and encryption keys while still leveraging the power of cloud for compute and analytics. This is accomplished with full visibility into who has access to the keys, when they have been used, and where they are located.

Use case: Key Access Justifications and EKM data flow
Key Access Justifications gives Google Cloud customers visibility into every request for an encryption key, a justification for that request, and a mechanism to approve or deny decryption in the context of that request. The use cases focus on both enforcement and visibility for data access.

Use case: Ubiquitous data encryption
Seamlessly encrypt data as it is sent to the cloud, using your external key management solution, in a way that only a confidential VM service can decrypt and compute on it.

Pricing

Cloud Key Management Service charges for usage, and pricing varies based on the following products: Cloud Key Management Service, Cloud External Key Manager, and Cloud HSM.
If you pay in a currency other than USD, the prices listed in your currency on Google Cloud SKUs apply.

Partners

Implement External Key Manager with one of these industry-leading key management vendors.