Google Cloud Key Management Services
In this article, we take a closer look at Google's Cloud Key Management Service (Cloud KMS). When users store data in Google Cloud, the data is automatically encrypted at rest. Cloud KMS is used to gain better control over that encrypted data at rest and over the encryption keys that protect it.
Source and Control of cryptographic keys
- Cloud KMS software-backed keys let users encrypt data with either a symmetric or an asymmetric key that they control.
- Cloud HSM provides hardware-backed keys: symmetric and asymmetric keys are used only inside FIPS 140-2 Level 3 validated Hardware Security Modules (HSMs).
- Bring Your Own Key (BYOK) lets users import their own cryptographic keys into Cloud KMS.
- Cloud External Key Manager (Cloud EKM), which uses an external key manager such as Thales or Fortanix, can also be used.

Cryptographic keys in Cloud KMS

Cloud KMS supports both symmetric and asymmetric keys. A symmetric key is used for symmetric encryption to protect some corpus of data, for example using AES-256 in GCM mode to encrypt a block of plaintext. An asymmetric key can be used for asymmetric encryption or for creating digital signatures.
Cloud KMS components
In this section, we discuss a few of the additional parameters associated with Cloud KMS resources such as keys and key rings.
- Project
Cloud KMS resources belong to a Google Cloud project, like all other Google Cloud resources. Users can keep data in a project different from the one in which the Cloud KMS keys reside. This supports the best practice of separating the duties of key administrators from those of data administrators.
- Locations
Within a project, each Cloud KMS resource is created in a single location.
Key Hierarchy

- Data encryption key (DEK):
A key used to encrypt data.
- Key encryption key (KEK):
A key used to encrypt, or wrap, a data encryption key. All Cloud KMS platform options (software, hardware and external backends) let you control the key encryption key.
- KMS Master Key:
The key used to encrypt the key encryption keys (KEKs). It is distributed in memory and backed up on hardware devices; it is the key that protects your keys.
- Root KMS:
Google's internal key management service.
Cloud KMS platform overview
The Cloud KMS platform supports multiple cryptographic algorithms and provides methods to encrypt and digitally sign using both hardware and software-backed keys.

Applications can use Google services that support customer-managed encryption keys (CMEK). CMEK in turn uses the Cloud KMS API, which lets users choose either software-backed (Cloud KMS) or hardware-backed (Cloud HSM) keys. Both kinds of key benefit from Google's redundant backup protections.
The Cloud KMS platform provides two backends (excluding Cloud EKM), which are exposed in the Cloud KMS API as protection levels:
- Software protection level
The software protection level applies to keys that may be unwrapped by a software security module to perform cryptographic operations.
- HSM protection level
The HSM protection level applies to keys that can only be unwrapped by Hardware Security Modules, which perform all cryptographic operations with those keys.
Google Cloud supports CMEK for several services, including
- Cloud Storage
- BigQuery
- Compute Engine

The two protection levels differ in their FIPS 140-2 validation:
- Keys with the software protection level, and the cryptographic operations performed with them, comply with FIPS 140-2 Level 1.
- Keys with the HSM protection level, and the cryptographic operations performed with them, comply with FIPS 140-2 Level 3.