Cloud KMS uses Google’s internal data storage, which is highly available, and also supports a number of Google’s critical systems.
Cloud KMS uses authenticated encryption to store customer key material in the datastore. Additionally, all metadata is authenticated using a hash-based message authentication code (HMAC) to ensure it has not been altered or corrupted while at rest. Every hour, a batch job scans all key material and metadata and verifies that the HMACs are valid and that the key material can decrypt successfully.
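The storage and hourly integrity-scan pattern described above, as an added example that is not Google's code: key material under authenticated encryption with the row's key ID bound as associated data, metadata covered by an HMAC that also binds the key ID (so rows cannot be swapped or re-labelled), and a scan job that flags every row failing either check. The cipher is a constructed HMAC-SHA256 stand-in for a real AEAD, and the key IDs, metadata strings and keys are assumed sample values.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
# Constructed stand-in for the datastore's authenticated encryption (HMAC-SHA256
# keystream in counter mode, encrypt-then-MAC tag, separately derived keys).
# Production code would use a real AEAD such as AES-GCM; the scan job is the point.
def _subkey(root: bytes, label: bytes) -> bytes:
    return hmac.new(root, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def ae_encrypt(root: bytes, plaintext: bytes, aad: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(root, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(root, b"mac"), nonce + len(aad).to_bytes(2, "big") + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def ae_decrypt(root: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(root, b"mac"), nonce + len(aad).to_bytes(2, "big") + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(root, b"enc"), nonce, len(ct))))

@dataclass
class Row:
    key_id: str
    wrapped: bytes       # customer key material under authenticated encryption
    metadata: bytes      # e.g. b"state=ENABLED;version=1", stored in the clear
    metadata_mac: bytes  # HMAC over key_id + metadata, verified at rest

def store_row(root: bytes, mac_key: bytes, key_id: str, key_material: bytes, metadata: bytes) -> Row:
    wrapped = ae_encrypt(root, key_material, key_id.encode())
    mac = hmac.new(mac_key, key_id.encode() + metadata, hashlib.sha256).digest()
    return Row(key_id, wrapped, metadata, mac)

def scan_datastore(root: bytes, mac_key: bytes, rows) -> dict:
    """Hourly batch job: return {key_id: problem} for rows that fail either check; empty means healthy."""
    problems = {}
    for row in rows:
        expect = hmac.new(mac_key, row.key_id.encode() + row.metadata, hashlib.sha256).digest()
        if not hmac.compare_digest(row.metadata_mac, expect):
            problems[row.key_id] = "metadata HMAC mismatch"
            continue
        try:
            ae_decrypt(root, row.wrapped, row.key_id.encode())
        except ValueError:
            problems[row.key_id] = "key material fails to decrypt"
    return problems
```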
Cloud KMS uses several types of backups for the datastore:
- By default, the datastore keeps a change history of every row for several hours. In an emergency, this lifetime can be extended to provide more time to remediate issues.
- Every hour, the datastore records a snapshot. The snapshot can be validated and used for restoration, if needed. These snapshots are kept for four days.
- Every day, a full backup is copied to disk and tape.
Cloud KMS datastore backups reside in their associated Google Cloud region. These backups are all encrypted at rest.
At the Cloud KMS application layer, customer key material is encrypted before it is stored. Datastore engineers do not have access to plaintext customer key material. Additionally, the datastore encrypts all data it manages before writing to permanent storage. This means access to underlying storage layers, including disks or tape, would not allow access to even the encrypted Cloud KMS data without access to the datastore encryption keys. These datastore encryption keys are stored in Google’s internal KMS.