Google Cloud External Key Manager

Google Cloud External Key Manager (Cloud EKM) provides a secure way to manage encryption keys externally while integrating with Google Cloud services.

GCP Proprietary Cloud Service Only
Category Data Security & Encryption
This page updated a month ago
Pricing Details Pricing varies based on usage and the external key management partner.
Target Audience Organizations looking to enhance their data security in Google Cloud by managing encryption keys externally.

Google Cloud External Key Manager (Cloud EKM) is designed for maintaining control and separation between your encryption keys and the data they protect within Google Cloud. This is achieved through a technical architecture that integrates your external key management system with Google Cloud's Key Management Service (KMS).

Cloud EKM allows you to use keys managed by a supported external key management partner, such as Thales or Fortanix, to protect data in Google Cloud. The external key material never leaves the external key manager and is never cached or stored within Google Cloud. Instead, Cloud EKM communicates directly with the external key manager for each cryptographic operation, using a key URI or key path to identify the external key material.

Operationally, setting up Cloud EKM involves authorizing your external key manager to access your VPC network and granting your Google Cloud project service account access to the crypto space within your external key manager. This setup ensures that access to the externally managed keys is strictly controlled and can be revoked at any time. The integration can be done either over the internet or via a Virtual Private Cloud (VPC), with the latter being more secure but limited to regional locations.
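The setup sequence above, as an added example that is not part of this page or of Google's own tooling: a POSIX shell script that assembles the gcloud steps for wiring a Cloud KMS key to an external key manager over VPC (register the EKM connection, create the key with no initial version, point a version at the external key path, then grant a consuming service's agent access). Every value (project, region, key ring, Service Directory entry, hostname, CA file, key path, IAM member) is a placeholder; the partner-side grant for the Cloud EKM service agent happens in the external key manager's console, not in gcloud. The script prints the commands by default (DRY_RUN=1) so it can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example: gcloud steps for a Cloud EKM key via VPC. All names are placeholders.
PROJECT_ID="${PROJECT_ID:-example-project}"   # placeholder project
LOCATION="${LOCATION:-us-east1}"              # EKM-via-VPC keys are regional
KEYRING="${KEYRING:-ekm-ring}"                # placeholder key ring
KEY="${KEY:-ekm-key}"                         # placeholder key name
EKM_CONN="${EKM_CONN:-ekm-conn}"              # placeholder EKM connection name
SD_SERVICE="${SD_SERVICE:-projects/$PROJECT_ID/locations/$LOCATION/namespaces/ekm/services/ekm-service}"
EKM_HOSTNAME="${EKM_HOSTNAME:-ekm.internal.example}"   # placeholder EKM host in your VPC
EKM_CA_PEM="${EKM_CA_PEM:-ekm-ca.pem}"                 # placeholder CA certificate file
EKM_KEY_PATH="${EKM_KEY_PATH:-path/to/key-in-ekm}"     # placeholder key path inside the EKM
CMEK_MEMBER="${CMEK_MEMBER:-serviceAccount:cmek-consumer@$PROJECT_ID.iam.gserviceaccount.com}"
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands, 0 = execute them

# Print the command in dry-run mode; otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: register the external key manager that Cloud EKM reaches inside your VPC.
create_ekm_connection() {
    run gcloud kms ekm-connections create "$EKM_CONN" \
        --location="$LOCATION" --project="$PROJECT_ID" \
        --service-directory-service="$SD_SERVICE" \
        --hostname="$EKM_HOSTNAME" \
        --server-certificates-files="$EKM_CA_PEM"
}

# Step 2: create the key with protection level external-vpc. No initial version
# is created, because a version must reference the external key path (step 3).
create_external_key() {
    run gcloud kms keys create "$KEY" \
        --keyring="$KEYRING" --location="$LOCATION" --project="$PROJECT_ID" \
        --purpose=encryption --protection-level=external-vpc \
        --skip-initial-version-creation
}

# Step 3: add a version that points at the key inside the EKM. Only the path
# is stored in Cloud KMS; the key material stays in the external key manager.
create_external_key_version() {
    run gcloud kms keys versions create \
        --key="$KEY" --keyring="$KEYRING" --location="$LOCATION" \
        --project="$PROJECT_ID" \
        --ekm-connection-key-path="$EKM_KEY_PATH" --primary
}

# Step 4: let a consuming service's agent (placeholder member) use the key as CMEK.
# On the partner side, also grant the Cloud EKM service agent of your project
# (service-PROJECT_NUMBER@gcp-sa-ekms.iam.gserviceaccount.com, project number as
# placeholder) access to the crypto space; that grant is what you revoke to cut access.
grant_service_access() {
    run gcloud kms keys add-iam-policy-binding "$KEY" \
        --keyring="$KEYRING" --location="$LOCATION" --project="$PROJECT_ID" \
        --member="$CMEK_MEMBER" \
        --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
}

# Run (or print) the full sequence in order.
provision_ekm_key() {
    create_ekm_connection
    create_external_key
    create_external_key_version
    grant_service_access
}

provision_ekm_key
```

Run it once as-is to review the plan, then with `DRY_RUN=0` and your real values exported to execute it. The order matters: the EKM connection must exist before a version can reference a key path through it, and a version created for a key with an external protection level must name the external key, which is why the key is created with `--skip-initial-version-creation`.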

Key considerations include the geographical proximity of the external key manager to the Google Cloud KMS region to avoid latency issues and ensure quick access to the keys. Additionally, managing keys and access policies from a single interface is crucial, whether the data resides in the cloud or on-premises. However, losing access to either the Cloud EKM key version or the external key can result in irrecoverable data, highlighting the importance of robust key management practices.

Technically, Cloud EKM supports both symmetric and asymmetric keys, with symmetric keys involving additional internal key material in Cloud KMS for an extra layer of encryption. The service integrates with various Google Cloud services such as BigQuery and Compute Engine, ensuring that data at rest is protected using customer-managed encryption keys (CMEK).
