Cloud Key Management

Encryption Key Management

Cloud KMS is a cloud-hosted key management service that lets you manage encryption for your cloud services the same way you do on-premises. You can generate, use, rotate and destroy AES256 encryption keys. Cloud KMS is integrated with IAM and Cloud Audit Logging so that you can manage permissions on individual keys and monitor how those keys are used. Use Cloud KMS to protect secrets and other sensitive data that you need to store in Google Cloud Platform.

Scalable, Automated, Fast

Keep millions of encryption keys, allowing you to determine the level of granularity at which to encrypt your data. Set keys to automatically rotate regularly, using a new primary version to encrypt data and limit the scope of data accessible with any single key version. Keep as many active key versions as you want. Rely on our low latency to ensure you can access your keys quickly.

Greater Management Over Key Use

Manage user-level IAM permissions on individual keys, and grant access to both individual users and service accounts. View admin activity and key use logs with Cloud Audit Logging, using Cloud KMS as a central point of control for access to your most sensitive data. Monitor logs to ensure proper use of your keys.

Easily Encrypt Secrets

Wrap secrets of up to 64KiB in size, so that you can protect secrets such as user credentials and API tokens. Take plaintext secrets out of source code, deployment managers, containers, and metadata, and make them accessible to users and service accounts alike by decrypting them through the Cloud KMS API.

Implement Envelope Encryption

Implement a key hierarchy in which a local data encryption key (DEK) is protected by a key encryption key (KEK) held in Cloud KMS. Manage the keys used to encrypt your data at the application layer, whether that data is stored in your own storage systems, at Google, or anywhere else.
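The DEK/KEK hierarchy described above, as an added Go example that is not Google's code or the Cloud KMS client library: the payload is sealed locally with AES-256-GCM under a fresh DEK, and only the 32-byte DEK is wrapped by the KEK. It assumes a hypothetical local AES key (kekKey) standing in for the Cloud KMS key so it runs offline, and it goes slightly beyond the paragraph by binding an object identifier as additional authenticated data so a ciphertext cannot be moved between objects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Envelope is stored beside the data; only the 32-byte DEK inside WrappedDEK ever reaches the KEK holder.
type Envelope struct {
	WrappedDEK []byte // opaque KEK output (the Cloud KMS Encrypt response in production)
	Sealed     []byte // nonce || AES-256-GCM ciphertext of the payload; never sent to KMS
}
// gcm builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// sealWith encrypts under a fresh random nonce and returns nonce || ciphertext.
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	a, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return a.Seal(nonce, nonce, plaintext, aad), nil
}
// openWith reverses sealWith; the GCM tag check rejects any tampering or wrong key.
func openWith(key, sealed, aad []byte) ([]byte, error) {
	a, err := gcm(key)
	if err != nil { return nil, err }
	if ns := a.NonceSize(); len(sealed) >= ns { return a.Open(nil, sealed[:ns], sealed[ns:], aad) }
	return nil, errors.New("sealed blob shorter than nonce")
}
// Encrypt: fresh DEK per object, payload sealed locally, DEK wrapped by kekKey (hypothetical local stand-in for the Cloud KMS key).
func Encrypt(kekKey, plaintext, aad []byte) (*Envelope, error) {
	dek := make([]byte, 32) // AES-256 DEK; never persisted unwrapped
	if _, err := rand.Read(dek); err != nil { return nil, err }
	sealed, err := sealWith(dek, plaintext, aad)
	if err != nil { return nil, err }
	wrapped, err := sealWith(kekKey, dek, nil) // only these 32 bytes go to the KEK, far under 64KiB
	if err != nil { return nil, err }
	return &Envelope{WrappedDEK: wrapped, Sealed: sealed}, nil
}
// Decrypt unwraps the DEK with the KEK, then opens the payload locally.
func Decrypt(kekKey []byte, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := openWith(kekKey, env.WrappedDEK, nil)
	if err != nil { return nil, err }
	return openWith(dek, env.Sealed, aad)
}
```

In production, the two sealWith/openWith calls on kekKey are replaced by the Cloud KMS Encrypt and Decrypt API calls on a key resource you never hold locally; the rest stays the same.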


Manage encryption keys on Google Cloud Platform

AES256 keys

Cloud KMS allows you to create, use, rotate, automatically rotate, and destroy AES256 symmetric encryption keys.

Encrypt and decrypt via API

Cloud KMS is a REST API that can use a key to encrypt or decrypt data, such as secrets, for storage.

Automated and at-will key rotation

Cloud KMS allows you to rotate a key at will, and also set a rotation schedule to automatically generate a new key version at a fixed time interval. Multiple versions of a key can be active at any time for decryption, with only one primary key version used for encrypting new data.

Delay for key destruction

Cloud KMS has a built-in 24-hour delay before key material is destroyed, to prevent accidental or malicious data loss.

High global availability

Cloud KMS is available in several global locations, allowing you to place your service where you want for low latency.