Protection levels

This page compares the different protection levels supported in Cloud KMS:

Software
Cloud KMS keys with the SOFTWARE protection level are used for cryptographic operations that are performed in software. Cloud KMS keys can be generated by Google or imported.
Multi-tenant hardware
Cloud HSM keys with the HSM protection level are stored in a Google-owned Hardware Security Module (HSM). Cryptographic operations using these keys are performed in our HSMs. You can use Cloud HSM keys the same way you use Cloud KMS keys. Cloud HSM keys can be generated by Google or imported.
Single-tenant hardware
Cloud HSM keys with the HSM_SINGLE_TENANT protection level are stored in a single-tenant instance in a Google-owned Hardware Security Module (HSM). You control and manage the Single-tenant Cloud HSM instance, a dedicated cluster of HSM partitions. Cryptographic operations using these keys are performed in our HSMs. You can use single-tenant Cloud HSM keys the same way you use Cloud KMS keys. Single-tenant Cloud HSM keys can be generated by Google or imported. For more information, see Single-tenant Cloud HSM.
External over the internet
Cloud EKM keys with the EXTERNAL protection level are generated and stored in your external key management (EKM) system. Cloud EKM stores additional cryptographic material and a path to your unique key, which is used to access your key over the internet.
External over VPC
Cloud EKM keys with the EXTERNAL_VPC protection level are generated and stored in your external key management (EKM) system. Cloud EKM stores additional cryptographic material and a path to your unique key, which is used to access your key over a Virtual Private Cloud (VPC) network.

Keys with all of these protection levels share the following features:

Software protection level

Cloud KMS uses the BoringCrypto module (BCM) for all cryptographic operations for software keys. The BCM is FIPS 140-2 validated. Cloud KMS software keys use FIPS 140-2 Level 1 validated cryptographic primitives of the BCM.

The software protection level is the cheapest protection level. Software keys are a good choice for use cases that do not have specific regulatory requirements for a higher FIPS 140-2 validation level.

Hardware protection level

Cloud HSM helps you enforce regulatory compliance for your workloads in Google Cloud. With Cloud HSM, you can generate encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 validated HSMs. The service is fully managed, so you can protect your most sensitive workloads without worrying about the operational overhead of managing an HSM cluster. Cloud HSM provides a layer of abstraction on top of the HSM modules. This abstraction lets you use your keys in CMEK integrations or the Cloud KMS APIs or client libraries without HSM-specific code.

Hardware key versions are more expensive, but they provide substantial security benefits relative to software keys. Each Cloud HSM key has an attestation statement that contains certified information about your key. This attestation and its associated certificate chains can be used to verify the authenticity of the statement and the attributes of the key and HSM. The attestation for a key version can be downloaded with `gcloud kms keys versions describe --attestation-file`, and the certificate chains with `gcloud kms keys versions get-certificate-chain`.

Single-tenant hardware protection level

With Single-tenant Cloud HSM, you create and manage your own Single-tenant Cloud HSM instance within Google-managed HSMs. Each instance is a cluster of dedicated partitions on HSMs in a Google Cloud region. Your instance administrators have administrative control of your instance.

Single-tenant Cloud HSM provides the same functionality as Multi-tenant Cloud HSM, with the added benefit of cryptographic isolation from other Google Cloud customers. For more information about functionality shared by all Cloud HSM keys, see Hardware protection level earlier on this page.

Single-tenant Cloud HSM instances incur additional expenses relative to Multi-tenant Cloud HSM.

External protection levels

Cloud External Key Manager (Cloud EKM) keys are keys that you manage in a supported external key management (EKM) partner service and use in Google Cloud services and Cloud KMS APIs and client libraries. Cloud EKM keys can be software-backed or hardware-backed, depending on your EKM provider. You can use your Cloud EKM keys in CMEK-integrated services or using the Cloud KMS APIs and client libraries.

Cloud EKM protection levels are the most expensive. When you use Cloud EKM keys, you can be sure that Google Cloud can't access your key material.

To see which CMEK-integrated services support Cloud EKM keys, see CMEK integrations and apply the Show only EKM compatible services filter.

External over the internet protection level

You can use Cloud EKM keys over the internet in all locations supported by Cloud KMS except nam-eur-asia1 and global.

Caution: When you use Cloud EKM keys over the internet, there's a risk that the key can become unavailable. For better availability, consider using Cloud HSM or Cloud EKM over a VPC network.

External over VPC protection level

You can use Cloud EKM keys over a VPC network for better availability of your external keys, which reduces the chance that your Cloud EKM keys and the resources they protect become unavailable.

You can use Cloud EKM keys over a VPC network in most regional locations supported by Cloud KMS. Cloud EKM over a VPC network is not available in multi-region locations.
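The following is an added example, not code from the Cloud KMS documentation or from Google. It turns the comparison above (Software, Hardware and External protection levels) into an inventory check a practitioner can run over the JSON that `gcloud kms keys versions list --format=json` returns for CryptoKeyVersion resources: it flags SOFTWARE keys when a policy demands FIPS 140-2 Level 3 hardware, marks EKM keys for review because their backing depends on the provider, rejects EXTERNAL in the two unsupported locations named above, and rejects EXTERNAL_VPC outside regional locations. The sample inventory is constructed, and the regular expression used to recognise a regional location is an assumption of this example, not a rule stated on the page.

```python
# Added example (not Cloud KMS's own code): audit CryptoKeyVersion records
# against a protection-level policy. Input records use the API field names
# "name", "state" and "protectionLevel".
import re
from dataclasses import dataclass

VERSION_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)"
    r"/cryptoKeyVersions/(?P<version>[^/]+)$"
)
# Assumption: a regional location looks like "us-east1" or "europe-west4";
# multi-region ("global", "us", "nam-eur-asia1") and dual-region ("nam4")
# names do not match this pattern.
REGIONAL_RE = re.compile(r"^[a-z]+-[a-z]+\d+$")

HARDWARE_LEVELS = {"HSM", "HSM_SINGLE_TENANT"}
EXTERNAL_LEVELS = {"EXTERNAL", "EXTERNAL_VPC"}
KNOWN_LEVELS = {"SOFTWARE"} | HARDWARE_LEVELS | EXTERNAL_LEVELS
# From the page: EKM over the internet is unavailable in these locations.
EXTERNAL_UNSUPPORTED_LOCATIONS = {"nam-eur-asia1", "global"}


@dataclass
class Finding:
    name: str       # full CryptoKeyVersion resource name
    severity: str   # "fail" (policy violated) or "review" (needs a human)
    reason: str


def parse_version_name(name):
    """Split a CryptoKeyVersion resource name into its path components."""
    m = VERSION_RE.match(name)
    if not m:
        raise ValueError(f"not a CryptoKeyVersion resource name: {name}")
    return m.groupdict()


def audit_version(version, require_hardware):
    """Return findings for one record. require_hardware=True models a policy
    that demands FIPS 140-2 Level 3 hardware, which only HSM and
    HSM_SINGLE_TENANT guarantee."""
    findings = []
    name = version["name"]
    location = parse_version_name(name)["location"]
    level = version.get("protectionLevel")
    if version.get("state") == "DESTROYED":
        return findings  # key material is gone; nothing to enforce
    if level not in KNOWN_LEVELS:
        return [Finding(name, "fail", f"unknown protection level {level!r}")]
    if require_hardware and level == "SOFTWARE":
        findings.append(Finding(name, "fail",
            "SOFTWARE keys use the FIPS 140-2 Level 1 validated BoringCrypto "
            "module, not Level 3 validated hardware"))
    elif require_hardware and level in EXTERNAL_LEVELS:
        findings.append(Finding(name, "review",
            "EKM keys are software- or hardware-backed depending on the "
            "provider; confirm with the provider"))
    if level == "EXTERNAL":
        if location in EXTERNAL_UNSUPPORTED_LOCATIONS:
            findings.append(Finding(name, "fail",
                f"EXTERNAL is not supported in location {location}"))
        findings.append(Finding(name, "review",
            "EKM over the internet can become unreachable; consider "
            "EXTERNAL_VPC or Cloud HSM for availability-sensitive data"))
    elif level == "EXTERNAL_VPC" and not REGIONAL_RE.match(location):
        findings.append(Finding(name, "fail",
            f"EXTERNAL_VPC is only available in regional locations, not {location}"))
    return findings


def audit_inventory(versions, require_hardware=True):
    """Audit every record and return all findings in inventory order."""
    findings = []
    for version in versions:
        findings.extend(audit_version(version, require_hardware))
    return findings


def summarize(findings):
    """Count findings by severity."""
    return {"fail": sum(f.severity == "fail" for f in findings),
            "review": sum(f.severity == "review" for f in findings)}


def _name(location, key):
    return (f"projects/demo/locations/{location}/keyRings/ring"
            f"/cryptoKeys/{key}/cryptoKeyVersions/1")


# Constructed sample inventory; these are not real keys.
SAMPLE_INVENTORY = [
    {"name": _name("us-east1", "sw"), "state": "ENABLED", "protectionLevel": "SOFTWARE"},
    {"name": _name("us-east1", "hsm"), "state": "ENABLED", "protectionLevel": "HSM"},
    {"name": _name("us-east1", "tenant"), "state": "ENABLED", "protectionLevel": "HSM_SINGLE_TENANT"},
    {"name": _name("global", "ekm"), "state": "ENABLED", "protectionLevel": "EXTERNAL"},
    {"name": _name("us", "ekm-vpc"), "state": "ENABLED", "protectionLevel": "EXTERNAL_VPC"},
    {"name": _name("europe-west4", "retired"), "state": "DESTROYED", "protectionLevel": "SOFTWARE"},
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY, require_hardware=True):
        print(f"{f.severity:6} {f.name.split('/cryptoKeys/')[1]}: {f.reason}")
    print(summarize(audit_inventory(SAMPLE_INVENTORY, require_hardware=True)))
```

On the constructed inventory with `require_hardware=True` the audit produces three failures (the SOFTWARE key, the EXTERNAL key in `global`, and the EXTERNAL_VPC key in the `us` multi-region) and three review items; with `require_hardware=False` only the two location violations and the internet-availability caution remain. Destroyed versions are skipped because they hold no key material, and EKM keys are never auto-passed as hardware because the page states their backing depends on the EKM provider.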

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.