Cloud Key Management Service overview

Cloud Key Management Service (Cloud KMS) lets you create and manage cryptographic keys for use in compatible Google Cloud services and in your own applications. Using Cloud KMS, you can do the following:

Choose the right encryption for your needs

You can use the following table to identify which type of encryption meets your needs for each use case. The best solution for your needs might include a mix of encryption approaches. For example, you might use software keys for your least sensitive data and hardware or external keys for your most sensitive data. For additional information about the encryption options described in this section, see Protecting data in Google Cloud on this page. For more information about the service level agreement (SLA) that applies when using Cloud KMS, Cloud HSM, and Cloud EKM keys, see Service Level Agreement.

Each entry below gives the encryption type, its cost, the compatible services, and the features of that option.

Encryption type: Google-owned and Google-managed encryption keys (Google Cloud default encryption)
Cost: Included
Compatible services: All Google Cloud services that store customer data
Features:
  • No configuration required.
  • Automatically encrypts customer data saved in any Google Cloud service.
  • Most services automatically rotate keys.
  • Supports encryption using AES-256.
  • FIPS 140-2 Level 1 validated.

Encryption type: Customer-managed encryption keys - software (Cloud KMS keys)
Cost: $0.06 per key version
Compatible services: 40+ services

Encryption type: Customer-managed encryption keys - hardware (Cloud HSM keys)
Cost: $1.00 to $2.50 per key version per month
Compatible services: 40+ services
Features:
  • Optionally managed through Cloud KMS Autokey.
  • You control the automatic key rotation schedule; IAM roles and permissions; and enabling, disabling, or destroying key versions.
  • Supports symmetric and asymmetric keys for encryption and decryption.
  • Automatically rotates symmetric keys.
  • Supports several common algorithms.
  • FIPS 140-2 Level 3 validated.
  • Keys are unique to a customer.
  • You can create and manage your own Single-tenant Cloud HSM instance to have more cryptographic isolation and greater administrative control of your HSM keys. Single-tenant Cloud HSM instances incur additional costs.

Encryption type: Customer-managed encryption keys - external (Cloud EKM keys)
Cost: $3.00 per key version per month
Compatible services: 30+ services

Encryption type: Client-side encryption using Cloud KMS keys
Cost: Cost of active key versions depends on the protection level of the key.
Compatible services: Use client libraries in your applications

Encryption type: Cloud HSM for Google Workspace
Cost: Flat rate monthly fee for each instance, plus cost of active key versions and cryptographic operations.
Compatible services: Use Multi-tenant Cloud HSM keys for client-side encryption in Google Workspace
Features:
  • You control the automatic key rotation schedule; IAM roles and permissions; and enabling, disabling, or destroying key versions.
  • Use symmetric keys for encryption and decryption.

Encryption type: Customer-supplied encryption keys
Cost: Might increase costs associated with Compute Engine or Cloud Storage
Features:
  • You provide key material when needed.
  • Key material resides in memory; Google does not permanently store your keys on its servers.

Encryption type: Confidential Computing
Cost: Additional cost for each confidential VM; might increase log usage and associated costs
Features:
  • Provides encryption-in-use for VMs handling sensitive data or workloads.
  • Keys can't be accessed by Google.

Protecting data in Google Cloud

Google-owned and Google-managed encryption keys (Google Cloud default encryption)

By default, data at rest in Google Cloud is protected by keys in Keystore, Google Cloud's internal key management service. Keys in Keystore are managed automatically by Google Cloud, with no configuration required on your part. Most services automatically rotate keys for you. Keystore supports a primary key version and a limited number of older key versions. The primary key version is used to encrypt new data encryption keys. Older key versions can still be used to decrypt existing data encryption keys. You can't view or manage these keys or review key usage logs. Data from multiple customers might use the same key encryption key.

This default encryption uses cryptographic modules that are validated to be FIPS 140-2 Level 1 compliant.

Note: Google Cloud default encryption is not a feature of Cloud Key Management Service. For more information about Google Cloud default encryption, see Default encryption at rest.

Customer-managed encryption keys (CMEKs)

Cloud KMS keys that are used to protect your resources in CMEK-integrated services are customer-managed encryption keys (CMEKs). You can own and control CMEKs, while delegating key creation and assignment tasks to Cloud KMS Autokey. To learn more about automating provisioning for CMEKs, see Cloud Key Management Service with Autokey.

You can use your Cloud KMS keys in compatible services to help you meet the following goals:

  • Own your encryption keys.

  • Control and manage your encryption keys, including choice of location, protection level, creation, access control, rotation, use, and destruction.

  • Selectively delete data protected by your keys in the case of off-boarding or to remediate security events (crypto-shredding).

  • Create dedicated, single-tenant keys that establish a cryptographic boundary around your data.

  • Log administrative and data access to encryption keys.

  • Meet current or future regulation that requires any of these goals.

When you use Cloud KMS keys with CMEK-integrated services, you can use organization policies to ensure that CMEKs are used as specified in the policies. For example, you can set an organization policy that ensures that your compatible Google Cloud resources use your Cloud KMS keys for encryption. Organization policies can also specify which project the key resources must reside in.

The features and level of protection provided depend on the protection level of the key:

  • Software keys - You can generate software keys in Cloud KMS and use them in all Google Cloud locations. You can create symmetric keys with automatic rotation or asymmetric keys with manual rotation. Customer-managed software keys use FIPS 140-2 Level 1 validated software cryptography modules. You also have control over the rotation period, Identity and Access Management (IAM) roles and permissions, and organization policies that govern your keys. You can use your software keys with many compatible Google Cloud resources.

  • Imported software keys - You can import software keys that you created elsewhere for use in Cloud KMS. You can import new key versions to manually rotate imported keys. You can use IAM roles and permissions and organization policies to govern usage of your imported keys.

  • Hardware keys with Multi-tenant Cloud HSM - You can generate hardware keys in a cluster of FIPS 140-2 Level 3 Hardware Security Modules (HSMs). You have control over the rotation period, IAM roles and permissions, and organization policies that govern your keys. When you create HSM keys using Cloud HSM, Google Cloud manages the HSM clusters so you don't have to. You can use your HSM keys with many compatible Google Cloud resources, the same services that support software keys. For the highest level of security compliance, use hardware keys.

  • Hardware keys with Single-tenant Cloud HSM - You can generate hardware keys in a cluster of dedicated partitions in FIPS 140-2 Level 3 Hardware Security Modules (HSMs) that you control. You have control over the rotation period, IAM roles and permissions, and organization policies that govern your keys. When you create a Single-tenant Cloud HSM instance, Google Cloud hosts the HSM clusters so you don't have to, but you control access to the instance and maintain it with a quorum of designated administrators. Instance operations require two-factor authentication using security keys that you own outside of Google Cloud. You can use your single-tenant HSM keys with many compatible Google Cloud resources, the same services that support software keys. For the highest level of security compliance with cryptographic isolation, use hardware keys.

  • External keys and Cloud EKM - You can use keys that reside in an external key manager (EKM). Cloud EKM lets you use keys held in a supported key manager to secure your Google Cloud resources. You can connect to your EKM over the internet or over a Virtual Private Cloud (VPC). Some Google Cloud services that support Cloud KMS keys don't support Cloud EKM keys.

To learn more about which Cloud KMS locations support which protection levels, see Cloud KMS locations.

Cloud KMS keys

You can use your Cloud KMS keys in custom applications using the Cloud KMS client libraries or Cloud KMS API. The client libraries and API let you encrypt and decrypt data, sign data, and validate signatures.
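The client-side pattern behind both the "Client-side encryption using Cloud KMS keys" option and the crypto-shredding goal listed under CMEKs is envelope encryption: the application generates a data encryption key (DEK) locally, encrypts the object with it, and stores the DEK wrapped by a key-encryption key (KEK) that never leaves KMS; destroying the KEK version then makes every object wrapped under it unrecoverable without touching the stored data. The following Go program is an added example, not code from this page or from Google's client libraries. The KeyWrapper interface, the envelope byte layout and the in-memory memoryKEK are constructions of this example so it runs offline; in production, Wrap and Unwrap would be the Cloud KMS client library's Encrypt and Decrypt calls on a symmetric CryptoKey.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// KeyWrapper is the KEK boundary (name chosen for this example). With
// Cloud KMS, Wrap/Unwrap are the client library's Encrypt/Decrypt calls on a
// symmetric CryptoKey; the DEK only exists unwrapped inside this process.
type KeyWrapper interface {
	Wrap(dek []byte) ([]byte, error)
	Unwrap(wrapped []byte) ([]byte, error)
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// memoryKEK is a constructed in-process stand-in for a Cloud KMS key so the
// example runs offline. Destroy models destroying the key version in KMS.
type memoryKEK struct {
	aead      cipher.AEAD
	destroyed bool
}

func newMemoryKEK() (*memoryKEK, error) {
	raw, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(raw)
	if err != nil {
		return nil, err
	}
	return &memoryKEK{aead: aead}, nil
}

func (k *memoryKEK) Wrap(dek []byte) ([]byte, error) {
	if k.destroyed {
		return nil, errors.New("kek: key version is destroyed")
	}
	nonce, err := randomBytes(k.aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, dek, nil), nil // nonce || ciphertext || tag
}

func (k *memoryKEK) Unwrap(wrapped []byte) ([]byte, error) {
	if k.destroyed {
		return nil, errors.New("kek: key version is destroyed")
	}
	ns := k.aead.NonceSize()
	if len(wrapped) < ns {
		return nil, errors.New("kek: wrapped DEK too short")
	}
	return k.aead.Open(nil, wrapped[:ns], wrapped[ns:], nil)
}

// Destroy makes every DEK wrapped under this KEK, and so every object those
// DEKs protect, unrecoverable: crypto-shredding without rewriting the data.
func (k *memoryKEK) Destroy() { k.destroyed = true }

// Envelope layout (this example's own): 2-byte big-endian wrapped-DEK length,
// wrapped DEK, GCM nonce, AES-256-GCM ciphertext with tag. aad (for example
// the object name) is authenticated but not encrypted, so a ciphertext cannot
// be silently moved to another object.
func EnvelopeEncrypt(kek KeyWrapper, plaintext, aad []byte) ([]byte, error) {
	dek, err := randomBytes(32) // fresh DEK for every object
	if err != nil {
		return nil, err
	}
	wrapped, err := kek.Wrap(dek)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(wrapped)+len(nonce)+len(plaintext)+aead.Overhead())
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, aad), nil
}

func EnvelopeDecrypt(kek KeyWrapper, envelope, aad []byte) ([]byte, error) {
	if len(envelope) < 2 {
		return nil, errors.New("envelope: truncated header")
	}
	wl := int(binary.BigEndian.Uint16(envelope))
	body := envelope[2:]
	if len(body) < wl {
		return nil, errors.New("envelope: truncated wrapped DEK")
	}
	dek, err := kek.Unwrap(body[:wl]) // fails once the KEK version is destroyed
	if err != nil {
		return nil, fmt.Errorf("envelope: unwrap DEK: %w", err)
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(body) < wl+ns {
		return nil, errors.New("envelope: truncated ciphertext")
	}
	// Open checks the GCM tag over ciphertext and aad before releasing plaintext.
	return aead.Open(nil, body[wl:wl+ns], body[wl+ns:], aad)
}

func main() {
	kek, err := newMemoryKEK()
	if err != nil {
		panic(err)
	}
	aad := []byte("bucket/obj-1") // constructed object name used as context
	env, err := EnvelopeEncrypt(kek, []byte("customer record"), aad)
	if err != nil {
		panic(err)
	}
	pt, err := EnvelopeDecrypt(kek, env, aad)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	kek.Destroy()
	_, err = EnvelopeDecrypt(kek, env, aad)
	fmt.Println("after destroying the KEK:", err)
}
```

Because the ciphertext and the wrapped DEK travel together, no per-object state needs to be kept in KMS; the only KMS-side action that matters for recovery is whether the KEK version still exists and the caller still holds decrypt permission on it. Audit logs for the KEK therefore record every object access at the key level, which is the "log administrative and data access to encryption keys" goal listed above.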

Multi-tenant Cloud HSM for Google Workspace

You can use your Multi-tenant Cloud HSM keys in Cloud HSM for Google Workspace to manage the keys used for client-side encryption (CSE) in Google Workspace. You can onboard to Cloud HSM for Google Workspace.

Customer-supplied encryption keys (CSEKs)

Cloud Storage and Compute Engine can use customer-supplied encryption keys (CSEKs). With customer-supplied encryption keys, you store the key material and provide it to Cloud Storage or Compute Engine when needed. Google Cloud does not store your CSEKs in any way.

Note: CSEK support is not a feature of Cloud Key Management Service. For more information about CSEK, see Cloud Storage Customer-supplied encryption keys or Compute Engine Customer-supplied encryption keys.

Confidential Computing

You can use the Confidential Computing platform to encrypt your data in use. Confidential Computing ensures that your data stays private and encrypted even while it's being processed.

Note: Confidential Computing is not a feature of Cloud KMS. For more information about Confidential Computing, see Confidential Computing.


Last updated 2026-02-18 UTC.