Cloud KMS Autokey for projects is available in Public Preview. Autokey forprojects lets you enable Cloud KMS Autokey for delegated key management. Indelegated key management, keys created by Autokey are created in the sameproject as the resources they protect. This option is suitable for yourorganization if project administrators are in charge of key management for theprojects they manage.

You can still use Cloud KMS Autokey for centralized key management in a folder,where all keys that protect resources in that folder are created in a dedicatedkey project. You can also use centralized key management in a folder, withcertain projects within that folder configured to use delegated key managementand same-project keys instead of creating keys in the dedicated key project.

You can enable Autokey for projects on individual projects or on all projectswithin a folder. For more information, seeEnable Cloud KMS Autokey.

Cloud KMS is available in the following region:

• asia-southeast3

For more information, seeCloud KMS locations.

Single-tenant Cloud HSM is now generally available. WithSingle-tenant Cloud HSM, you can create and manage dedicated single-tenantinstances. Each instance is a cluster of partitions on HSMs in a singleCloud KMS region. Google manages the HSMs, but you have administrativecontrol over your instance.

Single-tenant Cloud HSM is available in the following locations:

• us-central1
• us-east4
• europe-west1
• europe-west4

Creating a managing an instance requires quorum approval with two-factorauthentication using keys that you create and secure outside ofGoogle Cloud. Single-tenant Cloud HSM instances incur additional costs.

For more information about Single-tenant Cloud HSM, seeSingle-tenant Cloud HSM. To learn how tocreate and maintain a Single-tenant Cloud HSM instance, seeCreate andmanage a Single-tenant Cloud HSMinstance. To see pricing details forSingle-tenant Cloud HSM, seePricing forSingle-tenant Cloud HSM.

Cloud KMS now supports key encapsulation mechanisms (KEMs) for sharing secrets in Preview. KEMs are designed to be resistant to post-quantum attacks. You can use the following KEM algorithms:

• ML_KEM_768
• ML_KEM_1024
• KEM_XWING

For more information about key encapsulation mechanisms, seeKey encapsulation mechanisms. To learn how to use key encapsulation mechanisms to share secrets, seeEncapsulate and decapsulate using KEMs.

Cloud HSM for Google Workspace now lets you use Cloud HSM keys for client-side encryption (CSE) to protect sensitive workloads in Google Workspace. For more information about Cloud HSM for Google Workspace, including how to get started, seeOnboard to Cloud HSM for Google Workspace.

To help you get the right Cloud KMS keys on-demand, for consistent alignment with recommended encryption practices, Cloud KMS Autokey now has a free tier. The free tier covers the following usage:

• 100 free active key versions monthly
• 10,000 free cryptographic operations monthly

The free tier only applies to keys created using Cloud KMS Autokey. Key administration operations including key rotation are always free. For more details, seeCloud Key Management Service pricing

Cloud KMS is available in the following region:

• europe-north2

For more information, seeCloud KMS locations.

Cloud KMS now supports the following post-quantum computing (PQC) algorithms for digital signatures in Public Preview:

• PQ_SIGN_ML_DSA_65: Module-lattice-based digital signature algorithm
• PQ_SIGN_SLH_DSA_SHA2_128S: Stateless hash-based digital signature algorithm

ToRetrieve a public key for a PQC key, you must use thegcloud CLI or the Cloud KMS REST API.

• For thegcloud CLI, use the--public-key-format nist-pqc flag.
• For the REST API, use thepublic_key_format=NIST_PQC header parameter.

For more information about PQC algorithms, seePQC signing algorithms. For more information about PQC digital signatures, seePost-quantum cryptography (PQC) digital signature.

Cloud KMS is available in the following region:

• northamerica-south1

For more information, seeCloud KMS locations.

You can now use custom constraints with Organization Policy to provide more granular control over specific fields for some Cloud KMS resources. For more information, seeCreate custom organization policy constraints for Cloud KMS.

Cloud KMS with Autokey is now in General Availability for Cloud Storage, Compute Engine, BigQuery, Secret Manager, Cloud SQL, and Spanner.

Autokey simplifies creating and usingcustomer-managed encryption keys (CMEKs) by automating provisioning and assignment. With Autokey, key rings, keys, and service accounts don't need to be planned and provisioned before they're needed. Instead, Autokey generates keys on demand as resources are created.

Using keys generated by Autokey can help you consistently align with industry standards and recommended practices for data security, including the HSM protection level, separation of duties, key rotation, location, and key specificity. Keys requested using Autokey function identically to other Cloud HSM keys with the same settings.For more information, seeAutokey overview.

As previously announced, Cloud KMS has changed the default duration of the scheduled for destruction period from 24 hours to 30 days.

As of February 1, 2024, newly created CryptoKeys use the new default duration of 30 days, unless a different duration is specified during key creation. For more information about key destruction, seeDestroy and restore key versions.

Owners of existing CryptoKeys that had used the default duration were given until May 1, 2024 to opt out from automatically updating those keys to use the new default duration. Existing CryptoKeys that were not opted out have been updated to use the new default duration of 30 days. No further action is required from you.

Cloud KMS with Autokey is now in Preview for Cloud Storage, Compute Engine, BigQuery, and Secret Manager.

Autokey simplifies creating and usingcustomer-managed encryption keys (CMEKs) by automating provisioning and assignment. With Autokey, key rings, keys, and service accounts don't need to be planned and provisioned before they're needed. Instead, Autokey generates keys on demand as resources are created.

Using keys generated by Autokey can help you consistently align with industry standards and recommended practices for data security, including the HSM protection level, separation of duties, key rotation, location, and key specificity. Keys requested using Autokey function identically to other Cloud HSM keys with the same settings.

For more information, seeAutokey overview.

Cloud KMS has two new organization policy constraints that you can use to control key version destruction. These constraints became available on November 1, 2023.

For more information, seeControl key version destruction.

Cloud KMS now supports asymmetric signing and validation using ECDSA on the Curve25519 in PureEdDSA mode, which takes raw data as input instead of hashed data.

For more information on this and other algorithms supported by Cloud KMS, seeKey purposes and algorithms.

Bare Metal Rack HSM is generally available for customers with specific business and technical requirements in limited regions.

Bare Metal Rack HSM is an infrastructure-as-a-service offering that lets you deploy large numbers of customer-owned hardware security modules (HSMs) in PCI-compliant facilities next to your Google Cloud workloads. This product helps to accelerate migration of your payment applications to Google Cloud.

For more information, including to compare Bare Metal Rack HSM with Bare Metal HSM, seeBare Metal Rack HSM.

Certificate bundles for verifying attestations for Cloud HSM keys are deprecated. You can no longer download certificate bundles as of March 20, 2024.

Certificate bundles have been replaced by certificate chains. To learn how to use certificate chains to verify attestations for Cloud HSM keys, seeVerifying the attestation manually.

Cloud KMS is available in the following region:

• africa-south1

For more information, seeCloud KMS locations.

Bare Metal HSM is generally available for customers with specific business and technical requirements in limited regions.

Bare Metal HSM is an infrastructure-as-a-service offering that lets you deploy customer-owned hardware security modules (HSMs) in PCI-compliant facilities next to your Google Cloud workloads. This product helps to accelerate migration of your payment applications to Google Cloud.

For more information, seeBare Metal HSM.

Cloud KMS is available in the following region:

• me-central2

For more information, seeCloud KMS locations.

Cloud KMS is available in the following region:

• europe-west10

For more information, seeCloud KMS locations.

The Key Usage dashboard in the Google Cloud console and the new KMS Inventory REST API are now generally available.

For more information about the Key Usage dashboard, seeView key usage.

For more information about the KMS Inventory REST API, seeKMS Inventory API.

For example curl commands using the KMS Inventory REST API, seeView key usage andView keys by project.

Cloud HSM resources are now available in the following regions:

• europe-west12
• me-central1

For information about which locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, seeCloud KMS locations.

Cloud KMS is available in the following region:

• me-central1

For more information, seeCloud KMS locations.

Cloud EKM now supportscoordinated external keys.

Coordinated external keys let you create and manage keys in a compatible external key management system from Cloud KMS over a VPC network. For more information, seeEKM key management from Cloud KMS.

Thales CipherTrust Cloud Key Manager is the first external key management partner system that is compatible with EKM key management from Cloud KMS.

Cloud KMS is available in the following region:

• europe-west12

For more information, seeCloud KMS locations.

Cloud KMS and Cloud EKM resources are available in thein (India) multi-regional location. Cloud HSM resources arenot available in this location.

For information about whichGoogle Cloud Locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, seeCloud KMS Locations.

The Key Usage dashboard in the Google Cloud console and the new KMS Inventory REST API are now in Preview.

For more information about the Key Usage dashboard, seeView key usage.

For more information about the KMS Inventory REST API, seeKMS Inventory API.

For example curl commands using the KMS Inventory REST API, seeView key usage andView keys by project.

Cloud HSM resources are now available in the following regions:

• europe-southwest1
• europe-west9
• me-west1

For information about which locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, seeCloud KMS locations.

Cloud KMS is available in the following region:

• me-west1

For more information, seeCloud KMS locations.

Customers enrolled in Key Access Justifications will now see justifications listed in Cloud Audit Logs for Cloud KMS.

Cloud EKM now supports Dataproc Metastore. For more information, seeCloud External Key Manager.

Cloud KMS is available in the following region:

us-south1

For more information, seeCloud KMS locations.

Cloud KMS is available in the following region:

• us-east5

For more information, seeCloud KMS locations.

Cloud KMS is available in the following region:

• europe-southwest1

For more information, seeCloud KMS locations.

Cloud KMS is available in the following region:

• europe-west9

For more information, seeCloud KMS locations.

Two new organization policy constraints are now available in Preview to help ensure CMEK usage across an organization:

• constraints/gcp.restrictNonCmekServices requires CMEK protection.
• constraints/gcp.restrictCmekCryptoKeyProjects limits which Cloud KMS keys are used for CMEK protection.

To learn more, seeCMEK organization policies.

Cloud EKM now supports Cloud Bigtable and Log Storage in Cloud Logging. For more information, seeCloud External Key Manager.

Using Cloud EKM with a Virtual Private Network is now generally available. This means you can access your external key manager with a private endpoint.

SeeUsing Cloud EKM with VPC to learn more.

Cloud HSM resources are now available in the following regions:

• asia1
• eur3
• eur4
• nam3
• nam4
• nam6
• nam9

For information about which locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, seeCloud KMS locations.

Virtru is now available as a supported Cloud EKM partner. SeeSupported key managers to learn more.

You can now use Cloud EKM with a Virtual Private Network (preview). This means you can access your external key manager with a private endpoint.

SeeUsing Cloud EKM with VPC to learn more.

Cloud EKM now supports Cloud Run, Dataproc, and Vertex AI. For more information, seeCloud External Key Manager.

Cloud HSM is now available in theMelbourne (australia-southeast2) region.

Asymmetric keys for Cloud EKM are now generally available (GA).

The Cloud EKM cryptographic requests quota has been increased from 10 QPS to 100 QPS. If you use quotas to determine how much you are billed, this change could increase the amount you spend on Cloud KMS. SeeCloud EKM quotas for more details.

Cloud KMS is now available in theSantiago (southamerica-west1) region.

You can now attest HSM keys using certificate chains via gcloud command-line tool, Cloud Console, or Cloud KMS API. SeeVerifying attestations to learn more.

Cloud KMS now provides a library that conforms to the PKCS #11 standard, which enables working with existing applications that use the PKCS #11 API. SeeLibrary for PKCS #11 to learn more.

Re-importing previously destroyed keys is now supported in Cloud KMS.

Cloud KMS now supports a configurablevariable soft deletion window for cryptographic keys.

MAC keys are now supported by Cloud KMS. SeeCreating and validating MAC digital signatures to learn more.

You can now retrieve random bytes from the random number generator in Cloud HSM. SeeGenerating random bytes to learn more.

Cloud EKM now supports Artifact Registry, Logs Router in Cloud Logging, and Cloud Spanner. For more information, seeCloud External Key Manager.

Several fields related toverifying end-to-end data integrity for cryptographic operations are generally available (GA).

TheCloud KMS and Cloud HSM SLA has been updated.

Cloud EKM now supports Dataflow Appliance and Pub/Sub. For more information, seeCloud External Key Manager.

Theeurope-central2 region in Warsaw is now available. SeeCloud KMS locations for more details.

Cloud EKM adds support for Dataflow shuffle and Secret Manager. For more information, seeCloud External Key Manager.

Cloud EKM now supports Cloud SQL and GKE. For more information, seeCloud External Key Manager.

Cloud HSM resources are available in theus-west4 andasia-southeast2 regions. Cloud KMS resources were already available in these regions.

For information about whichCloud Locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, see theCloud KMS regional locations.

Keys hosted byThales are now supported in Cloud EKM. To learn more, seeCloud EKM.

Cloud KMS and Cloud EKM resources are available in theasia-southeast2 region. Cloud HSM resources arenot available in this region.

For information about whichCloud Locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, see theCloud KMS regional locations.

Several fields related to data integrity have been added to the Cloud KMS API, along with guidelines for using them. To learn more about maintaining data integrity when performing cryptographic operations, seeVerifying end-to-end data integrity.

Hosted Private HSM is generally available.

Cloud KMS and Cloud EKM resources are available in theus-west4 region. Cloud HSM resources arenot available in this region.

Cloud HSM resources are available in theglobal multi-regional location.

For information about whichCloud Locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, see theCloud KMS regional locations.

Cloud External Key Manager (Cloud EKM) is generally available.

Importing keys into Cloud KMS software keys is generally available (GA).

Cloud EKM resources are now available in theasia-northeast3 andus-west3locations.

Cloud KMS resources can now be created in theus-west3 region.

Cloud HSM resources are now also available in theus-west3 region.

Cloud EKM resources are not available in theus-west3 region.

For information about whichCloud Locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, refer toCloud KMS locations.

You can now import key material into Cloud KMS software keys. For more information, seeKey import. Importing key material into Cloud HSM keys is already generally available.

Cloud KMS resources can now be created in theasia-northeast3 region.

Cloud HSM resources are now also available in theasia-northeast3 region.

Learn more aboutCloud Locations. For the list of all regions supported by Cloud KMS, Cloud HSM, and Cloud EKM, see theCloud KMS regional locations.

Cloud External Key Manager (Cloud EKM) (Beta) allows you to encrypt data stored in Google Cloud using keys stored in a supported partner external key management system. You can encrypt or decrypt data in BigQuery, Compute Engine persistent disks, or directly using the Cloud KMS API.

You can learn aboutchanges to the API since the Alpha release.

The Cryptographic Requests quota has been increased from 600 QPM to 60,000 QPM. If you use quotas to determine how much you are billed, this change could increase the amount you end up spending on your Cloud KMS.

If you require a smaller quota than 60,000 QPM, or you don't need a quota increase, go to theCloud Console Quotas page and set a new value for Cryptographic requests per minute. HSM specific quotas will not be increased.

Thegcloud beta kms import-jobs command group was released as part ofgcloud 253.0.0.

Introduction of import key functionality into the Cloud KMS beta release.

The following are additions to the API definition.

New resources

ImportJob has been added as a resource.

TheImportJob resource contains the following methods:

• ImportJobs.create
• ImportJobs.get
• ImportJobs.getIamPolicy
• ImportJobs.list
• ImportJobs.setIamPolicy
• ImportJobs.testIamPermissions

TheImportJob resource contains the following enums:

• ImportJobState
• ImportMethod

TheImportJob resource contains the following type:

• WrappingPublicKey

New methods

• CryptoKeyVersions.import

New fields

• CreateCryptoKeyRequest.skip_initial_version_creation
• CryptoKeyVersions.import_failure_reason
• CryptoKeyVersions.import_job
• CryptoKeyVersions.import_time

New enums

• CryptoKeyVersionState.PENDING_IMPORT
• CryptoKeyVersionState.IMPORT_FAILED

New permissions

• cloudkms.cryptoKeyVersions.useToImport
• cloudkms.importJobs.create
• cloudkms.importJobs.get
• cloudkms.importJobs.getIamPolicy
• cloudkms.importJobs.list
• cloudkms.importJobs.setIamPolicy

For more information about Cloud KMS permissions, seePermissions and roles.

Cloud HSM resources are now available in the following regional locations:

• asia-east2
• europe-west6
• us-west2

For the list of all supported regions, seeSupported regions.

Introduction of the Cloud KMS beta release to support filtering and sorting results from the followinglist operations.

• keyRings.list
• cryptoKeys.list
• cryptoKeyVersions.list

For more information, seeSorting and filtering list results.

Cloud HSM resources are now available in the following regional locations:

• asia-northeast1
• asia-northeast2

For the list of all supported regions, seeSupported regions.

Thegcloud kms command group was updated as part ofgcloud 250.0.0.

• Promoted the following commands to GA.
  • gcloud kms asymmetric-decrypt.
  • gcloud kms asymmetric-sign.
  • gcloud kms keys versions get-public-key.
• Promoted the following flags ingcloud kms keys command group to GA.
  • --attestation-file.
  • --default-algorithm.
  • --purpose.
  • --protection-level.

Cloud HSM resources are now available in the following regional locations:

• asia-south1
• europe-north1
• europe-west1
• europe-west4

For the list of all supported regions, seeSupported regions for Cloud HSM.

Cloud HSM resources are now available in theus multi-regional location. For the list of all supported regions, seeSupported regions for Cloud HSM.

Cloud KMS resources can now be created in theasia-northeast2 region. Learn more aboutCloud Locations.

Cloud HSM resources are now available in theasia-southeast1 regional location. For the list of all supported regions, seeSupported regions for Cloud HSM.

Cloud KMS resources can now be created in theeurope-west6 region. Learn more aboutCloud Locations.

CAVIUM_V2_COMPRESSED has been added as an enum value toAttestationFormat. To learn how to verify an attestation that is in theCAVIUM_V2_COMPRESSED format, seeVerifying Attestations.

Announced general availability ofasymmetric keys andCloud HSM in Cloud KMS.

Cloud HSM resources are now available in theeurope-west3 regional location. For the list of all supported regions, seeSupported regions for Cloud HSM.

Cloud HSM resources are now available in theeurope-west2 regional location. For the list of all supported regions, seeSupported regions for Cloud HSM.

Cloud KMS resources can now be created in theeur4 andnam4 dual-regions. Learn more aboutCloud Locations.

Cloud KMS resources can now be created in theasia-east2 region. Learn more aboutCloud Locations.

New algorithms have been added:

• RSA_SIGN_PSS_4096_SHA512
• RSA_SIGN_PKCS1_4096_SHA512
• RSA_DECRYPT_OAEP_4096_SHA512

For the list of all supported algorithms, seeKey purposes and algorithms.

Cloud HSM resources are now available in theus-central1 regional location. For the list of all supported regions, seeSupported regions for Cloud HSM.

Attestations that are downloaded via the Google Cloud Platform Console are no longer base64-encoded. This matches the raw format of the attestations downloaded via thegcloud command-line tool and the Cloud KMS API. The instructions forVerifying Attestations expect the attestation to be in raw format, not base64-encoded.

Introduction of asymmetric keys and Cloud HSM into the Cloud KMS beta release.

Additions to the API definition:

• New method for creating digital signatures:
  • CryptoKeys.asymmetricSign
• New method for retrieving an asymmetric key's public key:
  • CryptoKeyVersions.getPublicKey
• New method for decrypting data encoded with an asymmetric public key generated by Cloud KMS:
  • CryptoKeyVersions.asymmetricDecrypt
• New types:
  • CryptoKeyVersionAlgorithm
  • CryptoKeyVersionTemplate
  • CryptoKeyVersionView
  • ProtectionLevel
• New fields:
  • CryptoKey.versionTemplate
  • CryptoKeyVersion.algorithm
  • CryptoKeyVersion.attestation
  • CryptoKeyVersion.generateTime
  • CryptoKeyVersion.protectionLevel
  • LocationMetadata.hsmAvailable
• TheCryptoKey.list method now contains aversionView query parameter that lists the fields of the primary key version to include in the response.
• TheCryptoKeyVersion.list method now contains aview query parameter that lists the fields to include in the response.
• TheLocationMetadata resource returned by theLocations.get andLocations.list methods now contain anhsm_available field. Thehsm_available field is abool that indicates whether the location supports Hardware Security Modules (HSMs).

Cloud HSM resources are now available in theus-east1 andus-west1 regional locations.

Cloud KMS resources can now be created in theus-west2 region. Learn more aboutCloud Locations.

Cloud KMS resources can now be created in theeurope-north1 region. Learn more aboutCloud Locations.

Cloud KMS resources can now be created in the following regions:

• asia-south1
• australia-southeast1
• europe-west2
• europe-west3
• northamerica-northeast1
• southamerica-east1
• us-east4

Learn more aboutCloud Locations.

The URL of the Cloud KMS page in the Google Cloud Platform Console has been changed from https://console.cloud.google.com/iam-admin/kms to https://console.cloud.google.com/security/kms.

The name of theCloud KMS page in the Google Cloud Platform Console has been changed fromEncryption keys toCryptographic keys.

Cloud KMS resources can now be created in theasia-northeast1 region. Learn more aboutCloud Locations.

Cloud KMS resources can now be created in theasia,europe, andus multi-regional locations. Learn more aboutCloud KMS locations.

Announced general availability ofIAM custom roles for Cloud KMS.

Thegcloud kms locations list command now supports theeurope-west4 region.

The Google Cloud Platform console now supports theeurope-west4 region. You can create new key rings in this region using the console, the API and thegcloud command-line tool. Thegcloud kms locations list command will support this region approximately January 22, 2018. Learn more aboutCloud Locations.

Cloud KMS resources can now be created in theeurope-west4 region. You can use this region to create new key rings using the API and thegcloud command-line tool. This region will not be viewable in the Google Cloud Platform console or returned bygcloud kms locations list until approximately January 17, 2018. Learn more aboutCloud Locations.

Promotedkeys update fromgcloud beta kms togcloud kms as part ofgcloud 175.0.0.

TheEnvelope Encryption topic provides more information about key wrapping and envelope encryption.

Batch operations are no longer supported.

Labels can now be applied to CryptoKeys:

• TheCryptoKey type now contains thelabels field.
• To learn more about this feature, seeLabeling CryptoKeys.

gcloud changes:

• Thegcloud kms keys create command has a new parameter,--labels. Use this parameter to specify labels when you create a key.
• The output from thegcloud kms keys list command now contains aLABELS column.
• Thegcloud beta kms keys update command is new. This command supports updating an existing key.

These changes are effective ingcloud version 170.0.0.

Cloud KMS resources can now be created in theasia-southeast1 region. Learn more aboutCloud Locations.

Cloud KMS is now available in a larger group of countries.

Promotedencrypt anddecrypt commands fromgcloud beta kms togcloud kms as part ofgcloud 159.0.0.

API version v1beta1 has been turned off. Please use v1 API endpoint.

As part ofgcloud 158.0.0, when usinggcloud to update IAM policies, data access logs can be enabled for key rings and keys, in addition to projects which were already supported.

• gcloud kms keyrings set-iam-policy
• gcloud kms keys set-iam-policy

Addedencrypt anddecrypt commands togcloud beta kms as part ofgcloud 157.0.0.

• Added examples for usinggcloud beta kms encrypt andgcloud beta kms decrypt.

Data Access audit logs can now be self-enabled for Cloud KMS. For more information, seeCloud Audit Logging documentation.

• Updated documentation on logs types in Cloud KMS.

Cloud KMS resources can now be created in theus-west1 region. Learn more aboutCloud Locations.

Promotedgcloud beta kms commands togcloud kms as part ofgcloud 148.0.0.

Renamedcryptokey tokey as part ofgcloud 147.0.0.

Renamedgcloud kms cryptokeys asgcloud kms keys.Renamed the--cryptokey flag as--key.Deprecated thecryptokey variants.

Launch of Cloud KMS toGeneral Availability.

• Updated client libraries and code samples in C#, Go, Java, Node.js, PHP, Python, and Ruby.
• New Secret Management documentation that explains how to protect secrets using Cloud KMS.
• Added aService Level Agreement (SLA).

API version from v1beta1 to v1.

• The v1beta1 API is deprecated and will be turned down no sooner than June 7, 2017.
• To start using the v1 API, follow the process toinstall the client library for your preferred language. Other than the API version, your code shouldn't need any other changes.

Launch of Cloud KMS toBeta. Use Cloud KMS to create, use, rotate, automatically rotate, and destroy symmetric AES256 encryption keys. Cloud KMS isaccessible via

• REST API
• Google APIs Client Libraries in go, python, and java
• Cloud Console user interface