Google Cloud Key Management Service (KMS)

Google Cloud Key Management Service (KMS) is a cloud service for managing encryption keys for other Google cloud services that  enterprises can use to implement cryptographic functions.

Released in January 2017, the service enables users to generate, use, rotate and destroy Advanced Encryption Standard (AES)-256 encryption keys for protecting cloud data. Google Cloud KMS can also be used to manage keys used for encrypting other types of data for enterprises, such as API tokens and user credentials. Security teams using Google Cloud KMS can set encryption keys to automatically rotate at regular intervals.

Google Cloud KMS is part of the Google Cloud Platform (GCP) suite and enables customers to manage their encryption keys for data they store on GCP. Administrators can also use Google Cloud KMS to do bulk data encryption on plaintext before it is stored. The main industries Google targets with this service are those subject to regulations about how they store and secure sensitive data, like financial services and healthcare providers.

How Google Cloud KMS works

Cloud KMS stores AES-265 encryption keys in a five level hierarchy. The top level, called GCP Project, manages Identity and Access Management roles for accounts associated with a specific cloud project, which can be linked to an organization or a department within it, for instance. Organizations can store geographical locations of data centers that handle requests to Cloud KMS resources at the Project level. The Location level can store encryption keys for a group within the project in a particular location such as "east", "west" and so on, or it can be set to "global" so that all locations associated with the project can access the data.

Next comes  KeyRings, within which groups of CryptoKeys can be hosted. A KeyRing belongs to a Project and resides in a particular Location. KeyRings set the permissions for the CryptoKeys they hold, so they hold CryptoKeys with similar permission levels. A CryptoKey is a cryptographic key with a specific purpose. CryptoKeys can changes as the encryption changes, and that introduces CryptoKeyVersion, which is the final tier in the hierarchy.

Google offers a REST API as part of Google Cloud KMS, so developers can access KMS functions to list,  create, destroy and update encryption keys and assist enterprises that manage a large amount of keys and employees come and go and change roles within the organization. It can also encrypt and decrypt data using specific keys, and set and test IAM policies. There is a 24-hour delay on encryption key destruction and users have the option to restore previous key versions.

Google Cloud Key Management System
Varying levels of control or automation available in Google Cloud KMS

Integration with Google cloud services

Cloud KMS integrates with some of Google's other cloud services, such as Cloud Identity and Access Management, which handles encryption key authentication. Together, the services manage security permissions and policies that control key access and access to KeyRings. Cloud KMS also integrates with Cloud Audit Logging, which records administrative access and usage activity -- something that can be helpful when dealing with compliance standards and regulations.

Automated and manual key rotation options enable users to apply a preset schedule or manually select when the encryption keys rotate. This is done using either the API or the command-line interface.

Google Cloud KMS has the ability to support millions of encryption keys with an arbitrary number of key versions. It can be used as a distributed service or in a single geographical cloud data center.

Google's offering of an encryption key management service was introduced after Amazon Web Services and Microsoft Azure released their own versions.

This was last updated in August 2017

Continue Reading About Google Cloud Key Management Service (KMS)

Dig Deeper on Cloud security

Enterprise Desktop
Cloud Computing