alphaspirit - Fotolia


Use Google KMS to control encryption keys in the cloud

Google offers various encryption options for its public cloud, from default server-side to customer-supplied keys. Learn where its Key Management Service falls in that mix.

Cloud security is not a one-way street. While your provider has some security responsibilities, it's your job,...

as the customer, to protect your data, applications and virtual instances. Encryption plays a critical role, but key management can get complicated.

It isn't easy to migrate on-premises key management infrastructure to the public cloud. As a result, many organizations turn to a cloud provider's native services for encryption key management. To meet this need and continue to attract large enterprise customers, Google Cloud Platform (GCP) recently added its Google Key Management Service (KMS). Google KMS is a managed service that generates, uses, rotates and destroys Advanced Encryption Standard (AES)-256 encryption keys.

Google KMS features

GCP has several layers and types of encryption services. In general, the built-in encryption is transparent to customers, but it uses Google-managed keys that aren't exportable. Google KMS is specifically for those users who need an added layer of customer-managed encryption keys to protect otherwise unencrypted data on any GCP service. Since Google KMS is a pure cloud service, all processes -- such as key generation, management, storage and rotation -- are done entirely on GCP.

Google KMS provides the following key features:

  • Object hierarchy: KMS stores AES-256 keys in a five-level object hierarchy, where the highest level is a GCP Project for all KMS resources, followed by:
    • Locations: geographic data centers hosting KMS resources;
    • KeyRing: a group of CryptoKeys;
    • CryptoKey: the action of AES-256 keys; and
    • CryptoKeyVersion: a history of keys for a particular resource.
  • REST API: A REST API is available to list, get, create, destroy and update keys; to encrypt and decrypt data with specified keys; and to set and test identity and access management (IAM) policies and permissions. Key destruction is protected by a 24-hour delay timer to prevent data loss due to inadvertent key removal. It also allows users to restore previous key versions.
  • IAM integration: KMS integrates with Google Cloud IAM to manage security permissions and policies that control access to keys and KeyRings. It also uses Google Cloud Audit Logging to record usage activity and administrative access.
  • Automation and manual key rotation: Use a preset schedule or manual invocation via the API or the command-line interface.
  • Global availability and scale: Google KMS supports millions of keys with an arbitrary number of active key versions and is available either as a globally distributed service that's not tied to a particular location or in one of five regions. Google KMS, like other services on the platform, uses GCP's high-performance infrastructure.


Google KMS pricing is based on the number of key versions active in a given month. The rate is $0.06 per key version, prorated by the number of days a key was active. So, if an organization uses a key with one version for an entire month and a second version for only 10 days, it incurs a charge of $0.08: 0.06 + 0.06 * (10/30).

Google KMS also charges for key encryption and decryption operations at the rate of $0.03 per 10,000 operations, with free admin operations. Thus, if you had 100 keys, each with five versions, and performed 100,000 operations in a month, the charge would be:

  • 500 * $0.06 + (100,000/10,000) * $0.03 = $30.30

Recommendations and challenges

Admins can use Google KMS for bulk data encryption of plaintext prior to being stored in a database or object store. Unfortunately, since Google KMS is not yet integrated with Google's storage services, users must perform the encryption via the Google KMS APIs before they upload to a Google Cloud Storage bucket.

Google KMS can also encrypt other sensitive data, such as user credentials and API tokens. For more sophisticated use, admins can create hierarchical layers of encryption with key "envelopes" that combine a local data encryption key with a key encryption key for added protection. Since keys have permissions that are assigned and enforced by Google IAM, a layered approach can segregate responsibility and data access between groups of users to provide additional security.

Google Cloud KMS

Some organizations with extremely sensitive data will not find Google KMS adequate. These firms typically want to store and manage keys on private infrastructure. They might also want to encrypt data already in Google Cloud Storage independently of Google's internal encryption. For them, Google supports customer-supplied encryption keys that are kept on premises and encrypt cloud services via API calls.

Next Steps

Learn why you need IAM and explore service options

Work with your cloud provider to ensure security

Use IAM tools to protect your public cloud

Dig Deeper on Cloud security tools