Encryption Key Management
Cloud KMS is a cloud-hosted key management service that lets you manage encryption for your cloud services the same way you do on-premises. You can generate, use, rotate and destroy AES256 encryption keys. Cloud KMS is integrated with IAM and Cloud Audit Logging so that you can manage permissions on individual keys, and monitor how these are used. Use Cloud KMS to protect secrets and other sensitive data which you need to store in Google Cloud Platform.
Scalable, Automated, Fast
Keep millions of encryption keys, allowing you to determine the level of granularity at which to encrypt your data. Set keys to automatically rotate regularly, using a new primary version to encrypt data and limit the scope of data accessible with any single key version. Keep as many active key versions as you want. Rely on our low latency to ensure you can access your keys quickly.
Greater Management Over Key Use
Manage IAM permissions for user-level permissions on individual keys, and grant access to both individual users and service accounts. View admin activity and key use logs with Cloud Audit Logging, using Cloud KMS as a central point to filter access to your most sensitive data. Monitor logs to ensure proper use of your keys.
Easily Encrypt Secrets
Wrap secrets up to 64KiB in size, to allow you to protect secrets like user credentials and API tokens. Take plaintext secrets out of source code, deployment managers, containers, and metadata, and make these accessible to users as well as service accounts via decryption using the Cloud KMS API.
Implement Envelope Encryption
Implement a key hierarchy with a local data encryption key (DEK), protected by a key encryption key (KEK) in Cloud KMS. Manage keys used to encrypt your data at the application layer, stored in your storage systems, at Google, or anywhere else.
