Last updated on April 1, 2026
Google Cloud KMS Cheat Sheet
- The Google Cloud Key Management Service (KMS) is a cloud-hosted key management service that enables you to manage encryption keys on the Google Cloud Platform.
Features
- Lets you manage your symmetric and asymmetric cryptographic keys the same way you manage them in an on-premises environment.
- You can decide to use the keys generated by Cloud KMS with other Google Cloud services. These keys are known as customer-managed encryption keys (CMEK).
- You can use an external key management system to protect data in Google Cloud, keeping the key material separate from the data it protects.
- You can generate a new key version for your symmetric keys automatically at a fixed time interval when you set a rotation schedule for your keys.
- Encrypt Kubernetes secrets in GKE with keys you manage in Cloud KMS. You can also store API keys, passwords, certificates, and other sensitive information in Secret Manager.
- Autokey: Automate provisioning and assignment of customer-managed encryption keys (CMEK). Keys are always HSM-protected, rotated yearly, and co-located with resources. Respects separation of duties between key administrators and data users.
- Key Access Justifications (KAJ): Gain visibility into every request for an encryption key, including a justification for the request. Approve or deny decryption requests based on automated policies. Covered by Google’s integrity commitments.
- Cloud HSM: Host encryption keys in FIPS 140‑2 Level 3 validated hardware security modules (HSMs). Use the same API as Cloud KMS for HSM-protected keys.
- Cloud External Key Manager (EKM): Maintain separation between data at rest and encryption keys by using third‑party key management systems (Equinix, Fortanix, Ionic, Thales, Unbound) outside Google’s infrastructure.
- Key import (BYOK): Import your own cryptographic keys generated on‑premises or in another key management system. Supported for both software‑protected and HSM‑protected keys.
- Key version destruction: Keys spend a configurable period (default 24 hours) in a “scheduled for destruction” state before permanent deletion, preventing accidental data loss.
- Key rings: Group related keys for easier management. Permissions assigned to a key ring are inherited by all keys in the ring. Key rings and keys cannot be deleted.
- Separation of duties: Use predefined IAM roles to separate key administration from data access, enforcing least privilege.
- Regionality: Keys are stored in the region (single, dual, or multi‑region) you choose. Data residency is guaranteed for key material.
- Audit logging: All admin activity is recorded in Cloud Audit Logs. Optionally log data access (encrypt/decrypt) operations. Eligible customers can enable Access Transparency logs for actions taken by Google employees.
- Supported algorithms: AES‑256 (symmetric); RSA 2048, 3072, 4096 (asymmetric); EC P‑256, P‑384 (asymmetric). Available with software or HSM protection.
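A defender-side check for several of the controls above (rotation schedule, HSM protection, destruction delay, and separation of duties), written as an added example that is not part of the original cheat sheet. It audits a CryptoKey resource and its IAM policy in the JSON shapes the Cloud KMS REST API returns; the role names are Cloud KMS predefined roles, the 90-day rotation threshold is an assumed organisational policy, and the key and policy below are constructed samples.

```python
import re
ADMIN_ROLES = {"roles/cloudkms.admin"}
DATA_ROLES = {"roles/cloudkms.cryptoKeyEncrypterDecrypter", "roles/cloudkms.cryptoKeyEncrypter",
              "roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.signerVerifier"}
DAY = 86400

def _seconds(duration):
    """Parse an API Duration string such as '7776000s' into seconds (None if absent)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)s", duration or "")
    return float(m.group(1)) if m else None

def audit_key(key, policy, max_rotation_days=90):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if key.get("purpose") == "ENCRYPT_DECRYPT":  # only symmetric keys rotate automatically
        rot = _seconds(key.get("rotationPeriod"))
        if rot is None:
            findings.append("no rotation schedule set")
        elif rot > max_rotation_days * DAY:
            findings.append(f"rotation period {rot / DAY:.0f}d exceeds {max_rotation_days}d")
    if key.get("versionTemplate", {}).get("protectionLevel") != "HSM":
        findings.append("key is not HSM-protected")
    destroy = _seconds(key.get("destroyScheduledDuration"))  # absent means the 24h API default
    if destroy is not None and destroy < DAY:
        findings.append(f"destroy delay {destroy / 3600:.0f}h is below the 24h default")
    by_member = {}  # separation of duties: no principal should both administer and use a key
    for b in policy.get("bindings", []):
        for member in b.get("members", []):
            by_member.setdefault(member, set()).add(b["role"])
    for member, roles in sorted(by_member.items()):
        if roles & ADMIN_ROLES and roles & DATA_ROLES:
            findings.append(f"{member} holds both admin and data-access roles")
    return findings

# Constructed sample (not a real project): software key, yearly rotation, 1h destroy delay,
# and one engineer who both administers the key and decrypts with it.
SAMPLE_KEY = {
    "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "31536000s", "destroyScheduledDuration": "3600s",
    "versionTemplate": {"protectionLevel": "SOFTWARE", "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"},
}
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/cloudkms.admin", "members": ["user:alice@example.com"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["user:alice@example.com", "serviceAccount:app@example.iam.gserviceaccount.com"]},
]}

if __name__ == "__main__":
    for finding in audit_key(SAMPLE_KEY, SAMPLE_POLICY):
        print("FINDING:", finding)
```

Feed it the output of `gcloud kms keys describe --format=json` and `gcloud kms keys get-iam-policy --format=json` to run the same checks against a real key.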
Pricing
Cloud KMS pricing is based on three main factors:
- Active key versions: Each key version that is enabled for use incurs a monthly charge. Software‑protected and HSM‑protected keys have different rates.
- Key operations: Cryptographic operations (encrypt, decrypt, sign, etc.) are charged per 10,000 operations.
- Protection level: Hardware‑protected keys (Cloud HSM) have higher per‑key and per‑operation costs than software‑protected keys. External keys (Cloud EKM) also have separate pricing.
There is no charge for key administrative operations (create, list, get, update, set IAM policies) or for creating and managing key rings.
For current pricing details, refer to the official Google Cloud KMS pricing page.
Google Cloud KMS Cheat Sheet References:
https://cloud.google.com/security-key-management
https://cloud.google.com/security/key-management-deep-dive