This page provides a list of Cloud de Confiance by S3NS services that offer integrations with Cloud KMS. These services generally fall under one of the following categories:
- A customer-managed encryption key (CMEK) integration lets you encrypt the data at rest in that service using a Cloud KMS key that you own and manage. Data protected with a CMEK key cannot be decrypted without access to that key.
- A CMEK-compliant service either does not store data, or only stores data for a short period of time, such as during batch processing. Such data is encrypted using an ephemeral key that only exists in memory and is never written to disk. When the data is no longer needed, the ephemeral key is flushed from memory, and the data can't ever be accessed again. The output of a CMEK-compliant service might be stored in a service that is integrated with CMEK, such as Cloud Storage.
- Your applications can use Cloud KMS in other ways. For example, you can directly encrypt application data before transmitting or storing it.
To learn more about how data in Cloud de Confiance is protected at rest and how customer-managed encryption keys (CMEK) work, see Customer-managed encryption keys (CMEK).
## CMEK integrations
The following table lists services that integrate with Cloud KMS. Products that integrate with Cloud KMS when using external Cloud EKM keys are indicated under EKM supported.
| Service | Protected with CMEK | EKM supported | Topic |
|---|---|---|---|
| Artifact Registry | Data in repositories | Yes | Enabling customer-managed encryption keys |
| BigQuery | Data in BigQuery | Yes | Protecting data with Cloud KMS keys |
| Cloud Logging | Data in Logging storage | Yes | Manage the keys that protect Logging storage data |
| Cloud SQL | Data written to databases | Yes | Using customer-managed encryption keys |
| Cloud Storage | Data in storage buckets | Yes | Using customer-managed encryption keys |
| Compute Engine | Snapshots | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Custom images | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Machine images | Yes | Protecting resources with Cloud KMS keys |
| Pub/Sub | Data associated with topics | Yes | Configuring message encryption |
## CMEK-compliant services
The following table lists services that do not use customer-managed encryption keys (CMEKs) because they do not store data long term. For more information on why these services are considered CMEK compliant, see CMEK compliance.
| Service | Topic |
|---|---|
| API Gateway | CMEK compliance in API Gateway |
| Cloud Build | CMEK compliance in Cloud Build |
| Cloud Trace | CMEK compliance in Cloud Trace |
| Container Registry | Using a storage bucket protected with CMEK |
| Cloud Vision | CMEK compliance in Vision API |
| Storage Transfer Service | Customer-managed encryption keys |
## Other integrations with Cloud KMS
These pages discuss other ways to use Cloud KMS with other Cloud de Confiance services.
| Product | Topic |
|---|---|
| Any service | Encrypt application data before transmitting or storing it |
| Cloud Build | Encrypt resources before adding them to a build |
| Sensitive Data Protection | Create a wrapped key |