Some or all of the information on this page might not apply to Trusted Cloud by S3NS.

Cloud Key Management Service overview

Cloud Key Management Service (Cloud KMS) lets you create and manage cryptographic keys for use in compatible Trusted Cloud by S3NS services and in your own applications. Using Cloud KMS, you can do the following:

Generate software keys, import existing keys into Cloud KMS, or link external keys in your compatible external key management (EKM) system.
Use customer-managed encryption keys (CMEKs) in Trusted Cloud products with CMEK integration. CMEK integrations use your Cloud KMS keys to encrypt or "wrap" your data encryption keys (DEKs). Wrapping DEKs with key encryption keys (KEKs) is called envelope encryption.
Use Cloud KMS keys for encryption and decryption operations. For example, you can use the Cloud KMS API or client libraries to use your Cloud KMS keys for client-side encryption.
Use Cloud KMS keys to create or verify digital signatures or message authentication code (MAC) signatures.

Choose the right encryption for your needs

You can use the following table to identify which type of encryption meets your needs for each use case. The best solution for your needs might include a mix of encryption approaches. For example, you might use software keys for your least sensitive data and external keys for your most sensitive data. For additional information about the encryption options described in this section, see Protecting data in Trusted Cloud by S3NS on this page.

Encryption type	Compatible services	Features
Google Cloud-powered encryption keys (Trusted Cloud default encryption)	All Trusted Cloud services that store customer data	No configuration required. Automatically encrypts customer data saved in any Trusted Cloud by S3NS service. Most services automatically rotate keys. Supports encryption using AES-256. FIPS 140-2 Level 1 validated.
Customer-managed encryption keys - software (Cloud KMS keys)	40+ services	You control automatic key rotation schedule; IAM roles and permissions; enable, disable, or destroy key versions. Supports symmetric and asymmetric keys for encryption and decryption. Automatically rotates symmetric keys. Supports several common algorithms. FIPS 140-2 Level 1 validated. Keys are unique to a customer.
Customer-managed encryption keys - external (Cloud EKM keys)	30+ services	You control IAM roles and permissions; enable, disable, or destroy key versions. Keys are never sent to Google. Key material resides in a compatible external key management (EKM) provider. Compatible Trusted Cloud services connect to your EKM provider over a Virtual Private Cloud (VPC). Supports symmetric keys for encryption and decryption. Manually rotate your keys in coordination with Cloud EKM and your EKM provider. FIPS 140-2 Level 2 or FIPS 140-2 Level 3 validated, depending on the EKM. Keys are unique to a customer.
Client-side encryption using Cloud KMS keys	Use client libraries in your applications	You control automatic key rotation schedule; IAM roles and permissions; enable, disable, or destroy key versions. Supports symmetric and asymmetric keys for encryption, decryption, signing, and signature validation. Functionality varies by key protection level.
Cloud HSM for Google Workspace	Use Cloud HSM keys for client-side encryption in Google Workspace	You control automatic key rotation schedule; IAM roles and permissions; enable, disable, or destroy key versions. Use symmetric keys for encryption and decryption.
Customer-supplied encryption keys	Cloud Storage	You provide key materials when needed. Key material resides in-memory - Google does not permanently store your keys on our servers.

Note: Pricing varies by encryption type and protection level. For more information, consult the pricing details shared with you by Trusted Cloud.

Protecting data in Trusted Cloud by S3NS

Google Cloud-powered encryption keys (Trusted Cloud default encryption)

By default, data at rest in Trusted Cloud is protected by keys in Keystore, Trusted Cloud's internal key management service. Keys in Keystore are managed automatically by Trusted Cloud, with no configuration required on your part. Most services automatically rotate keys for you. Keystore supports a primary key version and a limited number of older key versions. The primary key version is used to encrypt new data encryption keys. Older key versions can still be used to decrypt existing data encryption keys. You can't view or manage these keys or review key usage logs. Data from multiple customers might use the same key encryption key.

This default encryption uses cryptographic modules that are validated to be FIPS 140-2 Level 1 compliant.

Customer-managed encryption keys (CMEKs)

Cloud KMS keys that are used to protect your resources in CMEK-integrated services are customer-managed encryption keys (CMEKs).

You can use your Cloud KMS keys in compatible services to help you meet the following goals:

Own your encryption keys.
Control and manage your encryption keys, including choice of location, protection level, creation, access control, rotation, use, and destruction.
Selectively delete data protected by your keys in the case of off-boarding or to remediate security events (crypto-shredding).
Create dedicated, single-tenant keys that establish a cryptographic boundary around your data.
Log administrative and data access to encryption keys.
Meet current or future regulation that requires any of these goals.

When you use Cloud KMS keys with CMEK-integrated services, you can use organization policies to ensure that CMEKs are used as specified in the policies. For example, you can set an organization policy that ensures that your compatible Trusted Cloud resources use your Cloud KMS keys for encryption. Organization policies can also specify which project the key resources must reside in.

The features and level of protection provided depend on the protection level of the key:

Software keys - You can generate software keys in Cloud KMS and use them in all Trusted Cloud locations. You can create symmetric keys with automatic rotation or asymmetric keys with manual rotation. Customer-managed software keys use FIPS 140-2 Level 1 validated software cryptography modules. You also have control over the rotation period, Identity and Access Management (IAM) roles and permissions, and organization policies that govern your keys. You can use your software keys with many compatible Trusted Cloud resources.
Imported software keys - You can import software keys that you created elsewhere for use in Cloud KMS. You can import new key versions to manually rotate imported keys. You can use IAM roles and permissions and organization policies to govern usage of your imported keys.
External keys and Cloud EKM - You can use keys that reside in an external key manager (EKM). Cloud EKM lets you use keys held in a supported key manager to secure your Trusted Cloud resources. You connect to your EKM over a Virtual Private Cloud (VPC). Some Trusted Cloud services that support Cloud KMS keys don't support Cloud EKM keys.

Cloud KMS keys

You can use your Cloud KMS keys in custom applications using the Cloud KMS client libraries or Cloud KMS API. The client libraries and API let you encrypt and decrypt data, sign data, and validate signatures.

Cloud HSM keys

You can use your Cloud HSM keys in Cloud HSM for Google Workspace to manage the keys used for client-side encryption (CSE) in Google Workspace. You can Onboard to Cloud HSM for Google Workspace.

Customer-supplied encryption keys (CSEKs)

Cloud Storage can use customer-supplied encryption keys (CSEKs). With customer-supplied encryption keys, you store the key material and provide it to Cloud Storage when needed. Trusted Cloud does not store your CSEKs in any way.