Protection levels

This page compares the different protection levels supported in Cloud KMS:

  • Software: Cloud KMS keys with the SOFTWARE protection level are used for cryptographic operations that are performed in software. Cloud KMS keys can be generated by Google or imported.

  • External over VPC: Cloud EKM keys with the EXTERNAL_VPC protection level are generated and stored in your external key management (EKM) system. Cloud EKM stores additional cryptographic material and a path to your unique key, which is used to access your key over a virtual private cloud (VPC) network.

Keys with all of these protection levels share the following features:

  • Use your keys for customer-managed encryption key (CMEK) integrated Trusted Cloud services.

  • Use your keys with the Cloud KMS APIs or client libraries, without any specialized code based on the protection level of the key.

  • Control access to your keys using Identity and Access Management (IAM) roles.

  • Control whether each key version is Enabled or Disabled from Cloud KMS.

  • Key operations are captured in audit logs. Admin activity is logged by default; data access logging can be enabled in addition.
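The second bullet above is worth seeing in code: the encrypt request and the integrity checks on its response are identical whether the key is SOFTWARE or EXTERNAL_VPC, and the response itself reports which protection level served the call. The following is an added example, not code from this page or from the Cloud KMS client library. The `encrypt` function issues a real `KeyManagementServiceClient.encrypt` call when no client is passed; the `FakeKmsClient` class, the project, location, key ring and key names, and the reversed-bytes "ciphertext" are constructed stand-ins so the checks can be exercised offline (the fake does not encrypt anything). The CRC32C implementation is a pure-Python Castagnoli CRC so that nothing beyond the standard library is needed to run it; production code would normally use the `google-crc32c` package.

```python
"""Encrypt with a Cloud KMS key the same way whatever its protection level."""
from __future__ import annotations

from dataclasses import dataclass


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli), reflected, as Cloud KMS expects in *_crc32c fields.

    Pure-Python so the example has no third-party dependency; check value:
    crc32c(b"123456789") == 0xE3069283.
    """
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def crypto_key_name(project: str, location: str, key_ring: str, key: str) -> str:
    """Resource name of a CryptoKey; the protection level is not part of it."""
    return f"projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{key}"


def encrypt(key_name: str, plaintext: bytes, client=None):
    """Encrypt `plaintext` under `key_name` and verify the response integrity fields.

    The request body is the same for SOFTWARE and EXTERNAL_VPC keys; only the
    key's resource name selects which key (and therefore which backend) is used.
    """
    if client is None:
        # Real client library; imported lazily so the module also loads offline.
        from google.cloud import kms
        client = kms.KeyManagementServiceClient()
    response = client.encrypt(request={
        "name": key_name,
        "plaintext": plaintext,
        "plaintext_crc32c": crc32c(plaintext),  # lets the server detect a corrupted request
    })
    # Server confirms it saw the plaintext CRC we sent; absence means request damage.
    if not response.verified_plaintext_crc32c:
        raise RuntimeError("request corrupted in transit: plaintext CRC32C not verified")
    # Recompute the ciphertext CRC locally; mismatch means response damage.
    if response.ciphertext_crc32c != crc32c(response.ciphertext):
        raise RuntimeError("response corrupted in transit: ciphertext CRC32C mismatch")
    return response


@dataclass
class _FakeEncryptResponse:
    """Constructed mirror of the EncryptResponse fields this example reads."""
    name: str
    ciphertext: bytes
    ciphertext_crc32c: int
    verified_plaintext_crc32c: bool
    protection_level: str  # the real API returns a ProtectionLevel enum


class FakeKmsClient:
    """Constructed stand-in for KeyManagementServiceClient (offline use only).

    It does NOT encrypt: it reverses the bytes to produce a distinct "ciphertext"
    and fills in the CRC fields exactly as the real service would, optionally
    corrupting the ciphertext to show the integrity check firing.
    """

    def __init__(self, protection_level: str, corrupt_ciphertext: bool = False):
        self.protection_level = protection_level
        self.corrupt_ciphertext = corrupt_ciphertext

    def encrypt(self, request: dict) -> _FakeEncryptResponse:
        plaintext = request["plaintext"]
        ciphertext = bytes(reversed(plaintext))
        crc = crc32c(ciphertext)  # CRC of the *intact* ciphertext
        if self.corrupt_ciphertext:
            ciphertext += b"\x00"  # simulate damage after the CRC was computed
        return _FakeEncryptResponse(
            name=request["name"],
            ciphertext=ciphertext,
            ciphertext_crc32c=crc,
            verified_plaintext_crc32c=request.get("plaintext_crc32c") == crc32c(plaintext),
            protection_level=self.protection_level,
        )


if __name__ == "__main__":
    key = crypto_key_name("example-project", "us-east1", "example-ring", "example-key")
    for level in ("SOFTWARE", "EXTERNAL_VPC"):
        resp = encrypt(key, b"payroll-2024.csv", client=FakeKmsClient(level))
        print(f"{level}: ciphertext={resp.ciphertext!r} served by {resp.protection_level}")
```

Against the real service, drop the `client=` argument and pass a key name from your own project; the two `RuntimeError` checks are the ones the Cloud KMS documentation recommends for every encrypt call, and they are as relevant for an EKM key reached over VPC as for a software key.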

Software protection level

Cloud KMS uses the BoringCrypto module (BCM) for all cryptographic operations on software keys. The BCM is FIPS 140-2 validated, and Cloud KMS software keys use its FIPS 140-2 Level 1-validated cryptographic primitives.

Software keys are a good choice for use cases that do not have specific regulatory requirements for a higher FIPS 140-2 validation level.

External over VPC protection level

Cloud External Key Manager (Cloud EKM) keys are keys that you manage in a supported external key management (EKM) partner service and use in Trusted Cloud services and through the Cloud KMS APIs and client libraries. Cloud EKM keys can be software-backed or hardware-backed, depending on your EKM provider. You can use your Cloud EKM keys in CMEK-integrated services or with the Cloud KMS APIs and client libraries. Cloud KMS connects to your EKM over a VPC network.

When you use Cloud EKM keys, you can be sure that Trusted Cloud can't access your key material.

To see which CMEK-integrated services support Cloud EKM keys, see CMEK integrations and apply the Show only EKM compatible services filter.

You can use Cloud EKM keys over a VPC network in most regional locations supported by Cloud KMS.

What's next