Cloud KMS keys with the SOFTWARE protection level are used for
cryptographic operations that are performed in software. Cloud KMS
keys can be generated by Google or imported.
Cloud EKM keys with the EXTERNAL_VPC protection level are
generated and stored in your external key management (EKM) system.
Cloud EKM stores additional cryptographic material and a path to
your unique key, which is used to access your key over a virtual private
cloud (VPC) network.
Keys with all of these protection levels share the following features:
Use your keys for customer-managed encryption key (CMEK) integrated
Trusted Cloud services.
Use your keys with the Cloud KMS APIs or client libraries, without
any specialized code based on the protection level of the key.
Control access to your keys using Identity and Access Management (IAM) roles.
Control whether each key version is Enabled or Disabled from
Cloud KMS.
Key operations are captured in audit logs. Data access logging can be
enabled.
Software protection level
Cloud KMS uses the BoringCrypto module (BCM) for all cryptographic
operations for software keys. The BCM is FIPS 140-2
validated. Cloud KMS software keys use FIPS 140-2 Level 1–validated
Cryptographic Primitives of the BCM.
Software keys are a good choice for use cases that do not have
specific regulatory requirements for a higher FIPs 140-2 validation level.
External over VPC protection level
Cloud External Key Manager (Cloud EKM) keys are keys that you manage in a supported
external key management (EKM) partner service and use in
Trusted Cloud services and Cloud KMS APIs and client libraries.
Cloud EKM keys can be software-backed or hardware-backed, depending on
your EKM provider. You can use your Cloud EKM keys in CMEK-integrated
services or using the Cloud KMS APIs and client libraries.
Cloud KMS connects to your Cloud EKM over a VPC network.
When you use Cloud EKM keys, you can be sure that Trusted Cloud
can't access your key material.
To see which CMEK-integrated services support Cloud EKM keys, see CMEK
integrations and apply the
Show only EKM compatible services filter.
You can use Cloud EKM keys over a VPC network in most regional
locations supported by Cloud KMS.
What's next
Learn about compatible services that let
you use your keys in Trusted Cloud.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[],[],null,["# Protection levels\n\nThis page compares the different protection levels supported in\nCloud KMS:\n\n[Software](#software)\n: Cloud KMS keys with the `SOFTWARE` protection level are used for\n cryptographic operations that are performed in software. Cloud KMS\n keys can be generated by Google or imported.\n\n[Hardware](#hardware)\n: Cloud HSM keys with the `HSM` protection level are stored in a\n Google-owned Hardware Security Module (HSM). Cryptographic operations using\n these keys are performed in our HSMs. You can use Cloud HSM keys\n the same way you use Cloud KMS keys. Cloud HSM keys\n can be generated by Google or imported.\n\n[External over the internet](#external)\n: Cloud EKM keys with the `EXTERNAL` protection level are generated\n and stored in your external key management (EKM) system. Cloud EKM\n stores additional cryptographic material and a path to your unique key,\n which is used to access your key over the internet.\n\n[External over VPC](#external-vpc)\n: Cloud EKM keys with the `EXTERNAL_VPC` protection level are\n generated and stored in your external key management (EKM) system.\n Cloud EKM stores additional cryptographic material and a path to\n your unique key, which is used to access your key over a [virtual private\n cloud (VPC) network](/vpc/docs/vpc).\n\nKeys with all of these protection levels share the following features:\n\n- Use your keys for customer-managed encryption key (CMEK) integrated\n Google Cloud services.\n\n | **Note:** Some CMEK-integrated services do not support Cloud EKM keys. To learn which CMEK-integrated services support Cloud EKM keys, see [CMEK integrations](/kms/docs/compatible-services#cmek_integrations).\n- Use your keys with the Cloud KMS APIs or client libraries, without\n any specialized code based on the protection level of the key.\n\n- Control access to your keys using Identity and Access Management (IAM) roles.\n\n- Control whether each key version is **Enabled** or **Disabled** from\n Cloud KMS.\n\n- Key operations are captured in audit logs. Data access logging can be\n enabled.\n\nSoftware protection level\n-------------------------\n\nCloud KMS uses the [BoringCrypto module (BCM)](https://boringssl.googlesource.com/boringssl/+/main/crypto/fipsmodule/FIPS.md) for all cryptographic\noperations for software keys. The BCM is [FIPS 140-2](https://csrc.nist.gov/publications/detail/fips/140/2/final)\nvalidated. Cloud KMS software keys use FIPS 140-2 Level 1--validated\nCryptographic Primitives of the BCM.\nThe software protection level is the cheapest protection level. Software keys are a good choice for use cases that do not have specific regulatory requirements for a higher FIPs 140-2 validation level.\n\n\u003cbr /\u003e\n\nHardware protection level\n-------------------------\n\nCloud HSM helps you enforce regulatory compliance for your workloads in\nGoogle Cloud. With Cloud HSM, you can generate encryption keys\nand perform cryptographic operations in [FIPS 140-2 Level\n3](https://csrc.nist.gov/publications/detail/fips/140/2/final) validated HSMs. The service is fully managed, so\nyou can protect your most sensitive workloads without worrying about the\noperational overhead of managing an HSM cluster. Cloud HSM provides a\nlayer of abstraction on top of the HSM modules.\nThis abstraction lets you use your keys in CMEK integrations or the\nCloud KMS APIs or client libraries without HSM-specific code.\nHardware key versions are more expensive, but they provide substantial security benefits relative to software keys. Each Cloud HSM key has an [attestation statement](/docs/security/cloud-hsm-architecture#cryptographic_key_attestation) that contains certified information about your key. This attestation and its associated certificate chains can be used to verify the authenticity of the statement and attributes of the key and HSM.\n\n\u003cbr /\u003e\n\nExternal protection levels\n--------------------------\n\nCloud External Key Manager (Cloud EKM) keys are keys that you manage in a [supported\nexternal key management (EKM) partner](/kms/docs/ekm#supported_partners) service and use in\nGoogle Cloud services and Cloud KMS APIs and client libraries.\nCloud EKM keys can be software-backed or hardware-backed, depending on\nyour EKM provider. You can use your Cloud EKM keys in CMEK-integrated\nservices or using the Cloud KMS APIs and client libraries.\nCloud EKM protection levels are the most expensive. When you use Cloud EKM keys, you can be sure that Google Cloud can't access your key material.\n\n\u003cbr /\u003e\n\nTo see which CMEK-integrated services support Cloud EKM keys,\nsee [CMEK integrations](/kms/docs/compatible-services#cmek_integrations) and\napply the **Show only EKM compatible services** filter.\n\n### External over the internet protection level\n\nYou can use Cloud EKM keys over the internet in all locations supported\nby Cloud KMS except `nam-eur-asia1` and `global`.\n| **Caution:** When you use Cloud EKM keys over the internet, there's a risk that the key can become unavailable. For better availability, consider using Cloud HSM or Cloud EKM over a VPC network.\n\n### External over VPC protection level\n\nYou can use Cloud EKM keys over a VPC network for better availability\nof your external keys. This better availability means that there's less of a\nchance of your Cloud EKM keys and the resources they protect becoming\nunavailable.\n\nYou can use Cloud EKM keys over a VPC network in most regional\nlocations supported by Cloud KMS.\n\nCloud EKM over a VPC network is not available in multi-region\nlocations.\n\n\u003cbr /\u003e\n\nWhat's next\n-----------\n\n- Learn about [compatible services](/kms/docs/compatible-services) that let you use your keys in Google Cloud.\n- Learn how to [create key rings](/kms/docs/create-key-ring) and [create\n encryption keys](/kms/docs/creating-keys).\n- Learn about [importing keys](/kms/docs/key-import).\n- Learn about [external keys](/kms/docs/ekm).\n- Learn about other [considerations for using\n Cloud EKM](/kms/docs/ekm#considerations)."]]
