Cloud KMS in Trusted Cloud versus Google Cloud

Cloud Key Management Service (Cloud KMS) lets you create and manage cryptographic keys for use in compatible Trusted Cloud services and in your own applications. This page describes the differences between the Trusted Cloud and Google Cloud versions of Cloud KMS.

For more detailed information about Cloud KMS, see the Cloud KMS overview and the rest of the Cloud KMS documentation.

Key differences

The Trusted Cloud version of Cloud KMS differs from the Google Cloud version in several ways. The most notable differences are the following:

  • Key tracking and key usage details are not supported in Trusted Cloud by S3NS.
  • Hardware (Cloud HSM) keys are not supported in Trusted Cloud by S3NS.
  • The EKM over internet protection level is not supported in Trusted Cloud by S3NS.

A more detailed list of differences is provided in the rest of this section. If you are already familiar with Google Cloud, we recommend that you review these differences carefully, particularly before designing an application to run on Trusted Cloud. We also recommend reviewing the general differences between Google Cloud and your universe in the Trusted Cloud by S3NS overview.

If you would like to use a particular Cloud KMS feature that isn't currently available in Trusted Cloud, contact Trusted Cloud support. To be notified when new features roll out in Trusted Cloud, subscribe to the release notes.

Hardware and OS

Hardware keys: The HSM protection level (Cloud HSM keys) is not available for Trusted Cloud.

Availability and disaster recovery

Regional locations: Only the u-france-east1 regional location is supported for Trusted Cloud.

Multi-regions: Multi-regions other than global are not supported for Trusted Cloud.

global location: The global location exists for Trusted Cloud but contains only a single region, u-france-east1. Resources stored in the global location satisfy the same residency requirements as those stored in u-france-east1. Choose the global location for your Cloud KMS resources if you want to use CMEK to protect resources in the global location. Otherwise, create your Cloud KMS resources in the u-france-east1 region.

Integrations

CMEK integrations: A subset of CMEK-integrated services are available for Trusted Cloud. To learn whether a service is available, see the list of supported services.

Network

EKM over internet: The EKM over internet (EXTERNAL) protection level is not available for Trusted Cloud.

Workflows and tools

Cloud KMS Autokey: Cloud KMS Autokey is not available for Trusted Cloud because it requires Cloud HSM keys.

Insights and observability

Key tracking and key usage tracking: Key tracking and key usage tracking, including the key tracking dashboard and the Cloud KMS Inventory API, are not available for Trusted Cloud.

Other differences

generateRandomBytes: The generateRandomBytes method isn't available for Trusted Cloud.
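As an added example (not part of the Cloud KMS documentation or tooling), the following Python pre-deployment check encodes the restrictions listed in this section: the supported locations, the unavailable HSM and EXTERNAL protection levels, the absence of Autokey, and the global-versus-regional guidance for CMEK. `KeyPlan`, `check_trusted_cloud_plan` and the sample plans are constructed for illustration; the script calls no Cloud KMS API.

```python
"""Pre-deployment check for Cloud KMS resources planned for Trusted Cloud by S3NS.

Constructed example: encodes the Trusted Cloud restrictions described on this
page and reports which parts of a planned key configuration could not be
created there. KeyPlan and check_trusted_cloud_plan are hypothetical names.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Cloud KMS locations that exist in Trusted Cloud (global holds only u-france-east1).
TRUSTED_CLOUD_LOCATIONS = {"global", "u-france-east1"}
# Protection levels not offered in Trusted Cloud: Cloud HSM and EKM over internet.
UNSUPPORTED_PROTECTION_LEVELS = {"HSM", "EXTERNAL"}


@dataclass(frozen=True)
class KeyPlan:
    key_ring: str
    location: str
    protection_level: str                       # e.g. "SOFTWARE", "HSM", "EXTERNAL"
    via_autokey: bool = False                   # would Cloud KMS Autokey create the key?
    cmek_target_location: Optional[str] = None  # location of the resource the key protects


def check_trusted_cloud_plan(plan: KeyPlan) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the plan is fine.

    "error" findings describe resources that cannot be created in Trusted Cloud;
    "advice" findings follow the location guidance on this page.
    """
    findings: List[Tuple[str, str]] = []
    if plan.location not in TRUSTED_CLOUD_LOCATIONS:
        findings.append(("error", f"location {plan.location!r} is not available; "
                                  "use u-france-east1 or global"))
    if plan.protection_level.upper() in UNSUPPORTED_PROTECTION_LEVELS:
        findings.append(("error", f"protection level {plan.protection_level} is not "
                                  "available; use SOFTWARE"))
    if plan.via_autokey:
        findings.append(("error", "Cloud KMS Autokey is not available "
                                  "(it requires Cloud HSM keys)"))
    # CMEK for a global resource needs a key in global; otherwise prefer the region.
    if plan.cmek_target_location == "global" and plan.location != "global":
        findings.append(("error", "CMEK for a global resource requires the key "
                                  "to be in the global location"))
    elif plan.cmek_target_location != "global" and plan.location == "global":
        findings.append(("advice", "prefer u-france-east1 for keys that do not "
                                   "protect resources in the global location"))
    return findings
```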

The following information might also affect how you use Cloud KMS, and design applications that use it, in Trusted Cloud by S3NS. These guides cover general aspects of working in Trusted Cloud, including documentation, security and access control, billing, tooling, and service usage.

For details about other services and features in Trusted Cloud and their differences from their Google Cloud counterparts, see the product list.