Google Cloud

Cloud KMS / Cloud HSM / EKM Complete Guide: CMEK, Key Rotation, and FIPS on GCP

2026-05-24
NicheeLab Editorial Team

Cloud KMS is GCP's centralized key management service for the encryption keys that protect your data. Combined with Cloud HSM (FIPS 140-2 Level 3 certified hardware) and Cloud EKM (external HSM integration), it covers everything from regulated industries to zero-trust key management.

Three Key Management Models

ServiceKey StorageFIPSUse Case
Cloud KMS (Software)Google data centers (SW)140-2 Level 1Standard
Cloud HSMGoogle data centers (HW)140-2 Level 3Finance, healthcare, regulated workloads
Cloud EKMExternal HSM (Equinix / Thales / Fortanix)Depends on customer HSMPhysical key isolation, sovereignty requirements

CMEK / CSEK / Google Default

  • Google Default Encryption: Every GCP service is encrypted by default with Google-managed keys
  • CMEK (Customer-managed Encryption Key): The customer manages the keys in KMS and services consume them
  • CSEK (Customer-supplied Encryption Key): The customer supplies the key on every call (Cloud Storage and Compute only; operationally hard)

Key Hierarchy

  • KeyRing: Logical grouping of keys, scoped to a region
  • CryptoKey: Individual key, typically one per use case
  • CryptoKeyVersion: Versions of the key; a new version is created on every rotation

Key Operations

# KeyRing 作成
gcloud kms keyrings create my-keyring \
  --location=asia-northeast1

# CryptoKey 作成 (Symmetric)
gcloud kms keys create my-key \
  --keyring=my-keyring --location=asia-northeast1 \
  --purpose=encryption --rotation-period=90d \
  --next-rotation-time=2026-09-01T00:00:00Z

# 暗号化
gcloud kms encrypt --key=my-key --keyring=my-keyring \
  --location=asia-northeast1 \
  --plaintext-file=secret.txt --ciphertext-file=secret.enc

# CMEK で GCS バケット作成
gcloud storage buckets create gs://my-bucket \
  --default-encryption-key=projects/PROJECT/locations/asia-northeast1/keyRings/my-keyring/cryptoKeys/my-key

Key Rotation

  • Set rotation_period on the CryptoKey (e.g., 90 days)
  • A new CryptoKeyVersion automatically becomes the primary
  • Older versions can be Disabled or Destroyed, but keeping them around for decryption is recommended
  • There is a 24-hour grace period before final destruction (soft delete)

Key IAM Roles

  • roles/cloudkms.admin: Full administrative access
  • roles/cloudkms.cryptoKeyEncrypterDecrypter: Encrypt and decrypt
  • roles/cloudkms.cryptoKeyEncrypter: Encrypt only
  • roles/cloudkms.cryptoKeyDecrypter: Decrypt only
  • roles/cloudkms.publicKeyViewer: View public keys

Pricing Examples

ItemCloud KMSCloud HSM
Active key version$0.06/month$1-2/month
Symmetric operations$0.03/10,000$0.03/10,000
Asymmetric operations$0.06/10,000$1〜2/10,000
EKM$0.06/month plus external HSM fees

Comparison with Other Clouds

FeatureCloud KMSCloud HSMAWS KMSAzure Key Vault
Software keysYesYesYes
HSM keysYes (FIPS L3)Yes (CloudHSM, separate)Yes (Managed HSM)
External HSM integrationEKMExternal KSBring Your Own Key
Automatic rotationYesYesYesYes

Confidential Computing Integration

  • Confidential VM encrypts memory using AMD SEV or Intel TDX
  • Confidential GKE Nodes keep Pods encrypted while they run
  • Encryption at rest, in transit, and in use — all three at once
  • Critical for regulated industries: healthcare, finance, and the public sector

Best Practices

  • Separate KeyRings per environment (Prod / Dev)
  • Keep at least one previous key version Disabled (not destroyed) for decryption
  • Use VPC Service Controls to keep the KMS API inside a perimeter
  • Log every key operation via Audit Logs (enable Data Access Logs)
  • Verify the key version at application startup
  • For regulated workloads, use Cloud HSM or Cloud EKM

What is the difference between Cloud KMS and Cloud HSM?

Cloud KMS is software-based, while Cloud HSM uses FIPS 140-2 Level 3 certified hardware HSMs. Choose HSM when compliance mandates a hardware HSM; otherwise Cloud KMS is sufficient.

What is Cloud EKM?

External Key Manager. Keys are stored in a third-party HSM (Equinix SmartKey, Thales, Fortanix, etc.) and GCP calls out to them. This provides physical separation of key material.

What is the difference between CMEK and CSEK?

CMEK = Customer-managed Encryption Key (managed in KMS). CSEK = Customer-supplied Encryption Key (the customer supplies the key on every call). CSEK is hard to manage, so CMEK is the mainstream choice.

How does key rotation work?

KMS supports automatic rotation periods (e.g., 90 days). A new key version becomes primary and apps use the latest; older versions stay around to decrypt existing data.

Which services support CMEK?

Nearly all major GCP services: GCS, BigQuery, Compute Engine, Persistent Disk, Cloud SQL, Spanner, Bigtable, Pub/Sub, Dataflow, Vertex AI, and more. Google publishes a full CMEK support matrix.

How is pricing structured?

Active key versions per month plus the number of encrypt/decrypt operations. Cloud KMS is cheap ($0.06 per key version per month), while Cloud HSM is more expensive ($1-2 per key version per month).

How does it compare to AWS KMS and Azure Key Vault?

Functionally similar across the board. AWS KMS has more GovCloud and FIPS regions, Azure Key Vault has a strong Managed HSM offering, and Cloud HSM differentiates with FIPS 140-2 Level 3 hardware.

What is Confidential Computing?

Memory on VMs and GKE Nodes is also encrypted using AMD SEV or Intel TDX. Combined with KMS, Confidential VM delivers true encryption-in-use on top of encryption at rest and in transit.

Related Security Articles

GCP Professional Cloud Developer (PCD) 完全ガイド|Cloud Run・GKE・CI/CD・APM

Google Cloud Professional Cloud Developer の試験範囲、Cloud Run / GKE / Cloud Build / Cloud Trace、AWS DVA / Azure AZ-204 比較、学習ロードマップを徹底解説。

Confidential Computing 完全ガイド|使用中暗号化・Confidential VM/GKE/Space (GCP)

Google Cloud Confidential Computing の全機能解説。Confidential VM (AMD SEV-SNP / Intel TDX)、Confidential GKE Nodes、Confidential Space、Multi-party Computation、Attestation、BigQuery / Spanner 対応、料金、規制業界事例を 2026 年最新版で網羅。

GCP Professional Cloud Network Engineer (PCNE) 完全ガイド|VPC・Interconnect・Load Balancing

Google Cloud Professional Cloud Network Engineer の試験範囲、VPC / Cloud Interconnect / Cloud Load Balancing / Cloud Armor、AWS ANS・Azure AZ-700 比較を詳解。

GCP Professional Cloud Security Engineer (PCSE) 完全ガイド|IAM・KMS・BeyondCorp・SCC

Google Cloud Professional Cloud Security Engineer の試験範囲、IAM / Cloud KMS / VPC Service Controls / BeyondCorp / Security Command Center、AWS SCS・Azure SC-100 比較を詳解。

Google Cloud is a trademark of Google LLC. For the latest information, see the official Cloud KMS documentation.

Check what you learned with practice questions

Practice with certification-focused question sets

View GCP exam prep
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Google Cloud

Google Cloud Certification Roadmap (2026)

Choose your GCP certification path — Foundational, Associate...

Google Cloud

CDL Cloud Digital Leader: Complete Exam Guide (2026)

Pass the Cloud Digital Leader exam — cloud business value, G...

Google Cloud

GAIL Generative AI Leader: Complete Exam Guide (2026)

Pass the Generative AI Leader exam — Gemini, Vertex AI, Work...

Google Cloud

Vertex AI Fundamentals for GCP Certs (2026)

Vertex AI basics every cert candidate needs — Workbench, Pip...

Google Cloud

Associate Cloud Engineer (ACE): Complete Guide (2026)

Pass the Associate Cloud Engineer exam — Console, gcloud, pr...

Browse all Google Cloud articles (103)
© 2026 NicheeLab All rights reserved.