Cloud KMS FAQ  |  Cloud KMS Documentation  |  Google Cloud (2024)

Table of Contents
About Cloud KMS What is Cloud KMS? What can it do? Can I store secrets? Is there an SLA? How do I provide product feedback? How do I provide documentation feedback? If I need help, what are my options? Does Cloud KMS have any quotas? In what countries can I use Cloud KMS? Keys What kinds of key does Cloud KMS generate? Are keys stored in an HSM? To what standards do the keys comply? How is key material generated? Which library is used to generate key material? Are keys constrained to a geographic location? Can I auto-delete keys? Can I auto-rotate keys? Does key rotation re-encrypt data? If not, why? Why can't I delete keys or key rings? Can I export keys? Can I import keys? How long after I destroy a key version can I get it back? Can I change the 30-day period before a scheduled key is destroyed? When I make changes to a key, how quickly do the changes take effect? Why is my key in PENDING_GENERATION state? Authorization and authentication How do I authenticate to the Cloud KMS API? What IAM roles should I use? How quickly is an IAM permission removed? Miscellaneous What is additional authenticated data, and when would I use it? Are data access logs enabled by default? How do I enable data access logs? How do Cloud KMS keys relate to service account keys? How do Cloud KMS keys relate to API keys? Do you have additional details about the HSMs used by Cloud HSM?

About Cloud KMS

What is Cloud KMS? What can it do?

Cloud Key Management Service (Cloud KMS) is a cloud-hosted key management service that lets youmanage encryption for your cloud services the same way you do on-premises. Youcan generate, use, rotate, and destroy cryptographic keys.Cloud KMS is integrated with Identity and Access Management (IAM) and Cloud Audit Logs soyou can manage permissions on individual keys, and monitor how they are used.

Can I store secrets?

Cloud KMS stores keys and metadata about keys, and does nothave a general data storage API. Secret Manager isrecommended for storing and accessing sensitive data for use in Google Cloud.

Is there an SLA?

Yes, see Cloud KMS Service Level Agreement.

How do I provide product feedback?

Contact the engineering team at cloudkms-feedback@google.com.

How do I provide documentation feedback?

While viewing Cloud KMS documentation, click Send feedback nearthe top right of the page. This will open a feedback form.

If I need help, what are my options?

We invite our users to post their questions on Stack Overflow. Along withthe active Stack Overflow community, our team actively monitors Stack Overflowposts and answers questions with the tag google-cloud-kms.

We also offer various levels of support depending on your needs. For additionalsupport options, see our Google Cloud Support Packages.

Does Cloud KMS have any quotas?

Yes. For information about quotas, including viewing or requesting additionalquotas, see Cloud KMS quotas.

There is no limit on the number of keys, key rings, or key versions. Additionally,there is no limit on the number of keys per key ring and key versions per key.

In what countries can I use Cloud KMS?

You can use Cloud KMS in any country where Google Cloud servicesare supported.

See Also
How to Delete GPG Keys | phoenixNAP KBWhere are gpg passwords saved?Generating GPG KeysJFrog Help Center

Keys

What kinds of key does Cloud KMS generate?

See Key purposes and algorithms.

Are keys stored in an HSM?

Keys with protection level HSM are stored in a hardware security module(HSM).

Keys with protection level SOFTWARE are stored in software.

An HSM-backed key never persists outside of an HSM.

To what standards do the keys comply?

Keys generated in Cloud KMS and the cryptographic operationsperformed with those keys comply with Federal Information Processing Standard(FIPS) publication Security requirements for cryptographic modules140-2.

  • Keys generated with protection level SOFTWARE, and the cryptographicoperations performed with them, comply with FIPS 140-2 Level 1.

  • Keys generated with protection level HSM, and the cryptographic operationsperformed with them, comply with FIPS 140-2 Level 3.

  • For keys that are generated outside of Cloud KMS and thenimported, customers who have FIPS requirements are responsible for ensuring thattheir keys are generated in a FIPS-compliant fashion.

How is key material generated?

Cloud KMS software-protected keys are generated using Google’scommon cryptographic library using a random number generator (RNG) built byGoogle. HSM-protected keys are generated securely by the HSM, which wasvalidated to meet FIPS 140-2 Level 3.

Which library is used to generate key material?

Cloud KMS keys are generated using Google’s common cryptographiclibrary which implements cryptographic algorithms using BoringSSL. Formore information, see Google’s common cryptographic library.

See Also
How to Open Keyring Easily: Top Hacks Revealed!

Are keys constrained to a geographic location?

Keys belong to a region, but are not constrained to that region. For moreinformation, see Cloud KMS locations.

Can I auto-delete keys?

No.

Can I auto-rotate keys?

For keys used for symmetric encryption, yes. SeeAutomatic rotation: Setting the rotation period for a key.

For keys used for asymmetric encryption or asymmetric signing, no. To learn more,see Considerations for asymmetric key rotation.

Does key rotation re-encrypt data? If not, why?

Key rotation does not automatically re-encrypt data. When you decrypt data,Cloud KMS knows which key version to use for the decryption. Aslong as a key version is not disabled or destroyed, Cloud KMS candecrypt data protected with that key.

Why can't I delete keys or key rings?

To prevent resource name collisions, key ring and key resources CANNOT bedeleted. Key versions also cannot be deleted, but key version material can bedestroyed so that the resources can no longer be used. For more information,see Lifetime of objects. Billing is based on the number of activekey versions; if you destroy all active key version material, there is no chargefor the key rings, keys, and key versions which remain.

Can I export keys?

No. Keys are not exportable from Cloud KMS by design. Allencryption and decryption with these keys must be done withinCloud KMS. This helps prevent leaks and misuse, and enablesCloud KMS to emit an audit trail when keys are used.

Can I import keys?

Yes. You can import only into keys with protection level HSM or SOFTWARE.For more information, see Importing a key.

Separately from Cloud KMS, the following products supportCustomer-Supplied Encryption Key (CSEK) functionality.

ProductCSEK topic
Compute EngineEncrypting Disks with Customer-Supplied Encryption Keys
Cloud StorageUsing Customer-Supplied Encryption Keys

How long after I destroy a key version can I get it back?

After you schedule a key version for destruction, you have a default time periodof 30 days before the key version is actually destroyed. The time period beforea key version is destroyed is configurable.During that time, if needed you can restore the key version.

Can I change the 30-day period before a scheduled key is destroyed?

Yes, you can configure the duration oftime before the key is destroyed. Note that you can set the duration only at the time of key creation.

When I make changes to a key, how quickly do the changes take effect?

Some operations to Cloud KMS resources are strongly consistent,while others are eventually consistent and may take up to 3 hours to propagate.For more details, seeCloud KMS resource consistency.

Why is my key in PENDING_GENERATION state?

Due to the CPU cost of generating key material, creation of an asymmetricsigning or asymmetric encryption key version may take a few minutes. Keyversions that are protected by a hardware security module (HSM) also take sometime. When a newly created key version is ready, its state will automaticallychange to ENABLED.

Authorization and authentication

How do I authenticate to the Cloud KMS API?

How clients authenticate may vary a bit depending on the platform on which thecode is running. For details, see Accessing the API.

What IAM roles should I use?

To enforce the principle of least privilege, ensure that the user and serviceaccounts in your organization have only the permissions essential to performingtheir intended functions. For more information, see Separation of duties.

How quickly is an IAM permission removed?

Removal of a permission should be in effect in less than one hour.

Miscellaneous

What is additional authenticated data, and when would I use it?

Additional authenticated data (AAD) is any string that you pass toCloud KMS as part of an encrypt or decrypt request. It is used asan integrity check and can help protect your data from a confused deputyattack. For more information, see Additional authenticated data.

Are data access logs enabled by default? How do I enable data access logs?

Data access logs are not enabled by default. For more information, seeEnabling data access logs.

How do Cloud KMS keys relate to service account keys?

Service account keys are used for service-to-service authentication withinGoogle Cloud. Service account keys are unrelated to Cloud KMSkeys.

How do Cloud KMS keys relate to API keys?

An API key is a simple encrypted string that can be used when callingcertain APIs that don't need access to private user data. API keys trackAPI requests associated with your project for quota and billing. API keys areunrelated to Cloud KMS keys.

Do you have additional details about the HSMs used by Cloud HSM?

All HSM devices are manufactured by Marvell (formerly Cavium). TheFIPS certificate for the devices is on the NIST website.

Cloud KMS FAQ  |  Cloud KMS Documentation  |  Google Cloud (2024)
Top Articles
Explained: How to see hidden hashtags on Instagram
Can Employers Monitor Their Employees’ Online Activity?
Elleypoint
Danatar Gym
Craigslist Furniture Bedroom Set
Nc Maxpreps
Vanadium Conan Exiles
Lichtsignale | Spur H0 | Sortiment | Viessmann Modelltechnik GmbH
Atrium Shift Select
Fallout 4 Pipboy Upgrades
Nonuclub
Gwdonate Org
Current Time In Maryland
800-695-2780
Navy Female Prt Standards 30 34
How do I get into solitude sewers Restoring Order? - Gamers Wiki
Directions To Advance Auto
Earl David Worden Military Service
Persona 5 Royal Fusion Calculator (Fusion list with guide)
Project, Time & Expense Tracking Software for Business
Wemod Vampire Survivors
[PDF] NAVY RESERVE PERSONNEL MANUAL - Free Download PDF
Japanese Mushrooms: 10 Popular Varieties and Simple Recipes - Japan Travel Guide MATCHA
Riversweeps Admin Login
12 Facts About John J. McCloy: The 20th Century’s Most Powerful American?
Il Speedtest Rcn Net
Phantom Fireworks Of Delaware Watergap Photos
The Boogeyman (Film, 2023) - MovieMeter.nl
Where to eat: the 50 best restaurants in Freiburg im Breisgau
FSA Award Package
Fedex Walgreens Pickup Times
Play 1v1 LOL 66 EZ → UNBLOCKED on 66games.io
Graphic Look Inside Jeffrey Dresser
Rust Belt Revival Auctions
Lucky Larry's Latina's
Heavenly Delusion Gif
KITCHENAID Tilt-Head Stand Mixer Set 4.8L (Blue) + Balmuda The Pot (White) 5KSM175PSEIC | 31.33% Off | Central Online
Natashas Bedroom - Slave Commands
Saybyebugs At Walmart
Let's co-sleep on it: How I became the mom I swore I'd never be
Download Diablo 2 From Blizzard
sacramento for sale by owner "boats" - craigslist
Walgreens On Secor And Alexis
Brauche Hilfe bei AzBilliards - Billard-Aktuell.de
Greatpeople.me Login Schedule
Ratchet And Clank Tools Of Destruction Rpcs3 Freeze
Joy Taylor Nip Slip
Is TinyZone TV Safe?
Sleep Outfitters Springhurst
Rocket Bot Royale Unblocked Games 66
Nfsd Web Portal
Www Extramovies Com
Latest Posts
Black Swan Event
VNQ vs. VOO — ETF comparison tool
Article information

Author: Golda Nolan II

Last Updated:

Views: 6433

Rating: 4.8 / 5 (78 voted)

Reviews: 85% of readers found this page helpful

Author information

Name: Golda Nolan II

Birthday: 1998-05-14

Address: Suite 369 9754 Roberts Pines, West Benitaburgh, NM 69180-7958

Phone: +522993866487

Job: Sales Executive

Hobby: Worldbuilding, Shopping, Quilting, Cooking, Homebrewing, Leather crafting, Pet

Introduction: My name is Golda Nolan II, I am a thoughtful, clever, cute, jolly, brave, powerful, splendid person who loves writing and wants to share my knowledge and understanding with you.