Protection levels

This page compares the different protection levels supported in Cloud KMS:

Software: Cloud KMS keys with the SOFTWARE protection level are used for cryptographic operations that are performed in software. Cloud KMS keys can be generated by Google or imported.


External over the internet: Cloud EKM keys with the EXTERNAL protection level are generated and stored in your external key management (EKM) system. Cloud EKM stores additional cryptographic material and a path to your unique key, which is used to access your key over the internet.
External over VPC: Cloud EKM keys with the EXTERNAL_VPC protection level are generated and stored in your external key management (EKM) system. Cloud EKM stores additional cryptographic material and a path to your unique key, which is used to access your key over a virtual private cloud (VPC) network.

Keys with all of these protection levels share the following features:

Use your keys for customer-managed encryption key (CMEK) integrated Google Cloud services.

Note: Some CMEK-integrated services do not support Cloud EKM keys. To learn which CMEK-integrated services support Cloud EKM keys, see CMEK integrations.
Use your keys with the Cloud KMS APIs or client libraries, without any specialized code based on the protection level of the key.
Control access to your keys using Identity and Access Management (IAM) roles.
Control whether each key version is Enabled or Disabled from Cloud KMS.
Key operations are captured in audit logs. Data access logging can be enabled.

Software protection level

Cloud KMS uses the BoringCrypto module (BCM) for all cryptographic operations for software keys. The BCM is FIPS 140-2 validated. Cloud KMS software keys use FIPS 140-2 Level 1–validated Cryptographic Primitives of the BCM.

Software keys are a good choice for use cases that do not have specific regulatory requirements for a higher FIPs 140-2 validation level.

External protection levels

Cloud External Key Manager (Cloud EKM) keys are keys that you manage in a supported external key management (EKM) partner service and use in Google Cloud services and Cloud KMS APIs and client libraries. Cloud EKM keys can be software-backed or hardware-backed, depending on your EKM provider. You can use your Cloud EKM keys in CMEK-integrated services or using the Cloud KMS APIs and client libraries.

When you use Cloud EKM keys, you can be sure that Google Cloud can't access your key material.

To see which CMEK-integrated services support Cloud EKM keys, see CMEK integrations and apply the Show only EKM compatible services filter.

External over the internet protection level

You can use Cloud EKM keys over the internet in all locations supported by Cloud KMS except nam-eur-asia1 and global.

External over VPC protection level

You can use Cloud EKM keys over a VPC network for better availability of your external keys. This better availability means that there's less of a chance of your Cloud EKM keys and the resources they protect becoming unavailable.

You can use Cloud EKM keys over a VPC network in most regional locations supported by Cloud KMS. Cloud EKM over a VPC network is not available in multi-region locations.

What's next

Learn about compatible services that let you use your keys in Google Cloud.
Learn how to create key rings and create encryption keys.
Learn about importing keys.
Learn about external keys.
Learn about other considerations for using Cloud EKM.