Google is finally giving administrators the ability to manage their encryption keys in Google Cloud Platform (GCP) with its Cloud Key Management Service (KMS). Google is the last of the three major cloud providers to provide the key management service, as Amazon and Microsoft already have similar offerings.
The Cloud KMS, currently in beta, helps administrators manage the encryption keys for their organization without having to maintain an on-premise key management system or deploy hardware security modules. With Cloud KMS, administrators can manage all the organization’s encryption keys, not only the ones used to protect data in GCP.
Administrators can create, use, rotate, and destroy AES-256 symmetric encryption keys via the Cloud KMS API. Multiple versions of a key can be active at any time for decryption, but only one primary key version can be used for encrypting new data. The rotation schedule can be defined to automatically generate a new key version at fixed time intervals. There’s also a built-in 24-hour delay when trying to destroy keys to prevent accidental or malicious loss. Cloud KMS integrates with GCP’s Cloud Identity Access Management and Cloud Audit Logging services so that administrators can manage permissions for individual keys and monitor usage.