Google Cloud External Key Manager Resources
Google Cloud External Key Manager (EKM) is a cloud-native service that lets Google Cloud Platform (GCP) use an externally held key encryption key (KEK) as a wrapping key. CCKM's integration with Google Cloud EKM provides a UI where you can:
Manage the endpoints that expose KEKs for keys added to a Google Cloud KMS key ring through Cloud EKM
The AES256 wrap/unwrap KEK lets users, developers, and organizations keep encrypted data at rest in Google Cloud separate from the key that protects it: the KEK stays in CipherTrust Manager and is used only to wrap and unwrap Google's data encryption keys.
Caution
This feature is a technical preview for evaluation purposes only. We cannot guarantee that EKM endpoint data will be retained when upgrading from the technical preview release to the full GA release; plan to recreate endpoints after the upgrade.
The benefits of using CCKM's Google Cloud Endpoints include:
Secure generation, storage and protection of your KEK.
Privately maintained key provenance, managed access control, and centralized key management.
Full life cycle management of your encryption key.
Visibility for compliance.
Google Cloud KMS supports Cloud External Key Manager (EKM) keys alongside the keys it generates itself. With CCKM, your data stays in Google Cloud while the key that protects it stays in CipherTrust Manager, outside Google Cloud. The workflow is:
Create a Key Encryption Key (KEK) in CCKM.
Create a Cloud EKM key in Google Cloud KMS, using the KEK's URI to identify the externally managed key.
Use the Cloud EKM key to protect data in a CMEK integration service, or to encrypt data directly with the symmetric key.
In this model, Google Cloud KMS stores only a reference to the KEK; the external key material never leaves CipherTrust Manager.
The following diagrams show how the Cloud KMS and CCKM fit into the key management model, using BigQuery and Compute Engine as example services.
Note
If you are deploying a new CipherTrust Manager instance exclusively or primarily to use the Google Cloud EKM service, we recommend deploying the instance geographically close to one of the Google Cloud KMS regions where you intend to set up the Google Cloud KMS Key Ring. Every encrypt and decrypt request against a Cloud EKM key is forwarded to CipherTrust Manager, so network latency between the two is added to each operation in the services that use the key.
We have tested the following Google Customer-Managed Encryption Key (CMEK) integration services for Google Cloud EKM:
BigQuery
Compute Engine
All other Google CMEK integration services for Google Cloud EKM have not been validated by Thales, but are expected to work and are supported. Consult the Google EKM documentation for the full list of Google CMEK services.
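The workflow described above (KEK in CCKM, Cloud EKM key pointing at its URI, CMEK in BigQuery and Compute Engine) as a gcloud command sequence. This is an added example, not code from Thales, CCKM or Google: the project ID, project number, region, key ring and key names, and the EKM key URI are placeholders you replace with your own values (the real URI is copied from the KEK endpoint in the CCKM UI). By default the script runs in dry-run mode and only prints the commands, so it can be read and checked without a GCP project; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example (not Thales/CCKM or Google code): wire a KEK held in
# CipherTrust Manager to a Cloud EKM key, then use that key as CMEK for
# BigQuery and Compute Engine. All values below are placeholders (assumptions).
set -eu

PROJECT_ID="${PROJECT_ID:-example-project}"           # assumed project id
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"       # assumed project number
LOCATION="${LOCATION:-us-east1}"                        # Cloud KMS region; keep CipherTrust Manager close to it
KEY_RING="${KEY_RING:-cckm-ekm-ring}"
KEY_NAME="${KEY_NAME:-cckm-ekm-kek}"
# URI of the KEK endpoint exposed by CCKM (placeholder; copy the real one from the CCKM UI)
EKM_KEY_URI="${EKM_KEY_URI:-https://ekm.example.com/v0/ekm/keys/cckm-kek-uuid}"

# DRY_RUN=1 (default) prints each command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Full resource name of the Cloud EKM key, as expected by --kms-key / --default_kms_key.
key_resource() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' \
    "$PROJECT_ID" "$LOCATION" "$KEY_RING" "$KEY_NAME"
}

# Google-managed service agents involved. The Cloud EKM agent is the identity
# Google presents to the CCKM endpoint, so it must be allowed there; the other
# two are the CMEK callers for BigQuery and Compute Engine and need IAM on the key.
ekm_service_agent()      { printf 'service-%s@gcp-sa-ekms.iam.gserviceaccount.com' "$PROJECT_NUMBER"; }
bigquery_service_agent() { printf 'bq-%s@bigquery-encryption.iam.gserviceaccount.com' "$PROJECT_NUMBER"; }
compute_service_agent()  { printf 'service-%s@compute-system.iam.gserviceaccount.com' "$PROJECT_NUMBER"; }

create_ekm_key() {
  run gcloud kms keyrings create "$KEY_RING" --location "$LOCATION" --project "$PROJECT_ID"
  # --protection-level external: Cloud KMS stores only the URI, never the key material.
  # --skip-initial-version-creation: the first version must carry the external URI,
  # so it is created explicitly in the next command.
  run gcloud kms keys create "$KEY_NAME" --keyring "$KEY_RING" --location "$LOCATION" \
    --project "$PROJECT_ID" --purpose encryption \
    --default-algorithm external-symmetric-encryption \
    --protection-level external --skip-initial-version-creation
  run gcloud kms keys versions create --key "$KEY_NAME" --keyring "$KEY_RING" \
    --location "$LOCATION" --project "$PROJECT_ID" \
    --external-key-uri "$EKM_KEY_URI" --primary
}

grant_cmek_callers() {
  for sa in "$(bigquery_service_agent)" "$(compute_service_agent)"; do
    run gcloud kms keys add-iam-policy-binding "$KEY_NAME" --keyring "$KEY_RING" \
      --location "$LOCATION" --project "$PROJECT_ID" \
      --member "serviceAccount:$sa" --role roles/cloudkms.cryptoKeyEncrypterDecrypter
  done
}

use_key_as_cmek() {
  # BigQuery: tables created in this dataset are encrypted under the EKM key by default.
  run bq mk --project_id "$PROJECT_ID" --location "$LOCATION" \
    --default_kms_key "$(key_resource)" ekm_protected_dataset
  # Compute Engine: the disk's data encryption key is wrapped by the EKM key.
  run gcloud compute disks create ekm-protected-disk --project "$PROJECT_ID" \
    --zone "${LOCATION}-b" --size 10GB --kms-key "$(key_resource)"
}

main() {
  printf 'Allow %s on the KEK endpoint in CCKM before creating the key version.\n' "$(ekm_service_agent)"
  create_ekm_key
  grant_cmek_callers
  use_key_as_cmek
}
main "$@"
```

The order matters: the Cloud EKM service agent must be permitted on the CCKM endpoint before the key version is created, because Cloud KMS validates the external URI by calling it. Granting cryptoKeyEncrypterDecrypter to the BigQuery and Compute Engine service agents is what makes the CMEK calls succeed; a disabled or unreachable KEK in CipherTrust Manager makes those same calls fail, which is the separation the integration is designed to provide.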