Google External Key Manager Ubiquitous Data Encryption Resources
This feature is a technical preview for evaluation in non-production environments. A technical preview introduces new, incomplete functionality for customer feedback as we work on the feature. Details and functionality are subject to change. This includes API endpoints, UI elements, and CLI commands. We cannot guarantee that data created as part of a technical preview will be retained after the feature is finalized.
Google Cloud External Key Manager Ubiquitous data encryption (EKM UDE) is a cloud native service that provides access to an external key encryption key (KEK) for use as a wrapping key in Google Cloud Platform (GCP), for wrapping and unwrapping Data Encryption Keys (DEKs). The UDE version of EKM provides additional security, access control and auditability guarantees, namely:
the end-to-end encryption of DEKs between workloads and the external key manager
the leveraging of Confidential VMs to provide strong guarantees of the runtime privacy of customer data (data-in-use security)
the use of independently-verifiable attestations of the runtime environment, allowing the EKM to strongly differentiate between protected and unprotected environments
The CipherTrust Cloud Key Manager (CCKM) integration with Google Cloud EKM UDE provides access to a UI where you can:
Manage endpoints for KEKs for keys added to the key ring through GCP EKM UDE.
Configure confidential computing requirements for access to KEKs.
The AES256 wrap/unwrap KEK allows users, developers, and organizations to maintain separation between encrypted data at rest and encryption keys.
The benefits of using CipherTrust Cloud Key Manager Google Cloud Endpoints include:
Secure generation, storage and protection of your KEK(s).
Privately maintained key provenance, managed access control, and centralized key management.
Full life cycle management of your Key Encryption Key (KEK).
Visibility for compliance.
GCP allows users to use Cloud External Key Management (EKM) in the Google Cloud Key Management Service (KMS). CCKM protects your data in GCP while your encryption keys are stored in CipherTrust Manager outside of GCP. Users create a Key Encryption Key (KEK) in CCKM, create a Cloud EKM key in Google Cloud, using the KEK's URI to identify the externally-managed key in Google Cloud KMS, and use the keys to encrypt data using a symmetric key. Google Cloud KMS does not store the external key material. This EKM functionality can be divided into regular EKM and EKM UDE functionality.
Use Cases for Google Cloud EKM UDE Integration
These CipherTrust Cloud Key Manager keys can be used in four main use cases within GCP:
A DEK is generated within a GCP confidential VM, then is wrapped by the CCKM KEK. The KEK is configured such that unwrapping of the wrapped key is only possible by an attested, verified confidential VM.
A DEK is generated on-premise, in a regular (non-confidential computing) environment, then is wrapped by the CCKM KEK. The data is uploaded to Google Cloud Storage (GCS) and the KEK is configured such that unwrapping of the wrapped key (and hence the protected data) is only possible by an attested, verified confidential VM.
A DEK is generated within a GCP confidential VM, then is wrapped by the CCKM KEK. The KEK is configured such that wrapping of the wrapped key is only possible in an attested, verified confidential VM, but that unwrapping is possible in a regular (non-confidential computing) environment.
A DEK is generated on-premise in a regular environment, then is wrapped by CipherTrust-managed KEK. The data is moved to another regular environment (on cloud or on-premise). The KEK is configured such that unwrapping of the wrapped data is possible in a second regular environment.
These four cases, respectively, give the following guarantees:
In case 1, the guarantee that the protected DEK/data is only accessible by a confidential VM.
In case 2, the guarantee that data encrypted on-premise and migrated to the cloud will only be accessible by a confidential VM.
In case 3, the guarantee that data retrieved from the cloud and decrypted, was originated in a confidential VM.
In case 4, the guarantee is that the data is only decryptable when the KEK is accessible.
If you are deploying a new CipherTrust Manager instance exclusively or primarily to use the Google Cloud EKM service, we recommend deploying the instance geographically close to one of the Google Cloud KMS regions where you intend to set up the Google Cloud KMS Key Ring.
The following documents contain related or additional information: