Frequently Asked Questions
Data Protection on Demand
Q: What resilience is built into the DPoD platform?
A: Luna Cloud HSM Services are hosted in a private data center with multi-vendor, carrier-neutral network connections to major Internet Service Providers (ISPs). Connectivity is provided over secure, high-capacity fiber links to minimize the turnaround latency of authentication requests. See Network Resilience in the Data Protection on Demand platform white paper for more information.
Q: How do I add the Key Broker for Google Cloud EKM service to my existing DPoD tenant?
A: The Key Broker for Google Cloud EKM service currently requires a dedicated tenant account. You create that tenant by subscribing to Key Broker for Google Cloud EKM through the Google Cloud Marketplace. All Key Broker for Google Cloud EKM tenant accounts created through the marketplace exist under a Thales service provider. At this time, each tenant account can hold only one Key Broker for Google Cloud EKM service.
Q: What credentials do I need to log in to the service?
A: You require a DPoD subscriber tenant account created through the Google Cloud Platform marketplace to access the Key Broker for Google Cloud EKM service. This tenant is automatically generated and bound when you provision the Key Broker for Google Cloud EKM through the Google Cloud Marketplace.
Q: Can I log into the DPoD GUI using my Key Broker for Google Cloud EKM service subscription?
A: Yes. Creating a Key Broker for Google Cloud EKM automatically generates a DPoD subscriber tenant, binds the service to it, and registers the subscribing user as the primary tenant administrator. You can log in to the tenant URL to access DPoD platform features such as User Management, Tenant Management and Reporting. To open the Key Broker for Google Cloud EKM from the tenant, select its name in the View Services table.
Note
Key Broker for Google Cloud EKM service tenants do not have access to DPoD platform features such as Subscriber Groups or adding other services.
Q: Can I use the service over the DPoD API?
A: No. The Key Broker for Google Cloud EKM service is not supported over the DPoD API; do not attempt to manage it that way.
Q: How can I retrieve the DPoD log in URL if I have misplaced it?
A: The registration email sent when the tenant was created contains the login URL. Check your inbox for that verification email.
Q: How do I create new service users?
A: Log in to your tenant URL using your service credentials and use Add a User. Services are bound to Subscriber Groups, so a user must be a member of the correct subscriber group to access its services. If a user who is not a member of the Key Broker for Google Cloud EKM subscriber group attempts to log in to the Key Broker for Google Cloud EKM dashboard, the user receives an "Internal server error".
Keys and policies
Q: Where are my master keys stored?
A: Your service master keys are stored inside a Luna Cloud HSM Service provided by Data Protection on Demand. The service master key secures the Google Cloud EKM key ring. The Luna Cloud HSM Service holds the key inside an HSM in a data center; that HSM is FIPS 140-2 Level 3 certified. In addition, the DPoD platform holds ISO 27001:2022, SOC 2, and Cloud Security Alliance certifications.
Q: How can I control the caching policy of key rings?
A: Key Broker for Google Cloud EKM keys are never cached by Google, so there is no Google-side caching policy to configure. You control the location and distribution of Key Broker for Google Cloud EKM managed keys.
Q: Can policies be applied to keys or just key rings?
A: Policies are applied to key rings, not to individual keys. When you configure a key ring in Key Broker for Google Cloud EKM, you enforce the EKM policy on that key ring, and every key created on the key ring inherits it.
Q: How many keys can be stored in a key ring?
A: A single Key Broker for Google Cloud EKM service instance key ring can store and enforce policies on an unlimited number of keys. The Key Broker for Google Cloud EKM service can secure up to 100 key rings.
Q: What type of keys are handled by Google EKM and Key Broker for Google Cloud EKM?
A: Key Broker for Google Cloud EKM lets you generate and use AES-256 keys as external keys in Google Cloud EKM.
Q: How are keys secured?
A: Key Broker for Google Cloud EKM keys are secured by an encrypted key ring and by an EKM enforcement policy that restricts key usage to the authorized service account.
Q: How are key rings secured?
A: Key Broker for Google Cloud EKM key rings are secured by a key that is generated and stored inside a Luna Cloud HSM Service. The Luna Cloud HSM Service is FIPS 140-2 Level 3 certified.
Q: How many key rings and keys can I create?
A: Currently there is no limitation on the maximum number of Key Rings or Keys.
Logging
Q: How can I retrieve log information?
A: There are no audit logs for operations on Key Broker for Google Cloud EKM itself. For the Google Cloud Platform side, refer to the Cloud KMS audit logging documentation.
Subscriptions
Q: Can I subscribe to two Key Broker for Google Cloud EKM services using the same billing account?
A: You can subscribe to both the NA and the EU Key Broker for Google Cloud EKM services using a single billing account. You cannot subscribe to more than one service from the same region using the same billing account. If you need a second subscription in the same region, subscribe from a different project and billing account.
Register for the service in the geographical region closest to the resources you are encrypting.
Q: Can I buy multiple Key Broker for Google Cloud EKM service subscriptions and administrate them using the same DPoD administrator account?
A: No. As part of each service subscription you must register a new DPoD tenant; you cannot attach the subscription to an existing tenant.
Q: Can I connect multiple Google projects to the same Key Broker for Google Cloud EKM service?
A: Yes. The Key Broker for Google Cloud EKM service key URI can be used from any Cloud KMS instance, as long as the corresponding Service Accounts, Service Project Numbers, Emails, or * wildcards have been granted access as described in Policies.
Q: When does billing begin?
A: Billing, if not otherwise specified on the purchase order, begins as soon as the accounts and entitlements are activated following the first successful login. If you are renewing a previously cancelled subscription billing begins immediately.
Q: Am I billed through Thales or the Marketplace?
A: The marketplace is responsible for billing for the service.
Q: How does the subscription work?
A: Billing is prorated for the first month and then becomes a monthly subscription. If you subscribe to the service on the final day of the month, you are billed for a single day.
Q: How can I change the Google marketplace billing account associated with my Key Broker for Google Cloud EKM service?
A: Raise a support request with Google to update your Google marketplace billing account. Thales is unable to support changes to the Google marketplace billing account.
Q: How do I cancel my billing?
A: Click Cancel auto-renewal in the marketplace to put the service into the cancellation state. The service expires and billing stops at the very start of the next month.
Private offer subscriptions
Q: Can a private offer be used to extend an already expired Key Broker for Google Cloud EKM service subscription?
A: No. Once the subscription expires that instance of the service cannot be reactivated.
Q: Can I connect multiple Google projects to the same Key Broker for Google Cloud EKM service?
A: Yes. The Key Broker for Google Cloud EKM service key URI can be used from any Cloud KMS instance, as long as the corresponding Service Accounts, Service Project Numbers, Emails, or * wildcards have been granted access as described in Policies. Connection to multiple Google projects may be purchased via private offer. Contact Thales Customer Support for more information about private offers.
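The two answers above (under Subscriptions and here) both turn on which principals a key ring's EKM policy admits. The following Python is an added illustrative model written for this page, not Thales or Google code; the entry syntax, the matching rules, the field names and the sample accounts and project numbers are all assumptions made to show how an allowlist of service accounts, project numbers, emails and a * wildcard behaves, and why a reviewer should audit for the wildcard before wiring a key URI into several projects.

```python
"""Model of an allowlist-style Key Broker EKM key-ring policy.

Added illustrative example, not Thales or Google code. The page says a
key ring's EKM policy grants access to listed Service Accounts, Service
Project Numbers, Emails, or a '*' wildcard, and that keys inherit the
ring's policy. The entry format, the matching rules and the sample data
below are assumptions made for illustration.
"""
from dataclasses import dataclass, field

WILDCARD = "*"


@dataclass(frozen=True)
class Caller:
    """Cloud KMS principal requesting use of an external key (assumed shape)."""
    principal: str       # service-account or user email presented by Cloud KMS
    project_number: str  # numeric project that owns the Cloud KMS key


@dataclass
class KeyRingPolicy:
    """Allowlist enforced on a key ring; every key on the ring inherits it."""
    service_accounts: set = field(default_factory=set)
    project_numbers: set = field(default_factory=set)
    emails: set = field(default_factory=set)
    wildcard: bool = False


def parse_policy(entries):
    """Bucket raw allowlist strings by type (assumed entry syntax)."""
    policy = KeyRingPolicy()
    for raw in entries:
        entry = raw.strip()
        if entry == WILDCARD:
            policy.wildcard = True
        elif entry.isdigit():
            policy.project_numbers.add(entry)
        elif entry.lower().endswith(".gserviceaccount.com"):
            policy.service_accounts.add(entry.lower())
        elif "@" in entry:
            policy.emails.add(entry.lower())
        else:
            raise ValueError(f"unrecognized policy entry: {raw!r}")
    return policy


def policy_allows(policy, caller):
    """True if any entry matches the caller; '*' matches every caller."""
    if policy.wildcard:
        return True
    principal = caller.principal.lower()
    return (
        principal in policy.service_accounts
        or principal in policy.emails
        or caller.project_number in policy.project_numbers
    )


def audit_policy(policy):
    """Return the findings a reviewer would want before reusing the key URI."""
    findings = []
    if policy.wildcard:
        findings.append("wildcard '*' present: any Cloud KMS project can use every key on this ring")
    if policy.emails:
        findings.append(f"{len(policy.emails)} human email(s) allowed; prefer dedicated service accounts")
    for number in sorted(policy.project_numbers):
        findings.append(f"project {number}: every key in that project is allowed, not just one service account")
    return findings


# Constructed sample data (not real accounts or projects).
SCOPED_POLICY = parse_policy([
    "service-123456789012@gcp-sa-ekms.iam.gserviceaccount.com",
])
LOOSE_POLICY = parse_policy(["*", "alice@example.com"])

EKM_CALLER = Caller(
    principal="service-123456789012@gcp-sa-ekms.iam.gserviceaccount.com",
    project_number="123456789012",
)
OTHER_PROJECT = Caller(
    principal="service-999999999999@gcp-sa-ekms.iam.gserviceaccount.com",
    project_number="999999999999",
)

if __name__ == "__main__":
    for name, pol in (("scoped", SCOPED_POLICY), ("loose", LOOSE_POLICY)):
        print(name, "allows EKM_CALLER:", policy_allows(pol, EKM_CALLER),
              "| allows OTHER_PROJECT:", policy_allows(pol, OTHER_PROJECT))
        for finding in audit_policy(pol):
            print("  finding:", finding)
```

The scoped policy admits only the one service account and rejects a caller from another project; the loose policy admits everyone because of the wildcard, which is exactly what `audit_policy` flags. Because the policy lives on the key ring, a finding applies to every key created on that ring.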