CipherTrust Key Broker for Google Cloud EKM

CipherTrust Key Broker for Google Cloud EKM is a cloud-native service that provides access to an external key encryption key (KEK) for use as a wrapping key in Google Cloud Platform (GCP). The service provides a UI where you can configure and manage policy sets, manage key rings, and generate KEKs for keys added to a key ring through GCP EKM. The service key ring and its AES-256 wrap/unwrap KEK let users, developers, and organizations keep encrypted data at rest separate from the keys that encrypt it.

The benefits of using CipherTrust Key Broker for Google Cloud EKM include:

  • Secure generation, storage, and protection of your KEK on a FIPS 140-2 Level 3 validated HSM.
  • Privately maintained key provenance, managed access control, and centralized key management.
  • Full life-cycle management of your encryption key.
  • Visibility for compliance.

GCP lets you use Cloud External Key Management (EKM) with the Google Cloud Key Management Service (KMS). CipherTrust Key Broker for Google Cloud EKM protects your data in GCP while your encryption keys remain in a key management service outside GCP. You create the encryption key in CipherTrust Key Broker for Google Cloud EKM, create a Cloud EKM key in Google Cloud KMS, identify the externally managed key with its key URI, and then use that key to protect data in Compute Engine or BigQuery, or to encrypt data with a symmetric key. In this scenario, Google Cloud KMS never stores the external key material.
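The trust boundary described above, as an added illustration that is not part of this page or of the Thales service: the broker side generates and holds the KEK and exposes only wrap/unwrap, while the cloud side holds nothing but the key URI and the wrapped DEK. The URI, the `Broker` type and AES-256-GCM as the wrap primitive are assumptions of this example, not the service's real interface or wrap format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Broker stands in for CipherTrust Key Broker: the 256-bit KEK is generated and held
// only here; Cloud KMS refers to it by key URI. AES-256-GCM is an assumed stand-in for wrap/unwrap.
type Broker struct {
	URI string
	g   cipher.AEAD // AES-256-GCM keyed with the KEK; nil once the KEK is destroyed
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewBroker(uri string) *Broker {
	block, _ := aes.NewCipher(randBytes(32)) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(block)             // default nonce size: cannot fail
	return &Broker{URI: uri, g: g}
}

func (b *Broker) Destroy() { b.g = nil } // end of life: DEKs wrapped under the KEK are unrecoverable

// Wrap encrypts a caller's DEK under the KEK, binding the key URI as associated data.
func (b *Broker) Wrap(uri string, dek []byte) ([]byte, error) {
	if b.g == nil || uri != b.URI {
		return nil, errors.New("no active KEK for URI " + uri)
	}
	nonce := randBytes(b.g.NonceSize())
	return b.g.Seal(nonce, nonce, dek, []byte(uri)), nil
}

func (b *Broker) Unwrap(uri string, wrapped []byte) ([]byte, error) {
	if b.g == nil || uri != b.URI {
		return nil, errors.New("no active KEK for URI " + uri)
	}
	if ns := b.g.NonceSize(); len(wrapped) >= ns {
		return b.g.Open(nil, wrapped[:ns], wrapped[ns:], []byte(uri))
	}
	return nil, errors.New("wrapped DEK too short")
}
```

Only `Wrap` and `Unwrap` cross the boundary; the KEK bytes never leave the `Broker`, and once `Destroy` is called any DEK wrapped under it can no longer be recovered.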

The following diagrams show how Cloud KMS and CipherTrust Key Broker for Google Cloud EKM fit into the key management model.