Key Broker for Google Cloud EKM
Key Broker for Google Cloud EKM is a cloud-native service that provides access to an external key encryption key (KEK) for use as a wrapping key in Google Cloud Platform (GCP). Its UI lets you configure and manage policy sets, manage key rings, and generate KEKs for keys added to the key ring through GCP EKM. The service key ring and the AES-256 wrap/unwrap KEK allow users, developers, and organizations to keep encrypted data at rest in GCP separate from the encryption keys that protect it.
The benefits of using Key Broker for Google Cloud EKM include:
- Secure generation, storage and protection of your KEK on a FIPS 140-2 Level 3 validated HSM.
- Privately maintained key provenance, managed access control, and centralized key management.
- Full lifecycle management of your encryption key.
- Visibility for compliance.
Google Cloud Key Management Service (Cloud KMS) supports Cloud External Key Manager (Cloud EKM), which lets Cloud KMS use keys held outside Google Cloud. Key Broker for Google Cloud EKM protects your data in GCP while your encryption keys are stored in a key management service outside GCP. You create an encryption key in Key Broker for Google Cloud EKM, create a Cloud EKM key in Cloud KMS that references the externally managed key by its key URI, and then use that key to protect data in Compute Engine or BigQuery, or to encrypt data directly with the symmetric key. In this scenario, Cloud KMS never stores the external key material: every wrap and unwrap performed under the key is a call to the key broker. The corollary is that availability follows the broker; if the external key is disabled, deleted or unreachable, data protected by it cannot be decrypted in GCP.
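The following Go program is an added example, not code from Thales or Google, that models the separation described above and in the service overview: the AES-256 KEK exists only inside the key broker, the cloud side keeps a key URI plus wrapped data keys and ciphertext, and a policy change at the broker makes data that is already encrypted unreadable. Everything in it is an assumption made for illustration: the policy set is reduced to an allow list keyed on a caller string, the key URI format is invented, AES-GCM is used as the wrap mode (the page says only that the KEK is an AES-256 wrap/unwrap key), and the caller identities are placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ErrPolicyDenied models the broker refusing a caller that its policy set does not allow.
var ErrPolicyDenied = errors.New("key broker: policy set denies this caller access to the key")
// gcm builds AES-GCM from a raw key; a 32-byte key gives AES-256.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// seal returns nonce||ciphertext under a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}
// open reverses seal; the GCM tag check rejects tampered or foreign ciphertext.
func open(key, sealed []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(sealed) < g.NonceSize() {
		return nil, errors.New("open: bad key or ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}
// KeyBroker stands in for the external key manager: the AES-256 KEK exists only here,
// and each key URI carries an allow list of callers (a stand-in for a policy set).
type KeyBroker struct {
	keks    map[string][]byte
	allowed map[string]map[string]bool
}

func NewKeyBroker() *KeyBroker {
	return &KeyBroker{keks: map[string][]byte{}, allowed: map[string]map[string]bool{}}
}

// CreateKEK generates a 256-bit KEK and returns the URI by which a KMS will refer to it.
// The URI form is hypothetical, chosen for this example.
func (b *KeyBroker) CreateKEK(name string) (string, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return "", err
	}
	uri := "https://broker.example.invalid/keys/" + name
	b.keks[uri], b.allowed[uri] = kek, map[string]bool{}
	return uri, nil
}
// SetAccess edits the policy for a URI returned by CreateKEK: true grants, false revokes.
func (b *KeyBroker) SetAccess(uri, caller string, allowed bool) { b.allowed[uri][caller] = allowed }
// Wrap and Unwrap are the only operations that cross the trust boundary; the KEK never does.
func (b *KeyBroker) Wrap(uri, caller string, dek []byte) ([]byte, error) {
	if kek, ok := b.keks[uri]; ok && b.allowed[uri][caller] {
		return seal(kek, dek)
	}
	return nil, ErrPolicyDenied
}
func (b *KeyBroker) Unwrap(uri, caller string, wrapped []byte) ([]byte, error) {
	if kek, ok := b.keks[uri]; ok && b.allowed[uri][caller] {
		return open(kek, wrapped)
	}
	return nil, ErrPolicyDenied
}
// Envelope is all the cloud side stores at rest: the wrapped DEK and the data ciphertext.
// The KMS record for the key itself holds only the key URI, never key material.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// Encrypt generates a fresh DEK, seals the data locally and has the broker wrap the DEK.
func Encrypt(b *KeyBroker, keyURI, caller string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := b.Wrap(keyURI, caller, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt asks the broker to unwrap the DEK; if policy denies it, the data stays unreadable.
func Decrypt(b *KeyBroker, keyURI, caller string, env *Envelope) ([]byte, error) {
	dek, err := b.Unwrap(keyURI, caller, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}
```

Two things the model makes concrete. First, the plaintext never travels to the broker; only a 32-byte DEK does, so the external service sees key material and policy decisions but no customer data. Second, the cloud side can be fully compromised at rest (the Envelope and the URI are all it holds) without exposing anything, while a single `SetAccess(uri, caller, false)` at the broker turns every envelope under that key into undecryptable bytes, which is both the control the product offers and the availability risk to plan for. On the real GCP side the same binding is expressed by creating the Cloud KMS key with `--protection-level external` and its version with `--external-key-uri` in `gcloud kms`, with the key broker's policy set deciding whether Cloud KMS's calls are honoured.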
Creating a Key Broker for Google Cloud EKM service automatically generates a DPoD tenant, binds the service to it and registers you as the tenant's primary administrator. You can log in at the tenant URL to access DPoD platform features such as User Management, Tenant Management and Reporting. From the tenant, open the Key Broker for Google Cloud EKM by selecting its name in the Services table.
The following diagrams show how Cloud KMS and Key Broker for Google Cloud EKM fit into the key management model.