Terminology
The following list contains important terms and their definitions:
| Term | Definition |
|---|---|
| External key manager (EKM) | The key manager outside of Google Cloud that manages your keys (such as CryptoHub). |
| Cloud External Key Manager (Cloud EKM) | A Google Cloud service for using your external keys that a supported EKM manages. |
| Cloud EKM through the internet | A version of Cloud EKM where Google Cloud communicates with your external key manager over the Internet. |
| Cloud EKM through a VPC | A version of Cloud EKM where Google Cloud communicates with your external key manager over a Virtual Private Cloud (VPC). For more information, see VPC network overview. |
| EKM key management from Cloud KMS | When using Cloud KMS through a VPC with an external key management partner that supports the Cloud EKM control plane, you can use the Cloud KMS EKM management mode to simplify the process of maintaining external keys in your external key management partner and in Cloud EKM. |
| Crypto space | A container for your resources within your external key management partner. Your crypto space is identified by a unique crypto space path. The format of the crypto space path varies by external key management partner; for example, v0/cryptospaces/YOURUNIQUEPATH. |
| Partner-managed EKM | An arrangement where your EKM is managed for you by a trusted partner (such as Futurex). |
| Key Access Justifications | When you use Cloud EKM with Key Access Justifications, each request to your external key management partner includes a field that identifies the reason for each request. You can configure your external key management partner to allow or deny requests based on the Key Access Justifications code provided. For more information about Key Access Justifications, see Key Access Justifications overview. |
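The following Python example, added to this page and not part of Futurex's or Google's code, shows how an EKM-side policy of the kind the Key Access Justifications entry describes can be evaluated: every request carries a reason code, and the policy allows or denies the request, failing closed when the code is missing or unrecognised. The reason-code names are the ones Google Cloud publishes for Key Access Justifications; the request field names (`key_path`, `operation`, `access_reason`), the policy contents and the sample requests are constructed for illustration.

```python
# Added example: a fail-closed Key Access Justifications policy evaluated on the EKM side.
# Reason-code names are Google Cloud's published Key Access Justifications codes; the
# request field names, policy contents and sample requests are constructed for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

CUSTOMER_REASONS = {"CUSTOMER_INITIATED_ACCESS", "CUSTOMER_INITIATED_SUPPORT"}
GOOGLE_REASONS = {
    "GOOGLE_INITIATED_SERVICE",
    "GOOGLE_INITIATED_REVIEW",
    "GOOGLE_INITIATED_SYSTEM_OPERATION",
    "GOOGLE_RESPONSE_TO_PRODUCTION_ALERT",
}
THIRD_PARTY_REASONS = {"THIRD_PARTY_DATA_REQUEST"}
KNOWN_REASONS = CUSTOMER_REASONS | GOOGLE_REASONS | THIRD_PARTY_REASONS | {
    "REASON_UNSPECIFIED", "REASON_NOT_EXPECTED"}


@dataclass
class JustificationPolicy:
    """Allow-list of reason codes for a crypto space, with optional per-key overrides."""
    default_allowed: Set[str]
    per_key_allowed: Dict[str, Set[str]] = field(default_factory=dict)

    def allowed_for(self, key_path: str) -> Set[str]:
        return self.per_key_allowed.get(key_path, self.default_allowed)


@dataclass
class Decision:
    allowed: bool
    reason_code: Optional[str]
    detail: str


def evaluate(policy: JustificationPolicy, request: dict) -> Decision:
    """Decide one EKM request. Anything missing, unknown or not allow-listed is denied."""
    key_path = request.get("key_path", "")
    code = request.get("access_reason")  # assumed field name for the justification
    if not code:
        return Decision(False, None, "request carries no justification")
    if code not in KNOWN_REASONS:
        return Decision(False, code, "unrecognised reason code")
    if code not in policy.allowed_for(key_path):
        return Decision(False, code, "reason code not allowed for this key")
    return Decision(True, code, "allowed by policy")


def audit_line(request: dict, decision: Decision) -> str:
    """One audit-log line per decision, so denied requests can be traced back later."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    return (f"{verdict} op={request.get('operation', '?')} key={request.get('key_path', '?')} "
            f"reason={decision.reason_code} ({decision.detail})")


def evaluate_batch(policy: JustificationPolicy, requests: List[dict]) -> List[str]:
    return [audit_line(r, evaluate(policy, r)) for r in requests]


# Constructed sample: the crypto space default serves workloads only; one key also
# accepts support-driven access. Requests mimic what Cloud EKM would send to the EKM.
SPACE = "v0/cryptospaces/EXAMPLE"
POLICY = JustificationPolicy(
    default_allowed={"CUSTOMER_INITIATED_ACCESS", "GOOGLE_INITIATED_SYSTEM_OPERATION"},
    per_key_allowed={f"{SPACE}/keys/support-key": {"CUSTOMER_INITIATED_ACCESS",
                                                   "CUSTOMER_INITIATED_SUPPORT"}},
)
SAMPLE_REQUESTS = [
    {"operation": "wrap", "key_path": f"{SPACE}/keys/db-key", "access_reason": "CUSTOMER_INITIATED_ACCESS"},
    {"operation": "unwrap", "key_path": f"{SPACE}/keys/db-key", "access_reason": "THIRD_PARTY_DATA_REQUEST"},
    {"operation": "unwrap", "key_path": f"{SPACE}/keys/db-key"},
    {"operation": "unwrap", "key_path": f"{SPACE}/keys/db-key", "access_reason": "SOMETHING_ELSE"},
    {"operation": "unwrap", "key_path": f"{SPACE}/keys/support-key", "access_reason": "CUSTOMER_INITIATED_SUPPORT"},
    {"operation": "unwrap", "key_path": f"{SPACE}/keys/db-key", "access_reason": "CUSTOMER_INITIATED_SUPPORT"},
]

if __name__ == "__main__":
    for line in evaluate_batch(POLICY, SAMPLE_REQUESTS):
        print(line)
```

The policy is deliberately default-deny: a request without a justification, with a code the evaluator does not know, or with a known code that the key's allow-list omits is refused and logged, so a misconfigured or missing list never silently widens access.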
Google Cloud EKM features
Google Cloud EKM has the following features (described in the following sections):
- Base Google EKM support
- Justification
- VPC support
- Checksum support
- Asymmetric signing
- Key Management commands
Google Cloud EKM Service
You can find the Google Cloud EKM (External Key Manager) service on the Available Services page under the Cloud Key Management category. For instructions on deploying a service, see the Managing services page.
Base Google EKM support
With Google Cloud EKM, you can use keys that you manage within a supported external key management partner (such as CryptoHub) to protect data within Google Cloud. You can protect data at rest in supported CMEK integration services or by calling the Cloud Key Management Service API directly.
Justification
The justification feature requires users to provide a reason or justification for any critical operation they perform on the key management system. This feature enhances accountability and enables better auditing of actions taken within the system. By mandating justifications, you can easily trace back decisions, identify patterns of misuse, and ensure that only authorized and necessary operations are executed.
VPC support
Virtual Private Cloud (VPC) support enables you to integrate the CryptoHub seamlessly into your existing VPC infrastructure on Google Cloud. This feature ensures that the key management server operates within a secure, isolated environment, which reduces the potential attack surface and provides better protection for sensitive data. VPC support also simplifies network configurations and enables more granular control over access to the key management server.
Checksum support (validity checks on keys through a CMAC)
Checksum support, using a Cipher-based Message Authentication Code (CMAC), enables the CryptoHub to perform validity checks on cryptographic keys. When you generate, store, or transmit keys, a CMAC is calculated and attached to the key. The CMAC acts as a checksum so the recipient can verify the integrity of the key. This feature enhances the security of key management operations by ensuring that keys have not been tampered with or corrupted during storage or transmission. This feature is transparent to the user.
Asymmetric signing (RSA keys)
Asymmetric signing support for RSA keys enables the CryptoHub to generate and manage RSA key pairs, which you can use for digital signatures and public key encryption. With this feature, you can create, store, and manage RSA keys in the CryptoHub, while leveraging Google Cloud External Key Manager for operations that require the private key, such as signing or decrypting data. This expands the range of cryptographic operations that you can perform with the integrated solution and provides increased flexibility.
Key Management commands (in beta with Google)
The Key Management commands feature, currently in beta with Google, enables you to execute a wider range of key management operations directly from the Google Cloud External Key Manager interface. This includes actions such as key rotation, deletion, and metadata updates. With a more comprehensive set of key management commands, you can streamline your workflows and manage your cryptographic keys more efficiently within the integrated environment. These new features significantly enhance the capabilities of the CryptoHub and Google Cloud External Key Manager integration, providing improved security, accountability, and flexibility for cryptographic key management.
Key benefits of the integration
Integrating with CryptoHub offers the following benefits:
- **Key provenance:** You control the location and distribution of your externally managed keys. Externally managed keys are never cached or stored within Google Cloud. Instead, Cloud EKM communicates directly with the CryptoHub for each request.
- **Access control:** You manage access to your externally managed keys. Before you can use an externally managed key in Google Cloud, you must grant the Google Cloud project access to use the key. You can revoke this access at any time.
- **Centralized key management:** You can manage your keys and access policies from a single user interface, whether the data they protect resides in the cloud or on your premises.
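The Checksum support feature described above attaches a CMAC to key material so the recipient can verify that the key arrived intact. The following Python example, added to this page and not Futurex's or Google's code, implements AES-CMAC as specified in RFC 4493 on top of the third-party `cryptography` package's AES block cipher, then uses it to attach a checksum to sample key material and to verify it on receipt. The separate integrity key, the material-plus-tag layout and the sample material are assumptions; the page does not say how CryptoHub keys or encodes its checksum.

```python
# Added example: an AES-CMAC (RFC 4493) key checksum of the kind the page describes.
# Uses the third-party `cryptography` package for the AES block function. The integrity
# key, the material-plus-tag layout and the sample key material are constructed.
import hmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK_SIZE = 16
RB = 0x87  # RFC 4493 constant for 128-bit subkey derivation


def _aes_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Raw single-block AES encryption (ECB over exactly one block)."""
    encryptor = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return encryptor.update(block) + encryptor.finalize()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _double(block: bytes) -> bytes:
    """Multiply by x in GF(2^128): shift left one bit, XOR RB if a bit carried out."""
    n = int.from_bytes(block, "big") << 1
    carry = n >> 128
    out = (n & ((1 << 128) - 1)).to_bytes(BLOCK_SIZE, "big")
    if carry:
        out = out[:-1] + bytes([out[-1] ^ RB])
    return out


def _subkeys(key: bytes):
    k1 = _double(_aes_encrypt_block(key, bytes(BLOCK_SIZE)))
    k2 = _double(k1)
    return k1, k2


def aes_cmac(key: bytes, msg: bytes) -> bytes:
    """16-byte AES-CMAC tag over msg, following RFC 4493 section 2.4."""
    k1, k2 = _subkeys(key)
    n = (len(msg) + BLOCK_SIZE - 1) // BLOCK_SIZE
    if n == 0:
        n, last_complete = 1, False
    else:
        last_complete = len(msg) % BLOCK_SIZE == 0
    if last_complete:
        last = _xor(msg[-BLOCK_SIZE:], k1)
    else:  # pad the partial final block with 10..0 and use K2 instead of K1
        tail = msg[(n - 1) * BLOCK_SIZE:] + b"\x80"
        last = _xor(tail + bytes(BLOCK_SIZE - len(tail)), k2)
    x = bytes(BLOCK_SIZE)
    for i in range(n - 1):
        x = _aes_encrypt_block(key, _xor(x, msg[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]))
    return _aes_encrypt_block(key, _xor(x, last))


def attach_checksum(integrity_key: bytes, key_material: bytes) -> bytes:
    """Return key material with its CMAC appended, as the sender would transmit it."""
    return key_material + aes_cmac(integrity_key, key_material)


def verify_checksum(integrity_key: bytes, blob: bytes):
    """Split blob into (material, tag) and recompute the tag. Returns the material on
    success and None on any mismatch; the compare is constant-time."""
    if len(blob) < BLOCK_SIZE:
        return None
    material, tag = blob[:-BLOCK_SIZE], blob[-BLOCK_SIZE:]
    if not hmac.compare_digest(aes_cmac(integrity_key, material), tag):
        return None
    return material


if __name__ == "__main__":
    integrity_key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # RFC 4493 sample key
    material = bytes(range(32))                                         # constructed key material
    blob = attach_checksum(integrity_key, material)
    print("verified:", verify_checksum(integrity_key, blob) == material)
```

`verify_checksum` returns the material only after `hmac.compare_digest` accepts the tag, so a tag comparison does not leak how many leading bytes matched, and a single flipped bit anywhere in the material or the tag yields `None` rather than corrupted key material.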
How it works
Cloud EKM key versions consist of these parts:
- External key material: The external key material of a Cloud EKM key is cryptographic material created and stored in your EKM. This material does not leave your EKM, and it is never shared with Google.
- Key reference: Each Cloud EKM key version contains either a key URI or a key path. This is a unique identifier for the external key material that Cloud EKM uses when requesting cryptographic operations using the key.
- Internal key material: When a symmetric Cloud EKM key is created, Cloud KMS creates additional key material in Cloud KMS, which never leaves Cloud KMS. This key material is used as an extra layer of encryption when communicating with your EKM. This internal key material does not apply to asymmetric signing keys.
Manually managed external keys
This section provides a broad overview of how Cloud EKM works with a manually managed external key:
First, you create or use an existing key in the CryptoHub application interface. This key has a unique URI or key path.
In your Google Cloud project, you create a Cloud EKM key version by using the URI or key path for the externally managed key.
Within Google Cloud, the key appears alongside your other Cloud KMS and Cloud HSM keys, with one of the following protection levels: EXTERNAL or EXTERNAL_VPC. The Cloud EKM key and the external key management partner key work together to protect your data and never expose the external key to Google.
Coordinated external keys
This section provides an overview of how Cloud EKM works with a coordinated external key.
First, you set up an EKM through the VPC connection, setting the EKM management mode to Cloud KMS. During setup, you must authorize your EKM to access your VPC network and authorize your Google Cloud project service account to access your crypto space on the CryptoHub. The connection from Cloud KMS to CryptoHub uses the hostname of the CryptoHub and a crypto space path that identifies your resources within your EKM (i.e., CryptoHub).
Next, you create an external key in Cloud KMS. When you create a Cloud EKM key using an EKM via VPC connection with the Cloud KMS EKM management mode enabled, the following steps take place automatically:
a. Cloud EKM sends a key creation request to your EKM.
b. Your EKM creates the requested key material. This external key material remains in the EKM and is never sent to Google.
c. Your EKM returns a key path to Cloud EKM.
d. Cloud EKM creates your Cloud EKM key version using the key path provided by your EKM.
Maintenance operations on coordinated external keys can be initiated from Cloud KMS. For example, coordinated external keys used for symmetric encryption can be automatically rotated on a set schedule. The creation of new key versions is coordinated in your EKM by Cloud EKM. You can also trigger the creation or destruction of key versions in your EKM from Cloud KMS using the Google Cloud console, the gcloud CLI, the Cloud KMS API, or Cloud KMS client libraries.
Within Google Cloud, the key appears alongside your other Cloud KMS and Cloud HSM keys, with protection level EXTERNAL_VPC. The Cloud EKM key and the external key management partner key work together to protect your data and never expose the external key to Google.
EKM key management from Cloud KMS
Coordinated external keys are made possible by EKM through VPC connections that use EKM key management from Cloud KMS. Futurex’s CryptoHub product fully supports the Cloud EKM control plane, giving you the ability to use EKM key management from Cloud KMS for your EKM through VPC connections to create coordinated external keys. With EKM key management from Cloud KMS enabled, Cloud EKM can request the following changes in your EKM:
- Create a key: When you create an externally managed key in Cloud KMS using a compatible EKM through VPC connection, Cloud EKM sends your key creation request to your EKM. When successful, your EKM creates the new key and key material and returns the key path for Cloud EKM to access the key.
- Rotate a key: When you rotate an externally managed key in Cloud KMS using a compatible EKM through VPC connection, Cloud EKM sends your rotation request to your EKM. When successful, your EKM creates new key material and returns the key path for Cloud EKM to use to access the new key version.
- Destroy a key: When you destroy a key version for an externally managed key in Cloud KMS by using a compatible EKM through VPC connection, Cloud KMS schedules the key version for destruction in Cloud KMS. If the key version is not restored before the scheduled-for-destruction period ends, Cloud EKM destroys its part of the key’s cryptographic material and sends a destruction request to your EKM.
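The following Python simulation, added to this page and not Cloud KMS or CryptoHub code, walks through the coordinated external key flow described in the two sections above: creation steps a through d, rotation as the creation of a new primary version, and destruction with a scheduled-for-destruction window during which a version can still be restored. Both sides are constructed stand-ins. The key path layout beneath the crypto space path and the length of the destruction window are assumptions; the version state names follow Cloud KMS's ENABLED, DISABLED, DESTROY_SCHEDULED and DESTROYED.

```python
# Added example: simulation of the coordinated-external-key control plane. The EKM side
# keeps the external key material and answers create/destroy requests; the Cloud KMS side
# holds only the returned key path plus its own internal material. Key path layout and the
# destruction window are assumptions; neither class is Cloud KMS or CryptoHub code.
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class ExternalKeyVersion:
    key_path: str
    material: bytes            # stays inside the EKM; never returned to the caller
    destroyed: bool = False


class ExternalKeyManager:
    """EKM side of the control plane (a stand-in for the partner product)."""

    def __init__(self, crypto_space_path: str):
        self.crypto_space_path = crypto_space_path
        self.versions: Dict[str, ExternalKeyVersion] = {}
        self.requests: List[Tuple[str, str]] = []   # audit trail of control-plane calls

    def create_key_version(self) -> str:
        # Key path layout under the crypto space path is an assumption for this example.
        key_path = f"{self.crypto_space_path}/keys/{secrets.token_hex(8)}"
        self.versions[key_path] = ExternalKeyVersion(key_path, secrets.token_bytes(32))
        self.requests.append(("create", key_path))
        return key_path            # only the reference leaves the EKM (step c)

    def destroy_key_version(self, key_path: str) -> None:
        self.versions[key_path].destroyed = True
        self.requests.append(("destroy", key_path))


@dataclass
class CloudEkmKeyVersion:
    key_path: str
    internal_material: bytes   # Cloud KMS's extra encryption layer; never leaves Cloud KMS
    state: str = "ENABLED"
    destroy_time: Optional[datetime] = None


class CoordinatedExternalKey:
    """Cloud KMS side: an EXTERNAL_VPC key whose versions are coordinated in the EKM."""

    def __init__(self, ekm: ExternalKeyManager, destroy_period: timedelta):
        self.ekm = ekm
        self.destroy_period = destroy_period   # scheduled-for-destruction window (assumed)
        self.versions: List[CloudEkmKeyVersion] = []
        self.primary: Optional[CloudEkmKeyVersion] = None

    def create_version(self) -> CloudEkmKeyVersion:
        key_path = self.ekm.create_key_version()                         # steps a to c
        version = CloudEkmKeyVersion(key_path, secrets.token_bytes(32))  # step d
        self.versions.append(version)
        self.primary = version
        return version

    def rotate(self) -> CloudEkmKeyVersion:
        return self.create_version()   # rotation = a new primary version, coordinated in the EKM

    def schedule_destroy(self, version: CloudEkmKeyVersion, now: datetime) -> None:
        version.state = "DESTROY_SCHEDULED"
        version.destroy_time = now + self.destroy_period

    def restore(self, version: CloudEkmKeyVersion) -> None:
        if version.state == "DESTROY_SCHEDULED":   # restored versions come back disabled
            version.state = "DISABLED"
            version.destroy_time = None

    def run_maintenance(self, now: datetime) -> List[str]:
        """Finish every destruction whose window has elapsed: drop the internal material
        first, then send the destruction request to the EKM. Returns the paths destroyed."""
        destroyed = []
        for version in self.versions:
            if version.state == "DESTROY_SCHEDULED" and now >= version.destroy_time:
                version.internal_material = b""
                self.ekm.destroy_key_version(version.key_path)
                version.state = "DESTROYED"
                destroyed.append(version.key_path)
        return destroyed


def demo_lifecycle() -> dict:
    """Create, rotate, schedule, restore and destroy; return what each side observed."""
    ekm = ExternalKeyManager("v0/cryptospaces/EXAMPLE")   # constructed crypto space path
    key = CoordinatedExternalKey(ekm, timedelta(hours=24))
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    v1 = key.create_version()
    v2 = key.rotate()
    key.schedule_destroy(v1, t0)
    early = key.run_maintenance(t0 + timedelta(hours=1))   # inside the window: nothing happens
    key.schedule_destroy(v2, t0)
    key.restore(v2)                                        # v2 escapes destruction
    late = key.run_maintenance(t0 + timedelta(hours=25))   # window elapsed for v1 only
    return {
        "v1_path": v1.key_path, "v1_state": v1.state, "v1_internal": v1.internal_material,
        "v2_state": v2.state, "primary_is_v2": key.primary is v2,
        "early": early, "late": late,
        "ekm_destroyed": [p for p, v in ekm.versions.items() if v.destroyed],
        "ekm_requests": list(ekm.requests),
    }
```

Running `demo_lifecycle()` shows the separation the page describes: the EKM's audit trail records only create and destroy requests carrying key paths, the external material never appears on the Cloud KMS side, and a version restored before its window ends is left disabled with no destruction request sent.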

