Google Cloud EKM (External Key Manager)

This guide describes how to integrate Google Cloud External Key Manager (Cloud EKM) with the KMES Series 3. This section covers important terminology, the Cloud EKM features the KMES Series 3 supports, the key benefits of the integration, how the integration works, and an overview of the integration tasks.

Terminology

The following list contains important terms and their definitions:

External key manager (EKM): The key manager outside of Google Cloud that holds and manages your keys (such as the KMES Series 3).

Cloud External Key Manager (Cloud EKM): The Google Cloud service that lets Google Cloud services use external keys that a supported EKM manages.

Cloud EKM through the internet: A version of Cloud EKM in which Google Cloud communicates with your external key manager over the public internet.

Cloud EKM through a VPC: A version of Cloud EKM in which Google Cloud communicates with your external key manager over a Virtual Private Cloud (VPC) network rather than over the public internet.

Google Cloud EKM features

The following list describes EKM features:

Base Google EKM support: With Cloud EKM, you can use keys you manage in a supported external key management partner (such as the KMES Series 3) to protect data within Google Cloud. You can protect data at rest in any service that supports Customer-Managed Encryption Keys (CMEK) with Cloud EKM, or call the Cloud Key Management Service API directly.

Justification: Each request that Cloud EKM sends to the KMES Series 3 carries a justification stating why the key is being accessed. The KMES Series 3 records the justification together with the operation, so every use of a key can be traced back to a reason, patterns of misuse can be identified, and requests whose justification is not acceptable can be refused, ensuring that only authorized and necessary operations are executed.

VPC support: Virtual Private Cloud (VPC) support lets Google Cloud reach the KMES Series 3 over your existing VPC network instead of the public internet (Cloud EKM through a VPC). The key management server then operates in an isolated network environment, which reduces its exposed attack surface, simplifies network configuration, and gives you more granular control over which clients can reach it.

Checksum support (validity checks on keys via a CMAC): The KMES Series 3 computes a Cipher-based Message Authentication Code (CMAC) over each key when the key is generated, stored, or transmitted, and attaches it to the key as a checksum. The recipient recomputes the CMAC to verify that the key has not been tampered with or corrupted in storage or in transit. The check is transparent to the user.

Asymmetric signing (RSA keys): The KMES Series 3 can generate, store, and manage RSA key pairs for digital signatures and public-key encryption. Operations that require the private key, such as signing or decrypting data, are forwarded by Cloud EKM to the KMES Series 3, where the private key stays; it is never exposed to Google Cloud. This extends the integration beyond symmetric encryption.

Key Management commands (in beta with Google): Lets you perform a wider range of key management operations, such as key rotation, deletion, and metadata updates, directly from the Cloud EKM interface rather than on the KMES Series 3, so that keys used by the integrated environment can be managed from one place.

Key benefits of the integration

The Google Cloud EKM / KMES Series 3 integration provides several benefits:

Key provenance: You control the location and distribution of your externally managed keys. Externally managed keys are never cached or stored within Google Cloud; Cloud EKM communicates with the KMES Series 3 for each request.

Access control: You manage access to your externally managed keys. Before you can use an externally managed key in Google Cloud, you must grant the Google Cloud project access to the key on the KMES Series 3, and you can revoke that access at any time.

Centralized key management: You manage your keys and access policies from a single user interface, whether the data they protect resides in the cloud or on your premises.

In all cases, the key resides on the KMES Series 3 and is never sent to Google.

Refer to the Google EKM documentation for the full list of services that support CMEK with Cloud EKM.

How it works

This section provides a broad overview of how Cloud EKM works with an external key:

  1. Create a key in the KMES Series 3 application interface, or choose an existing one. Each key has a unique URI or key path.
  2. On the KMES Series 3, grant your Google Cloud project access to use the key.
  3. In your Google Cloud project, create a Cloud EKM key that references the external key's URI or key path.

Within Google Cloud, the key appears alongside your other Cloud KMS and Cloud HSM keys, with protection level EXTERNAL (Cloud EKM through the internet) or EXTERNAL_VPC (Cloud EKM through a VPC). The Cloud EKM key and the external key on the KMES Series 3 work together to protect your data. The external key is never exposed to Google.

Every encryption and decryption request needs both the Cloud EKM key version and the external key. If you lose access to either, you cannot recover your data: creating a new Cloud EKM key version that points at the same external key URI or key path does not recreate the lost version, and data encrypted under it stays unrecoverable.

Refer to the Google EKM documentation for information about the considerations and restrictions when using Cloud EKM.
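The three steps above, as an added example that is not from this guide or from the KMES Series 3 or Google documentation: a bash script using the gcloud CLI that creates a Cloud EKM key with protection level EXTERNAL (Cloud EKM through the internet), points its first version at the key's URI on the KMES Series 3, and then runs the encrypt/decrypt round trip that fails when either the Cloud EKM key version or the external key is unavailable. The project number, location, key ring and key names, and the external key URI are placeholders; copy the real URI from the key's details on the KMES Series 3. Step 2 is performed on the KMES Series 3 and is not scripted; the script only prints the identity to grant access to, which is the Cloud EKM service agent of your project.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): create a Cloud EKM key backed by a key on
# the KMES Series 3 and verify an encrypt/decrypt round trip through it.
# All values below are placeholders; override them through the environment.
set -eu

PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"   # numeric project number, not the project ID
LOCATION="${LOCATION:-us-east1}"
KEYRING="${KEYRING:-kmes-ekm-ring}"
KEY="${KEY:-kmes-ekm-key}"
# Copy this from the key's details on the KMES Series 3; the path shown here is made up.
EXTERNAL_KEY_URI="${EXTERNAL_KEY_URI:-https://kmes.example.com/path-shown-on-the-kmes}"

# Identity that Cloud EKM presents to the external key manager. Grant this
# service agent access to the key on the KMES Series 3 (step 2) before step 3.
ekm_service_agent() {
  printf 'service-%s@gcp-sa-ekms.iam.gserviceaccount.com\n' "$1"
}

# Cloud EKM accepts only HTTPS key URIs; reject obvious mistakes before a
# key version is created with them (a version cannot be edited afterwards).
ekm_key_uri_ok() {
  case "$1" in
    *[[:space:]]*) return 1 ;;   # whitespace means a copy/paste error
    https://?*)    return 0 ;;   # scheme plus at least a host
    *)             return 1 ;;   # http://, bare host, empty string
  esac
}

# Full resource name of the key, as CMEK settings and audit logs refer to it.
kms_key_name() {   # args: project (ID or number) location keyring key
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# Step 3: create the Cloud EKM key (protection level EXTERNAL) with no initial
# version, then add version 1 pointing at the external key URI and make it primary.
create_ekm_key() {
  ekm_key_uri_ok "$EXTERNAL_KEY_URI" || { echo "refusing bad external key URI: $EXTERNAL_KEY_URI" >&2; return 1; }
  gcloud kms keyrings describe "$KEYRING" --location "$LOCATION" >/dev/null 2>&1 ||
    gcloud kms keyrings create "$KEYRING" --location "$LOCATION"
  gcloud kms keys create "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --purpose encryption --protection-level external --skip-initial-version-creation
  gcloud kms keys versions create --key "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --external-key-uri "$EXTERNAL_KEY_URI" --primary
  # Show what Google Cloud recorded: only the protection level and the URI, never key material.
  gcloud kms keys versions describe 1 --key "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --format 'value(protectionLevel,externalProtectionLevelOptions.externalKeyUri)'
}

# Round trip: succeeds only if both the Cloud EKM key version and the KMES key are reachable.
roundtrip() {
  local tmp; tmp="$(mktemp -d)"
  printf 'cloud ekm round trip %s\n' "$(date +%s)" > "$tmp/plain"
  gcloud kms encrypt --key "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --plaintext-file "$tmp/plain" --ciphertext-file "$tmp/cipher"
  gcloud kms decrypt --key "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --ciphertext-file "$tmp/cipher" --plaintext-file "$tmp/decrypted"
  if cmp -s "$tmp/plain" "$tmp/decrypted"; then
    echo "round trip OK via $(kms_key_name "$PROJECT_NUMBER" "$LOCATION" "$KEYRING" "$KEY")"
    rm -rf "$tmp"; return 0
  fi
  echo "round trip FAILED: decrypted output differs from input" >&2
  rm -rf "$tmp"; return 1
}

# Only act when explicitly asked, so sourcing this file just defines the helpers.
if [ "${1:-}" = "apply" ]; then
  echo "grant access on the KMES Series 3 to: $(ekm_service_agent "$PROJECT_NUMBER")"
  create_ekm_key
  roundtrip
fi
```

Run it as `./ekm-key.sh apply` after step 2 is done on the KMES Series 3. If the round trip fails, revoking or misconfiguring access on the KMES Series 3 is the first thing to check, since Google Cloud holds nothing that could decrypt the ciphertext on its own. The EXTERNAL_VPC variant needs an EKM connection and `--protection-level external-vpc` in place of the external key URI; it is not shown here.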

Integration overview

This guide covers the following tasks to integrate Google Cloud EKM with KMES Series 3:

  1. Set up Google Cloud External Key Manager (EKM) initially
  2. Set up TLS and authentication on the KMES Series 3
  3. Configure manually managed keys
  4. Configure Google Crypto Space managed keys
  5. Create an externally managed key in Google Cloud
  6. Test encryption and decryption with externally managed key

The following sections describe how to perform these tasks.