Last Updated: Mar 27, 2024

Cloud External Key Manager

Author Shiva


Cloud Key Management Service (Cloud KMS) is a centralized Google Cloud service that offers numerous features. You can use it to create, import, and maintain cryptographic keys and to perform cryptographic operations. You can use these keys and carry out these operations directly through Cloud Key Management Service, through Cloud HSM or Cloud External Key Manager, or through Customer-Managed Encryption Keys (CMEK) integrations within other Google Cloud services.

With Cloud Key Management Service, you have a root of trust that can be proved and monitored over your data, and you can manage cryptographic keys in the cloud in the same manner that you can on-premises.

What is Cloud EKM?☁️

With Cloud External Key Manager, you may secure Google Cloud data using keys you control through an approved external key management partner. You may secure data while it is in transit by directly accessing the Cloud Key Management Service API or using one of the available CMEK integration services.


Several advantages of Cloud External Key Manager include:

  • Key provenance: The distribution and location of your externally managed keys are under your control. Externally managed keys are never cached or stored in Google Cloud. Instead, Cloud EKM communicates directly with the external key management partner for each request.
  • Access management: You control who has access to your externally managed keys. Before an externally managed key can be used to encrypt or decrypt data in Google Cloud, you must grant the Google Cloud project access to the key. You can revoke this access at any time.
  • Centralized key management: Regardless of whether the data they protect is stored on your premises or in the cloud, you can manage your keys and access policies from a single location and user interface.

Using Cloud EKM with VPC☁️

This section explains how to establish and maintain external keys that can only be accessed through a Virtual Private Cloud (VPC) network using Cloud External Key Manager (Cloud EKM).

Before you start, complete the following steps so that you can use Cloud EKM keys to protect your data.

  1. Create a new project
  2. Enable Cloud KMS
  3. Make sure the gcloud CLI is the current version.
  4. Establish a VPC network.
    1. There are two possibilities when creating a VPC network: Auto network mode and Customized network mode.
  5. Register your external key manager by creating a Service Directory service endpoint
  6. Permit Cloud EKM to access your VPC

Cloud External Key Manager Service Level Agreement (SLA)📜

During the term of the contract (where applicable, the "Agreement") under which Google has agreed to provide Customer with Google Cloud Platform, the Covered Service shall offer Customer a Monthly Uptime Percentage of at least 99.5% (the "Service Level Objective" or "SLO"). If the Customer complies with its duties under this SLA and Google does not reach the SLO, the Customer will be qualified to earn the Financial Credits listed below. This SLA outlines the Customer's only recourse in the event that Google does not fulfill the SLO. The definitions given to capitalized terms used in this SLA but not elsewhere defined in this SLA are found in the Agreement.

All references to "Customer" in this SLA shall refer to "Partner" or "Reseller" (as applicable) if the Agreement permits the resale or supply of Google Cloud Platform through a Google Cloud partner or reseller program. Any applicable Financial Credit(s) shall only apply to impacted Partner or Reseller order(s) under the Agreement.

Using Cloud KMS with other products☁️

A list of Google Cloud services with integrations with Cloud KMS is provided in this topic.

The integrations fall into one of the following groups:

  1. CMEK integrations: With a customer-managed encryption key (CMEK) integration, you can encrypt the data stored by that service using a Cloud KMS key that you control and manage. Data encrypted with a CMEK key cannot be decrypted without access to that key.
  2. CMEK-compliant services: A CMEK-compliant service either doesn't store data at all or stores it only for a brief time, for example during batch processing. Such data is encrypted with an ephemeral key that exists only in memory and is never written to disk. When the data is no longer required, the ephemeral key is flushed from memory, making the data impossible to retrieve. The output of a CMEK-compliant service may be stored in a CMEK-integrated service, such as Cloud Storage.
  3. Your applications can also use Cloud KMS in other ways. For example, you can explicitly encrypt application data before transmitting or storing it.

Access control with IAM🆔

You grant Identity and Access Management (IAM) roles to control who has access to Cloud KMS resources such as keys and key rings. The ability to carry out particular cryptographic operations, such as rotating a key or encrypting data, can be granted or restricted.

Before you start, you must have permission to manage Cloud KMS resources in the Google Cloud project to run these commands.

Giving roles to resources

The following command grants a role that allows access to a Cloud KMS key:

gcloud kms keys add-iam-policy-binding key \
    --keyring key-ring \
    --location location \
    --member principal-type:principal-email \
    --role roles/role

Removing a resource's access

To remove a principal's access to a Cloud KMS key:

gcloud kms keys remove-iam-policy-binding key \
    --keyring key-ring \
    --location location \
    --member principal-type:principal-email \
    --role roles/role-name

Viewing a resource's permissions

To view the IAM policy of a Cloud KMS key:

gcloud kms keys get-iam-policy key \
    --keyring key-ring \
    --location location


To adhere to the principle of least privilege, grant the most restricted set of permissions at the lowest object in the resource hierarchy.

Inheritance and hierarchy

On the project, keyring, key, import task, and other Cloud KMS resources, policy bindings can be configured.

Because keys belong to key rings and key rings belong to projects, a principal with a certain role or permission at a higher level in that hierarchy inherits the same permissions on the child resources. In other words, a user who has the owner role on a project is also an owner of all the key rings and keys in it. In the same way, if a user is given the “cloudkms.admin” role on a key ring, they have the related permissions on all the keys in that key ring.

The inverse is not true: a user who has a permission on a key but not on the parent key ring has no permissions on that key ring.
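
The inheritance rule above, as an added example that is not part of the original article: it walks a key's parents and reports broad roles that reach the key from its key ring or project. The resource-name layout is the standard Cloud KMS one; the policies, names and the choice of which roles count as "broad" are constructed for illustration.

```python
# Added example. Every project, key ring, key and member name is constructed.
COLLECTIONS = ["projects", "locations", "keyRings", "cryptoKeys", "cryptoKeyVersions"]
# Assumption: which roles count as "broad" is this example's own choice.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/cloudkms.admin"}

def policy_chain(resource):
    """Return the resources whose IAM policy applies, most specific first.
    Locations and key versions carry no policy of their own, so a key
    version resolves to key -> key ring -> project.
    """
    parts = resource.split("/")
    if (len(parts) % 2 or not all(parts)
            or parts[0::2] != COLLECTIONS[:len(parts) // 2]):
        raise ValueError(f"not a Cloud KMS resource name: {resource!r}")
    return ["/".join(parts[:n]) for n in (8, 6, 2) if len(parts) >= n]

def effective_bindings(resource, policies):
    """Map member -> {role: resource where the role was granted}."""
    result = {}
    for level in policy_chain(resource):
        for binding in policies.get(level, {}).get("bindings", []):
            for member in binding["members"]:
                result.setdefault(member, {}).setdefault(binding["role"], level)
    return result

def inherited_broad_grants(resource, policies):
    """List (member, role, granted_at) for broad roles inherited from a parent."""
    own = policy_chain(resource)[0]
    return sorted((member, role, at)
                  for member, roles in effective_bindings(resource, policies).items()
                  for role, at in roles.items()
                  if role in BROAD_ROLES and at != own)

PROJECT = "projects/demo-proj"
RING = PROJECT + "/locations/us-east1/keyRings/app-ring"
KEY = RING + "/cryptoKeys/db-key"
APP_SA = "serviceAccount:app@demo-proj.iam.gserviceaccount.com"
# Constructed policies, shaped like `get-iam-policy --format=json` output.
POLICIES = {
    PROJECT: {"bindings": [{"role": "roles/owner",
                            "members": ["user:alice@example.com"]}]},
    RING: {"bindings": [{"role": "roles/cloudkms.admin",
                         "members": ["user:bob@example.com"]}]},
    KEY: {"bindings": [{"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
                        "members": [APP_SA]}]},
}
if __name__ == "__main__":
    for member, role, at in inherited_broad_grants(KEY, POLICIES):
        print(f"{member}: {role} on {KEY} inherited from {at}")
```

The service account bound only on the key does not appear in `effective_bindings(RING, POLICIES)`, which is the "inverse is not true" case from the text.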

Cloud KMS resources⛑️

Each category of resources in Cloud KMS is covered in this section: 

  1. Keys: A Cloud KMS key is a named object that contains key and/or key version metadata. A key exists on exactly one key ring, which is tied to a specific location. You can allow or disallow access to keys using Identity and Access Management (IAM) permissions and roles. Access control cannot be set on a key version.
  2. Key versions: Every version of a key contains the key material needed for encryption or signing. A key version is represented by an integer, starting at 1. To decrypt data or verify a signature, you must use the same key version that was used to encrypt or sign it. How to find and use it is described in Retrieving a resource's ID. When a key is disabled or destroyed, all of its key versions are also disabled or destroyed. It is possible to selectively disable one key version without affecting the other key versions. For security reasons, no Google Cloud principal is allowed to inspect or export the unencrypted cryptographic key material represented by a key version. Instead, Cloud KMS accesses the key material on your behalf.
  3. Key rings: A key ring organizes keys in a specific Google Cloud location and lets you manage access control for groups of keys. The name of a key ring must be unique within a given location but need not be unique across all Google Cloud projects. A key ring cannot be deleted once it has been created. Key rings incur no storage fees.
  4. EKM connections: A Cloud KMS resource called an EKM connection manages VPC connections to your on-premises EKMs in a particular Google Cloud location. You can connect to and use keys from an external key manager via a VPC network by using an EKM connection. An EKM connection cannot be deleted once it has been created. EKM connections incur no storage fees.
  5. Retrieving a resource's ID: Some API requests and the gcloud CLI may need you to refer to a key ring, key, or key version by its resource ID, which is a string that denotes the fully-qualified CryptoKeyVersion name. The structure of resource IDs resembles that of a filesystem path. A key's resource ID also contains information about its location and key ring.
  6. Organizing resources: When deciding how to arrange the resources in your Google Cloud project, take your company's business policies into account. Also, think about how you want to control access. You can grant access to a single key, to every key on a key ring, or to every key in a project.
  7. Resource life cycles: Key rings, keys, and key versions cannot be deleted. As a result, a key version's resource identifier is guaranteed to be unique and will always point to its original key material unless that material has been destroyed. You can keep an unlimited number of key rings, enabled or disabled keys, and enabled, disabled, or destroyed key versions. Please go to Pricing and Quotas for further details.

Customer-managed encryption keys (CMEK)🔑

If you need more control over the encryption keys used to protect data at rest within a Google Cloud project, a number of Google Cloud services let you protect the data related to those services using encryption keys that the customer manages in Cloud KMS.

These keys are called customer-managed encryption keys (CMEK). When you use CMEK to protect data in Google Cloud services, you control the CMEK key.

  1. CMEK integrations: When a service supports CMEK, it is said to have a CMEK integration. Some services, like GKE, include multiple CMEK integrations for protecting different types of service-related data. As long as the service account has the required role, the service can both encrypt and decrypt its data. If the role is revoked, or if the CMEK key is disabled or destroyed, that data can no longer be accessed.
  2. CMEK compliance: Some services store data only indirectly or temporarily, as an intermediate step in a long-running operation. For this kind of workload, it is not practical to encrypt each write separately. These services can nonetheless provide CMEK compliance even when they don't offer CMEK integrations, often without any setup on your part. A CMEK-compliant service encrypts temporary data with an ephemeral key that exists only in memory and is never written to disk. When the temporary data is no longer needed, the ephemeral key is flushed from memory, making the encrypted data impossible to access even if the storage resource is still available.
  3. CMEK organization policies: To help ensure CMEK use throughout an organization's resources, Google Cloud provides two organization policy constraints. These constraints give Organization Administrators the power to mandate CMEK use and to restrict which Cloud KMS keys are used for CMEK protection. To learn more, consult the CMEK organization policies.



Frequently Asked Questions❓

What is a cloud external key manager?

Another ground-breaking function, the Cloud External Key Manager (EKM), enables customers of numerous services, including BigQuery, Compute Engine, Cloud SQL, and Google Kubernetes Engine, to encrypt data using encryption keys that are stored and controlled in a third-party key management system.

What is cloud key management?

Cloud Key Management Service is a centralized cloud service that lets you create, import, and maintain cryptographic keys and perform cryptographic operations.

What is KMS in the cloud?

Using the Cloud KMS REST API, a key can be used to encrypt, decrypt, or sign data, such as secrets. Cloud KMS is available across many locations and regions worldwide, so you can put your service wherever you want it for low latency and high availability.

What is a key management server?

To manage the whole lifecycle of cryptographic keys and safeguard them from theft or unauthorized use, key management servers (KMS) are employed. The development, use, storage, archival, and destruction of encryption keys are ultimately under the control of KMS systems and other key management technology.

What is a KMIP server?

Key Management Interoperability Protocol (KMIP) is a client/server communication protocol used to store and maintain secrets, certificates, and key objects. The Organization for the Advancement of Structured Information Standards (OASIS) oversees the standard.


This article covers everything you need to know about Cloud External Key Manager.
