What is Google Cloud External Key Manager (EKM)?
And why should I care? Everything in Google Cloud is encrypted in transit and at rest anyway...
I’ve been going through the study material in preparation to sit the Google Cloud Professional Cloud Security Engineer exam, and in it I came across a service I had not heard of before: Cloud EKM. Wtf is Cloud EKM? The TL;DR is that it’s an external key management service: it lets you use an external key provider that holds the key material for your encryption keys, should you choose to use your own keys.
Ok, but first, a bit of background.
Cloud EKM was originally launched in beta on the 17th of December 2019 (yep, that’s before COVID… just) and went GA in April the following year.
The docs page for Cloud EKM says that:
With Cloud EKM, you can use keys that you manage within a supported external key management partner to protect data within Google Cloud. You can protect data at rest in supported CMEK integration services, or by calling the Cloud Key Management Service API directly.
It also states:
In all cases, the key resides on the external system, and is never sent to Google.
Neato.
How does it work?
When using encrypted material in the cloud, your apps and services use Cloud KMS as normal, and KMS communicates with Cloud EKM to retrieve the key material from the external key manager. This means that creating or changing your keys requires changes in both KMS and EKM. Worth noting that not all services are supported by EKM, but you can see the full list here.
Here’s a diagram from the documentation of how EKM is used in connection with users and various Google Cloud services.
Things to keep in mind
Cloud EKM may be required to meet particular organisational requirements or for operational reasons. However, it’s not something I would recommend using if you don’t need to, as there are better, more fully featured options. With that said, if you DO need to use an external service, first make sure the service is supported, and if it is, keep in mind that there’s some operational overhead you’ll need to take on. For example:
Automatic rotation is not supported; rotating a key requires changing things in two places (KMS and the external key manager).
Operations on EKM keys are restricted to specific quotas. At launch I believe this was 10 queries per second (QPS), but I saw somewhere that this was increased to 100 QPS.
Both asymmetric and symmetric keys are subject to restrictions on the supported algorithms, which are listed in the docs, so I’d recommend checking there for what you might be restricted by.
If you’re intending to use EKM via a VPC, double check the regional locations supported for KMS.
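To make the “two places” point concrete, here is a small runbook script for creating and manually rotating an EKM-backed key. This is an added example, not code from the post or from Google; it uses the documented gcloud flags for external keys (--protection-level external, --skip-initial-version-creation, --external-key-uri), while the location, key ring, key name and external key URI are placeholders you supply. The DRY_RUN switch, the helper names, and the describe field path are my own assumptions so the script can be read and checked without a project.

```shell
#!/bin/sh
# Added example (not from the original post): the KMS-side half of managing a
# Cloud EKM-backed key. The EKM-side half (creating the key in the external key
# manager) happens in the partner's console or API and is outside this script.
# Set DRY_RUN=1 to print the commands instead of executing them.
set -eu

LOCATION="${LOCATION:-us-east1}"   # placeholder: must be a location where Cloud EKM is offered
KEY_RING="${KEY_RING:-ekm-ring}"   # placeholder key ring
KEY="${KEY:-ekm-key}"              # placeholder key name

# Run a command, or just print it when DRY_RUN is set (assumed helper).
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1 (KMS side): create the key with the EXTERNAL protection level but no
# initial version, because a version cannot exist until the key exists in the
# external key manager and you know its URI.
create_ekm_key() {
  run gcloud kms keys create "$KEY" \
    --keyring "$KEY_RING" --location "$LOCATION" \
    --purpose encryption \
    --protection-level external \
    --default-algorithm external-symmetric-encryption \
    --skip-initial-version-creation
}

# Step 2 (EKM side, outside this script): create the key in the external key
# manager and copy the URI it exposes for that key.
# Step 3 (KMS side): bind a new primary version to that external key URI.
add_ekm_version() {
  ext_uri="$1"   # URI handed out by the external key manager (placeholder input)
  run gcloud kms keys versions create \
    --key "$KEY" --keyring "$KEY_RING" --location "$LOCATION" \
    --external-key-uri "$ext_uri" \
    --primary
}

# Manual rotation is simply steps 2 and 3 again: a new key in the external
# manager, then a new primary version in KMS pointing at it. Nothing here
# rotates on its own, which is the operational overhead the post warns about.
rotate_ekm_key() {
  add_ekm_version "$1"
}

# Sanity check before rollout: confirm the primary version carries the
# external URI you expect (field path assumed from the CryptoKeyVersion resource).
describe_primary() {
  run gcloud kms keys describe "$KEY" \
    --keyring "$KEY_RING" --location "$LOCATION" \
    --format 'value(primary.name,primary.externalProtectionLevelOptions.externalKeyUri)'
}
```

Usage: source the file, call create_ekm_key once, then add_ekm_version with the URI from your external key manager; for each later rotation, create the new external key first and call rotate_ekm_key with its URI, then run describe_primary to verify the binding.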
Conclusion
There you go. A short and sweet blog post, but nonetheless useful if you didn’t know what Cloud EKM was; now you do! It’s one of those services that doesn’t get much attention since it solves specific enterprisey use cases, but it’s a useful tool to know about and keep in the toolbelt!