Cloud KMS now supports key encapsulation mechanisms (KEMs) for sharing secrets in Preview. KEMs are designed to be resistant to post-quantum attacks. You can use the following KEM algorithms:
ML_KEM_768
ML_KEM_1024
KEM_XWING
For more information about key encapsulation mechanisms, see Key encapsulation mechanisms. To learn how to use key encapsulation mechanisms to share secrets, see Encapsulate and decapsulate using KEMs.

Cloud HSM for Google Workspace now lets you use Cloud HSM keys for client-side encryption (CSE) to protect sensitive workloads in Google Workspace. For more information about Cloud HSM for Google Workspace, including how to get started, see Onboard to Cloud HSM for Google Workspace.

To help you get the right Cloud KMS keys on demand, consistently aligned with recommended encryption practices, Cloud KMS Autokey now has a free tier. The free tier covers the following usage:
The free tier applies only to keys created using Cloud KMS Autokey. Key administration operations, including key rotation, are always free. For more details, see Cloud Key Management Service pricing.

Cloud KMS is available in the following region:
europe-north2
For more information, see Cloud KMS locations.

Cloud KMS now supports the following post-quantum computing (PQC) algorithms for digital signatures in Public Preview:
PQ_SIGN_ML_DSA_65: Module-lattice-based digital signature algorithm
PQ_SIGN_SLH_DSA_SHA2_128S: Stateless hash-based digital signature algorithm
To retrieve a public key for a PQC key, you must use the gcloud CLI or the Cloud KMS REST API:
With the gcloud CLI, use the --public-key-format nist-pqc flag.
With the REST API, use the public_key_format=NIST_PQC header parameter.
For more information about PQC algorithms, see PQC signing algorithms. For more information about PQC digital signatures, see Post-quantum cryptography (PQC) digital signature.

Cloud KMS is available in the following region:
northamerica-south1
For more information, see Cloud KMS locations.

You can now use custom constraints with Organization Policy to provide more granular control over specific fields for some Cloud KMS resources. For more information, see Create custom organization policy constraints for Cloud KMS.

Cloud KMS with Autokey is now in General Availability for Cloud Storage, Compute Engine, BigQuery, Secret Manager, Cloud SQL, and Spanner.
Autokey simplifies creating and using customer-managed encryption keys (CMEKs) by automating provisioning and assignment. With Autokey, key rings, keys, and service accounts don't need to be planned and provisioned before they're needed. Instead, Autokey generates keys on demand as resources are created.
Using keys generated by Autokey can help you consistently align with industry standards and recommended practices for data security, including the HSM protection level, separation of duties, key rotation, location, and key specificity. Keys requested using Autokey function identically to other Cloud HSM keys with the same settings. For more information, see Autokey overview.

As previously announced, Cloud KMS has changed the default duration of the scheduled for destruction period from 24 hours to 30 days.
As of February 1, 2024, newly created CryptoKeys use the new default duration of 30 days, unless a different duration is specified during key creation. For more information about key destruction, see Destroy and restore key versions.
Owners of existing CryptoKeys that had used the default duration were given until May 1, 2024 to opt out from automatically updating those keys to use the new default duration. Existing CryptoKeys that were not opted out have been updated to use the new default duration of 30 days. No further action is required from you.
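As an added example (not Google's own code), here is a small audit script in the spirit of the change above: it reads the JSON that `gcloud kms keys list --format=json` emits and flags keys whose destroyScheduledDuration is shorter than a chosen minimum. The 30-day minimum, the presence of that field in the listing, and the sample listing itself are assumptions constructed for the example.

```python
"""Audit Cloud KMS keys for a short scheduled-for-destruction window.

Added example, not Google's code. It parses the JSON produced by
`gcloud kms keys list --format=json` (field names per the CryptoKey
resource) and reports keys whose destroy window is below a minimum.
"""
import json
import re

# Policy minimum: the new 30-day default (assumption for this example).
MIN_DESTROY_WINDOW_SECONDS = 30 * 24 * 3600

# Constructed sample in the shape of `gcloud kms keys list --format=json`.
SAMPLE_KEYS_JSON = """
[
  {"name": "projects/p/locations/us/keyRings/r/cryptoKeys/legacy-key",
   "destroyScheduledDuration": "86400s"},
  {"name": "projects/p/locations/us/keyRings/r/cryptoKeys/new-key",
   "destroyScheduledDuration": "2592000s"},
  {"name": "projects/p/locations/us/keyRings/r/cryptoKeys/custom-key",
   "destroyScheduledDuration": "7200s"},
  {"name": "projects/p/locations/us/keyRings/r/cryptoKeys/no-field-key"}
]
"""


def parse_duration_seconds(value):
    """Parse a protobuf JSON Duration string such as '2592000s' or '1.5s'."""
    match = re.fullmatch(r"(\d+(?:\.\d+)?)s", value)
    if not match:
        raise ValueError(f"unexpected duration format: {value!r}")
    return float(match.group(1))


def find_short_destroy_windows(keys_json, minimum=MIN_DESTROY_WINDOW_SECONDS):
    """Return names of keys whose destroy window is shorter than `minimum`.

    A key with no destroyScheduledDuration field is reported as well, since
    the listing then gives no evidence of which default applied to it.
    """
    flagged = []
    for key in json.loads(keys_json):
        raw = key.get("destroyScheduledDuration")
        if raw is None or parse_duration_seconds(raw) < minimum:
            flagged.append(key["name"])
    return flagged


if __name__ == "__main__":
    for name in find_short_destroy_windows(SAMPLE_KEYS_JSON):
        print("short destroy window:", name)
```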

Cloud KMS with Autokey is now in Preview for Cloud Storage, Compute Engine, BigQuery, and Secret Manager.
Autokey simplifies creating and using customer-managed encryption keys (CMEKs) by automating provisioning and assignment. With Autokey, key rings, keys, and service accounts don't need to be planned and provisioned before they're needed. Instead, Autokey generates keys on demand as resources are created.
Using keys generated by Autokey can help you consistently align with industry standards and recommended practices for data security, including the HSM protection level, separation of duties, key rotation, location, and key specificity. Keys requested using Autokey function identically to other Cloud HSM keys with the same settings.
For more information, see Autokey overview.
Cloud KMS has two new organization policy constraints that you can use to control key version destruction. These constraints became available on November 1, 2023.
For more information, see Control key version destruction.

Cloud KMS now supports asymmetric signing and validation using ECDSA on the Curve25519 in PureEdDSA mode, which takes raw data as input instead of hashed data.
For more information on this and other algorithms supported by Cloud KMS, see Key purposes and algorithms.

Bare Metal Rack HSM is generally available for customers with specific business and technical requirements in limited regions.
Bare Metal Rack HSM is an infrastructure-as-a-service offering that lets you deploy large numbers of customer-owned hardware security modules (HSMs) in PCI-compliant facilities next to your Google Cloud workloads. This product helps to accelerate migration of your payment applications to Google Cloud.
For more information, including to compare Bare Metal Rack HSM with Bare Metal HSM, see Bare Metal Rack HSM.

Certificate bundles for verifying attestations for Cloud HSM keys are deprecated. You can no longer download certificate bundles as of March 20, 2024.
Certificate bundles have been replaced by certificate chains. To learn how to use certificate chains to verify attestations for Cloud HSM keys, see Verifying the attestation manually.

Cloud KMS is available in the following region:
africa-south1
For more information, see Cloud KMS locations.

Bare Metal HSM is generally available for customers with specific business and technical requirements in limited regions.
Bare Metal HSM is an infrastructure-as-a-service offering that lets you deploy customer-owned hardware security modules (HSMs) in PCI-compliant facilities next to your Google Cloud workloads. This product helps to accelerate migration of your payment applications to Google Cloud.
For more information, see Bare Metal HSM.

Cloud KMS is available in the following region:
me-central2
For more information, see Cloud KMS locations.

Cloud KMS is available in the following region:
europe-west10
For more information, see Cloud KMS locations.

The Key Usage dashboard in the Google Cloud console and the new KMS Inventory REST API are now generally available.
For more information about the Key Usage dashboard, see View key usage.
For more information about the KMS Inventory REST API, see KMS Inventory API.
For example curl commands using the KMS Inventory REST API, see View key usage and View keys by project.

Cloud HSM resources are now available in the following regions:
europe-west12
me-central1
For information about which locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, see Cloud KMS locations.

Cloud KMS is available in the following region:
me-central1
For more information, see Cloud KMS locations.

Cloud EKM now supports coordinated external keys.
Coordinated external keys let you create and manage keys in a compatible external key management system from Cloud KMS over a VPC network. For more information, see EKM key management from Cloud KMS.
Thales CipherTrust Cloud Key Manager is the first external key management partner system that is compatible with EKM key management from Cloud KMS.

Cloud KMS is available in the following region:
europe-west12
For more information, see Cloud KMS locations.

Cloud KMS and Cloud EKM resources are available in the in (India) multi-regional location. Cloud HSM resources are not available in this location.
For information about which Google Cloud Locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, see Cloud KMS Locations.

The Key Usage dashboard in the Google Cloud console and the new KMS Inventory REST API are now in Preview.
For more information about the Key Usage dashboard, see View key usage.
For more information about the KMS Inventory REST API, see KMS Inventory API.
For example curl commands using the KMS Inventory REST API, see View key usage and View keys by project.

Cloud HSM resources are now available in the following regions:
europe-southwest1
europe-west9
me-west1
For information about which locations are supported by Cloud KMS, Cloud HSM, and Cloud EKM, see Cloud KMS locations.

Cloud KMS is available in the following region:
me-west1
For more information, see Cloud KMS locations.

Customers enrolled in Key Access Justifications will now see justifications listed in Cloud Audit Logs for Cloud KMS.

Cloud EKM now supports Dataproc Metastore. For more information, see Cloud External Key Manager.

Cloud KMS is available in the following region:
us-south1
For more information, see Cloud KMS locations.

Cloud KMS is available in the following region:
us-east5
For more information, see Cloud KMS locations.