Security
Cloud KMS & CMEK: key management and customer-managed encryption
AWS equivalent: AWS KMS / CloudHSM
AWS → GCP: Key Differences
- Cloud KMS ≈ AWS KMS. Both are managed key management services.
- Cloud HSM ≈ CloudHSM. FIPS 140-2 Level 3 validated hardware.
- Cloud EKM (External Key Manager): store keys in a third-party HSM outside GCP — unique to GCP for specific compliance needs.
Key Concepts to Know
1. Default encryption: ALL data in GCP is encrypted at rest by default using Google-managed keys. Free.
2. CMEK: use Cloud KMS keys instead. You can rotate, disable, or destroy keys.
3. CMEK supported by: GCS, BigQuery, Compute Engine disks, Cloud SQL, GKE, and more.
4. Secret Manager: store API keys, passwords, database credentials. Versioned, audited, IAM-controlled.
DCE Interview Tips
- Three-tier answer: 1) Default encryption is already on. 2) CMEK if you want to control and revoke keys. 3) Cloud HSM or EKM if keys must never be in Google's custody.
- 'With CMEK, if we ever need to terminate our GCP contract, we destroy the keys and the data becomes permanently inaccessible — including to Google.'
Common Gotchas
- Destroying an encryption key destroys access to ALL data encrypted with it — irreversible.
- CMEK adds latency to API calls.
- Cloud KMS costs per key version per month + per cryptographic operation.