Skip to main content
DE / EN
Cloud / Google Cloud / Products / Cloud EKM - External Key Manager

Cloud EKM - External Key Manager

Cloud EKM enables the use of encryption keys from external key management systems in Google Cloud.

Security
Get Expert Support Documentation
Pricing Model Pay-per-use
Availability Global with EU regions
Data Sovereignty Keys outside Google
Reliability 99.9% SLA

What is Cloud External Key Manager?

Cloud External Key Manager (EKM) enables the use of encryption keys from external key management systems. The keys never leave your own infrastructure. Google Cloud accesses the external key manager at runtime.

Core Features

  • External key storage: Keys remain in your own HSM
  • Transparent encryption: Integration with CMEK-enabled GCP services
  • Key Access Justifications: Logs show why keys were accessed
  • Partner ecosystem: Certified integrations with leading HSM providers
  • VPC-SC integration: Additional protection through Service Perimeter

Common Use Cases

Regulatory Compliance

Industries like financial services or healthcare often require encryption keys to be stored outside the cloud provider.

Key Sovereignty

Companies retain complete control over keys. Revoking access makes cloud data immediately inaccessible.

Zero-Trust Security

EKM as part of a zero-trust architecture. Google has no access to unencrypted data without explicit key access.

Benefits

  • Complete control over encryption keys
  • Keys never in Google infrastructure
  • Audit trail for all key accesses
  • Meets strict compliance requirements

Note

Cloud EKM requires an external key manager from a certified partner. The additional latency from external calls should be considered for time-critical workloads.

Integration with innFactory

As a Google Cloud Partner, innFactory supports you with Cloud EKM: architecture, partner selection, integration, and compliance consulting.

Available Tiers & Options

Recommended

Standard

Strengths
  • Keys outside Google infrastructure
  • Regulatory compliance
  • Customer key control
Considerations
  • Additional latency
  • External HSM required

Typical Use Cases

External key management
Bring your own key
Key sovereignty
Compliance

Technical Specifications

API RESTful API and client libraries
Integration Native Google Cloud integration
Security External HSM integration

Frequently Asked Questions

What is Cloud External Key Manager?

Cloud EKM enables the use of encryption keys stored in external HSM systems for encrypting GCP data.

Which external key managers are supported?

Cloud EKM supports Thales CipherTrust Manager, Fortanix DSM, Equinix SmartKey, and other certified partners.

Why should I use Cloud EKM?

EKM is for scenarios where keys must be stored outside of Google. Typical reasons are regulatory requirements or key sovereignty.

What happens if the external key manager is unreachable?

Without access to the external key manager, encrypted data cannot be decrypted. High availability of the external HSM is critical.

How does EKM differ from Cloud HSM?

With Cloud HSM, keys are in Google-managed HSMs. With EKM, keys remain entirely outside Google in your own HSM.

Quick Links

Documentation Pricing Console

Google Cloud Partner

innFactory is a certified Google Cloud Partner. We provide expert consulting, implementation, and managed services.

Google Cloud Partner

Similar Products from Other Clouds

Other cloud providers offer comparable services in this category. As a multi-cloud partner, we help you choose the right solution.

AWS

Amazon Cognito: User Authentication

Amazon Cognito provides user authentication and identity management for web and mobile apps.

Pricing Pay per monthly active user
SLA 99.9% availability
Compare →
AWS

Amazon Detective - Security Analysis

Amazon Detective analyzes security data and assists with investigating security incidents in AWS environments.

Pricing Pay per GB ingested
SLA N/A
Compare →
AWS

Amazon GuardDuty - Threat Detection

Amazon GuardDuty detects threats in AWS accounts through continuous analysis of CloudTrail, VPC Flow Logs, and DNS.

Pricing Pay for events analyzed
SLA N/A
Compare →
AWS

Amazon Inspector - Vulnerability Scanning

Amazon Inspector automatically finds security vulnerabilities in EC2, Lambda and container images. Continuous …

Pricing Pay per instance assessment
SLA N/A
Compare →
AWS

Amazon Macie - Data Privacy Discovery

Amazon Macie automatically finds sensitive data like PII in S3 buckets using machine learning and pattern matching.

Pricing Pay per GB scanned
SLA N/A
Compare →
AWS

AWS Artifact - Compliance Documentation

AWS Artifact provides on-demand access to AWS compliance reports and security documentation.

Pricing No charge
SLA N/A
Compare →

28 comparable products found across other clouds.

Ready to start with Cloud EKM - External Key Manager?

Our certified Google Cloud experts help you with architecture, integration, and optimization.

Schedule Consultation