This chapter covers Cloud KMS and Customer-Managed Encryption Keys (CMEK), a critical security control for data at rest in Google Cloud. The ACE exam tests your ability to choose between Google-managed, CMEK, and CSEK (Customer-Supplied Encryption Keys), and to configure key rotation, IAM permissions, and key destruction safely. Expect 5–8% of exam questions to touch key management, often as part of a larger scenario about compliance or data protection.
Jump to a section
Imagine a bank with a massive vault. Customers can rent safety deposit boxes. Each box has a unique key (the Customer-Managed Key, or CMK). The bank’s security system (Cloud KMS) manages access to the vault, but it does not have a copy of the box keys. When a customer wants to store a document, they bring their own key, lock the box, and leave. The bank cannot open the box without the key. Later, the customer returns, presents their key, and the bank uses its vault-access system to let them open the box. The bank’s system logs every access attempt (audit logs), and can enforce rules like “only allow access from within the bank’s lobby during business hours” (IAM conditions). If the customer loses the key, the bank cannot help—the box becomes permanently inaccessible. This mirrors Cloud KMS: Google Cloud manages the infrastructure (the vault) but never has access to your key material if you use Customer-Managed Encryption Keys (CMEK). You control the key lifecycle (rotation, disable, destroy) and grant access via IAM. The key itself is stored in Cloud KMS, but only your service accounts or authorized users can call the KMS API to encrypt/decrypt data. The analogy breaks if you use Cloud-HSM (hardware security module) where Google holds a master key—but for CMEK, the customer retains ultimate control.
What is Cloud KMS and Why Does It Exist?
Cloud Key Management Service (Cloud KMS) is a Google Cloud service for managing cryptographic keys for your cloud services. It allows you to create, import, rotate, and destroy keys, and use them to encrypt/decrypt data at rest across Google Cloud products like Cloud Storage, BigQuery, Compute Engine (persistent disks), and Cloud SQL. The primary reason Cloud KMS exists is to give customers control over their encryption keys, enabling compliance with regulations (e.g., HIPAA, PCI-DSS, FedRAMP) that require the customer to manage keys, not the cloud provider.
Google Cloud offers three tiers of key management: - Google-managed encryption keys: Default. Google creates and manages keys. No customer control. - Customer-managed encryption keys (CMEK): You create and manage keys in Cloud KMS. Google uses your key to encrypt data, but you control lifecycle and access. - Customer-supplied encryption keys (CSEK): You bring your own key material (e.g., from an on-premises HSM) and pass it with each API call. Google never stores your key. Only supported for Cloud Storage and Compute Engine.
The ACE exam focuses heavily on CMEK because it is the most common enterprise configuration.
How Cloud KMS Works Internally
When you enable CMEK on a Google Cloud resource (e.g., a Cloud Storage bucket), the following happens:
Key creation: You create a key ring and a cryptographic key in Cloud KMS. The key ring is a logical grouping, and the key itself is a named object with a specific algorithm (e.g., AES-256, RSA 2048). The key material is generated inside Google's FIPS 140-2 Level 3 validated HSMs (or software-backed for lower security).
IAM permissions: You grant the Cloud Storage service account (or other resource's service account) the Cloud KMS CryptoKey Encrypter/Decrypter role. This allows the service to call the KMS API to encrypt/decrypt using your key.
Encryption on write: When data is written to a CMEK-protected resource, the resource's service account calls Cloud KMS with a request to generate a data encryption key (DEK). Cloud KMS returns a DEK encrypted with your key (the key encryption key, or KEK). The service uses the plaintext DEK to encrypt the data, then discards the DEK. Only the encrypted DEK is stored alongside the data.
Decryption on read: When reading data, the service sends the encrypted DEK to Cloud KMS, which decrypts it using your KEK (assuming proper IAM permissions). The service then uses the plaintext DEK to decrypt the data.
This envelope encryption ensures that your KEK never leaves Cloud KMS, and the service never has access to the KEK in plaintext.
Key Components, Values, Defaults, and Timers
- Key rings: Regional or multi-regional (e.g., global, us-central1). Key rings cannot be moved or renamed after creation.
- Key types:
- Symmetric: AES-256 (default). Used for most Google Cloud services.
- Asymmetric: RSA 2048/3072/4096 or EC P-256/P-384. Used for signing or encrypting outside of Google Cloud.
- Key rotation: Automatic rotation period can be set from 1 day to 100 years (default is 90 days). Manual rotation is immediate.
- Key states: Enabled, Disabled, Scheduled for destruction (with a 24-hour cancellation window), Destroyed.
- Key versions: Each rotation creates a new version. Old versions are retained until destroyed. The primary version is used for encryption; decryption uses the version that encrypted the data.
- Import: You can import your own key material using gcloud kms import-job and then gcloud kms keys versions import. The key material must be wrapped using a Google-provided import method.
- Audit logging: All KMS API calls are logged to Cloud Audit Logs. You can monitor for unauthorized access attempts.
Configuration and Verification Commands
Creating a key ring and key:
gcloud kms keyrings create my-keyring --location global
gcloud kms keys create my-key --location global --keyring my-keyring --purpose encryption --rotation-period 90d --next-rotation-time 2025-01-01T00:00:00ZGranting IAM to a service account:
gcloud kms keys add-iam-policy-binding my-key --location global --keyring my-keyring --member serviceAccount:service-<PROJECT_NUMBER>@gs-project-accounts.iam.gserviceaccount.com --role roles/cloudkms.cryptoKeyEncrypterDecrypterVerifying key state:
gcloud kms keys list --location global --keyring my-keyring
gcloud kms keys describe my-key --location global --keyring my-keyringEnabling CMEK on a Cloud Storage bucket:
gsutil mb -p my-project -c STANDARD -l US-EAST1 -b on gs://my-bucket
gsutil kms authorize -k projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key
gsutil kms encryption -k projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key gs://my-bucketInteraction with Related Technologies
Cloud HSM: A Cloud HSM cluster can be used as a backing for Cloud KMS keys. This provides FIPS 140-2 Level 3 validated hardware protection. Keys created with --protection-level hsm are stored in HSMs.
Cloud External Key Manager (EKM): Allows you to manage keys in an external key management system (e.g., on-premises HSM) and use them with Google Cloud. Cloud KMS acts as a proxy.
IAM Conditions: You can restrict KMS key usage based on attributes like time, IP address, or resource tags. For example, only allow decryption during business hours.
VPC Service Controls: Can restrict access to KMS keys from within a VPC service perimeter, preventing data exfiltration.
Cloud Audit Logs: All key management operations are logged. You can set up alerts for key destruction or unauthorized access.
Key Lifecycle Considerations
Key destruction: Deleting a key is irreversible. Data encrypted with that key becomes permanently inaccessible. Therefore, Google enforces a 24-hour delay (scheduled destruction) during which you can cancel.
Key rotation: Rotating a key does not re-encrypt existing data. The old key version remains available for decryption. New data uses the new primary version.
Multi-regional keys: Key rings can be multi-regional (e.g., us, eu), but the key material is replicated only within that region. For global keys, use location=global.
Exam Tips
Know the difference between CMEK and CSEK: CMEK keys are stored in Cloud KMS; CSEK keys are provided by the customer per API call and never stored.
Remember that CSEK is only supported for Cloud Storage and Compute Engine.
Understand that disabling a key blocks all encryption/decryption operations for resources using that key. This is a common exam scenario for incident response.
Be aware that key rings are regional; you cannot change the location after creation.
The default rotation period is 90 days.
Create a Key Ring
Use the gcloud command to create a key ring in a specific location. Example: `gcloud kms keyrings create my-keyring --location global`. The key ring is a container for keys. Location can be regional (e.g., us-central1) or global. Key rings cannot be renamed or moved. The ACE exam may ask about location restrictions.
Create a Crypto Key
Create a key within the key ring with a specific purpose (encryption, signing, etc.) and rotation period. Example: `gcloud kms keys create my-key --location global --keyring my-keyring --purpose encryption --rotation-period 90d`. The purpose determines the algorithm. Symmetric keys use AES-256. Asymmetric keys use RSA or EC. Default rotation is 90 days.
Grant IAM Permissions to Service Account
Grant the service account of the resource (e.g., Cloud Storage, Compute Engine) the role `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key. Example: `gcloud kms keys add-iam-policy-binding my-key --location global --keyring my-keyring --member serviceAccount:service-<PROJECT_NUMBER>@gs-project-accounts.iam.gserviceaccount.com --role roles/cloudkms.cryptoKeyEncrypterDecrypter`. Without this, the resource cannot use the key.
Enable CMEK on the Resource
Configure the resource to use the CMEK. For Cloud Storage, use `gsutil kms authorize` and `gsutil kms encryption`. For Compute Engine, specify the key when creating a persistent disk: `--kms-key projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key`. The resource will now use envelope encryption with your key.
Rotate the Key (Optional)
Manual rotation: `gcloud kms keys rotate my-key --location global --keyring my-keyring`. Automatic rotation happens based on the period set. Rotation creates a new key version. Old versions remain for decryption. The ACE exam tests that rotation does not re-encrypt existing data.
Scenario 1: Healthcare Compliance with HIPAA
A hospital migrating patient records to Cloud Storage must ensure that encryption keys are managed by their own security team. They use CMEK with a key ring in us-central1 to meet data residency requirements. The key is rotated every 30 days (shorter than the default 90). The hospital grants the Cloud Storage service account the Encrypter/Decrypter role. They also set up Cloud Audit Logs to monitor any decryption requests outside business hours. A common pitfall: they initially created the key ring in the wrong region and had to delete and recreate it, causing a delay. Performance is negligible because envelope encryption adds minimal overhead (sub-millisecond KMS API calls). If the key is accidentally disabled, all access to the bucket fails until re-enabled.
Scenario 2: Multi-Tenant SaaS Platform
A SaaS company uses BigQuery with CMEK to isolate customer data. Each customer gets a separate key in a key ring. The key is used to encrypt a BigQuery dataset. IAM conditions restrict decryption to only the customer's service account. This ensures that even Google engineers cannot access the data. The company uses automatic rotation (90 days) to comply with PCI-DSS. A common issue: when a customer leaves, they must schedule key destruction. They set a 30-day delay (the maximum allowed is 30 days? Actually, the delay is 24 hours for destruction, but they can use a retention policy on the key ring). They learned that destroying a key immediately makes data inaccessible, so they first copy the data to a new dataset with a new key.
Scenario 3: Financial Services with External HSM
A bank uses Cloud EKM to integrate with their on-premises HSM. They create an external key in Cloud KMS that points to their HSM. The bank retains full control over the key material. This satisfies regulations that require keys to never leave the bank's premises. However, they must ensure network connectivity between Google Cloud and their HSM. If the connection drops, all crypto operations fail. They have a redundant HSM setup to avoid downtime. The ACE exam may test that EKM is a separate product from CMEK and requires additional setup.
What the ACE Exam Tests (Objective 5.2)
The exam focuses on:
Differentiating between Google-managed, CMEK, and CSEK.
Understanding key lifecycle operations (create, rotate, disable, destroy).
Knowing which services support CMEK (most, but not all; e.g., Cloud SQL supports CMEK for newly created instances, but not for existing ones).
IAM roles for KMS: Encrypter/Decrypter, Viewer, Admin.
The 24-hour delay for key destruction.
The default rotation period (90 days).
That CSEK is only for Cloud Storage and Compute Engine.
Common Wrong Answers
'CSEK keys are stored in Cloud KMS.' Wrong. CSEK keys are provided by the customer per API call and never stored. The exam often describes a scenario where a customer wants to manage their own keys but does not want Google to store them; the correct answer is CSEK, not CMEK.
'Rotating a key re-encrypts existing data.' Wrong. Rotation creates a new version; old data remains encrypted with the old version. The exam may ask about the impact of rotation on existing data.
'Disabling a key only affects new data writes.' Wrong. Disabling a key prevents both encryption and decryption, so reads also fail. The exam tests this in a scenario where a key is disabled accidentally.
'Key rings can be moved between regions.' Wrong. Key rings are location-bound and cannot be moved. You must delete and recreate.
Specific Numbers and Terms
24-hour delay for key destruction.
90-day default rotation period.
AES-256 for symmetric keys.
FIPS 140-2 Level 3 for Cloud HSM.
Envelope encryption is the mechanism used.
Edge Cases
If you destroy a key, data is permanently inaccessible. No recovery.
If you import a key, you must provide the key material in a wrapped format.
Cloud KMS keys can be used to encrypt data outside Google Cloud (asymmetric keys).
Eliminating Wrong Answers
If the question mentions 'customer provides the key with each request', it's CSEK.
If the question mentions 'customer manages the key in Google Cloud', it's CMEK.
If the question mentions 'key stored in an external HSM', it's Cloud EKM.
If the question asks about 'default encryption', it's Google-managed.
CMEK gives you control over encryption keys in Cloud KMS; CSEK requires you to supply keys per API call and is only for Cloud Storage and Compute Engine.
Key rings are regional; cannot be moved after creation.
Default key rotation period is 90 days.
Key destruction has a 24-hour delay to allow cancellation.
Disabling a key blocks both encryption and decryption.
Rotating a key does not re-encrypt existing data.
Use IAM role 'roles/cloudkms.cryptoKeyEncrypterDecrypter' for services that need to use the key.
Cloud HSM provides FIPS 140-2 Level 3 protection for CMEK keys.
These come up on the exam all the time. Here's how to tell them apart.
Google-managed keys
Google creates and manages keys.
No customer control over key lifecycle.
No additional cost.
Default for all services.
Cannot meet compliance that requires customer control.
Customer-managed keys (CMEK)
Customer creates and manages keys in Cloud KMS.
Full control: rotate, disable, destroy.
Cost per key version and API operations.
Must grant IAM to service accounts.
Supports compliance requirements like HIPAA.
Customer-managed keys (CMEK)
Keys stored in Cloud KMS.
Google manages the infrastructure.
Key material never leaves Google Cloud.
Supported by most services.
Automatic rotation available.
Customer-supplied keys (CSEK)
Keys provided by customer per API call.
Google never stores the key.
Key material must be supplied with each request.
Only supported for Cloud Storage and Compute Engine.
No automatic rotation; customer manages key outside.
Mistake
CMEK keys are stored in the customer's on-premises HSM.
Correct
CMEK keys are stored in Cloud KMS, which may be backed by Google's HSMs (software or hardware). For on-premises key storage, use Cloud External Key Manager (EKM).
Mistake
Rotating a key automatically re-encrypts all existing data.
Correct
Rotation creates a new key version. Existing data remains encrypted with the old version. New data uses the new version. Old versions remain available for decryption until destroyed.
Mistake
Disabling a key only prevents new encryption, but existing data can still be read.
Correct
Disabling a key prevents both encryption and decryption. Any read operation that requires decryption will fail. This is a common exam trap.
Mistake
Key rings can be moved between locations after creation.
Correct
Key rings are location-bound. You cannot change the location after creation. You must delete the key ring and recreate it in the correct location.
Mistake
CSEK keys are supported for all Google Cloud services.
Correct
CSEK is only supported for Cloud Storage and Compute Engine. For other services like BigQuery or Cloud SQL, you must use CMEK or Google-managed keys.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
CMEK (Customer-Managed Encryption Keys) are keys you create and manage in Cloud KMS. Google stores the key material but you control lifecycle. CSEK (Customer-Supplied Encryption Keys) are keys you provide with each API call; Google never stores them. CSEK is only supported for Cloud Storage and Compute Engine. The exam tests this distinction in scenarios where a customer wants no Google access to keys.
Yes, Cloud SQL supports CMEK for newly created instances. You must specify the key at creation time. Existing instances cannot be retroactively encrypted with CMEK. The key must be in the same region as the Cloud SQL instance.
Disabling a key prevents all encryption and decryption operations for resources using that key. Any attempt to read or write data will fail. This is often used in incident response to stop data access. You can re-enable the key later.
Rotation creates a new key version that becomes the primary for encryption. Existing data remains encrypted with the old version; decryption still works using that version. Old versions are retained until destroyed. Use `gcloud kms keys rotate` for manual rotation.
Yes, you can import symmetric or asymmetric keys using import jobs. The key material must be wrapped using a Google-provided wrapping key. After import, you can use the key like any other CMEK key. This is useful for migrating existing keys.
Cloud KMS charges per key version per month (e.g., $0.06 per key version for symmetric keys) and per operation (e.g., $0.03 per 10,000 cryptographic operations). There is no charge for Google-managed keys. The exam may ask about cost implications.
Yes, you can set a rotation period (1 day to 100 years, default 90 days). Automatic rotation creates a new key version periodically. You can also rotate manually at any time.
You've just covered Cloud KMS and Customer-Managed Keys — now see how well it sticks with free ACE practice questions. Full explanations included, no account needed.
Done with this chapter?