How does Google Cloud’s External Key Manager work?

Google EKM extends the envelope encryption scheme to allow the Key Encryption Key (KEK) to be encrypted using an externally managed Key Encryption Key (EKEK).

First, the data is encrypted using a local Data Encryption Key (DEK) stored with the data. The DEK is then encrypted using a Key Encryption Key (KEK) stored separately in Cloud Key Management System (KMS) or Cloud Hardware Security Module (HSM).
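
The key chain described above, as an added example that is not Google's implementation or code from the original page: a simplified model in which AES-256-GCM from Node's built-in `crypto` module stands in for every wrapping step. The function names and the in-process handling of the EKEK are assumptions made for illustration; the point is that the stored envelope cannot be opened without the EKEK.

```javascript
// Added example: simplified model of the DEK -> KEK -> EKEK chain; all names are illustrative.
const { createCipheriv, createDecipheriv, randomBytes } = require('crypto');

// seal: AES-256-GCM under `key`; returns nonce (12) || tag (16) || ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// open: reverses seal; throws on a wrong key or a modified blob.
function open(key, blob) {
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// encrypt: the DEK encrypts the data, the KEK wraps the DEK, the EKEK wraps the KEK.
function encrypt(ekek, plaintext) {
  const [dek, kek] = [randomBytes(32), randomBytes(32)];
  return {
    data: seal(dek, plaintext),
    wrappedDek: seal(kek, dek),
    wrappedKek: seal(ekek, kek),
  };
}

// decrypt: unwrap in reverse order; each step needs the key from the previous one.
function decrypt(ekek, envelope) {
  const kek = open(ekek, envelope.wrappedKek);
  const dek = open(kek, envelope.wrappedDek);
  return open(dek, envelope.data);
}

// canDecrypt: false when `ekek` is not the key that wrapped the KEK.
function canDecrypt(ekek, envelope) {
  try {
    decrypt(ekek, envelope);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample values; the EKEK is held in-process only for this model (assumption).
const sampleEkek = randomBytes(32);
const sampleEnvelope = encrypt(sampleEkek, Buffer.from('constructed sample record'));
console.log(decrypt(sampleEkek, sampleEnvelope).toString(), canDecrypt(randomBytes(32), sampleEnvelope));
```
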

Services running on GCP, such as BigQuery and GCE, can currently use an encryption key hosted by Google Cloud KMS or Cloud HSM to secure their data at rest.
