How Does Google's Cryptographic Key Management Service Work?

by Nancy J. Chavira, Hacker Noon

Google Cloud Key Management Service, or Cloud KMS, is a cloud service that manages cryptographic keys. Companies use those keys both to protect the data they keep in other Google Cloud services (customer-managed encryption keys) and to add their own cryptographic functions to applications. It is a very useful service, and one that companies already rely on for their businesses.

Google released Cloud KMS in January 2017. It lets users generate, use, rotate and destroy AES-256 (Advanced Encryption Standard with 256-bit keys) encryption keys that protect data held in the cloud. (The service has since added asymmetric RSA and elliptic-curve keys for signing and decryption; this article is about the symmetric keys.) Large companies also use Cloud KMS to manage keys that encrypt other kinds of sensitive data, such as API tokens and credentials.

"Security teams often use Google Cloud KMS to set encryption keys to rotate at intervals, so the security is a lot better and brute-force attacks cannot breach through," says Alex Brick, a tech blogger at and

Google Cloud KMS is also part of the Google Cloud Platform (GCP) suite and lets customers manage the keys that encrypt the data they store on GCP. Admins also use Cloud KMS to encrypt plaintext before it is stored, but the service is not a bulk encryptor: each encrypt call accepts at most 64 KiB of plaintext, so larger data is handled with envelope encryption, where the application encrypts the data locally with a data encryption key and asks Cloud KMS only to wrap that key. The main industries Google targets with the service are those subject to regulations on storing and securing sensitive data, for example financial and healthcare providers.

How Does Google Cloud Key Management Service Work?

Google Cloud KMS stores AES-256 encryption keys in a hierarchy of five levels. The first level is the GCP project, which carries the Identity and Access Management (IAM) roles of the accounts associated with it; a project might correspond to a company or to one of its departments, for example.

Below the project sits the Location level, which names the data centers that serve requests to and from a set of Cloud KMS resources. Locations are regional, such as us-east1 or europe-west1, so keys can be placed close to the workloads and data that use them; alternatively a resource can be created in the global location, which is served from several regions rather than one. The location is fixed when a key ring is created and cannot be changed afterwards.

The next level is the key ring, which groups crypto keys. A key ring belongs to a project and resides in one specific location. Key rings are also the natural place to set permissions: an IAM policy set on a key ring is inherited by every crypto key in it, so keys that need the same level of access are kept on the same ring. Once created, a key ring cannot be deleted.

"A Crypto Key is a cryptographic key that serves a specific purpose, and it can change as the encryption changes, which then creates the Crypto Key Version that represents the final level of the hierarchy in Google Cloud Key Management Service," says Miranda Morris, a tech writer at and

Google also offers a REST API as part of Cloud KMS so that development teams can reach its functions and list, create, destroy and update keys. The API also helps companies that manage a large number of keys and whose employees frequently join, leave or change roles: access is granted through IAM roles on the project, key ring or key rather than by handing out key material, so a role change never requires a key change.

The API can also encrypt and decrypt data with a specific key and set and test IAM policies. Destroying a key version is not immediate: the version is first scheduled for destruction and becomes unusable, and for a grace period (24 hours when this was written; the duration is now configurable per key) it can still be restored, coming back disabled until it is re-enabled. Once the period elapses the key material is destroyed and anything encrypted under that version can no longer be decrypted.
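To make the five-level hierarchy from the previous paragraphs and the version lifecycle just described concrete, here is an added Go example (my own code, not Google's and not the Cloud KMS client library) that models one crypto key as a list of AES-256 key versions: Rotate appends a new primary version, every ciphertext carries the number of the version that produced it, ScheduleDestroy opens a grace window during which Restore still works, and after the window the ciphertexts under that version are unrecoverable. The resource name, the 24-hour DestroyWindow constant and the state strings are assumptions made for this example; the model also re-enables a version directly on restore, whereas the real service returns it disabled, and it holds key material in process memory only because the real service never releases it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// Hypothetical model of the Cloud KMS key hierarchy and version lifecycle
// (not Google's code); real Cloud KMS never exposes key material.
const (
	Enabled          = "ENABLED"
	DestroyScheduled = "DESTROY_SCHEDULED"
	DestroyWindow    = 24 * time.Hour // assumed default grace period
)

// KeyVersion is the lowest level of the hierarchy: one AES-256 key.
type KeyVersion struct {
	State       string
	DestroyTime time.Time // set while DESTROY_SCHEDULED
	material    []byte    // 32 bytes, held in memory only for this example
}

// CryptoKey is projects/{p}/locations/{l}/keyRings/{r}/cryptoKeys/{k};
// Versions[i] is cryptoKeyVersions/{i+1}, and the newest one is primary.
type CryptoKey struct {
	Name     string
	Versions []*KeyVersion
}

// Rotate adds a fresh primary version. Older versions stay ENABLED, so
// existing ciphertexts remain decryptable: rotation re-encrypts nothing.
func (k *CryptoKey) Rotate() {
	m := make([]byte, 32)
	if _, err := rand.Read(m); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	k.Versions = append(k.Versions, &KeyVersion{State: Enabled, material: m})
}

func gcm(v *KeyVersion) cipher.AEAD {
	block, _ := aes.NewCipher(v.material) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(block)
	return g
}

// Encrypt seals plaintext under the primary version with AES-256-GCM and
// prefixes the version number so Decrypt can select the matching key.
func (k *CryptoKey) Encrypt(plaintext, aad []byte) ([]byte, error) {
	n := len(k.Versions)
	if n == 0 || k.Versions[n-1].State != Enabled {
		return nil, fmt.Errorf("primary version is missing or not ENABLED")
	}
	hdr := make([]byte, 16) // version number || random 12-byte GCM nonce
	binary.BigEndian.PutUint32(hdr, uint32(n))
	if _, err := rand.Read(hdr[4:]); err != nil {
		return nil, err
	}
	return gcm(k.Versions[n-1]).Seal(hdr, hdr[4:], plaintext, aad), nil
}

// Decrypt reads the version prefix; a version pending destruction is refused.
func (k *CryptoKey) Decrypt(ct, aad []byte) ([]byte, error) {
	if len(ct) < 32 { // 16-byte header plus at least the 16-byte GCM tag
		return nil, fmt.Errorf("ciphertext too short")
	}
	n := int(binary.BigEndian.Uint32(ct))
	if n < 1 || n > len(k.Versions) || k.Versions[n-1].State != Enabled {
		return nil, fmt.Errorf("key version %d is missing or not ENABLED", n)
	}
	return gcm(k.Versions[n-1]).Open(nil, ct[4:16], ct[16:], aad)
}

// ScheduleDestroy starts the grace period; the version is unusable meanwhile.
func (k *CryptoKey) ScheduleDestroy(n int, now time.Time) error {
	if n < 1 || n > len(k.Versions) || k.Versions[n-1].State != Enabled {
		return fmt.Errorf("key version %d is missing or not ENABLED", n)
	}
	v := k.Versions[n-1]
	v.State, v.DestroyTime = DestroyScheduled, now.Add(DestroyWindow)
	return nil
}

// Restore cancels a pending destruction only inside the window; after it the
// material is gone, and every ciphertext under that version is unrecoverable.
func (k *CryptoKey) Restore(n int, now time.Time) error {
	if n < 1 || n > len(k.Versions) || k.Versions[n-1].State != DestroyScheduled {
		return fmt.Errorf("key version %d is not pending destruction", n)
	}
	if v := k.Versions[n-1]; now.Before(v.DestroyTime) {
		v.State = Enabled
		return nil
	}
	return fmt.Errorf("key version %d is already destroyed", n)
}
```

Typical use is Rotate once, Encrypt, Rotate again: the first ciphertext still decrypts because version 1 is still ENABLED, and it stops decrypting the moment version 1 is scheduled for destruction. The version prefix is what makes a destroy decision auditable: any blob still tagged with that number becomes unreadable when the window closes, so that inventory has to be taken before the schedule call, not after.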

Cloud KMS scales to millions of encryption keys, each with a large number of key versions. Keys can be served from a single region or, in the global location, from a distributed set of regions.

About the writer
Nancy is a web developer at and, and a social media marketing keynote speaker. Her goals include engaging with her audience in a thoughtful way and helping improvement through personal connections. When she's not writing or speaking, she likes to hike and try out new recipes.

