Google Cloud - Community

A collection of technical articles and blogs published or curated by Google Cloud Developer Advocates. The views expressed are those of the authors and don't necessarily reflect those of Google.

Beyond Google’s Walls: Taking Control of Your Encryption Keys with Cloud EKM


In an era where data breaches make headlines weekly, encryption has become the bedrock of cloud security. But for many organizations — especially those in highly regulated industries — the question isn’t just “Is our data encrypted?” but rather “Who controls the encryption keys?”

Enter Google Cloud’s External Key Management (EKM): a powerful solution that lets you enjoy Google Cloud’s robust services while keeping your encryption keys firmly in your control. Let me walk you through this elegant balance of convenience and control, with detailed implementation steps.


The Encryption Sovereignty Spectrum

When it comes to key management in Google Cloud, you’re looking at a spectrum of control:

  • Cloud KMS (Software-based): Google generates and manages your keys entirely in software — simple but less control for you
  • Cloud HSM: A step up in security — Google manages your keys, but in dedicated Hardware Security Modules
  • Cloud EKM: The sovereignty option — your keys live in your external key management system, giving you complete custody

For organizations that must maintain strict control over cryptographic keys due to regulatory requirements (think financial institutions, healthcare providers, or government contractors), Cloud EKM provides that critical separation between your data and the keys that protect it.

The Cloud EKM Ecosystem

Google has partnered with industry-leading key management providers to make EKM implementation smooth:

  • Fortanix (a popular choice)
  • Futurex
  • Thales
  • Virtru

These integrations aren’t limited to niche services either. Over 40 Google Cloud services support EKM, including:

  • BigQuery
  • Cloud Storage
  • Compute Engine
  • Cloud SQL
  • Vertex AI
  • Google Kubernetes Engine
  • Secret Manager
  • Spanner
  • Pub/Sub
  • And many more!

Setting Up Cloud EKM: Two Approaches

There are two ways to connect Google Cloud to your external key management system, each with different security implications and setup complexity:

1. Cloud EKM via Internet

This approach is simpler but requires your key management system to be accessible over the internet.

Creating a Manually Managed Cloud EKM via Internet Key

Step 1: Create an empty external key:

gcloud kms keys create KEY_NAME \
--keyring KEY_RING \
--location LOCATION \
--purpose PURPOSE \
--protection-level external \
--skip-initial-version-creation \
--default-algorithm ALGORITHM

Step 2: Create a new key version referencing your external key:

gcloud kms keys versions create \
--key KEY_NAME \
--keyring KEY_RING \
--location LOCATION \
--external-key-uri EXTERNAL_KEY_URI

The EXTERNAL_KEY_URI is provided by your external key management system and serves as the bridge between Google Cloud and your external keys.

2. Cloud EKM via VPC

This approach offers stronger security by keeping all key management traffic within private networks. It’s more complex but provides better isolation. Let’s break down the process:

Step 1: Configure Your VPC

Before anything else, you need to prepare your VPC network:

  • Enable Private Google Access: This is critical because your external key manager needs to verify OIDC tokens by retrieving OAuth2 public keys from googleapis.com.
  • Configure Firewall Rules: Create both ingress and egress rules for the IP range 35.199.192.0/19, which is the range Cloud EKM uses for its requests.
  • Ensure Return Routes: Your on-premises network must have a route for the 35.199.192.0/19 destination. Depending on your connectivity method:
      • For Cloud VPN with static routing: Create a manual route in your on-premises network with destination 35.199.192.0/19 and next hop pointing to the Cloud VPN tunnel.
      • For Cloud VPN with policy-based routing: Configure the Cloud VPN’s local traffic selector and the on-premises VPN gateway’s remote traffic selector to include 35.199.192.0/19.
      • For Cloud VPN with dynamic routing or Cloud Interconnect: Configure a custom route advertisement for 35.199.192.0/19 on the BGP session of your Cloud Router.

Step 2: Create a Service Directory Service Endpoint

Next, you need to create a Service Directory service endpoint that points to your external key manager:

Create a namespace first:

gcloud service-directory namespaces create NAMESPACE \
--location REGION

Then create a service in the namespace:

gcloud service-directory services create SERVICE \
--namespace NAMESPACE \
--location REGION

Finally, create an endpoint with private network access:

gcloud service-directory endpoints create ENDPOINT_NAME \
--project=PROJECT_ID \
--location=REGION \
--namespace=NAMESPACE_NAME \
--service=SERVICE_ID \
--address=IP_ADDRESS \
--port=PORT_NUMBER \
--network=NETWORK_PATH

The NETWORK_PATH should follow this format: projects/PROJECT_NUMBER/locations/global/networks/NETWORK_NAME

Step 3: Create an EKM Connection

With your network infrastructure ready, now you can create the EKM connection. There are two types to choose from:

For Manually Managed External Keys:

gcloud beta kms ekm-connections create EKM_CONNECTION \
--location LOCATION \
--service-directory-service SERVICE_DIRECTORY_SERVICE \
--hostname HOSTNAME \
--server-certificates-files SERVER_CERTIFICATE_FILES \
--key-management-mode manual

For Coordinated External Keys:

gcloud beta kms ekm-connections create EKM_CONNECTION \
--location LOCATION \
--service-directory-service SERVICE_DIRECTORY_SERVICE \
--hostname HOSTNAME \
--server-certificates-files SERVER_CERTIFICATE_FILES \
--key-management-mode cloud-kms \
--crypto-space-path CRYPTO_SPACE_PATH

You can also set a default EKM connection for your project and location:

gcloud beta kms ekm-config update \
--location=LOCATION \
--default-ekm-connection=projects/PROJECT_ID/locations/LOCATION/ekmConnections/DEFAULT_EKM_CONNECTION

Step 4: Create Keys Using Your EKM Connection

Finally, you can create keys that use your external key management system:

Create a Coordinated External Key:

gcloud kms keys create KEY_NAME \
--keyring KEY_RING \
--location LOCATION \
--purpose PURPOSE \
--default-algorithm ALGORITHM \
--protection-level "external-vpc" \
--crypto-key-backend VPC_CONNECTION_RESOURCE_ID

Create a Manually Managed Cloud EKM via VPC Key:

gcloud kms keys create KEY_NAME \
--keyring KEY_RING \
--location LOCATION \
--purpose PURPOSE \
--default-algorithm ALGORITHM \
--protection-level "external-vpc" \
--skip-initial-version-creation \
--crypto-key-backend VPC_CONNECTION_RESOURCE_ID
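The four VPC steps above, strung together as one script, make it easier to see how the pieces reference each other (the Service Directory endpoint needs the NETWORK_PATH in the project-number form given in Step 2, the EKM connection needs the service's resource path, and the key needs the connection's resource path). This is an added example, not the article's or Google's own script. Every resource name, IP address, port, hostname and certificate path is a constructed placeholder; the firewall and subnet commands are standard gcloud commands that the article does not spell out, and the exact port your key manager listens on is an assumption. The script defaults to a dry run that prints each gcloud command, so it can be read and checked before anything is created; export DRY_RUN=0 to execute it against a real project.

```shell
#!/bin/sh
# Added example, not the article's or Google's own script: Cloud EKM via VPC
# (Steps 1-4) as one script with a preflight check and a dry-run default.
# Every resource name below is a constructed placeholder.
set -eu

EKM_RANGE="35.199.192.0/19"          # source range Cloud EKM uses (from the article)
DRY_RUN="${DRY_RUN:-1}"              # print commands unless DRY_RUN=0 is exported

# Placeholders to replace with your own values (assumptions, not real resources).
PROJECT_ID="${PROJECT_ID:-my-project}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"    # Service Directory wants the number, not the ID
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-ekm-vpc}"
SUBNET="${SUBNET:-ekm-subnet}"
KEY_MANAGER_IP="${KEY_MANAGER_IP:-10.10.0.5}"       # on-prem key manager reached over VPN/Interconnect
KEY_MANAGER_PORT="${KEY_MANAGER_PORT:-443}"         # assumed listening port of the key manager
EKM_HOSTNAME="${EKM_HOSTNAME:-ekm.corp.example}"    # must match the server certificate's name
SERVER_CERT="${SERVER_CERT:-./ekm-server.pem}"      # PEM file pinned in the EKM connection
NAMESPACE="ekm-ns"; SERVICE="ekm-svc"; ENDPOINT="ekm-ep"
EKM_CONNECTION="ekm-conn"; KEY_RING="ekm-ring"; KEY_NAME="bq-cmek"

NETWORK_PATH="projects/${PROJECT_NUMBER}/locations/global/networks/${NETWORK}"
SD_SERVICE="projects/${PROJECT_ID}/locations/${REGION}/namespaces/${NAMESPACE}/services/${SERVICE}"
EKM_CONNECTION_PATH="projects/${PROJECT_ID}/locations/${REGION}/ekmConnections/${EKM_CONNECTION}"

# Runs a command, or prints it when dry-running or when gcloud is not installed.
run() {
  if [ "$DRY_RUN" = "1" ] || ! command -v gcloud >/dev/null 2>&1; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# The network path must use the project number and the global location
# (format quoted in the article); reject anything else before touching gcloud.
validate_network_path() {
  printf '%s' "$1" |
    grep -Eq '^projects/[0-9]+/locations/global/networks/[a-z]([-a-z0-9]*[a-z0-9])?$'
}

step1_network() {
  # Private Google Access lets the key manager fetch OAuth2 public keys from googleapis.com.
  run gcloud compute networks subnets update "$SUBNET" --region="$REGION" \
      --enable-private-ip-google-access
  # Ingress and egress rules scoped to the Cloud EKM range and the key manager's port only.
  run gcloud compute firewall-rules create ekm-ingress --network="$NETWORK" \
      --direction=INGRESS --source-ranges="$EKM_RANGE" --allow="tcp:${KEY_MANAGER_PORT}"
  run gcloud compute firewall-rules create ekm-egress --network="$NETWORK" \
      --direction=EGRESS --destination-ranges="$EKM_RANGE" --allow="tcp:${KEY_MANAGER_PORT}"
  # Return routes for $EKM_RANGE are configured on the on-prem side (VPN/BGP), not here.
}

step2_service_directory() {
  run gcloud service-directory namespaces create "$NAMESPACE" --location="$REGION"
  run gcloud service-directory services create "$SERVICE" --namespace="$NAMESPACE" --location="$REGION"
  run gcloud service-directory endpoints create "$ENDPOINT" --project="$PROJECT_ID" \
      --location="$REGION" --namespace="$NAMESPACE" --service="$SERVICE" \
      --address="$KEY_MANAGER_IP" --port="$KEY_MANAGER_PORT" --network="$NETWORK_PATH"
}

step3_ekm_connection() {
  # Manually managed mode; pinning the server certificate means Google only
  # trusts the key manager endpoint you configured.
  run gcloud beta kms ekm-connections create "$EKM_CONNECTION" --location="$REGION" \
      --service-directory-service="$SD_SERVICE" --hostname="$EKM_HOSTNAME" \
      --server-certificates-files="$SERVER_CERT" --key-management-mode=manual
}

step4_key() {
  run gcloud kms keyrings create "$KEY_RING" --location="$REGION"
  # Manually managed VPC key: no initial version; a version referencing the
  # external key is added afterwards (not shown here).
  run gcloud kms keys create "$KEY_NAME" --keyring="$KEY_RING" --location="$REGION" \
      --purpose=encryption --default-algorithm=external-symmetric-encryption \
      --protection-level=external-vpc --skip-initial-version-creation \
      --crypto-key-backend="$EKM_CONNECTION_PATH"
}

main() {
  validate_network_path "$NETWORK_PATH" || { echo "bad NETWORK_PATH: $NETWORK_PATH" >&2; return 1; }
  step1_network; step2_service_directory; step3_ekm_connection; step4_key
}

main
```

The preflight check matters because a NETWORK_PATH built with the project ID instead of the project number, or with a regional location, is a common reason the endpoint creation fails only after the namespace and service already exist.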

Real-World Example: Financial Services Compliance

Imagine you’re a financial institution subject to strict data sovereignty requirements. You need to process transaction data in BigQuery for fraud detection, but regulations demand you maintain control of encryption keys.

With Cloud EKM via VPC, you can:

  1. Keep your HSM in your own data center or preferred colocation facility
  2. Connect it securely to Google Cloud through private networking
  3. Process petabytes of transaction data in BigQuery
  4. Maintain compliance by keeping keys under your direct control
  5. Implement emergency access revocation procedures if ever needed

Your security team keeps using the same key management tools and processes they’re familiar with, while your data scientists get the full power of Google’s analytics platform.

Implementation Tips From the Trenches

Having worked with Cloud EKM implementations, here are some practical recommendations:

  • Test key rotation thoroughly: Ensure your team understands how rotation affects running workloads
  • Document your emergency revocation process: In a security incident, you need clear procedures
  • Monitor key usage patterns: Unexpected spikes could indicate misuse or issues
  • Consider high availability for your key managers: If your key system is down, Google can’t decrypt your data
  • Validate certificates before they expire: Certificate expiration can cause sudden service disruptions
  • Start with non-critical workloads: Build confidence before migrating sensitive data
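Three of these tips (monitoring key usage, keeping the firewall scoped to the Cloud EKM range, and catching certificate expiry early) can be checked from the key manager side without any Google Cloud access. The script below is an added example, not the article's or any vendor's code: it parses a constructed sample of key-manager access log lines (the line format is an assumption, real products log differently), reports source addresses outside 35.199.192.0/19, flags keys whose operation count exceeds a baseline, and uses openssl to confirm the server certificate pinned in the EKM connection stays valid for a given number of days.

```shell
#!/bin/sh
# Added example (not from the article or any vendor): operational checks for a
# Cloud EKM deployment that run without Google Cloud access.
set -eu

EKM_RANGE="35.199.192.0/19"   # Cloud EKM source range quoted in the article

# Convert a dotted-quad IPv4 address to an integer for CIDR arithmetic.
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when IP lies inside CIDR. Usage: in_cidr 35.199.200.14 35.199.192.0/19
in_cidr() {
  net="${2%/*}"; bits="${2#*/}"
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Constructed sample of key-manager access log lines (not real data).
# Assumed format: "<timestamp> src=<ip> key=<key-id> op=<operation>".
SAMPLE_LOG='2025-03-01T09:00:01Z src=35.199.200.14 key=bq-cmek op=unwrap
2025-03-01T09:00:02Z src=35.199.201.7 key=bq-cmek op=unwrap
2025-03-01T09:00:03Z src=35.199.193.22 key=gcs-cmek op=unwrap
2025-03-01T09:00:04Z src=203.0.113.9 key=bq-cmek op=unwrap
2025-03-01T09:00:05Z src=35.199.200.14 key=bq-cmek op=unwrap
2025-03-01T09:00:06Z src=35.199.200.14 key=bq-cmek op=unwrap'

# Print source addresses that are not Cloud EKM addresses. Anything listed
# reached the key manager from somewhere the firewall rules should have blocked.
unexpected_sources() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) print substr($i, 5) }' | sort -u |
  while read -r ip; do in_cidr "$ip" "$EKM_RANGE" || echo "$ip"; done
}

# Count operations per key and print "key count" for keys above BASELINE.
# Usage: spiking_keys BASELINE < log
spiking_keys() {
  awk -v max="$1" '
    { for (i = 1; i <= NF; i++) if ($i ~ /^key=/) n[substr($i, 5)]++ }
    END { for (k in n) if (n[k] > max) print k, n[k] }' | sort
}

# Succeeds if the PEM certificate in FILE is still valid DAYS days from now
# (openssl -checkend takes seconds). Usage: cert_valid_for_days FILE DAYS
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo run over the constructed sample.
echo "sources outside ${EKM_RANGE}:"
printf '%s\n' "$SAMPLE_LOG" | unexpected_sources
echo "keys with more than 3 operations:"
printf '%s\n' "$SAMPLE_LOG" | spiking_keys 3
```

In practice the baseline for spiking_keys comes from a longer window of your own logs (operations per key per hour, say), and cert_valid_for_days belongs in a scheduled job that alerts well before the pinned certificate would otherwise break every decrypt at once.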

Benefits of Cloud EKM

Cloud EKM offers several advantages beyond just regulatory compliance:

  1. True Separation of Duties: Neither Google nor a single internal team can access both data and keys
  2. Consistent Key Governance: Maintain your existing key management policies across environments
  3. Familiar Security Tools: Continue using the HSM technology your security team already knows
  4. Revocation Control: The ability to instantly revoke Google’s access to data by controlling key availability
  5. Audit Simplification: Centralized key access logs in your existing security tools

The Road Ahead

As organizations continue to adopt cloud technologies while maintaining strict security and compliance requirements, solutions like Cloud EKM will become increasingly important. The integration between cloud providers and HSM vendors continues to improve, making implementation smoother and operations more reliable.

For many enterprises, Cloud EKM represents the perfect balance: Google’s powerful infrastructure combined with your security team’s trusted key management practices.


Written by Rahul Kumar Singh

Architect @ EY | Building Secure and Reliable solution for the world | Football Freak