Data Security: An Overview of GCP's Key Management Systems (KMS)

Data security refers to the measures and protocols that are used to protect data from unauthorized access, use, disclosure and/or destruction. Data security is important for businesses and organizations because it helps to ensure the confidentiality, integrity, and availability of their data, which is critical for the proper functioning of their operations and the protection of their sensitive information. 

Data Security and its Importance  

As businesses grow more dependent on cloud computing, with compelling reasons to adopt multiple cloud services (remote work, the high cost of owning on-premises infrastructure, improved security, and availability of data), it has become extremely important to secure data, whether it is at rest or in flight. For cloud service models such as IaaS, PaaS and SaaS, the consumer is responsible for the security of the data stored in and accessed from the cloud. Additionally, one may also want to secure data and secrets (sensitive information) that are stored on-premises, using services such as KMS and Secret Manager.

Data Security Approaches 

Protecting sensitive information is vital for companies and institutions that depend on data for their functioning. By implementing suitable security strategies and protocols, businesses can safeguard the confidentiality, integrity, and accessibility of their data, and prevent unauthorized access or abuse. Different methods of data security are available and the chosen measures may depend on the type of data and the likelihood of unauthorized access or misuse. Some common data security measures include: 

Encryption: Encrypting data helps to protect it by rendering it unreadable without the use of a special decryption key. Encryption can be used to protect data at rest (when it is stored on a device or server) or in transit (when it is being transmitted over a network). 

Access controls: Access controls are mechanisms that are used to regulate who has access to data. This can include user authentication (verifying the identity of users) and authorization (determining what actions users are allowed to perform, following the principle of least privilege).

Monitoring and detection: Monitoring and detection systems can be used to identify and respond to potential security threats. This can include monitoring for suspicious activity, such as unusual login attempts or data access patterns, and implementing automated response protocols to take appropriate action in the event of a security breach. 

Role of GCP’s Key Management System in Data Security 

Google Cloud Key Management Service (KMS) is a cloud-based key management service that allows customers to create, use, rotate, and destroy the encryption keys used to protect their data in Google Cloud. KMS provides a convenient place to manage the encryption keys used across Google Cloud services, including Google Cloud Storage, BigQuery, and Dataproc.

KMS uses a hierarchical model for managing keys, with a root key at the top level and various levels of subordinate keys beneath it. This allows customers to create a hierarchy of keys that reflects the organization of their data and the access controls they want to implement. KMS also provides a range of features to help customers manage their encryption keys, including the ability to rotate keys on a regular basis, to revoke access to data by destroying keys, and to audit key usage. KMS integrates with other Google Cloud services and tools, such as Cloud Identity and Access Management (IAM), to provide customers with a comprehensive solution for securing their data in the cloud. 

Symmetric Encryption Key 

Symmetric encryption is a type of encryption that uses the same key to encrypt and decrypt data. In other words, the same secret key is used to encrypt the data before it is sent, and then the same key is used to decrypt the data when it is received by the intended recipient. 

The key must be kept secret, as anyone with access to the key can decrypt the data. Storage, access, and management of this secret key will be done by Secret Manager. We shall discuss it shortly. Data at rest is encrypted using a symmetric encryption key.

Advantages: Faster and more efficient than asymmetric encryption.

Disadvantages: Requires the keys to be shared securely, and it is not used on data in flight.

Asymmetric Encryption Key 

Asymmetric encryption is a type of encryption that uses a pair of keys (a public key and a private key) to encrypt and decrypt data. The public key is used to encrypt the data, while the private key is used to decrypt it. This allows people to send encrypted messages to each other without having to exchange secret keys beforehand. Data in transit is encrypted using an asymmetric encryption key.

In practice, a person’s public key is made available to anyone who wants to send them an encrypted message. The sender uses the public key to encrypt the message, and the message can only be decrypted by the recipient using their private key. Because the private key is kept secret, only the intended recipient is able to decrypt the message.

Advantage: More secure than symmetric encryption because it does not require exchanging secret keys beforehand. 

Disadvantage: Slower and less efficient than symmetric encryption, as it requires more computation to encrypt and decrypt data.

Operations that can be performed on Keys in GCP Cloud Console

  1. View keys by project: The Google Cloud Console can be used to view the keys created in your project. In the Google Cloud Console, go to the Key Rings page to see the key rings, or to the Key Inventory page to view all keys created in the project.
  2. View key usage: In the Google Cloud Console, go to the Key Inventory page; a key usage summary and details are shown for the selected key. The Google Cloud Console, the gcloud command-line tool, or the Cloud KMS API can be used to view key usage.
  3. Labelling keys: Cloud Key Management Service provides the option to add labels to your Cloud KMS keys. Labels are key-value pairs that you can use to group related Cloud KMS keys and store metadata about a Cloud KMS key. Labels are included in your bill, so you can see the distribution of costs across your labels; the label feature can therefore be used to bill each tenant in a multi-tenant environment. The Google Cloud Console, the gcloud command-line tool, or the Cloud KMS API can be used to label keys.
  4. Create and manage tags: A tag is a key-value pair that can be attached to a resource within GCP. You can use tags to conditionally allow or deny policies based on whether a resource has a specific tag. [Note: Tags and labels work independently of each other.] The Google Cloud Console or the gcloud command-line tool can be used to create and manage tags.
  5. Enabling and disabling key versions: To enable or disable a key version, you can use the Google Cloud Console, the gcloud command-line tool, or the Cloud KMS API.
  6. Destroying and restoring key versions: The Google Cloud Console, the gcloud command-line tool, or the Cloud KMS API can be used to destroy or restore an enabled or disabled key version.
  7. Rotating keys: Google Cloud Console, the gcloud command-line tool, or the Cloud KMS API can be used to configure automatic rotation when creating a new key.
  8. Retrieving a public key: Google Cloud Console, the gcloud command-line tool, or the Cloud KMS API can be used to retrieve the public key portion of an asymmetric key version.
  9. Importing keys: Importing keys requires the keys to be in a supported format. Supported key formats are symmetric keys for encryption, symmetric keys for signing (MAC keys), and asymmetric keys for encryption or signing.
  10. Encrypting and decrypting data with a symmetric key: Text or binary content (plaintext) is encrypted using a Cloud Key Management Service key, and ciphertext that was encrypted with a Cloud KMS key is decrypted with the same key. A key ring and a key must be created before encrypting or decrypting data.
  11. Encrypting and decrypting data with an asymmetric key: One must be authorized to use the key that will encrypt and decrypt the data. The gcloud command-line tool or the Cloud KMS API can be used to encrypt data with an asymmetric encryption key: retrieve the public key, then use the public key to encrypt the data.
  12. Re-encrypting data: Data can be re-encrypted using a Cloud Key Management Service symmetric key when the following conditions are met:
    • The data is already encrypted using KMS.
    • The key version used for the encryption is not disabled.
    • The key has already been rotated.
  13. Verifying end-to-end data integrity: All data on Google Cloud is automatically encrypted, whether it is in transit or at rest. This does not prevent client-side data corruption, but Cloud KMS provides ways to detect it.
  14. Encrypting application data: The Google Cloud KMS service is used to encrypt data before sending it to Google Cloud for storage. This requires the creation of a storage bucket in a Google Cloud project created for the purpose. The following setup needs to be done:
    • Create a project in Google Cloud
    • Create Users
    • Create a Storage Bucket
    • Create an Encryption Key
    • Encrypt the file containing the secret
    • Decrypt the file containing the secret
    • Perform clean-up
  15. Client-side encryption with Tink and Cloud KMS: Client-side encryption is an operation that is performed before sending data to Google Cloud. Tink is an open-source library that works in conjunction with KMS to encrypt data locally and upload it to Google Cloud.
  16. Creating and validating digital signatures: Creates and validates digital signatures based on asymmetric keys.
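Item 13 above says Cloud KMS gives clients a way to detect corruption of plaintext or ciphertext in transit. The mechanism is a CRC32C checksum carried alongside each Encrypt/Decrypt request and response (the `plaintext_crc32c`, `ciphertext_crc32c` and `verified_plaintext_crc32c` fields of the Cloud KMS API). The following is an added example, not code from the article or from Google; it implements CRC-32C in plain Python and performs the client-side checks on locally constructed responses, so there is no network call and the ciphertext bytes are arbitrary placeholders.

```python
# Added example: client-side CRC32C integrity checks modelled on the Cloud KMS
# Encrypt/Decrypt API fields. The responses below are constructed locally.

def _make_table():
    """Lookup table for CRC-32C (Castagnoli), reflected polynomial 0x82F63B78."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0x82F63B78 if c & 1 else c >> 1
        table.append(c)
    return table

_TABLE = _make_table()

def crc32c(data: bytes) -> int:
    """CRC-32C of data; the standard check value crc32c(b"123456789") is 0xE3069283."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

def check_encrypt_response(response: dict) -> bool:
    """Client-side checks on an EncryptResponse.
    The request carried plaintext_crc32c = crc32c(plaintext); the service sets
    verified_plaintext_crc32c only if it received and checked that value, and
    returns ciphertext_crc32c for the ciphertext it produced."""
    if not response.get("verified_plaintext_crc32c"):
        return False  # the service did not confirm the request checksum
    # Recompute the CRC of what actually arrived and compare with the service's value.
    return crc32c(response["ciphertext"]) == response["ciphertext_crc32c"]

def check_decrypt_response(response: dict) -> bool:
    """Client-side check on a DecryptResponse: recompute the CRC of the returned plaintext."""
    return crc32c(response["plaintext"]) == response["plaintext_crc32c"]

# Constructed sample data: the ciphertext bytes are placeholders, not real KMS output.
SAMPLE_PLAINTEXT = b"database-password-example"
SAMPLE_CIPHERTEXT = bytes.fromhex("0a2400c1f2e3d4") * 4
GOOD_ENCRYPT_RESPONSE = {
    "ciphertext": SAMPLE_CIPHERTEXT,
    "ciphertext_crc32c": crc32c(SAMPLE_CIPHERTEXT),
    "verified_plaintext_crc32c": True,
}
# The same response after the first ciphertext byte was altered in transit.
CORRUPTED_ENCRYPT_RESPONSE = dict(GOOD_ENCRYPT_RESPONSE,
                                  ciphertext=b"\xff" + SAMPLE_CIPHERTEXT[1:])
```

A client that treats a failed check as a hard error (retry or abort, never store the bytes) is what turns automatic encryption in transit into detectable end-to-end integrity.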

To sum up, GCP’s Key Management Systems (KMS) offer a comprehensive and reliable approach to data security. With its ability to encrypt data and manage encryption keys, KMS ensures the safety and security of sensitive information, preventing unauthorized access or misuse. For companies and institutions that utilize GCP, implementing KMS is a critical step in protecting their data and maintaining its confidentiality, integrity, and availability.

Data Security is essential to safeguard our privacy, protect our businesses, and build trust in the online world. Data security is not a choice, it is a necessity. 

Prafulla Ingle

VP, Security and Process Excellence