# Supporting compliance with key management

This page provides information about supporting compliance with key management
using encryption for Assured Workloads.

Overview
--------

[Encryption key management](/assured-workloads/docs/encryption-keys) is
fundamental to supporting regulatory compliance of Google Cloud resources.
Assured Workloads supports compliance through encryption in the
following ways.

**CJIS, ITAR, and IL5:** Mandated customer-managed keys and separation of duties:

- **CMEK**: Assured Workloads mandates the use of customer-managed encryption keys (CMEK) to support these control packages.
- **Key management project**: Assured Workloads creates a key management project to align with NIST 800-53 security controls. The [key management project](/assured-workloads/docs/key-concepts#key_management) is separated from resource folders to establish [separation of duties](/kms/docs/separation-of-duties) between security administrators and developers.
- **Key ring**: Assured Workloads also creates a [key ring](/kms/docs/resource-hierarchy#key_rings) to store your keys. The CMEK project restricts key ring creation to compliant locations that you select. After you create the key ring, you manage creating or importing encryption keys. Strong encryption, key management, and separation of duties all support positive security and compliance outcomes on Google Cloud.

| **Note:** After Assured Workloads creates the key ring, you must [create your CMEK key](/assured-workloads/docs/create-and-obtain-cmek). Unless your control package mandates a certain encryption key strategy, you can use any Google key management service, including Cloud Key Management Service, Cloud External Key Manager, or CMEK. You can also use default [Google-owned and Google-managed encryption keys](/assured-workloads/docs/storage/docs/encryption/default-keys), which are FIPS validated.

**Other control packages (including IL4):** Google-owned and Google-managed encryption keys and other encryption options:

- [Google-owned and Google-managed encryption keys](/storage/docs/encryption/default-keys) provide on-by-default, FIPS 140-2 validated encryption in transit and at rest to all Google Cloud services.
- [Cloud Key Management Service (Cloud KMS)](/kms/docs): Assured Workloads supports Cloud KMS. Cloud KMS covers all Google Cloud products and services by default, providing FIPS 140-2 validated encryption in transit and at rest.
- [Customer-managed encryption keys (CMEK)](/kms/docs/cmek): Assured Workloads supports CMEK for control packages such as IL4, for which CMEK is optional.
- [Cloud External Key Manager (Cloud EKM)](/kms/docs/ekm): Assured Workloads supports Cloud EKM.
- [Key import](/kms/docs/importing-a-key)

Encryption strategies
---------------------

This section describes Assured Workloads encryption strategies.

### Assured Workloads CMEK Creation

| **Note:** Assured Workloads only provides configuration guidance for CMEK when you select the CJIS control package.

CMEK gives you advanced control over your data and key management by letting you
manage the complete key lifecycle, from creation to deletion. This capability is
critical to supporting cryptographic erase requirements in the
[Cloud Computing SRG](https://rmf.org/wp-content/uploads/2018/05/Cloud_Computing_SRG_v1r3.pdf).

Services
--------

### CMEK-integrated services

CMEK covers the following services, which store customer data for CJIS:

- [Cloud Storage](/storage)
- [Persistent Disk](/persistent-disk)
- [BigQuery](/bigquery)

| **Note:** After you set up CMEK, you must share the resource ID of each key you create in the CMEK project with the developers working in the Assured Workloads resource folders. Today, CMEK integration is limited to the in-scope services that support CMEK capabilities.

#### Other services: Custom Key Management

For services that aren't integrated with CMEK, or for customers whose control
packages don't require CMEK, Assured Workloads customers can use Google-managed
[Cloud Key Management Service](/kms) keys. This option gives customers additional
key management choices to fit their organizational needs. Today, CMEK integration
is limited to the [in-scope services](/kms/docs/using-other-products#cmek_integrations)
that support CMEK capabilities. Google-managed KMS is an acceptable encryption
method because it covers all Google Cloud products and services by default,
providing [FIPS 140-2 validated](/security/compliance/fips-140-2-validated)
encryption in transit and at rest.

For other products supported by Assured Workloads, see
[Supported products by control package](/assured-workloads/docs/supported-products).

Key management roles
--------------------

Administrators and developers typically support compliance and security best
practices through key management and
[separation of duties](/kms/docs/separation-of-duties). For example, while
developers might have access to the Assured Workloads resources folder,
administrators have access to the CMEK key management project.

### Administrators

Administrators typically control access to the encryption project and the key
resources within it. Administrators are responsible for allocating key resource
IDs to developers so that developers can encrypt resources. This practice
separates the management of keys from the development process and lets security
administrators manage encryption keys centrally in the CMEK project.

Security administrators can use the following encryption key strategies with
Assured Workloads:

- [Cloud KMS](/kms/docs)
- [Customer-managed encryption keys (CMEK)](/kms/docs/cmek)
- [Cloud External Key Manager (Cloud EKM)](/kms/docs/ekm)
- [Key import](/kms/docs/importing-a-key)

| **Note:** We recommend that you create resources in the Assured Workloads resource project and not in the key management project.

### Developers

During development, when you provision and configure in-scope Google Cloud
resources that require a CMEK encryption key, you request the resource ID of the
key from your administrator. If you don't use CMEK, we recommend that you use
Google-owned and Google-managed encryption keys to ensure that data is encrypted.

The request method is determined by your organization as part of its documented
security processes and procedures.
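The key hand-off between administrators and developers described above lends itself to a pre-deployment check: before a developer wires a key resource ID into a resource, confirm that the key actually lives in the separate key management project (not the workload project) and in one of the compliant locations the administrator selected. This is an added example, not Google's or the Assured Workloads product's code; the project IDs, the compliant-location set and the sample key IDs are constructed placeholders.

```python
import re

# A Cloud KMS cryptoKey resource ID, as an administrator hands it to a developer.
# Project IDs are 6 to 30 characters: lowercase letters, digits and hyphens,
# starting with a letter and not ending in a hyphen.
KEY_ID_RE = re.compile(
    r"^projects/(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])"
    r"/locations/(?P<location>[a-z0-9-]+)"
    r"/keyRings/(?P<ring>[A-Za-z0-9_-]+)"
    r"/cryptoKeys/(?P<key>[A-Za-z0-9_-]+)$"
)


def parse_key_id(key_id):
    """Split a CMEK key resource ID into its components, or return None if malformed."""
    m = KEY_ID_RE.match(key_id)
    return m.groupdict() if m else None


def check_cmek_handoff(key_id, workload_project, key_mgmt_project, compliant_locations):
    """Return the list of policy violations; an empty list means the key may be used.

    The checks follow the page's guidance: keys stay in the dedicated key
    management project (separation of duties), never in the workload project,
    and the key ring location must be one of the compliant locations selected
    when the key ring was created.
    """
    parts = parse_key_id(key_id)
    if parts is None:
        return ["key resource ID is not a Cloud KMS cryptoKey ID"]
    violations = []
    if parts["project"] != key_mgmt_project:
        violations.append(f"key is in project {parts['project']!r}, "
                          f"expected key management project {key_mgmt_project!r}")
    if parts["project"] == workload_project:
        violations.append("key lives in the workload project; keys must stay "
                          "in the separate key management project")
    if parts["location"] not in compliant_locations:
        violations.append(f"location {parts['location']!r} is not a compliant location")
    return violations


if __name__ == "__main__":
    # Constructed sample values; real IDs come from your administrator.
    key = "projects/example-kms-proj/locations/us-east4/keyRings/aw-ring/cryptoKeys/storage-key"
    print(check_cmek_handoff(key, "example-workload", "example-kms-proj", {"us-east4"}))
```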
What's next
-----------

- Learn how to [create an Assured Workloads folder](/assured-workloads/docs/create-folder).
- Learn which [products are supported](/assured-workloads/docs/supported-products) for each control package.

Last updated 2025-08-29 UTC.