Cloud Key Management Service documentation
Cloud Key Management Service allows you to create, import, and manage cryptographic keys
and perform cryptographic operations in a single centralized cloud service.
You can use these keys and perform these operations by using
Cloud KMS directly, by using Cloud HSM or Cloud External Key Manager, or by
using Customer-Managed Encryption Keys (CMEK) integrations within other
Google Cloud services.
With Cloud KMS you are the ultimate custodian of your data, you
can manage cryptographic keys in the cloud in the same ways you do
on-premises, and you have a provable and monitorable root of trust over your
data.
Start your proof of concept with $300 in free credit
-
Get access to Gemini 2.0 Flash Thinking
-
Free monthly usage of popular products, including AI APIs and BigQuery
-
No automatic charges, no commitment
Keep exploring with 20+ always-free products
Access 20+ free products for common use cases, including AI APIs, VMs, data warehouses,
and more.
Training
Training and tutorials
Encrypt and decrypt data with KMS
This tutorial teaches you how to encrypt and decrypt data using symmetric Cloud KMS keys.
Training
Training and tutorials
Security in Google Cloud
Explore and deploy the components of a secure Google Cloud solution through hands on labs. Learn best practices for securing applications and data and mitigation techniques for attacks at many points in a Google Cloud-based infrastructure, including Distributed Denial-of-Service attacks, phishing attacks, and threats involving content classification and use.
Training
Training and tutorials
Getting started with KMS
In this lab you'll learn how to use some advanced features of Google Cloud Security and Privacy APIs, including: setting up a secure Cloud Storage bucket, managing keys and encrypted data, and viewing Cloud Storage audit logs.
Use case
Use cases
Tokenizing sensitive cardholder data for PCI DSS
Shows how to set up an access-controlled credit and debit card tokenization service on Cloud Functions. To set up the service, the article uses IAM, Cloud KMS, and Datastore.
PCI DSS
Functions
Datastore
Use case
Use cases
PCI Data Security Standard Compliance
Learn how to implement the Payment Card Industry Data Security Standard (PCI DSS) for your business on Google Cloud.
PCI DSS
Compliance
Security
Code sample
Code Samples
Python samples
Python code samples and snippets
Code sample
Code Samples
Node.js samples
A robust set of Node.js samples.
Code sample
Code Samples
Go samples
A list of Go samples
Code sample
Code Samples
.NET samples
Samples for .NET and KMS.
Code sample
Code Samples
PHP samples
PHP code samples for KMS
Code sample
Code Samples
Ruby samples
Ruby samples for KMS
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-29 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Cloud Key Management Service documentation\n==========================================\n\n[Read product documentation](/kms/docs/key-management-service)\nCloud Key Management Service allows you to create, import, and manage cryptographic keys\nand perform cryptographic operations in a single centralized cloud service.\nYou can use these keys and perform these operations by using\nCloud KMS directly, by using Cloud HSM or Cloud External Key Manager, or by\nusing Customer-Managed Encryption Keys (CMEK) integrations within other\nGoogle Cloud services.\n\n\nWith Cloud KMS you are the ultimate custodian of your data, you\ncan manage cryptographic keys in the cloud in the same ways you do\non-premises, and you have a provable and monitorable root of trust over your\ndata.\n[Get started for free](https://console.cloud.google.com/freetrial) \n\n#### Start your proof of concept with $300 in free credit\n\n- Get access to Gemini 2.0 Flash Thinking\n- Free monthly usage of popular products, including AI APIs and BigQuery\n- No automatic charges, no commitment \n[View free product offers](/free/docs/free-cloud-features#free-tier) \n\n#### Keep exploring with 20+ always-free products\n\n\nAccess 20+ free products for common use cases, including AI APIs, VMs, data warehouses,\nand more.\n\nDocumentation resources\n-----------------------\n\nFind quickstarts and guides, review key references, and get help with common issues. \nformat_list_numbered\n\n### Guides\n\n-\n\n [Quickstart: Create encryption keys with Cloud KMS](/kms/docs/create-encryption-keys)\n\n-\n\n [Encrypting and decrypting data with a symmetric key](/kms/docs/encrypt-decrypt)\n\n-\n\n [Encrypting and decrypting data with an asymmetric key](/kms/docs/encrypt-decrypt-rsa)\n\n-\n\n [Cloud HSM](/kms/docs/hsm)\n\n-\n\n [Creating symmetric keys](/kms/docs/creating-keys)\n\n-\n\n [Cloud External Key Manager](/kms/docs/ekm)\n\n-\n\n [Importing a key into Cloud KMS](/kms/docs/importing-a-key)\n\n-\n\n [Retrieving a public key](/kms/docs/retrieve-public-key)\n\n-\n\n [Destroying and restoring key versions](/kms/docs/destroy-restore)\n\nfind_in_page\n\n### Reference\n\n-\n\n [Permissions and roles](/kms/docs/reference/permissions-and-roles)\n\n-\n\n [Cloud KMS API client libraries](/kms/docs/reference/libraries)\n\n-\n\n [PKCS #11 library](/kms/docs/reference/pkcs11-library)\n\n-\n\n [REST API](/kms/docs/reference/rest)\n\n-\n\n [RPC API](/kms/docs/reference/rpc)\n\n-\n\n [Cloud EKM error reference](/kms/docs/reference/ekm_errors)\n\n-\n\n [Service APIs Overview](/kms/docs/reference/service-apis-overview)\n\ninfo\n\n### Resources\n\n-\n\n [Pricing](/kms/pricing)\n\n-\n\n [Quotas](/kms/quotas)\n\n-\n\n [Release notes](/kms/docs/release-notes)\n\nRelated resources\n-----------------\n\nTraining and tutorials \nUse cases \nCode samples \nExplore self-paced training, use cases, reference architectures, and code samples with examples of how to use and connect Google Cloud services. Training \nTraining and tutorials\n\n### Encrypt and decrypt data with KMS\n\n\nThis tutorial teaches you how to encrypt and decrypt data using symmetric Cloud KMS keys.\n\n\n[Learn more](https://codelabs.developers.google.com/codelabs/encrypt-and-decrypt-data-with-cloud-kms) \nTraining \nTraining and tutorials\n\n### Security in Google Cloud\n\n\nExplore and deploy the components of a secure Google Cloud solution through hands on labs. Learn best practices for securing applications and data and mitigation techniques for attacks at many points in a Google Cloud-based infrastructure, including Distributed Denial-of-Service attacks, phishing attacks, and threats involving content classification and use.\n\n\n[Learn more](/training/course/security-in-google-cloud-platform) \nTraining \nTraining and tutorials\n\n### Getting started with KMS\n\n\nIn this lab you'll learn how to use some advanced features of Google Cloud Security and Privacy APIs, including: setting up a secure Cloud Storage bucket, managing keys and encrypted data, and viewing Cloud Storage audit logs.\n\n\n[Learn more](https://www.cloudskillsboost.google/focuses/1713?parent=catalog) \nUse case \nUse cases\n\n### Tokenizing sensitive cardholder data for PCI DSS\n\n\nShows how to set up an access-controlled credit and debit card tokenization service on Cloud Functions. To set up the service, the article uses IAM, Cloud KMS, and Datastore.\n\nPCI DSS Functions Datastore\n\n\u003cbr /\u003e\n\n[Learn more](/solutions/tokenizing-sensitive-cardholder-data-for-pci-dss) \nUse case \nUse cases\n\n### PCI Data Security Standard Compliance\n\n\nLearn how to implement the Payment Card Industry Data Security Standard (PCI DSS) for your business on Google Cloud.\n\nPCI DSS Compliance Security\n\n\u003cbr /\u003e\n\n[Learn more](/solutions/pci-dss-compliance-in-gcp) \nCode sample \nCode Samples\n\n### Python samples\n\n\nPython code samples and snippets\n\n\n[Open GitHub\narrow_forward](https://github.com/GoogleCloudPlatform/python-docs-samples/tree/main/kms/snippets) \nCode sample \nCode Samples\n\n### Node.js samples\n\n\nA robust set of Node.js samples.\n\n\n[Open GitHub\narrow_forward](https://github.com/GoogleCloudPlatform/nodejs-docs-samples/tree/main/kms) \nCode sample \nCode Samples\n\n### Go samples\n\n\nA list of Go samples\n\n\n[Open GitHub\narrow_forward](https://github.com/GoogleCloudPlatform/golang-samples/tree/master/kms) \nCode sample \nCode Samples\n\n### .NET samples\n\n\nSamples for .NET and KMS.\n\n\n[Open GitHub\narrow_forward](https://github.com/GoogleCloudPlatform/dotnet-docs-samples/tree/master/kms/api/Kms.Samples) \nCode sample \nCode Samples\n\n### PHP samples\n\n\nPHP code samples for KMS\n\n\n[Open GitHub\narrow_forward](https://github.com/GoogleCloudPlatform/php-docs-samples/tree/main/kms) \nCode sample \nCode Samples\n\n### Ruby samples\n\n\nRuby samples for KMS\n\n\n[Open GitHub\narrow_forward](https://github.com/googleapis/google-cloud-ruby/tree/master/google-cloud-kms/samples)\n\nRelated videos\n--------------"]]
