[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-09-02。"],[],[],null,["# Cloud KMS with Autokey\n\nCloud KMS Autokey simplifies creating and using [customer-managed encryption\nkeys (CMEKs)](/kms/docs/cmek) by automating provisioning and assignment. With\nAutokey, key rings and keys are generated on-demand. Service accounts\nthat use the keys to encrypt and decrypt resources are created and granted\nIdentity and Access Management (IAM) roles when needed. Cloud KMS administrators\nretain full control and visibility to keys created by Autokey, without\nneeding to pre-plan and create each resource.\n\nUsing keys generated by Autokey can help you consistently align with\nindustry standards and recommended practices for data security, including the\nHSM protection level, separation of duties, key rotation, location, and key\nspecificity. Autokey creates keys that follow both general guidelines\nand guidelines specific to the resource type for Google Cloud services\nthat integrate with Cloud KMS Autokey. After they are created, keys\nrequested using Autokey function identically to other\nCloud HSM keys with the same settings.\n\nAutokey can also simplify usage of Terraform for key management,\nremoving the need to run infrastructure-as-code with elevated key-creation\nprivileges.\n\nTo use Autokey, you must have an organization resource that contains\na folder resource. For more information about organization and folder resources,\nsee [Resource hierarchy](/resource-manager/docs/cloud-platform-resource-hierarchy).\n\nCloud KMS Autokey is available in all Google Cloud locations where\nCloud HSM is available. For more information about Cloud KMS\nlocations, see [Cloud KMS locations](/kms/docs/locations). There is no\nadditional cost to use Cloud KMS Autokey. Keys created using\nAutokey are priced the same as any other Cloud HSM keys. For\nmore information about pricing, see [Cloud Key Management Service pricing](/kms/pricing).\n\nFor more information about Autokey, see\n[Autokey overview](/kms/docs/autokey-overview).\n\nChoose between Autokey and other encryption options\n---------------------------------------------------\n\nCloud KMS with Autokey is like an autopilot for\ncustomer-managed encryption keys: it does the work on your behalf, on demand.\nYou don't need to plan keys ahead of time or create keys that might never be\nneeded. Keys and key usage are consistent. You can define the folders where you\nwant Autokey to be used and control who can use it. You retain full\ncontrol of the keys created by Autokey. You can use manually-created\nCloud KMS keys alongside keys created using Autokey. You can\ndisable Autokey and continue to use the keys it created the same way\nyou'd use any other Cloud KMS key.\n\nCloud KMS Autokey is a good choice if you want consistent key usage across\nprojects, with a low operational overhead, and want to follow Google's\nrecommendations for keys.\n\nIf you need to use a protection level other than `HSM` or a custom rotation period,\nyou can use [CMEK](/kms/docs/cmek) without Autokey.\n\nCompatible services\n-------------------\n\nThe following table lists services that are compatible with\nCloud KMS Autokey:\n\nWhat's next\n-----------\n\n- To learn more about how Cloud KMS Autokey works, see [Autokey overview](/kms/docs/autokey-overview)."]]
