
Cloud EKM simplifies cryptographic operations by delegating part of every operation to an external key manager. When you encrypt data with a symmetric Cloud EKM key, Cloud EKM first encrypts it with its own internal key material, then sends that ciphertext to the external key manager in a request.

Here's how it works:

  1. Data Encryption:
    • Cloud EKM encrypts your data internally using its own key material.
    • The encrypted data is sent to the external key manager (EKM) through a request.
  2. External Key Encryption:
    • The EKM takes the encrypted data and adds an extra layer of encryption using its external key material.
    • The result is a ciphertext, which is then returned.
  3. Dual-Key Requirement:
    • Data encrypted with a Cloud EKM key can only be decrypted with both the external and the internal key material.

Additionally, if your organization uses Key Access Justifications, the external key management partner enforces your policy: it records the justification supplied with each access request and completes requests only for the justification reason codes your policy allows.

For those familiar with EHSM (external hardware security module): it is essentially an on-premises key management system that is not internet-connected. Keys are stored and managed locally, so access is limited to people physically present on the premises. EHSM is similar to Cloud EKM, with the External Key Manager replaced by an on-premises variant.

Caution: Both the Cloud EKM key version and the external key are required for each encryption and decryption request. If you lose access to either key, your data cannot be recovered. It is impossible to re-create an identical Cloud EKM key version using the same external key URI or key path.
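The following is an added toy model of the flow described above (the two encryption layers, the Key Access Justifications check at the EKM, and the dual-key requirement from the caution). It is not Google's code and not the real Cloud EKM protocol: the cipher is a SHA-256 counter-mode keystream with an HMAC tag, standing in for a real AEAD such as AES-GCM so that it runs with the Python standard library only, and the class names, the allowed-reason policy and the sample plaintext are constructed for illustration. The reason-code strings follow the style of the Key Access Justifications reason codes; the authoritative list is in Google's documentation, not here.

```python
# Added toy model of the two-layer Cloud EKM flow. Not Google's code.
# seal/unseal use SHA-256-CTR + HMAC as a stand-in for AES-GCM; all class,
# method and reason names below are constructed for this example.
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; toy stand-in for a block cipher keystream."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a wrong key fails loudly."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key material or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class ExternalKeyManager:
    """Partner-side EKM: holds the external key and the Key Access
    Justifications policy (set of allowed reason codes); logs every request."""

    def __init__(self, allowed_reasons: set):
        self._external_key = secrets.token_bytes(32)   # never leaves the EKM
        self.allowed_reasons = allowed_reasons
        self.access_log = []                            # (op, reason, allowed)

    def _check(self, op: str, reason: str) -> None:
        allowed = reason in self.allowed_reasons
        self.access_log.append((op, reason, allowed))   # recorded either way
        if not allowed:
            raise PermissionError(f"{op} refused: justification {reason!r} not allowed")

    def wrap(self, inner_ciphertext: bytes, reason: str) -> bytes:
        self._check("wrap", reason)
        return seal(self._external_key, inner_ciphertext)

    def unwrap(self, outer_ciphertext: bytes, reason: str) -> bytes:
        self._check("unwrap", reason)
        return unseal(self._external_key, outer_ciphertext)


class CloudEkmKey:
    """Cloud-side key version: internal key material plus its EKM reference."""

    def __init__(self, ekm: ExternalKeyManager):
        self._internal_key = secrets.token_bytes(32)
        self.ekm = ekm

    def encrypt(self, data: bytes, reason: str) -> bytes:
        inner = seal(self._internal_key, data)          # step 1: internal layer
        return self.ekm.wrap(inner, reason)             # step 2: external layer

    def decrypt(self, ciphertext: bytes, reason: str) -> bytes:
        inner = self.ekm.unwrap(ciphertext, reason)     # external layer first
        return unseal(self._internal_key, inner)        # then internal layer


def demo() -> dict:
    """Round trip, then the failure modes the page describes."""
    ekm = ExternalKeyManager(allowed_reasons={"CUSTOMER_INITIATED_ACCESS"})
    key = CloudEkmKey(ekm)
    msg = b"payroll export 2024-03"                     # constructed plaintext
    ct = key.encrypt(msg, "CUSTOMER_INITIATED_ACCESS")
    r = {"roundtrip": key.decrypt(ct, "CUSTOMER_INITIATED_ACCESS") == msg}

    try:                                                # disallowed reason code
        key.decrypt(ct, "THIRD_PARTY_DATA_REQUEST")
        r["policy_refused"] = False
    except PermissionError:
        r["policy_refused"] = True

    try:                                                # lost internal key material
        CloudEkmKey(ekm).decrypt(ct, "CUSTOMER_INITIATED_ACCESS")
        r["needs_internal_key"] = False
    except ValueError:
        r["needs_internal_key"] = True

    key.ekm = ExternalKeyManager({"CUSTOMER_INITIATED_ACCESS"})  # lost external key
    try:
        key.decrypt(ct, "CUSTOMER_INITIATED_ACCESS")
        r["needs_external_key"] = False
    except ValueError:
        r["needs_external_key"] = True

    r["log_entries"] = len(ekm.access_log)              # 4 requests reached the EKM
    return r


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three properties that matter operationally: a request with a reason code outside the policy is logged and refused before any key material is used; a freshly created Cloud EKM key version pointing at the same EKM cannot decrypt old ciphertext (the internal key material is gone); and the original key version cannot decrypt once the external key is gone, even though its internal material is intact. The EKM log also records the refused request, which is what an auditor would expect to find.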
