How Cloud HSM works

When you use a Cloud HSM key, your key stays securely within the Cloud HSM – Google can't cache or copy it. Cloud HSMs are special physical devices that generate, store, and manage encryption keys. They're designed to be tamper-proof, and even Google personnel can't access them.

Here's how it works:

  1. Generating and Encrypting Data:

    • To encrypt data using a Cloud HSM key, Spacewell creates a key request.

    • This request goes to the Cloud HSM (managed by the client within Google), which generates the key and returns the encrypted key to Spacewell.

    • Spacewell can now use this encrypted key to encrypt your data.

  2. Decrypting Data:

    • To decrypt data encrypted with a Cloud HSM key, Spacewell sends the encrypted key to the Cloud HSM.

    • The Cloud HSM decrypts the key and returns the plaintext key to Spacewell.

    • Spacewell then uses this plaintext key to decrypt your data.

Because the Cloud HSM key never leaves the Cloud HSM, Google can't cache or copy it. This makes Cloud HSM keys especially secure for storing highly sensitive data, such as financial or healthcare information.
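The two steps above, run end to end as an added example (not Spacewell's or Google's code). `MockHsm`, `generateDataKey`, `decryptDataKey`, `encryptRecord` and `decryptRecord` are hypothetical names and AES-256-GCM is an assumed cipher. It also assumes the key request returns the data key both in plaintext for immediate use and encrypted for storage.

```javascript
const crypto = require('crypto');

// AES-256-GCM helpers. Blob layout: nonce (12 bytes) | tag (16 bytes) | ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

function unseal(key, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Hypothetical stand-in for the Cloud HSM. The HSM key is a private field
// and no method returns it; callers only ever see data keys.
class MockHsm {
  #hsmKey = crypto.randomBytes(32);
  generateDataKey() {
    const plaintextKey = crypto.randomBytes(32);
    return { plaintextKey, encryptedKey: seal(this.#hsmKey, plaintextKey) };
  }
  decryptDataKey(encryptedKey) {
    return unseal(this.#hsmKey, encryptedKey); // throws if the blob was altered
  }
}

// Step 1: request a data key, encrypt, keep only the encrypted key with the data.
function encryptRecord(hsm, data) {
  const { plaintextKey, encryptedKey } = hsm.generateDataKey();
  const ciphertext = seal(plaintextKey, Buffer.from(data, 'utf8'));
  plaintextKey.fill(0); // drop the plaintext data key once it has been used
  return { encryptedKey, ciphertext };
}

// Step 2: send the encrypted key to the HSM, decrypt with the returned key.
function decryptRecord(hsm, record) {
  const plaintextKey = hsm.decryptDataKey(record.encryptedKey);
  try {
    return unseal(plaintextKey, record.ciphertext).toString('utf8');
  } finally {
    plaintextKey.fill(0);
  }
}

const hsm = new MockHsm();
const record = encryptRecord(hsm, 'constructed sample: meter reading 42');
console.log(decryptRecord(hsm, record));
```

The stored record holds only the encrypted data key and the ciphertext, so it cannot be read without a round trip to the HSM that wrapped the key.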

[Figure: A flow describing how Cloud HSM works]