GCP - Key Management
- Cloud KMS: supports CMEK (customer-managed encryption keys), customer owns the key
- Cloud KMS with Autokey: you retain full control of the keys created by Autokey, and you can use manually created Cloud KMS keys alongside them. See https://cloud.google.com/kms/docs/kms-autokey
- Google default encryption: customer does not own the key
KMS vs HSM
Cloud KMS is a software-based service for managing keys, while HSMs are dedicated hardware devices. HSMs offer enhanced security and performance due to their specialized hardware design. Businesses often use a combination of both, leveraging Cloud KMS for key management and HSMs for sensitive key storage and operations.