Cloud HSM
Author: Venkata Sudhakar
Google Cloud HSM (Hardware Security Module) is a managed cloud HSM service that lets you host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified hardware security modules. It is part of Cloud KMS and provides the highest level of key protection available on GCP.

Key Features:
1. FIPS 140-2 Level 3 - Keys are protected by certified hardware with tamper-evident physical security.
2. Fully managed - Google manages the HSM hardware, firmware, and availability. No on-premises hardware is needed.
3. Cloud KMS integration - HSM keys are managed through the same Cloud KMS API and Console.
4. Key non-exportability - Private key material never leaves the HSM boundary.
5. Regulatory compliance - Meets the requirements of PCI-DSS, HIPAA, FedRAMP, and other frameworks that require HSM-backed keys.

The example below shows how to create an HSM-protected key using Cloud KMS with gcloud.
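The gcloud steps referred to above, written out as an added example (this is not the original post's script). The project, location, key ring and key names are placeholders taken from the sample output; the script also adds a guard that reads `gcloud kms keys describe` output and refuses to encrypt unless the key actually reports protection level HSM, since omitting --protection-level silently produces a SOFTWARE key.

```shell
#!/bin/sh
# Added example (not the original post's script): create an HSM-protected Cloud KMS key with
# gcloud and refuse to encrypt unless the key really reports protectionLevel HSM.
# Names below are placeholders matching the sample output; override them via the environment.
set -eu
PROJECT="${PROJECT:-my-project}"
LOCATION="${LOCATION:-us-central1}"
KEYRING="${KEYRING:-hsm-keyring}"
KEY="${KEY:-hsm-encryption-key}"

create_keyring() {
  # Key rings cannot be deleted, so treat "already exists" as success and reuse it.
  gcloud kms keyrings create "$KEYRING" --project "$PROJECT" --location "$LOCATION" \
    || echo "key ring $KEYRING already exists, reusing it" >&2
  echo "Key ring created: $KEYRING"
}
create_hsm_key() {
  # --protection-level hsm is what puts the key material inside the HSM; without it
  # Cloud KMS creates a SOFTWARE key.
  gcloud kms keys create "$KEY" --project "$PROJECT" --location "$LOCATION" \
    --keyring "$KEYRING" --purpose encryption --protection-level hsm
  echo "HSM Key created: $KEY"
}
describe_key() {
  gcloud kms keys describe "$KEY" --project "$PROJECT" --location "$LOCATION" --keyring "$KEYRING"
}
# Reads `gcloud kms keys describe` output on stdin; succeeds only if every
# protectionLevel field (primary version and version template) says HSM.
assert_hsm_level() {
  levels=$(sed -n 's/^[[:space:]]*protectionLevel:[[:space:]]*//p')
  [ -n "$levels" ] || return 1
  for l in $levels; do [ "$l" = "HSM" ] || return 1; done
}

# Encrypt a file, but only after confirming the key is HSM-backed.
encrypt_with_hsm_key() {
  plaintext="$1"; ciphertext="$2"
  describe_key | assert_hsm_level || { echo "refusing: $KEY is not HSM-protected" >&2; return 1; }
  gcloud kms encrypt --project "$PROJECT" --location "$LOCATION" --keyring "$KEYRING" \
    --key "$KEY" --plaintext-file "$plaintext" --ciphertext-file "$ciphertext"
  echo "Encryption successful. Output written to $ciphertext"
}

# Usage: sh cloud_hsm_key.sh run plaintext.txt encrypted.bin
case "${1:-}" in
  run) create_keyring; create_hsm_key
       echo "gcloud kms keys describe $KEY:"; describe_key
       encrypt_with_hsm_key "$2" "$3" ;;
esac
```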
It gives the following output:

Key ring created: hsm-keyring
HSM Key created: hsm-encryption-key
gcloud kms keys describe hsm-encryption-key:
name: projects/my-project/locations/us-central1/keyRings/hsm-keyring/cryptoKeys/hsm-encryption-key
primary:
  protectionLevel: HSM
  algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
  state: ENABLED
Encryption successful. Output written to encrypted.bin
Cloud HSM vs Software Keys in Cloud KMS:
1. HSM keys (PROTECTION_LEVEL=HSM) - FIPS 140-2 Level 3, hardware-backed, tamper-evident. Required for the highest security compliance. ~2-3x more expensive than software keys.
2. Software keys (PROTECTION_LEVEL=SOFTWARE) - FIPS 140-2 Level 1, software-backed. Sufficient for most use cases. Lower cost and higher throughput.