Within a project, Cloud Key Management Service resources can be created in one of many locations. These represent the geographical regions where a Cloud KMS resource is stored and can be accessed. A key's location impacts the performance of applications using the key.
Key material for Cloud KMS and Cloud HSM keys is confined to the selected region while at rest and in use.
Support for different protection levels varies by region:
- SOFTWARE: Software keys can be created in all Cloud KMS locations.
- HSM: Multi-tenant Cloud HSM keys can be created in most Cloud KMS locations. To view locations where you can create multi-tenant Cloud HSM keys, select Supports multi-tenant HSM in the HSM support filter.
- HSM_SINGLE_TENANT: Single-tenant Cloud HSM keys can be created in select Cloud KMS locations. To view locations where you can create single-tenant Cloud HSM keys, select Supports single-tenant HSM in the HSM support filter.
- EXTERNAL: Cloud EKM keys where your EKM is accessed over the internet can be created in most Cloud KMS locations. To view locations where you can create Cloud EKM keys over the internet, select EKM by internet in the EKM support filter.
- EXTERNAL_VPC: Cloud EKM keys where your EKM is accessed over a VPC can be created in most Cloud KMS locations. To view locations where you can create Cloud EKM keys over a VPC, select EKM by VPC in the EKM support filter.
The following tables list locations available for use in Cloud KMS for different parts of the world. You can filter these locations by location type, Cloud HSM support, and Cloud EKM support:
Americas
| Location name | Location type | Location description | Cloud HSM available | Cloud EKM available |
|---|---|---|---|---|
| ca | Multi-region | Multiple regions in Canada | Multi-tenant only | Yes |
| nam3 | Multi-region | Northern Virginia and South Carolina | Multi-tenant only | Yes |
| nam4 | Multi-region | Iowa, South Carolina, and Oklahoma | Multi-tenant only | Yes |
| nam6 | Multi-region | Iowa and South Carolina | Multi-tenant only | Yes |
| nam7 | Multi-region | Iowa, Northern Virginia, and Oklahoma | Multi-tenant only | Yes |
| nam8 | Multi-region | Los Angeles, Oregon, and Salt Lake City | Multi-tenant only | Yes |
| nam9 | Multi-region | Northern Virginia and Iowa | Multi-tenant only | Yes |
| nam10 | Multi-region | Iowa, Salt Lake City, and Oklahoma | Multi-tenant only | Yes |
| nam11 | Multi-region | Iowa, South Carolina, and Oklahoma | Multi-tenant only | Yes |
| nam12 | Multi-region | Iowa, Northern Virginia, Oklahoma, and Oregon | Multi-tenant only | Yes |
| northamerica-northeast1 | Region | Montréal | Multi-tenant only | Yes |
| northamerica-northeast2 | Region | Toronto | Multi-tenant only | Yes |
| northamerica-south1 | Region | Mexico | Multi-tenant only | No |
| southamerica-east1 | Region | São Paulo | Multi-tenant only | Yes |
| southamerica-west1 | Region | Santiago | Multi-tenant only | Yes |
| us | Multi-region | Multiple regions in the United States | Multi-tenant only | Yes |
| us-central1 | Region | Iowa | Yes | Yes |
| us-east1 | Region | South Carolina | Multi-tenant only | Yes |
| us-east4 | Region | Northern Virginia | Yes | Yes |
| us-east5 | Region | Columbus | Multi-tenant only | Yes |
| us-west1 | Region | Oregon | Multi-tenant only | Yes |
| us-west2 | Region | Los Angeles | Multi-tenant only | Yes |
| us-west3 | Region | Salt Lake City | Multi-tenant only | Yes |
| us-west4 | Region | Las Vegas | Multi-tenant only | Yes |
| us-south1 | Region | Dallas | Multi-tenant only | Yes |
Asia-Pacific
| Location name | Location type | Location description | Cloud HSM available | Cloud EKM available |
|---|---|---|---|---|
| asia | Multi-region | Multiple regions in Asia | Multi-tenant only | Yes |
| asia1 | Multi-region | Tokyo, Osaka, and Seoul | Multi-tenant only | Yes |
| asia-east1 | Region | Taiwan | Multi-tenant only | Yes |
| asia-east2 | Region | Hong Kong | Multi-tenant only | Yes |
| asia-northeast1 | Region | Tokyo | Multi-tenant only | Yes |
| asia-northeast2 | Region | Osaka | Multi-tenant only | Yes |
| asia-northeast3 | Region | Seoul | Multi-tenant only | Yes |
| asia-south1 | Region | Mumbai | Multi-tenant only | Yes |
| asia-south2 | Region | Delhi | Multi-tenant only | Yes |
| asia-southeast1 | Region | Singapore | Multi-tenant only | Yes |
| asia-southeast2 | Region | Jakarta | Multi-tenant only | Yes |
| au | Multi-region | Multiple regions in Australia | Multi-tenant only | Yes |
| australia-southeast1 | Region | Sydney | Multi-tenant only | Yes |
| australia-southeast2 | Region | Melbourne | Multi-tenant only | Yes |
| in | Multi-region | Multiple regions in India | Multi-tenant only | Yes |
Europe, Middle East, and Africa
| Location name | Location type | Location description | Cloud HSM available | Cloud EKM available |
|---|---|---|---|---|
| africa-south1 | Region | Johannesburg | Multi-tenant only | Yes |
| de | Multi-region | Multiple regions in Germany | Multi-tenant only | Yes |
| eur3 | Multi-region | Belgium and Netherlands | Multi-tenant only | Yes |
| eur4 | Multi-region | Finland, Netherlands, and Belgium | Multi-tenant only | Yes |
| eur5 | Multi-region | London, Netherlands, and Belgium | Multi-tenant only | Yes |
| eur6 | Multi-region | Netherlands, Frankfurt, and Zürich | Multi-tenant only | Yes |
| eur7 | Multi-region | London, Frankfurt, and Berlin | No | Yes |
| eur8 | Multi-region | Zürich, Frankfurt, and Berlin | No | Yes |
| europe | Multi-region | Multiple regions in the European Union¹ | Multi-tenant only | Yes |
| europe-central2 | Region | Warsaw | Multi-tenant only | Yes |
| europe-north1 | Region | Finland | Multi-tenant only | Yes |
| europe-north2 | Region | Stockholm | Multi-tenant only | Yes |
| europe-southwest1 | Region | Madrid | Multi-tenant only | Yes |
| europe-west1 | Region | Belgium | Yes | Yes |
| europe-west2 | Region | London | Multi-tenant only | Yes |
| europe-west3 | Region | Frankfurt | Multi-tenant only | Yes |
| europe-west4 | Region | Netherlands | Yes | Yes |
| europe-west6 | Region | Zürich | Multi-tenant only | Yes |
| europe-west8 | Region | Milan | Multi-tenant only | Yes |
| europe-west9 | Region | Paris | Multi-tenant only | Yes |
| europe-west10 | Region | Berlin | Multi-tenant only | Yes |
| europe-west12 | Region | Turin | Multi-tenant only | Yes |
| it | Multi-region | Multiple regions in Italy | Multi-tenant only | Yes |
| me-central1 | Region | Doha | Multi-tenant only | Yes |
| me-central2 | Region | Dammam | Multi-tenant only | Yes |
| me-west1 | Region | Tel Aviv | Multi-tenant only | Yes |
europe multi-region are not
stored in the europe-west2 (London) or europe-west6
(Zürich) data centers.
Worldwide
| Location name | Location type | Location description | Cloud HSM available | Cloud EKM available |
|---|---|---|---|---|
| global | Multi-region | Global | Multi-tenant only | No |
| nam-eur-asia1 | Multi-region | North America, Europe, and Asia (Iowa, Oklahoma, Belgium, and Taiwan) | Multi-tenant only | No |
Types of locations for Cloud KMS
You can create Cloud KMS, Cloud HSM, and Cloud EKM resources in different types of locations in Google Cloud, depending on your availability requirements. Locations are added regularly. For specific information about each location, see Locations.
You can learn more about choosing the best type of location.
The following location types are available to Cloud KMS:
- Regional locations: A regional location's data centers exist in a specific geographical place. For example, a resource created in the us-central1 region is located in the central United States.
- Multi-regional locations: A multi-regional location's data centers are spread across a large geographical area. For example, a resource created in the europe multi-region persists in multiple data centers within the European Union. You can't choose which data centers within the multi-region will contain your data.
- The global location: The global location is a special multi-region. Its datacenters are spread throughout the world. You can't choose which data centers within the global multi-region will contain your data.
Choosing the best type of location
As a rule, design your application so that all of its components are geographically near each other and near your application's clients. The location of your keys is an important aspect of your application's design. After creation, a key cannot be moved or exported.
When using a multi-regional location, such as the europe multi-region,
resources persist in multiple datacenters spread across the multi-region.
Creating and updating keys in multi-regional locations, including the global
location, might be less efficient than using a single-region location. For more
information, see Reading from and writing to multi-region locations.
Use the global location if all of the following are true:
- Your application's components are distributed globally.
- You have infrequent reads or writes but use other cryptographic operations frequently.
- Your keys have no geographic residency requirements.
- You aren't using external keys.
For Customer-Managed
Encryption Keys (CMEK) integrations, you must use the same exact location as
other resources related to the integration. Some CMEK integrations don't support
the global location. For more information about CMEK integrations, see
Customer-managed encryption keys (CMEK).
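The CMEK location rule above can be checked before a key is attached to a resource. This is an added example, not Google's code: the inventory, resource names, and function names are constructed, and location IDs are compared case-insensitively as an assumption of this example.

```python
import re

# Cloud KMS key resource name, with an optional key version suffix.
KEY_NAME = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)"
    r"(?:/cryptoKeyVersions/(?P<version>[^/]+))?$"
)

# Constructed inventory: (resource, resource location, configured CMEK key name).
INVENTORY = [
    ("bucket-logs", "europe-west1",
     "projects/demo/locations/europe-west1/keyRings/r/cryptoKeys/logs"),
    ("dataset-sales", "US", "projects/demo/locations/us/keyRings/r/cryptoKeys/sales"),
    ("disk-build", "us-central1",
     "projects/demo/locations/us-east4/keyRings/r/cryptoKeys/disk"),
    ("topic-events", "global", "projects/demo/locations/global/keyRings/r/cryptoKeys/ev"),
    ("bucket-tmp", "asia-east1", "locations/asia-east1/keyRings/r/cryptoKeys/tmp"),
]


def key_location(key_name):
    """Extract the location segment from a Cloud KMS key resource name."""
    match = KEY_NAME.match(key_name)
    if match is None:
        raise ValueError(f"not a CryptoKey resource name: {key_name!r}")
    return match.group("location")


def audit_cmek_locations(inventory):
    """Return (resource, finding) for every entry that breaks the location rule."""
    findings = []
    for resource, resource_location, key_name in inventory:
        try:
            location = key_location(key_name)
        except ValueError:
            findings.append((resource, "malformed key name"))
            continue
        # Assumption: location IDs are compared case-insensitively.
        if location.lower() != resource_location.lower():
            findings.append((resource, f"key in {location}, resource in {resource_location}"))
        elif location == "global":
            findings.append((resource, "global key: confirm the integration supports it"))
    return findings
```

Because a key cannot be moved after creation, a mismatch found here means creating a new key in the correct location rather than relocating the existing one.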
Cloud EKM resources rely on connectivity between Google Cloud and an external key management service, outside of Google Cloud. For Cloud External Key Manager resources, select a location geographically as near as possible to the location where keys are stored on the external key management service.
Cloud HSM depends on availability of physical hardware in a location's datacenters. For Cloud HSM resources, select a location that supports Cloud HSM.
Cloud HSM resources have location-specific quotas. Cloud KMS quotas are global.
Multi-regional locations have separate quotas, independent of the
quotas for single-region locations. For example, to create Cloud HSM
resources in the eur5 multi-region, you must have HSM quota in eur5, even if
you already have quota in the single regions that participate in eur5, such as
europe-west2.
Reading from and writing to multi-region locations
Reading and writing resources or associated metadata in multi-regional
locations, including the global location, may be slower than reading or
writing from a single region.
- When you create or read key versions, consensus is always required among the datacenters storing the key material. Reads and writes to a single region are often more efficient than those to a multi-regional location.
- When you perform cryptographic operations, such as when encrypting or decrypting data, consensus is not required. For cryptographic operations, multi-regional locations perform similarly to single-region locations.
- When you store your keys in a location or locations geographically near the data they protect or validate, cryptographic operations are usually more efficient.
The trade-offs between performance and availability are unique to each
application. Multi-region locations, including global, are best suited for
read-heavy workloads.
Determining available regions
You can use the Google Cloud CLI or Cloud Key Management Service API to get a list of available regions.
gcloud
gcloud kms locations list
In the output from the command, the HSM_AVAILABLE column indicates whether
the location supports Cloud HSM. The EKM_AVAILABLE column indicates
whether the location supports Cloud External Key Manager. Note that EKM via VPC keys
are currently only available in regional locations.
API
Use the Locations.get and Locations.list methods.
The responses from both of these methods include boolean fields related to a location's capabilities:
- If a location supports multi-tenant Cloud HSM keys, hsmAvailable is true.
- If a location supports Cloud EKM keys, ekmAvailable is true.
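As an added example (not Google's code), the following Python checks a planned key layout against a Locations.list response using the hsmAvailable and ekmAvailable fields. The sample response, key IDs, and function names are constructed for this example; a flag missing from the response is treated as false, and protection levels that these two fields do not describe are reported as not determinable.

```python
import json

# Constructed sample shaped like a Locations.list response (illustrative, not live output).
SAMPLE = json.loads("""{"locations": [
  {"locationId": "us-east1", "metadata": {"hsmAvailable": true, "ekmAvailable": true}},
  {"locationId": "global", "metadata": {"hsmAvailable": true}},
  {"locationId": "eur7", "metadata": {"ekmAvailable": true}},
  {"locationId": "northamerica-south1", "metadata": {"hsmAvailable": true}}
]}""")

# Protection levels the two booleans can answer; SOFTWARE needs no flag.
FLAG_FOR_LEVEL = {"SOFTWARE": None, "HSM": "hsmAvailable", "EXTERNAL": "ekmAvailable"}


def supports(response, location_id, level):
    """Return True/False, or None when the response cannot answer."""
    if level not in FLAG_FOR_LEVEL:
        return None  # e.g. HSM_SINGLE_TENANT, EXTERNAL_VPC: not covered by these fields
    for loc in response.get("locations", []):
        if loc.get("locationId") == location_id:
            flag = FLAG_FOR_LEVEL[level]
            # Assumption: a flag missing from the JSON is treated as false.
            return True if flag is None else bool(loc.get("metadata", {}).get(flag, False))
    return False  # location not offered at all


def review_plan(response, plan, allowed_locations=None):
    """plan: list of (key_id, location_id, protection_level). Returns findings."""
    findings = []
    for key_id, location_id, level in plan:
        if allowed_locations is not None and location_id not in allowed_locations:
            findings.append((key_id, "location outside residency allowlist"))
            continue
        ok = supports(response, location_id, level)
        if ok is None:
            findings.append((key_id, f"{level} support not determinable from these fields"))
        elif not ok:
            findings.append((key_id, f"{location_id} does not support {level}"))
    return findings


if __name__ == "__main__":
    plan = [("db-cmek", "us-east1", "HSM"), ("ekm-key", "global", "EXTERNAL"),
            ("sign-key", "eur7", "HSM"), ("vpc-key", "us-east1", "EXTERNAL_VPC")]
    for finding in review_plan(SAMPLE, plan):
        print(finding)
```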
What's next
- Learn more about Geography and regions in Google Cloud.
- See the full list of Cloud locations.