How Google External Key Manager and SmartKey Fortify Data Security

Shilpa Hallyal
Josh Padilla
There is good news for enterprises that depend on Google Cloud to securely maintain data: Google is giving enterprises an option with an even greater level of data security and management simplicity. To date, Google has offered its own cloud-based encryption key management options: Cloud Key Management Service (KMS) and Cloud Hardware Security Module (HSM), a hosted HSM for Google Cloud. Now, Google has an External Key Manager offering, which lets enterprises secure their Google Cloud data with an externally managed encryption key held on Platform Equinix® in Equinix SmartKey™, a SaaS-based, secure key management and cryptography service.

This option directly addresses the concerns of enterprises that want to maintain encryption keys outside of the Google infrastructure. It allows enterprises to solely and independently manage their encryption keys outside of Google Cloud through a centralized and auditable KMS. Data owners can now have their data secured in Google Cloud with the encryption keys stored only in an enterprise-owned Equinix SmartKey account rather than in Google Cloud alongside the data. When the data is no longer needed, the enterprise-owned keys in SmartKey can be deleted, enabling companies to keep full control of their data in Google Cloud. Currently, Google Compute Engine (GCE) and BigQuery are the only two services that can take advantage of the Google External Key Manager offering.

Google External Key Manager with Equinix SmartKey

Equinix SmartKey is the ideal solution for enterprises that want to take advantage of Google External Key Manager to encrypt data stored on Google Cloud.

  • SmartKey is a globally available key management as a service for data on-premises and in the cloud, including Google Cloud.
  • Deployed on-demand, without the need for procuring hardware devices or software, SmartKey runs on FIPS 140-2 L3 validated hardware.
  • It securely generates, stores and uses cryptographic keys and certificates, as well as secrets like passwords, API keys, and tokens.
  • Beyond Google Compute Engine and BigQuery, applications and containers in Google Cloud integrate with Equinix SmartKey using standard interfaces such as PKCS#11, CNG, JCE and KMIP, or the native SmartKey RESTful APIs.

Google External Key Manager now works with Equinix SmartKey™ on Platform Equinix®.

Why Equinix SmartKey with Google External Key Manager?

Higher level of security

By giving enterprises complete and exclusive control of their encryption keys, irrespective of the services in Google Cloud, and maintaining an audit trail of key access, Equinix SmartKey brings a higher level of data security and auditability.

SmartKey is based on Intel® SGX technology, which guarantees the integrity and confidentiality of security-sensitive computations. It partitions applications into secure enclaves that keep code and data confidential, protecting them from unauthorized access and from attacks by privileged software such as the kernel or hypervisor.

With SmartKey as the external key management solution for Google External Key Manager (EKM), an enterprise denies Google Cloud services the ability to decrypt its data unless access has been explicitly configured. The enterprise alone controls the encryption keys in SmartKey, and therefore controls who can encrypt and decrypt its data and who has access to it.

Centralized key management with global availability for performance

Deployed globally on Platform Equinix, Equinix SmartKey has the most secure, direct and fastest internet connectivity to Google Cloud, minimizing the latency between SmartKey and Google Cloud workloads. This enables Cloud EKM to reach your keys in SmartKey without latency-induced errors. When creating a Cloud EKM key, choose an Equinix SmartKey location from one of the current metros that is geographically close to your Google Cloud region. Equinix SmartKey is available in the following regions: North America, Europe, United Kingdom, Asia-Pacific and Australia.

SmartKey offers industry-standard reliability with nodes deployed across multiple metros in a region. It also offers automatic key replication and rotation across metros within the region for redundancy and high availability. In the event a metro suffers an outage, SmartKey automatically redirects requests to the next closest metro service endpoint.

Configure SmartKey for Google External Key Manager in minutes

The following diagram shows how Cloud KMS fits into the external key management model with SmartKey.

A customer-managed key is created in Google Cloud KMS and linked to the actual key in SmartKey through a key URI obtained from SmartKey. All requests from the services bound to this customer-managed key are then routed automatically to the encryption key in SmartKey. Disabling or deleting the key in SmartKey prevents BigQuery and Google Compute Engine persistent disks from decrypting any data encrypted with it.
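One way to carry out the linking described above, written as an added example that is neither Equinix's nor Google's own code: the project, project number, location, key-ring and key names, and the SmartKey key URI are placeholders you must replace with your own values.

```shell
#!/bin/sh
# Added example, not Equinix's or Google's own code: creates a Cloud KMS key of
# protection level "external" backed by a SmartKey key URI, then points a GCE disk
# and a BigQuery dataset at it. All names, the project number and the URI are
# assumed placeholders. DRY_RUN=1 (the default) only prints the commands; set
# DRY_RUN=0 with gcloud and bq installed and authenticated to execute them.
set -eu
PROJECT="${PROJECT:-example-project}"             # assumed
PROJECT_NUMBER="${PROJECT_NUMBER:-000000000000}"  # assumed placeholder
LOCATION="${LOCATION:-europe-west2}"              # assumed; pick the Cloud EKM region nearest the SmartKey metro
ZONE="${ZONE:-europe-west2-b}"                    # assumed
KEYRING="${KEYRING:-ekm-ring}"
KEY="${KEY:-smartkey-backed-key}"
# Key URI copied from the SmartKey console for the external key (placeholder, not a real URI).
SMARTKEY_URI="${SMARTKEY_URI:-https://SMARTKEY_ENDPOINT_PLACEHOLDER/keys/KEY_ID_PLACEHOLDER}"
DRY_RUN="${DRY_RUN:-1}"
KEY_PATH="projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY"

run() { if [ "$DRY_RUN" = "0" ]; then "$@"; else echo "$*"; fi; }

# 1. Key ring plus a symmetric key whose key material lives only in SmartKey.
create_ekm_key() {
  run gcloud kms keyrings create "$KEYRING" --location="$LOCATION"
  run gcloud kms keys create "$KEY" --keyring="$KEYRING" --location="$LOCATION" \
    --purpose=encryption --protection-level=external \
    --default-algorithm=external-symmetric-encryption --skr-uri="$SMARTKEY_URI"
}

# 2. The GCE and BigQuery service agents must be allowed to use the Cloud KMS key;
#    on the SmartKey side the Cloud EKM service account is granted access separately.
grant_service_agents() {
  for sa in "service-$PROJECT_NUMBER@compute-system.iam.gserviceaccount.com" \
            "bq-$PROJECT_NUMBER@bigquery-encryption.iam.gserviceaccount.com"; do
    run gcloud kms keys add-iam-policy-binding "$KEY" --keyring="$KEYRING" \
      --location="$LOCATION" --member="serviceAccount:$sa" \
      --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
  done
}

# 3. Consumers: a persistent disk and a dataset whose default key is the EKM-backed key.
use_ekm_key() {
  run gcloud compute disks create ekm-disk --zone="$ZONE" --size=10GB --kms-key="$KEY_PATH"
  run bq mk --dataset --location="$LOCATION" --default_kms_key="$KEY_PATH" "$PROJECT:ekm_dataset"
}

create_ekm_key; grant_service_agents; use_ekm_key
```

Once the key is in use, disabling it in SmartKey, as the paragraph above describes, makes decrypt requests through this Cloud KMS key fail without any change to the GCE or BigQuery resources.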

Building on a long-established relationship

Equinix is Google's premier cloud interconnection partner, and customers can access Google Cloud at 37 Equinix locations around the world. Secure, dedicated, high-speed connections between SmartKey, hosted on Platform Equinix and located close to Google Cloud environments globally, ensure minimum latency, maximum security and optimum performance when encrypting and decrypting data.

Equinix and Google enable enterprises to achieve a higher level of data security. Together, they simplify encryption key management through a single point of management and auditability, and support hybrid cloud strategy by localizing applications and services through interconnected ecosystems. Equinix SmartKey is the ideal way for cloud-first organizations to take advantage of Google External Key Manager capabilities with a highly secure and reliable solution.

As enterprises transfer more workloads to the cloud, securely maintaining encryption keys and making them available to applications and services regardless of cloud environment is critical to efficient operations and data security. Equinix SmartKey can be the single, centralized encryption platform that provides encryption services to on-premises, hybrid and cloud workloads with privacy and auditability required for sensitive data and regulated services moving to the public clouds. Cloud architects and data security professionals can learn more about the advantages of Equinix SmartKey by reading the Security and Resilience In Cloud, Hybrid and Multicloud Deployments report.