google_kms_crypto_key cost estimation
Customer-managed encryption keys. Software keys $0.06/key-month + $0.03/10K operations. HSM keys $1-$2.50/key-month + $0.03/10K operations. External Key Manager (EKM) keys also supported.
Cloud KMS provides cryptographic key management. The google_kms_crypto_key resource creates a key within a key ring. Pricing depends on protection level (software vs HSM) and operation count.
Software keys:
- $0.06/key-month
- $0.03 per 10,000 cryptographic operations (encrypt, decrypt, sign, verify)
- 99.95% SLA

HSM-protected keys (FIPS 140-2 Level 3):
- $1/key-month for symmetric AES-256
- $2.50/key-month for asymmetric (RSA, ECDSA)
- $0.03 per 10K operations (RSA-2048: $0.15 per 10K)
- 99.95% SLA

External Key Manager (EKM) keys:
- $0.06/key-month
- Operations route to external KMS (Thales, Equinix, etc.)
- Higher latency than software/HSM but full key custody
Key rotation: automatic rotation creates new key versions. Old versions remain available for decryption but bill until disabled. A key with 12 versions = 12 × $0.06 = $0.72/month just for software, plus operations.
Common cost surprises:
- Each version of a key counts. Aggressive rotation (monthly) means 12+ versions.
- Cross-region keys (multi-region locations) bill the same per key but provide better availability.
- HSM keys cost 16x more than software for symmetric. Only justify for compliance.
For comparison: AWS KMS at $1/key-month for CMKs, $0.03/10K operations. Azure Key Vault at $0.03/10K operations (no per-key fee). GCP software keys at $0.06/key-month with cheaper operations.
c3x estimates KMS based on protection_level, algorithm, and (via c3x-usage.yml) expected operation volume.
Terraform example
A minimal but realistic configuration that C3X can estimate.
```hcl
resource "google_kms_key_ring" "main" {
  name     = "prod-keys"
  location = "us-central1"
}

resource "google_kms_crypto_key" "app" {
  name            = "app-encryption-key"
  key_ring        = google_kms_key_ring.main.id
  rotation_period = "7776000s" # 90 days

  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "SOFTWARE"
  }

  lifecycle {
    prevent_destroy = true
  }
}
```

Pricing dimensions
What you actually pay for when you provision google_kms_crypto_key.
| Dimension | Unit | What's being charged |
|---|---|---|
| Software key | per key-month | Standard customer-managed encryption key with software protection. $0.06/key-month |
| HSM key (symmetric) | per key-month | HSM-backed key, FIPS 140-2 Level 3 compliant. $1.00/key-month |
| HSM key (asymmetric) | per key-month | HSM-backed RSA/ECDSA keys. $2.50/key-month |
| Operations | per 10,000 operations | Cryptographic operations (encrypt, decrypt, sign, verify). $0.03 per 10K (RSA-2048 is $0.15) |
| Key versions | per version-month | Each enabled version of a key counts as a separate key for billing. Same as base key rate per version |
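The following estimator, added here as an illustration and not C3X's own code, applies the rates listed above to the attributes of a google_kms_crypto_key resource: it counts billable versions from the rotation period and a retention window (assumed 30-day months), applies the per-version rate for the protection level and algorithm class, and adds operation charges. The retention window and operation volume are constructed inputs, not values from the page.

```python
from math import floor

# Rates as quoted on this page (USD); a real estimate should read the current price list.
KEY_MONTH = {
    ("SOFTWARE", "symmetric"): 0.06, ("SOFTWARE", "asymmetric"): 0.06,
    ("HSM", "symmetric"): 1.00,      ("HSM", "asymmetric"): 2.50,
    ("EXTERNAL", "symmetric"): 0.06, ("EXTERNAL", "asymmetric"): 0.06,
}
OPS_PER_10K = 0.03              # encrypt/decrypt/sign/verify
HSM_RSA2048_OPS_PER_10K = 0.15  # the RSA-2048 uplift the page lists under HSM keys

def key_class(algorithm):
    """Only GOOGLE_SYMMETRIC_ENCRYPTION is symmetric; RSA_*/EC_* algorithms are asymmetric."""
    return "symmetric" if algorithm == "GOOGLE_SYMMETRIC_ENCRYPTION" else "asymmetric"

def enabled_versions(rotation_period_s, months_retained):
    """Billable versions in steady state: the primary plus one per rotation that
    falls inside the window before old versions are disabled (assumes 30-day months)."""
    if rotation_period_s is None:          # manual rotation only: one version
        return 1
    rotation_months = rotation_period_s / (30 * 86400)
    return 1 + floor(months_retained / rotation_months)

def monthly_cost(protection_level, algorithm, versions, ops_per_month):
    """Key-version charges plus operation charges, in USD per month."""
    per_version = KEY_MONTH[(protection_level, key_class(algorithm))]
    op_rate = OPS_PER_10K
    if protection_level == "HSM" and algorithm.startswith("RSA_") and "2048" in algorithm:
        op_rate = HSM_RSA2048_OPS_PER_10K
    return round(per_version * versions + op_rate * ops_per_month / 10_000, 4)

def estimate_resource(attrs, months_retained, ops_per_month):
    """Estimate from google_kms_crypto_key attributes as written in Terraform
    (provider defaults: SOFTWARE protection, GOOGLE_SYMMETRIC_ENCRYPTION)."""
    tmpl = attrs.get("version_template", {})
    rp = attrs.get("rotation_period")                  # e.g. "7776000s"
    rotation_s = int(rp.rstrip("s")) if rp else None
    versions = enabled_versions(rotation_s, months_retained)
    return monthly_cost(tmpl.get("protection_level", "SOFTWARE"),
                        tmpl.get("algorithm", "GOOGLE_SYMMETRIC_ENCRYPTION"),
                        versions, ops_per_month)

if __name__ == "__main__":
    # The page's Terraform example: software symmetric key, 90-day rotation,
    # old versions kept for 12 months, 1M operations/month (constructed volume).
    app_key = {"rotation_period": "7776000s",
               "version_template": {"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
                                    "protection_level": "SOFTWARE"}}
    print("software, 90-day rotation:", estimate_resource(app_key, 12, 1_000_000))
    hsm_key = {**app_key, "version_template": {**app_key["version_template"], "protection_level": "HSM"}}
    print("same key on HSM:", estimate_resource(hsm_key, 12, 1_000_000))
```

With those inputs the software key comes to $3.30/month (five versions at $0.06 plus $3.00 of operations) and the same key on HSM to $8.00, which is the version-count and protection-level effect the page describes.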
Optimization tips
Common ways to reduce google_kms_crypto_key cost without changing the workload.
Disable old key versions after grace period
Estimated saving: $0.06+ per disabled version
Key versions accumulate on rotation. Each version costs the per-key rate. After data has been re-encrypted under new versions, disable old ones. Disabled versions don't bill but remain available for emergency re-enable.
Use software keys unless HSM is required
Estimated saving: 94% vs HSM
HSM keys are 16x more expensive than software for symmetric crypto. Only justify when compliance (FIPS 140-2, HIPAA, etc.) explicitly requires HSM. Most workloads run fine with software keys.
Consolidate keys per logical grouping
Don't create one key per encrypted object. One key per data category (PII, financial, logs) or one per service is sufficient. Reduces key proliferation.
Tune rotation period to actual compliance needs
Default rotation is often 90 days. If compliance allows 1 year, fewer versions accumulate. For non-regulated data, manual rotation only when needed is fine.
Use ephemeral data keys for high-volume
Estimated saving: variable based on operation volume
For high-volume encryption (millions of objects), use envelope encryption: generate a data key per object, encrypt with the KMS key once. Avoids per-object KMS API calls. Standard pattern for application-level encryption.
FAQ
How does Cloud KMS compare to AWS KMS or Azure Key Vault?
Cloud KMS is cheapest per key ($0.06 vs AWS's $1; Azure has no per-key fee). AWS bills more for keys but typically less per operation. Azure has no key fee but charges per operation. For workloads with many keys and low operation counts, Cloud KMS is cheapest. For few keys and high operation counts, Azure can win.
Why are HSM keys so expensive?
HSM-backed keys provide FIPS 140-2 Level 3 hardware-based protection. The HSMs are dedicated tamper-resistant hardware appliances. The pricing reflects the operational cost of running and certifying HSM infrastructure. Required for some regulated industries; overkill for most workloads.
Does Cloud KMS encrypt my data by default?
Yes, GCP encrypts all data at rest by default using Google-managed encryption keys (no charge, no configuration). Cloud KMS adds customer-managed keys (CMEK) on top, giving you control over the keys. Use CMEK when compliance requires customer control or when you need to revoke key access independently.
Can I use my own keys (BYOK)?
Yes, via Cloud HSM (HSM-backed) or External Key Manager (EKM). EKM keeps keys in your external KMS (Thales, Equinix SmartKey, Fortanix, etc.); operations route to that external system. Higher latency than Cloud KMS native, but full key custody.
Estimate this resource in your own Terraform
Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including google_kms_crypto_key.