Google CloudCloud Key Management ServiceSecurity & Identity

`google_kms_crypto_key_version` cost estimation

An individual cryptographic key version in Cloud KMS, billed per active version per month (software ~$0.06; HSM more), plus per cryptographic operation.

A google_kms_crypto_key_version is a single version of a key in Cloud KMS — keys are rotated by creating new versions, and you're billed per active key version. A software symmetric key version is ~$0.06/month; HSM-backed versions cost more (~$1+/version depending on level), and external/EKM versions more still. On top of version storage, cryptographic operations bill per 10,000 (a small fraction of a cent).

It's an inexpensive service, but two things make it accumulate: rotation and protection level. Each rotation creates a new active version that bills until destroyed — so frequent rotation with no version cleanup grows the count. And HSM/external protection levels cost an order of magnitude more per version than software, so choosing a higher protection level than you need multiplies the per-version cost.

The levers: match the protection level to the actual requirement (software for most, HSM only where compliance demands it), set a sensible rotation period (frequent rotation is good security but more billable versions), and destroy old versions you no longer need to decrypt past data with.

c3x prices the key version from its protection level, so the per-version cost — and the multiplier across rotations and HSM keys — is visible.

Terraform example

A minimal but realistic configuration that C3X can estimate.

resource "google_kms_key_ring" "main" {
  name     = "app-keyring"
  location = "us-central1"
}

resource "google_kms_crypto_key" "data" {
  name            = "data-key"
  key_ring        = google_kms_key_ring.main.id
  rotation_period = "7776000s" # 90 days

  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "SOFTWARE"
  }
}

Pricing dimensions

What you actually pay for when you provision google_kms_crypto_key_version.

Dimension	Unit	What's being charged
Active key version	per version-month	Per active key version. Software ~$0.06; HSM and external protection levels cost more. Rotation creates new billable versions. $0.06/version-month (software symmetric)
Cryptographic operations	per 10K operations	Encrypt/decrypt/sign operations, billed per 10,000. A fraction of a cent. Usage-based.

Sample C3X output

One active software symmetric key version:

google_kms_crypto_key_version.v1
└─ Active key version (software)   1 version-month   $0.06
                                   Monthly           $0.06

Optimization tips

Common ways to reduce google_kms_crypto_key_version cost without changing the workload.

Match protection level to the requirement

Large per version vs HSM/external

Software versions are ~$0.06; HSM-backed cost an order of magnitude more, and external/EKM more still. Use software for most keys and HSM only where compliance specifically requires hardware-backed keys — the protection level multiplies per-version cost.

Set a sensible rotation period

Per excess active version

Each rotation creates a new active version that bills until destroyed. Rotation is good security, but very frequent rotation on many keys grows the version count and cost — balance the rotation period against the per-version fee.

Destroy old versions you no longer need

$0.06+/month per destroyed version

Disabled-but-not-destroyed versions still bill. Once you no longer need a version to decrypt past data, schedule it for destruction so it stops accruing the per-version fee.

FAQ

How is a Cloud KMS key version billed?

Per active key version per month — ~$0.06 for software symmetric, more for HSM-backed and external/EKM — plus per-operation charges (per 10,000 cryptographic operations, a fraction of a cent). Rotation creates new billable versions.

Why is my KMS cost higher than expected?

Usually protection level or version count. HSM/external versions cost an order of magnitude more than software, and frequent rotation across many keys (with old versions not destroyed) multiplies the per-version fee. Match the level to need and clean up old versions.

How does c3x estimate the cost?

From the version's protection level (software vs HSM/external), pricing the per-version-month fee. Operations are usage-driven; multiply by version count for the total across rotations.

Related resources

AWS

aws_kms_key

The AWS managed-key counterpart

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including google_kms_crypto_key_version.

Get Started Star on GitHub

← Browse all Google Cloud resources