這算是 Google Cloud Platform 在補產品線,讓那些有強制使用 HSM 的需求的應用 (通常是遇到一定要 FIPS 140-2 的規範) 可以搬上雲端:「Introducing Cloud HSM beta for hardware crypto key security」。
從圖片上可以看到 LiquidSecurity,應該是「LiquidSecurity® General Purpose HSM Adapters and Appliances」這個產品:
如同 AWS 的 CloudHSM 服務,GCP 的 Cloud HSM 也是提供 FIPS 140-2 Level 3:
Cloud HSM allows you to host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs (shown below).
演算法上,支援 AES、RSA 與 ECC (NIST 的 P-256 與 P-384):
In addition to symmetric key encryption using AES-256 keys, you can now create various types of asymmetric keys for decryption or signing operations, which means that you can now store your keys used for PKI or code signing in a Google Cloud managed keystore. Specifically, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 keys will be available for signing operations, while RSA 2048, RSA 3072, and RSA 4096 keys will also have the ability to decrypt blocks of data.
目前只支援 us-east1 與 us-west1,另外價錢也比軟體服務版本的 Cloud KMS 貴不少:
| Billable item | For keys with protection level SOFTWARE | For keys with protection level HSM |
|---|---|---|
| Active AES-256 and RSA 2048 key versions | $0.06 per month | $1.00 per month |
| Active RSA 3072, RSA 4096 or Elliptic Curve key versions | $0.06 per month | $2.50 per month for the first 2,000 $1.00 per month thereafter |
| Destroyed key versions | Free | Free |
| Key operations: Cryptographic | $0.03 per 10,000 operations | $0.03 per 10,000 operations for AES-256 and RSA 2048 keys $0.15 per 10,000 operations for RSA 3072, RSA 4096, and Elliptic Curve keys |
| Key operations: Admin | Free | Free |
不過一般情況應該不會得用 CloudHSM,先有個印象就好...
