By the SwyDex team

KMS providers compared: GCP vs AWS vs Vault

For envelope encryption you need a KMS provider that:

  • Has a hard separation between “encrypt” and “decrypt” permissions.
  • Lets you rotate the underlying key without re-wrapping every blob.
  • Is reliable enough that your runtime can call it once at boot and trust the result.

We evaluated three: GCP Cloud KMS, AWS KMS, HashiCorp Vault. We picked GCP. Here's what we found:

GCP Cloud KMS

Cleanest IAM model. Decrypt-only is a single role (roles/cloudkms.cryptoKeyDecrypter). Multi-region keys mean we get HA without paying for it. ~$0.06/month per software key. Console UI is fine. Auth via service account JSON is well-documented but the file is sensitive — we mount it read-only and chown it to the container UID.

AWS KMS

More features (HSM-backed keys, more granular policy). Pricier ($1/mo per key, plus per-call fees). The IAM model conflates “use a key” with “manage a key” in some defaults; you have to write key policies carefully. If you're already in AWS, the friction is lower; if not, the GCP path is shorter.

HashiCorp Vault

Self-hosted means more flexibility and zero per-call fees, but you're on the hook for HA and for backing up the seal. We'd revisit this if we ever wanted to hold KMS in our own data center; for cloud, the operational tax wasn't worth it.

One thing all three get right: the key never leaves the KMS. You send the ciphertext plus your service account credential, and you get plaintext back. The ciphertext sitting in our env file (the wrapped data key) is useless without the corresponding KMS access.
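To make the three requirements at the top of the post and the "key never leaves the KMS" point concrete, here is an added example (not SwyDex code, and not the GCP, AWS or Vault client API). It stands up a constructed in-process `FakeKMS` whose key-encryption keys (KEKs) never leave the struct, splits callers into an encrypt-only and a decrypt-only `Role`, and keeps every KEK version decryptable so a rotation does not force re-wrapping. The envelope flow is then: mint a data key (DEK) at deploy time and wrap it with the encrypt-only credential, encrypt data locally under the DEK, rotate the KEK, and at boot make the single `Decrypt` call with the decrypt-only credential. AES-256-GCM as the wrap primitive, the one-byte version prefix, and all type and function names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

type Role int // hard encrypt/decrypt split (constructed names, not provider roles)
const (
	Encrypter Role = iota // deploy-time credential: may wrap, never unwrap
	Decrypter             // runtime credential: may unwrap, never wrap
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: refuse to continue
	}
	return b
}

// aeadFor builds AES-256-GCM; sealWith/openWith use the layout nonce || ciphertext.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func sealWith(key, plaintext []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func openWith(key, blob []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, errors.New("blob too short")
}

// FakeKMS is a constructed in-process stand-in for a cloud KMS: KEKs never leave it.
type FakeKMS struct {
	versions map[byte][]byte // key version -> 256-bit KEK
	primary  byte
}

// Rotate adds a new primary KEK; old versions stay decryptable, so nothing is re-wrapped.
func (k *FakeKMS) Rotate() {
	if k.versions == nil {
		k.versions = map[byte][]byte{}
	}
	k.primary++
	k.versions[k.primary] = randBytes(32)
}

// Encrypt wraps under the primary version: version byte || nonce || ciphertext.
func (k *FakeKMS) Encrypt(role Role, plaintext []byte) ([]byte, error) {
	if role != Encrypter {
		return nil, errors.New("permission denied: caller lacks encrypt")
	}
	body, err := sealWith(k.versions[k.primary], plaintext)
	if err != nil {
		return nil, err
	}
	return append([]byte{k.primary}, body...), nil
}

// Decrypt reads the version byte to pick the KEK, so any retained version opens.
func (k *FakeKMS) Decrypt(role Role, ciphertext []byte) ([]byte, error) {
	if role != Decrypter {
		return nil, errors.New("permission denied: caller lacks decrypt")
	}
	if len(ciphertext) == 0 || k.versions[ciphertext[0]] == nil {
		return nil, errors.New("empty ciphertext or unknown key version")
	}
	return openWith(k.versions[ciphertext[0]], ciphertext[1:])
}

func main() {
	kms := &FakeKMS{}
	kms.Rotate()
	dek := randBytes(32)                                // deploy time: mint a DEK ...
	wrapped, _ := kms.Encrypt(Encrypter, dek)           // ... and wrap it; this goes in the env file
	blob, _ := sealWith(dek, []byte("customer record")) // data is encrypted locally with the DEK
	kms.Rotate()                                        // KEK rotated; env file untouched
	dek2, err := kms.Decrypt(Decrypter, wrapped)        // boot: the one KMS call
	pt, _ := openWith(dek2, blob)
	fmt.Println(err, string(pt)) // <nil> customer record
}
```

The version byte in front of every wrapped DEK is what makes requirement two cheap: rotation only changes which KEK new wraps use, and the runtime keeps working off the old wrapped value until someone chooses to re-wrap. The `Role` check on each call is the in-process equivalent of granting the runtime service account only the decrypt role and the deploy pipeline only the encrypt role.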
