The requirement to ensure the master encryption key material never leaves the on-premises hardware (HSM) and retaining the unilateral ability to revoke access are the defining features of Cloud External Key Manager (Cloud EKM).

Key Residency: Cloud EKM allows you to use encryption keys stored and managed in a supported external key management system, such as an on-premises HSM, for encrypting data in Google Cloud services like BigQuery and Cloud Storage. This ensures the key material remains in your accredited hardware.

Unilateral Control: Since Google Cloud must request the key from the external system for every encryption/decryption operation, revoking access (by disabling the key or revoking Google's access) in the external system immediately renders the data in Google Cloud inaccessible, granting the customer unilateral control.

Extracts:

"Cloud External Key Manager (Cloud EKM) is a cloud service that lets you encrypt data in Google Cloud with keys you manage outside of Google Cloud." (Source 6.1)

"The key material is stored on an external system, such as a Cloud EKM partner or an on-premises HSM, and never leaves that system." (Source 6.1)

"The customer can unilaterally revoke access to the key at the EKM system, making the encrypted data in Google Cloud inaccessible, which is a key requirement for highly regulated industries." (Source 6.2)