GCP KMS has an 'External Key Manager' feature: Can this be used for encryption-at-rest?


I am using MongoDB Cloud/Atlas.

Last week I watched a MongoDB webinar about security in MongoDB, and the security developer from MongoDB said that Google Cloud Platform (GCP) is one of three (next to Azure and Amazon) possible Key Management Services that can be used for encryption.

Furthermore, he pointed out a special case: GCP has the “External Key Manager” feature, which allows passing through to an external one.
He said that only in connection with a question about client-side field level encryption.

I know that GCP can also be a KMS for encryption-at-rest.
So I assume that the “External Key Manager” (EKM) feature could also be used there, but I am not sure.

Can anybody confirm that GCP EKM can be used for encryption-at-rest too? Or does someone even do it that way?



PS: The background of my question is to set up an external KMS which is >EU-based<, probably accepting that it is passed through GCP. Any further help in that direction is very welcome.