Cloud KMS generates a key called the KEK (key encrypting key). This key DOES NOT encrypt your payload data. It just encrypts the key that is going to encrypt that data (also known as DEK or data encryption key).

Where is the wrapped DEK stored?

The wrapped DEK is stored along with the payload data.

Can you export keys?

No.

Yes.

Are keys constrained to a geographic location?

Keys belong to a region, but are not constrained to that region. For more information, see Cloud KMS locations.

No.

For keys used for symmetric encryption, yes. See Automatic rotation: Setting the rotation period for a key.

For keys used for asymmetric encryption or asymmetric signing, no. To learn more, see Considerations for asymmetric key rotation.

Key rotation does not automatically re-encrypt data. When you decrypt data, Cloud KMS knows which key version to use for the decryption. As long as a key version is not disabled or destroyed, Cloud KMS can decrypt data protected with that key.