diff --git a/google/resource_kms_crypto_key.go b/google/resource_kms_crypto_key.go
index 6ef0334f..95727c21 100644
--- a/google/resource_kms_crypto_key.go
+++ b/google/resource_kms_crypto_key.go
@@ -2,6 +2,7 @@ package google
 
 import (
 	"fmt"
+	"github.com/hashicorp/terraform/helper/validation"
 	"log"
 	"regexp"
 	"strconv"
@@ -39,6 +40,27 @@ func resourceKmsCryptoKey() *schema.Resource {
 				Optional:     true,
 				ValidateFunc: validateKmsCryptoKeyRotationPeriod,
 			},
+			"version_template": {
+				Type:     schema.TypeList,
+				MaxItems: 1,
+				Optional: true,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"algorithm": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"protection_level": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ForceNew:     true,
+							Default:      "SOFTWARE",
+							ValidateFunc: validation.StringInSlice([]string{"SOFTWARE", "HSM", ""}, false),
+						},
+					},
+				},
+			},
 			"self_link": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -84,7 +106,10 @@ func resourceKmsCryptoKeyCreate(d *schema.ResourceData, meta interface{}) error
 		Name:      d.Get("name").(string),
 	}
 
-	key := cloudkms.CryptoKey{Purpose: "ENCRYPT_DECRYPT"}
+	key := cloudkms.CryptoKey{
+		Purpose:         "ENCRYPT_DECRYPT",
+		VersionTemplate: expandVersionTemplate(d.Get("version_template").([]interface{})),
+	}
 
 	if d.Get("rotation_period") != "" {
 		rotationPeriod := d.Get("rotation_period").(string)
@@ -133,6 +158,10 @@ func resourceKmsCryptoKeyUpdate(d *schema.ResourceData, meta interface{}) error
 		key.RotationPeriod = rotationPeriod
 	}
 
+	if d.HasChange("version_template") {
+		key.VersionTemplate = expandVersionTemplate(d.Get("version_template").([]interface{}))
+	}
+
 	cryptoKey, err := config.clientKms.Projects.Locations.KeyRings.CryptoKeys.Patch(cryptoKeyId.cryptoKeyId(), &key).UpdateMask("rotation_period,next_rotation_time").Do()
 
 	if err != nil {
@@ -165,6 +194,10 @@ func resourceKmsCryptoKeyRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("rotation_period", cryptoKey.RotationPeriod)
 	d.Set("self_link", cryptoKey.Name)
 
+	if err = d.Set("version_template", flattenVersionTemplate(cryptoKey.VersionTemplate)); err != nil {
+		return fmt.Errorf("Error setting version_template in state: %s", err.Error())
+	}
+
 	d.SetId(cryptoKeyId.cryptoKeyId())
 
 	return nil
@@ -219,6 +252,33 @@ and all its CryptoKeyVersions will be destroyed, but it will still be present on
 	return nil
 }
 
+func expandVersionTemplate(configured []interface{}) *cloudkms.CryptoKeyVersionTemplate {
+	if configured == nil || len(configured) == 0 {
+		return nil
+	}
+
+	data := configured[0].(map[string]interface{})
+	return &cloudkms.CryptoKeyVersionTemplate{
+		Algorithm:       data["algorithm"].(string),
+		ProtectionLevel: data["protection_level"].(string),
+	}
+}
+
+func flattenVersionTemplate(versionTemplate *cloudkms.CryptoKeyVersionTemplate) []map[string]interface{} {
+	if versionTemplate == nil {
+		return nil
+	}
+
+	versionTemplateSchema := make([]map[string]interface{}, 0, 1)
+	data := map[string]interface{}{
+		"algorithm":        versionTemplate.Algorithm,
+		"protection_level": versionTemplate.ProtectionLevel,
+	}
+
+	versionTemplateSchema = append(versionTemplateSchema, data)
+	return versionTemplateSchema
+}
+
 func validateKmsCryptoKeyRotationPeriod(value interface{}, _ string) (ws []string, errors []error) {
 	period := value.(string)
 	pattern := regexp.MustCompile("^([0-9.]*\\d)s$")
diff --git a/google/resource_kms_crypto_key_test.go b/google/resource_kms_crypto_key_test.go
index dd23a03d..dbf8f796 100644
--- a/google/resource_kms_crypto_key_test.go
+++ b/google/resource_kms_crypto_key_test.go
@@ -270,6 +270,10 @@ resource "google_kms_crypto_key" "crypto_key" {
 	name            = "%s"
 	key_ring        = "${google_kms_key_ring.key_ring.self_link}"
 	rotation_period = "1000000s"
+	version_template {
+		algorithm =        "GOOGLE_SYMMETRIC_ENCRYPTION"
+		protection_level = "SOFTWARE"
+	}
 }
 	`, projectId, projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName)
 }
diff --git a/website/docs/r/google_kms_crypto_key.html.markdown b/website/docs/r/google_kms_crypto_key.html.markdown
index ac07e13b..42edd80e 100644
--- a/website/docs/r/google_kms_crypto_key.html.markdown
+++ b/website/docs/r/google_kms_crypto_key.html.markdown
@@ -59,6 +59,19 @@ The following arguments are supported:
     the primary. The first rotation will take place after the specified period. The rotation period has the format
     of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than
     a day (ie, 86400).
+    
+* `version_template` - (Optional) A template describing settings for new crypto key versions. Structure is documented below.
+
+---
+
+The `version_template` block supports:
+
+* `algorithm` - (Required)  The algorithm to use when creating a version based on this template.
+See the [algorithm reference](https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm)
+for possible inputs.
+
+* `protection_level` - (Optional) The protection level to use when creating a version based on this template.
+One of `SOFTWARE`, or `HSM`.
 
 ## Attributes Reference