Google Cloud Platform Blog
Product updates, customer stories, and tips and tricks on Google Cloud Platform
Bring Your Own Encryption Keys to Google Cloud Platform
Tuesday, July 28, 2015
Do you want the power and flexibility of public cloud, but are concerned about losing control over data security? We can help. Security is at the core of Google’s architecture - we’ve spent years developing one of the world’s most advanced and secure infrastructures. We’re committed to providing you great security, and giving you more control over how you manage security on Google Cloud Platform.
Today, we are adding Customer-Supplied Encryption Keys for Google Compute Engine in beta, which allow you to bring your own keys to encrypt compute resources. Google Compute Engine already protects all customer data with industry-standard AES-256 encryption. Customer-Supplied Encryption Keys marries the hardened encryption framework built into Google’s infrastructure with encryption keys that are owned and controlled exclusively by you. You create and hold the keys, you determine when data is active or at rest, and absolutely no one inside or outside Google can access your at-rest data without possession of your keys. Google does not retain your keys, and only holds them transiently in order to fulfill your request.
Customer-Supplied Encryption Keys are now available in beta in select countries. Starting today, you can access Customer-Supplied Encryption Keys through our API, our Developers Console, and our command-line interface, gcloud. This new functionality is currently rolling out to the Free Trial and will be available soon.
Customer-Supplied Encryption Keys provides you unprecedented control over encryption in the public cloud:
Secure: All of your compute assets are encrypted using the industry-leading AES-256 standard, and Google never retains your keys, meaning Google cannot decrypt your data at rest.
Comprehensive: Unlike many solutions, Customer-Supplied Encryption Keys cover all forms of data at rest for Compute Engine, including boot and data persistent disks.
Fast: Google Compute Engine is already encrypting all of your data at rest, and Customer-Supplied Encryption Keys gives you greater control, without additional overhead.
Included Free: We feel that encryption should be enabled by default for cloud services; we’re not going to charge you more for the option to bring your own keys.
"Google Compute Engine gives us the performance and scale to process high-volume transactions in the financial markets. With Customer-Supplied Encryption Keys, we can independently control data encryption for our clients without incurring additional expenses from integrating third-party encryption providers. This control is critical for us to realize the price/performance benefits of the cloud in a highly regulated industry."
Neil Palmer, CTO of Sungard Consulting Services
Security is as much about control as it is about data protection. With Customer-Supplied Encryption Keys, we are giving you control over how your data is encrypted with Google Compute Engine. Keep in mind, though, if you lose your encryption keys, we won’t be able to help you recover your keys or your data - with great power comes great responsibility!
Retain control while taking advantage of the cloud. Try Customer-Supplied Encryption Keys and let us know how it’s going on the Google Compute Engine forum. We love hearing from you.
- Posted by Leonard Law, Product Manager