In Google Cloud Platform news, Google announced the addition of Customer-Supplied Encryption Keys for Google Compute Engine in beta. This will enable you to bring your own keys to encrypt compute resources, the company says.
This is available in select countries, though Google doesn’t clearly specify which ones. You can access the keys through the API, Developers Console, or command-line interface, gcloud. It’s rolling out to the free trial, and will be available soon.
“Google Compute Engine already protects all customer data with industry-standard AES-256 bit encryption,” says product manager Leonard Law in a blog post. “Customer-Supplied Encryption Keys marries the hardened encryption framework built into Google’s infrastructure with encryption keys that are owned and controlled exclusively by you. You create and hold the keys, you determine when data is active or at rest, and absolutely no one inside or outside Google can access your at rest data without possession of your keys. Google does not retain your keys, and only holds them transiently in order to fulfill your request.”
“All of your compute assets are encrypted using the industry-leading AES-256 standard, and Google never retains your keys, meaning Google cannot decrypt your data at rest,” says Law. “Unlike many solutions, Customer-Supplied Encryption Keys cover all forms of data at rest for Compute Engine, including data volumes, boot disks, and SSDs. Google Compute Engine is already encrypting all of your data at rest, and Customer-Supplied Encryption Keys gives you greater control, without additional overhead.”
Google says that since it thinks encryption should be enabled by default for cloud services, it’s not charging for the option to bring your own keys. Just remember, Google won’t be able to help you recover your keys or data if you lose your keys.