Google Releases Customer-Supplied Encryption Keys For Cloud

Google is now giving its Compute Engine customers full control of their security by letting them use their own encryption keys for data stored online.

Google’s Customer-Supplied Encryption Keys (CSEK) was released into beta last year, but this week Google has moved the service into general availability (GA), meaning all Compute Engine customers can use the security tool.

AES-256 bit encryption

Google Cloud Platform already automatically encrypts customer content that is stored at rest using AES-256 bit encryption mechanisms, but with CSEK, Compute Engine disks that are at rest are protected with a customer’s own encryption key, which cannot be accessed by anyone inside or outside of Google. In fact, Google claims that is doesn’t even retain the keys, but rather holds onto them ‘transiently’ to fulfil requests such as starting VMs or attaching disks.

“We designed Customer-Supplied Encryption Keys to be secure, fast and easy,” said Google’s Maya Kaczorowski and Eric Bahna.

CSEK is currently available in the United States, along with the UK, Canada, France and Germany. Google said it will expand the service to Australia, Norway, Mexico and Italy later in August.

This ‘bring your own key’ approach has already been adopted by a number of Google’s rivals, including Microsoft Azure and Amazon Web Services. The problem isn’t so much that customers don’t trust their cloud providers. In the post-Snowden world, governments and legal entities can request data at any given time, and by handing over control of keys to customers, providers can shrug off any responsibility over the encrypted data.

But, as Google warns, with great power comes great responsibility.

“Keep in mind, though, if you lose your encryption keys, we won’t be able to help you recover your keys or your data,” said Google.

Take our security quiz here!