
Google Introduces Cloud-Based Encryption Key Management Service

by Sergio De Simone, Jan 16, 2017

Google has announced a new service for its Google Cloud Platform (GCP) that allows users to create, use, rotate, and destroy symmetric encryption keys. Although the new Cloud Key Management Service (KMS) is integrated with Google's Cloud Identity Access Management and Cloud Audit Logging, keys managed using KMS can also be used independently.

Prior to Cloud KMS, Google Cloud Platform users could either let GCP handle cryptographic keys for them automatically, or supply their own keys for server-side encryption. Cloud KMS adds a third option: keys that are created and held in the cloud and used to encrypt and decrypt data through an API. Cloud KMS also supports key rotation, either on demand or on a schedule. When a key is rotated, the older versions remain available for decryption, while a single primary version is used to encrypt new data.

According to Google, Cloud KMS can handle millions of encryption keys and offers low-latency access to them. It is worth noting that GCP encrypts data by splitting it into subfile chunks, with each chunk encrypted under its own data encryption key (DEK). DEKs are stored near the data they encrypt and are themselves protected by a key encryption key (KEK); the KEK is what you manage with Cloud KMS.

Google Cloud KMS uses AES-256 keys provided by Google's open-source BoringSSL library. Google also notes that the keys are used in Galois/Counter Mode (GCM), an authenticated-encryption mode designed for high data rates through pipelining and parallelization.
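The envelope scheme described above (data split into chunks, one DEK per chunk, each DEK wrapped by a versioned KEK, all AES-256-GCM, old key versions kept for decryption after a rotation) can be modelled in a few dozen lines. The following is an added example written for this article; it is not Google's code and does not call the Cloud KMS API. `KeyRing`, `Chunk`, `Encrypt`, `Decrypt` and the chunk-index associated data are assumptions of this illustration, and the AES-GCM implementation is Go's standard library rather than BoringSSL.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Chunk is one encrypted subfile chunk: its own DEK wrapped under one KEK
// version, plus the chunk ciphertext under that DEK (both AES-256-GCM).
type Chunk struct {
	KEKVersion uint32 // KEK version that wrapped this chunk's DEK
	WrappedDEK []byte // nonce || ciphertext || tag of the DEK
	Ciphertext []byte // nonce || ciphertext || tag of the chunk data
}

// KeyRing is a toy stand-in for a versioned KMS key (assumption, not the
// Cloud KMS API): the newest version is primary and wraps new DEKs; older
// versions stay available so DEKs wrapped before a rotation still unwrap.
type KeyRing struct {
	versions [][]byte // versions[i] is KEK version i+1 (32 bytes each)
}

// mustRandom returns n cryptographically random bytes (keys and nonces).
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Rotate adds a fresh 256-bit KEK version and makes it primary; Primary is
// the version number used for new wraps (0 before the first Rotate).
func (kr *KeyRing) Rotate()         { kr.versions = append(kr.versions, mustRandom(32)) }
func (kr *KeyRing) Primary() uint32 { return uint32(len(kr.versions)) }

// aad encodes a chunk index or key version as associated data, so a chunk
// cannot be moved to another position and a wrapped DEK cannot be relabelled.
func aad(n uint32) []byte { return binary.BigEndian.AppendUint32(nil, n) }

// newGCM builds AES-256-GCM over a 32-byte key produced by mustRandom.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only fails on a malformed key length
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return aead
}

// seal returns nonce || ciphertext || tag under a fresh random 96-bit nonce.
func seal(key, plaintext, ad []byte) []byte {
	aead := newGCM(key)
	nonce := mustRandom(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, ad)
}

// open reverses seal; the GCM tag check rejects any change to data or ad.
func open(key, sealed, ad []byte) ([]byte, error) {
	aead := newGCM(key)
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed data shorter than a nonce")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], ad)
}

// Encrypt splits data into chunks, seals each under its own fresh DEK and
// wraps that DEK under the current primary KEK version.
func Encrypt(kr *KeyRing, data []byte, chunkSize int) ([]Chunk, error) {
	v := kr.Primary()
	if v == 0 || chunkSize <= 0 {
		return nil, fmt.Errorf("need a rotated key ring and a positive chunk size")
	}
	var chunks []Chunk
	for start := 0; start < len(data); start += chunkSize {
		end := start + chunkSize
		if end > len(data) {
			end = len(data)
		}
		dek := mustRandom(32)
		ct := seal(dek, data[start:end], aad(uint32(len(chunks))))
		chunks = append(chunks, Chunk{v, seal(kr.versions[v-1], dek, aad(v)), ct})
	}
	return chunks, nil
}

// Decrypt unwraps each DEK with the KEK version recorded on its chunk, so
// data sealed before a rotation still decrypts.
func Decrypt(kr *KeyRing, chunks []Chunk) ([]byte, error) {
	var out []byte
	for i, c := range chunks {
		if c.KEKVersion == 0 || c.KEKVersion > kr.Primary() {
			return nil, fmt.Errorf("chunk %d: KEK version %d unavailable", i, c.KEKVersion)
		}
		dek, err := open(kr.versions[c.KEKVersion-1], c.WrappedDEK, aad(c.KEKVersion))
		if err != nil {
			return nil, fmt.Errorf("chunk %d: unwrap DEK: %w", i, err)
		}
		pt, err := open(dek, c.Ciphertext, aad(uint32(i)))
		if err != nil {
			return nil, fmt.Errorf("chunk %d: decrypt: %w", i, err)
		}
		out = append(out, pt...)
	}
	return out, nil
}
```

Two details matter in practice. Rotation never re-encrypts existing data: it only changes which version wraps new DEKs, so every old version must be retained (and its use audited) until the data under it is re-wrapped or deleted. And because GCM is authenticated, binding the chunk index and the key version into the associated data means a chunk moved to another position, or a wrapped DEK relabelled with the wrong version, fails the tag check instead of silently decrypting to garbage.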


What could possibly go wrong by Lord Fire

Store encryption keys in the cloud! What could possibly go wrong!

Google's KMS by Ken Mafli

I am glad that Google is taking this step. While it raises concerns, because using this service means a person's keys are not in a dedicated KMS but stored in a multi-tenant solution, it still logically separates the keys from the encrypted data. Which, let's be honest, most companies are not doing right now. So I see this as a step in the right direction. And if Google is smart, it will allow, through KMIP, other dedicated key manager products to seamlessly integrate, and companies can use them for greater data security.

That being said, I think one should check out Google's policies on Physical Security, User Access, and Logical Security before using their KMS. It is still the user's responsibility to make sure the service they use complies with NIST standards. If you want more information on security standards, navigate to the encryption key management guide under the "The Domains to Secure Encryption Keys" section to learn more.
