InfoQ News

Google Introduces Cloud-Based Encryption Key Management Service


Google has announced a new service for its Google Cloud Platform (GCP) that lets users create, use, rotate, and destroy symmetric encryption keys. The new Cloud Key Management Service (KMS) is integrated with Cloud Identity and Access Management (IAM) and Cloud Audit Logging, but keys managed in KMS can also be used independently of other GCP services through the KMS API.

Before Cloud KMS, GCP users could either let GCP manage cryptographic keys for them automatically, or supply their own keys for server-side encryption. Cloud KMS adds a third option: managing keys that live in the cloud and encrypting and decrypting data with them through an API. Cloud KMS also supports key rotation, either manually or on a schedule. When a key is rotated, a new key version becomes the primary version used to encrypt new data, while older versions remain active so that data encrypted under them can still be decrypted.

According to Google, Cloud KMS can handle millions of encryption keys and provides low-latency access to them. It is worth noting how GCP encrypts data at rest: data is broken into sub-file chunks, and each chunk is encrypted with its own data encryption key (DEK). The DEKs are stored near the data they encrypt and are themselves encrypted (wrapped) with a key encryption key (KEK); the KEK is what you manage with Cloud KMS.

Cloud KMS uses AES-256 keys, with the cryptographic primitives provided by Google's open-source BoringSSL library. Google additionally notes that it uses AES in Galois/Counter Mode (GCM), an authenticated-encryption mode that protects integrity as well as confidentiality and reaches high data rates because it can be pipelined or parallelized.
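
The three paragraphs above describe one design: per-chunk DEKs wrapped under a versioned KEK, rotation that changes only which version encrypts new data, and AES-256-GCM as the cipher. The following Go program is an added example that puts those pieces together; it is not code from the original article or from Google. It goes beyond the article in also binding the key-version prefix and the chunk index as GCM associated data. The in-process KEK type, its 4-byte version prefix, the chunk layout and the sample payload are this example's own assumptions: real Cloud KMS never releases KEK bytes, and a deployment would call the KMS encrypt/decrypt API where this code calls Wrap and Unwrap. AES-GCM comes from Go's standard library rather than BoringSSL.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// KEK stands in for a Cloud KMS CryptoKey: only the primary version encrypts
// new data, but every version not yet destroyed still decrypts. Real Cloud KMS
// never releases KEK bytes; this in-process model is a constructed example.
type KEK struct {
	primary  uint32
	versions map[uint32][]byte // version number -> 32-byte AES-256 key
}

func NewKEK() *KEK { k := &KEK{versions: map[uint32][]byte{}}; k.Rotate(); return k }

// Rotate adds a fresh version and makes it primary; older versions stay usable.
func (k *KEK) Rotate() { k.primary++; k.versions[k.primary] = randBytes(32) }

// Destroy drops a version; DEKs still wrapped under it become unrecoverable.
func (k *KEK) Destroy(version uint32) { delete(k.versions, version) }

// Wrap encrypts a DEK under the primary version. The 4-byte version prefix is
// this example's own layout (not the KMS ciphertext format); binding it as AAD
// stops an attacker rewriting it to redirect decryption to another version.
func (k *KEK) Wrap(dek []byte) []byte {
	hdr := u32(k.primary)
	return append(hdr, seal(k.versions[k.primary], dek, hdr)...)
}

// Unwrap recovers a DEK with whichever version wrapped it, primary or not.
func (k *KEK) Unwrap(wrapped []byte) ([]byte, error) {
	if len(wrapped) < 4 {
		return nil, fmt.Errorf("wrapped DEK too short")
	}
	v := binary.BigEndian.Uint32(wrapped[:4])
	if key, ok := k.versions[v]; ok {
		return open(key, wrapped[4:], wrapped[:4])
	}
	return nil, fmt.Errorf("key version %d destroyed or unknown", v)
}

// Chunk is one sub-file piece stored alongside its own wrapped DEK.
type Chunk struct{ WrappedDEK, Ciphertext []byte }

// EncryptChunks encrypts each chunkSize piece of data under its own fresh DEK
// and wraps every DEK under the current primary. The chunk index is bound as
// AAD so chunks cannot be reordered without failing authentication.
func EncryptChunks(kek *KEK, data []byte, chunkSize int) []Chunk {
	var chunks []Chunk
	for i := 0; i < len(data); i += chunkSize {
		end := i + chunkSize
		if end > len(data) {
			end = len(data)
		}
		dek := randBytes(32)
		ct := seal(dek, data[i:end], u32(uint32(len(chunks))))
		chunks = append(chunks, Chunk{kek.Wrap(dek), ct})
	}
	return chunks
}

// DecryptChunks unwraps each DEK and reassembles the plaintext.
func DecryptChunks(kek *KEK, chunks []Chunk) ([]byte, error) {
	var out []byte
	for i, c := range chunks {
		dek, err := kek.Unwrap(c.WrappedDEK)
		if err != nil {
			return nil, fmt.Errorf("chunk %d: %w", i, err)
		}
		pt, err := open(dek, c.Ciphertext, u32(uint32(i)))
		if err != nil {
			return nil, fmt.Errorf("chunk %d: %w", i, err)
		}
		out = append(out, pt...)
	}
	return out, nil
}

// seal is AES-256-GCM with a random 96-bit nonce prepended to the output.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a modified byte anywhere fails the GCM tag check.
func open(key, blob, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a caller bug, not a runtime condition
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy source; nothing to fall back to
	}
	return b
}

func u32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }

func main() {
	kek := NewKEK()
	chunks := EncryptChunks(kek, []byte("constructed sample payload, split into chunks"), 16) // constructed input
	kek.Rotate() // new writes now use v2; the v1-wrapped chunks still decrypt
	pt, err := DecryptChunks(kek, chunks)
	fmt.Printf("%q %v\n", pt, err)
	kek.Destroy(1) // anything still wrapped under v1 is now unrecoverable
	_, err = DecryptChunks(kek, chunks)
	fmt.Println(err)
}
```

Rotating the KEK changes only which version wraps new DEKs; chunks written earlier keep decrypting until the version that wrapped them is destroyed, at which point they are gone for good. That is the caveat to take from the article's rotation model: re-wrap the stored DEKs under the new primary before destroying an old version, and treat the GCM failure on a reordered or altered chunk as a signal to investigate rather than retry.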

Community comments

  • What could possibly go wrong

    by Lord Fire,

    Store encryption keys in the cloud! What could possibly go wrong!

  • Google's KMS

    by Ken Mafli,

    I am glad that Google is taking this step. While it raises concerns because using this service means a person's keys are not in a dedicated KMS but stored in a multi-tenant solution, it still logically separates the keys from the encrypted data, which, let's be honest, most companies are not doing right now. So I see this as a step in the right direction. And if Google is smart, it will allow, through KMIP, other dedicated key manager products to seamlessly integrate, and companies can use them for greater data security.

    That being said, I think one should check out Google's policies on Physical Security, User Access, and Logical Security before using their KMS. It is still the user's responsibility to make sure the service they use complies with NIST standards. If you want more information on security standards, navigate to the encryption key management guide under the "The Domains to Secure Encryption Keys" section to learn more.
