Deviating from the norm, Google has recently announced that its Compute Engine platform will now allow users to supply their own encryption keys, if they feel the need to. This is quite a big announcement, as Google’s traditional methods of data encryption never allowed such a thing.
According to Google, the new approach will allow users more flexibility with regard to control over their data security. The feature is currently in the Beta phase with quite a few restrictions on board.
The first thing you should know is that this feature is currently only available in Canada, France, Germany, Japan, Taiwan, the United States and the United Kingdom. If your country is not listed, you could request Google to add it though.
Traditionally, Google’s services automatically encrypt data before it is written to disk. The keys used are 256-bit Advanced Encryption Standard (AES-256) keys, and each key is itself encrypted with a regularly rotated set of master keys. But now users can supply their own encryption keys for their data.
“Security is as much about control as it is about data protection,” Google product manager Leonard Law writes today. “With Customer-Supplied Encryption Keys, we are giving you control over how your data is encrypted with Google Compute Engine.”
The new and free service will allow users to generate their own 256-bit keys allowing them more control over their data security, as stated earlier. Google’s Compute Engine will then use this key to protect the keys used to encrypt and decrypt the users’ data. The data can be accessed if and only if the correct key is provided by the person trying to access the data.
While there are limitations to this approach, such as losing your data forever (to a dark abyss) if you ever lose your key (which Google clearly states in bold letters), the new feature will be quite useful for large organizations in heavily regulated industries like financial services and healthcare, according to a Google spokesperson.
The post announcing the new feature reads:
Google does not store your keys on its servers and cannot access your protected data unless you provide the key. This also means that if you were to forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.
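The key hierarchy described above, where a customer-supplied 256-bit key protects the key that encrypts the disk and nothing can be read without it, shown as an added Go example that is not Google's implementation or code from the announcement. AES-256-GCM as the wrapping cipher and the names `CreateDisk`, `ReadDisk` and `randBytes` are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randBytes returns n bytes from the OS CSPRNG (keys and nonces).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm returns AES-GCM for a key the caller has already checked is 32 bytes.
func gcm(key []byte) cipher.AEAD {
	b, _ := aes.NewCipher(key)
	a, _ := cipher.NewGCM(b)
	return a
}

// CreateDisk encrypts data under a fresh data key and wraps that key with the customer key.
func CreateDisk(customerKey, data []byte) (wrappedDEK, ct []byte, err error) {
	if len(customerKey) != 32 {
		return nil, nil, errors.New("customer key must be 256 bits")
	}
	dek, n1, n2 := randBytes(32), randBytes(12), randBytes(12)
	return gcm(customerKey).Seal(n1, n1, dek, nil), gcm(dek).Seal(n2, n2, data, nil), nil
}

// ReadDisk unwraps the data key first; GCM authentication rejects any other customer key.
func ReadDisk(customerKey, wrappedDEK, ct []byte) ([]byte, error) {
	if len(customerKey) != 32 || len(wrappedDEK) < 12 || len(ct) < 12 {
		return nil, errors.New("need a 256-bit key and an intact disk")
	}
	dek, err := gcm(customerKey).Open(nil, wrappedDEK[:12], wrappedDEK[12:], nil)
	if err != nil || len(dek) != 32 {
		return nil, errors.New("customer key does not unwrap the data key")
	}
	return gcm(dek).Open(nil, ct[:12], ct[12:], nil)
}

func main() {
	w, ct, _ := CreateDisk(randBytes(32), []byte("constructed sample data"))
	fmt.Println(ReadDisk(randBytes(32), w, ct)) // a different key: prints [] and the error
}
```

Only the wrapped data key and the ciphertext are ever stored here, so a lost customer key leaves both unreadable.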
As already stated, the feature is currently in Beta, which means that there are a few restrictions and exceptions here and there. The technical restrictions as listed by Google are:
- You can only encrypt new persistent disks with your own key. You cannot encrypt existing persistent disks with your own key.
- You must use the Compute Engine Beta API.
- You cannot use your own keys with local SSDs, as local SSDs do not persist beyond the life of a virtual machine.
- You cannot stop an instance with a persistent disk that has been encrypted with your own key because it is not possible to provide a key when restarting a stopped instance.
According to Law, the service will cover all forms of data, including data volumes, boot disks and SSDs.