Any organization that wants to move its data to public cloud infrastructure invariably asks about data security. While public cloud infrastructure providers have invested heavily in the security of their platforms and in data encryption, some customers prefer to control how their data is encrypted. To that end, Google Cloud Platform is letting organizations provide their own encryption keys, which can be used to encrypt their data.
The feature, called Customer-Supplied Encryption Keys, was announced on the Google Cloud Platform blog. It's available in beta and applies to Google Compute Engine (GCE) data only. GCE protects all customer data with industry-standard AES 256-bit encryption, and it does so seamlessly for its users. With the new feature, users can provide the keys used to encrypt and decrypt their data. Those keys will only be used in a transient fashion during the request and will not be stored by Google.
This feature can be used via any of the standard mechanisms that Google Cloud Platform provides to interact with its services. This includes the Developers Console (Web), API and the command line interface (gcloud beta command). Users will have to provide the correct keys to use their protected resources.
The Customer-Supplied Encryption Keys feature is available in select countries only. Some technical restrictions do exist in beta, including a requirement to use the Compute Engine Beta API. The feature applies to new disks that users wish to encrypt with their keys and not existing disks. The feature also cannot be used with local SSDs. For more information, check out the restrictions section in the documentation.
Being able to use your own keys for security is an interesting idea and will likely find acceptance across organizations that have been cautious in moving their data to the cloud. Organizations are still likely to question whether Google will in fact use the keys they supply in a transient fashion only and not store them. Another note of caution is that the organization will have to be careful in managing its keys; a Google blog post makes it clear that if the keys are lost, Google cannot help with recovering the keys or the data.