Starting today, developers who use Google’s Compute Engine infrastructure as a service platform will be able to bring their own security keys to the service. Google argues that using these customer-supplied encryption keys, which are now in public beta, give its users more control over their data security.
By default, Google encrypts all of the data on its service with an AES-256 bit encryption key that is a) encrypted itself and b) rotated regularly. Using this new (and free) feature, users will be able to bring their own keys and get more flexibility in how they manage their data’s encryption state. This means they can choose when their data should be considered at rest or active, for example. Because Google doesn’t retain the keys, nobody inside the company can gain access to your data when it is at rest.
“Security is as much about control as it is about data protection,” Google product manager Leonard Law writes today. “With Customer-Supplied Encryption Keys, we are giving you control over how your data is encrypted with Google Compute Engine.”
Law also stresses that Google’s service covers all forms of data, no matter whether that’s data volumes, boot disks or SSDs.
For most people, handling their own security keys is probably overkill — and if you ever lose your encryption keys, you won’t be able to recover your data. As a Google spokesperson told us, the company expects that it will mostly be large organizations in heavily regulated industries like financial services and healthcare will make use of this feature.