Starting today, all the data developers write to unstructured storage on Google’s Cloud Platform will now be automatically encrypted on Google’s servers. Google already encrypted data that was written to its Persistent Disks and Scratch Disks on its Compute Engine, but as the company just announced, all of the data written to Google Cloud Storage will now also be encrypted using the 128-bit Advanced Encryption Standard.
“The per-object key itself is encrypted with a unique key associated with the object owner,” Google explains in today’s announcement, and “these keys are additionally encrypted by one of a regularly rotated set of master keys.” By default, Google will manage the keys to this data for its users, but you can also still encrypt the data yourself prior to writing it to Cloud Storage. For those who are really paranoid about their encryption, having Google manage and store their keys is probably not an option. Google, however, says that it uses “the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing.”
Google says the new server-side encryption is already active for all new data that is written to Cloud Storage, and older objects will be migrated and encrypted “in the coming months.”
It’s worth noting that AWS’s S3 cloud storage service has offered server-side encryption using the 256-bit Advanced Encryption Standard since abound 2011. For those who need to meet even stricter corporate, contractual and regulatory compliance requirements for data security, Amazon also recently introduced a dedicated (and pricey) Hardware Security Module for managing sensitive data and encryption keys in Amazon’s cloud.