Google Compute Engine customers will now be able to use their own digital encryption keys to protect information stored on the cloud platform, after the IT giant marked the feature as generally available.
Although storage in Google's cloud is scrambled by default, the customer-supplied encryption keys (CSEK) feature provides customers full control over Compute Engine disk encryption.
CSEK means nobody other than the customer will be able to access the scrambled data on the disks, as Google does not hold a copy of the key, apart from a short transient moment to fulfill Compute Engine requests such as attaching disks or spinning up virtual machines.
Conversely, if customers lose their CSEKs, there is no way for Google or anyone else to recover the data.
Google uses the CSEK to protect its own default keys for storage, with AES-256 encryption.
Keys must be provided to Google by customers in RFC 4648 base64 encoding as 256-bit strings. They can also be wrapped using an RSA public key certificate that Google provides.
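As an added example (not code from the article or from Google's own tooling), a small stdlib-only Python helper that produces a key in the format described above and strictly checks one before it is submitted; the SHA-256 fingerprint function is an assumed convenience for recording which key a disk was created with without keeping the key itself in that record.

```python
import base64
import binascii
import hashlib
import secrets

KEY_BYTES = 32  # a 256-bit key, the size CSEK requires
# 32 raw bytes always encode to exactly 44 base64 characters, including one '='
ENCODED_LEN = 44


def generate_csek() -> str:
    """Return a fresh 256-bit key as RFC 4648 section 4 (standard alphabet) base64."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def validate_csek(encoded: str) -> bytes:
    """Decode a customer-supplied key, rejecting anything malformed.

    Raises ValueError unless `encoded` is standard-alphabet, padded base64
    that decodes to exactly 32 bytes. Strict decoding rejects the URL-safe
    alphabet, stray whitespace and non-base64 characters; the length checks
    catch truncated keys and keys submitted without padding (44 unpadded
    characters would silently decode to 33 bytes).
    """
    if not isinstance(encoded, str) or len(encoded) != ENCODED_LEN:
        raise ValueError(f"CSEK must be exactly {ENCODED_LEN} base64 characters")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"CSEK is not valid RFC 4648 base64: {exc}") from exc
    if len(raw) != KEY_BYTES:
        raise ValueError(f"CSEK decodes to {len(raw)} bytes, expected {KEY_BYTES}")
    return raw


def csek_fingerprint(encoded: str) -> str:
    """Base64 SHA-256 of the raw key bytes (assumed convention, not Google's API).

    Safe to store next to a disk's metadata: it identifies the key without
    revealing it, and does not help recover a key that has been lost.
    """
    digest = hashlib.sha256(validate_csek(encoded)).digest()
    return base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    key = generate_csek()
    print("CSEK:", key)
    print("fingerprint:", csek_fingerprint(key))
```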
Australian customers won't, however, get the CSEK feature. It is only available in Canada, Denmark, France, Germany, Japan, Taiwan, the UK and the US currently.
Other CSEK limitations include only being able to encrypt new persistent disks with customer keys, rather than existing ones. Local solid-state storage devices (SSDs) cannot be used with CSEK, as they do not persist beyond the life of virtual machines.
Google said local SSDs are already protected with ephemeral encryption keys that the company does not retain.