The Customer-Supplied Encryption Keys (CSEK) option for Google’s Compute Engine has been released to general availability, the company announced Monday. Google will continue to encrypt customer content by default, but making CSEK generally available gives customers more direct control over the security of their data.
Google Cloud Platform (GCP) automatically applies one or more encryption mechanisms, and at the storage level data is encrypted with AES256 or AES128, but in theory those Google-managed keys could be stolen, or the data accessed, from within Google. The company also publishes the whitepaper Encryption at Rest in Google Cloud Platform with further information about encryption at rest on GCP.
“Customer-supplied encryption keys give us the fidelity and granular control to provide strong data-protection assurances to our customers,” said Neil Palmer, CTO of Advanced Technology at FIS Global in a Google blog post. “It’s a critical feature and Google’s approach is key to our end-to-end security posture.”
CSEK for Compute Engine, which Google introduced in beta a year ago, lets companies assure their clients that keys are not stored with third parties, but it carries the risk of stranded data if a key is lost: Google can neither recover the key nor access the protected data without it.
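As an added illustration of the key-handling responsibility described above (this is not code from the article or from Google), the script below generates a raw 256-bit CSEK key, writes the JSON key file that `gcloud compute disks create --csek-key-file` consumes, and records a fingerprint and an offline copy, since a lost key means unrecoverable data. The resource URI layout and key-file fields follow Google's documented CSEK format as I recall it and should be treated as an assumption; PROJECT/ZONE/DISK values are placeholders.

```shell
#!/bin/sh
# Added example, not from the article or Google: generate and escrow a raw
# Customer-Supplied Encryption Key (CSEK) for a Compute Engine disk.
set -eu

# A raw CSEK is 32 random bytes, supplied base64-encoded.
gen_csek_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Sanity check before use: the decoded key must be exactly 32 bytes.
key_is_valid() {
    n=$(printf '%s' "$1" | base64 -d | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Hex SHA-256 of the raw key bytes: lets you inventory which key protects
# which disk without storing the key itself.
key_fingerprint() {
    printf '%s' "$1" | base64 -d | sha256sum | cut -d' ' -f1
}

# Write the key file gcloud expects (assumed format: list of uri/key/key-type).
# Usage: write_key_file PROJECT ZONE DISK KEY OUTFILE
write_key_file() {
    project=$1; zone=$2; disk=$3; key=$4; out=$5
    cat > "$out" <<EOF
[
  {
    "uri": "https://www.googleapis.com/compute/v1/projects/$project/zones/$zone/disks/$disk",
    "key": "$key",
    "key-type": "raw"
  }
]
EOF
    chmod 600 "$out"
}

# Escrow: keep a copy of the key outside the cloud account. Google cannot
# recover it, so this copy is the only way back to the data if the original
# key file is lost.
escrow_key() {
    key=$1; backup=$2
    printf '%s\n' "$key" > "$backup"
    chmod 600 "$backup"
}

if [ "${CSEK_DEMO:-}" = 1 ]; then
    k=$(gen_csek_key); key_is_valid "$k"
    write_key_file my-project us-central1-a my-disk "$k" ./csek-my-disk.json
    escrow_key "$k" ./csek-my-disk.backup
    echo "fingerprint: $(key_fingerprint "$k")"
fi
```

Run with `CSEK_DEMO=1 sh csek.sh`, then pass the generated file to `gcloud compute disks create my-disk --csek-key-file ./csek-my-disk.json`.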
CSEK is available now in the U.S., U.K., Canada, France, and Germany, and is expected to be extended to Australia, Italy, Mexico, Norway, and Sweden later this month.
A number of cloud providers already allow customers to supply their own keys, including AWS, Azure, and Box. The approach gives service providers a way to avoid “technical assistance” requests from government agencies, which are a looming privacy and legal issue for the industry.
This post originally appeared at The Whir.