Google Cloud Designs Hardware Module for Encryption, Offers It as a Managed Service

Google Cloud Platform made three additions to its encryption offerings • It's added a managed cloud-hosted hardware security module service, support for asymmetric keys for use with decryption or signing operations, and Hashicorp Vault tokens are now saved in an encrypted state •The company is beefing up its cloud security features as it fights to win more enterprise deals and potentially to stay ahead of new security regulations in Europe

Christine Hall

August 22, 2018

3 Min Read
Google's Cloud HSM managed cloud-hosted hardware security module.
Google's Cloud HSM managed cloud-hosted hardware security module. [Source: Google]Google

Encryption is the word of the hour at Alphabet's Google Cloud Platform. This week the cloud service announced it has added Cloud HSM, a managed cloud-hosted hardware security module (HSM) service and asymmetric key support, as well as encryption-related improvements to Hashicorp Vault's integration with Cloud KMS.

For good reason, encryption is the backbone of any good security policy -- because no matter how much work is done to keep the black hats out of a system, the odds are still in favor of an eventual breach. When that day comes, it's nice to know that any exposed sensitive information is encrypted well enough to make it all but useless to the thieves.

GCP already had good encryption in place and says it's the only cloud provider that encrypts all customer data at rest. Its Cloud Key Management Service (KMS) provides encryption of blocks of data with a key under the user's control. By further beefing up its encryption, Google is doubtlessly hoping to convince enterprises into making a place for GCP in their cloud plans as it attempts to rise above fourth place in the public cloud market.

The move was also likely prompted by compliance issues, since mandates around encryption have multiplied by more that a bit since the EU adopted GDPR, with some regulations requiring some encryption operations to be hardware-based.

Related:How Google's Custom Security Chip Secures Servers at Boot

"[W]e’ve heard from many of you that you’d like even more options that help you protect your most sensitive information assets and meet compliance mandates," GCP's product manager, Il-Sung Lee, said in blog post. "Cloud HSM allows you to host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs. With this fully managed service, you can protect your most sensitive workloads without needing to worry about the operational overhead of managing an HSM cluster."

The new Cloud HSM service is tightly integrated with GCP's existing key management system, Cloud KMS, and users control it though its APIs. The integration also means that users can protect data in encryption key-enabled services such as BigQuery, Google Compute Engine, Google Cloud Storage, and DataProc, with a hardware-protected key.

"For those of you managing compliance requirements, Cloud HSM can help you meet regulatory mandates that require keys and crypto operations be performed within a hardware environment," he added. "In addition to using FIPS 140-2 certified devices, Cloud HSM will allow you to verifiably attest that your cryptographic keys were created within the hardware boundary."

Cloud HSM will also come with asymmetric key support, a feature that's also being added to Cloud KMS. This means that users of GCP will not only be able to take advantage of symmetric key encryption using AES-256 keys, but can now create asymmetric keys for decryption or signing operations and store those keys in a Google Cloud managed keystore.

"Specifically, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 keys will be available for signing operations, while RSA 2048, RSA 3072, and RSA 4096 keys will also have the ability to decrypt blocks of data," Lee said.

Both of these new features are officially in beta, although Google doesn't seem to be warning users to not put them to use in production environments.

GCP has also upped its support of Hashicorp Vault, which secures, stores, and controls access to tokens, passwords, certificates, API keys, and the like, with the addition of GCP Cloud KMS Vault Token Helper. While Vault's default token helper stores tokens as plaintext on disk, GCP's solution encrypts tokens using Cloud KMS or Cloud HSM keys and stores the encrypted values on disk.

Mitchell Hashimoto, Hashicorp's co-founder and CTO, told Data Center Knowledge that the improvement to Vault was developed by a former Hashicorp employee who worked on the Vault project and who now works on Vault at Google.

"He actually did it without reaching out to us, but it is great work," he said.

This also probably won't be the last improvement to how Vault works in Google's cloud.

"We're talking to Google quite a bit around Vault and how best to integrate it with their cloud platform," he added.

Read more about:

Google Alphabet

About the Author(s)

Christine Hall

Freelance author

Christine Hall has been a journalist since 1971. In 2001 she began writing a weekly consumer computer column and began covering IT full time in 2002, focusing on Linux and open source software. Since 2010 she's published and edited the website FOSS Force. Follow her on Twitter: @BrideOfLinux.

Subscribe to the Data Center Knowledge Newsletter
Get analysis and expert insight on the latest in data center business and technology delivered to your inbox daily.

You May Also Like