Until now, anyone using the Google cloud platform, Google Compute Engine, was forced to use encryption keys generated by Google. Clearly this spooked a lot of people, and there have long been calls for users to be granted greater control of security.
Now this is happening — users are able to provide their own encryption keys. Customer-Supplied Encryption Key (CSEK) are used to provide a second layer of security, on top of the Google-generated keys that are used by default.
In its Cloud Platform documentation, Google provides information about how to create your own keys. As well as telling users how to go about doing this, the company issues a stark warning that it cannot help out if these keys are forgotten: “Google does not store your keys on its servers and cannot access your protected data unless you provide the key. This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.”
The company explains how the system works:
By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.
If you provide your own encryption keys, Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data. Only users who can provide the correct key can use resources protected by a customer-supplied encryption key.
The option to use one’s own encryption keys only applies to new persistent disks — there will be some disappointment that existing disks cannot be secured in the same way. But while there is room for disappointment, anyone concerned with security will see that this is very much a step in the right direction, and it sees Google catching up with other cloud services.