Encryption principles in GCP

Arnaud Redon
Google Cloud - Community
5 min read · Apr 17, 2024

Google Cloud Key Management Service (Cloud KMS) is a cloud service that lets enterprises create, use, and manage cryptographic keys, and perform cryptographic operations with them, in a secure manner. It manages the encryption keys that other Google Cloud services use on your behalf, and it exposes the same cryptographic functions to your own applications.

Data stored in Google Cloud is encrypted at rest by default. By using Cloud KMS, users gain greater control over how that data is encrypted at rest and how the encryption keys are managed. KMS is a highly secure and scalable key management solution that meets the requirements of a wide range of applications and industries: it lets you create and use encryption keys for your cloud services and applications, and helps you ensure that your data is protected at rest and in transit.

For the source of keys, Cloud KMS provides the following options:

  • Cloud KMS software backend: encrypt data with either a symmetric or an asymmetric key that you control.
  • Cloud Hardware Security Modules (HSM)
  • Customer-managed encryption keys (CMEK): use keys generated by Cloud KMS with other Google Cloud services and configure a key rotation period.
  • Cloud External Key Manager (EKM)
  • Customer-supplied encryption keys (CSEK)

KMS Features

  1. Key Management: KMS allows you to create, manage, and use encryption keys for your cloud services and applications.
  2. Key Rotation: KMS provides key rotation policies that help you rotate your keys regularly to improve security.
  3. Integration: KMS integrates with other Google Cloud Platform services, such as Cloud Storage, BigQuery, and Compute Engine.
  4. Access Control: KMS provides granular access control, allowing you to control who can create, use, and manage encryption keys.
  5. Audit Logging: KMS provides audit logging, allowing you to track key usage and ensure compliance with security policies.

Data encryption principles with KMS

  1. DEK (Data Encryption Key): the key used to encrypt the data itself.
  2. KEK (Key Encryption Key): the key used to encrypt, or wrap, a data encryption key.
  3. KMS Master Key: the key used to encrypt the KEK. This key is distributed in memory. The KMS Master Key is backed up on hardware devices and is responsible for encrypting users’ keys.
  4. Root KMS: Google’s internal key management service.
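The DEK/KEK relationship above is envelope encryption: each object gets its own DEK, and only the DEK is ever presented to the key service for wrapping, so the data never leaves the storage service and the KEK never leaves KMS. The following Go program is an added example, not code from the article or from Google Cloud. It assumes a locally generated AES-256 key as a stand-in for the Cloud KMS key, so the wrap and unwrap calls that would go to Cloud KMS (`Encrypt`/`Decrypt` on the KEK) are performed locally and the whole flow runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope encryption: a per-object DEK encrypts the data; a KEK wraps the DEK.
// The KEK here is a locally generated AES-256 key standing in for a Cloud KMS
// key (assumption for this example). In production the two calls on the KEK are
// Cloud KMS Encrypt/Decrypt and the KEK material is never visible to the caller.

// aesGCMSeal encrypts plaintext under key with AES-GCM; the fresh 12-byte
// nonce is prefixed to the returned ciphertext.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aesGCMOpen reverses aesGCMSeal and fails if the tag or the AAD does not verify.
func aesGCMOpen(key, ciphertext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, aad)
}

// Envelope is what a storage service persists next to the object: the wrapped
// DEK and the data encrypted under that DEK. The KEK is never stored with it.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// dekAAD binds the wrapped DEK to its purpose, so a wrapped blob cannot be
// swapped for some other ciphertext of the same length without the tag failing.
var dekAAD = []byte("dek-wrap-v1")

// EnvelopeEncrypt generates a fresh 256-bit DEK, encrypts the data with it and
// wraps the DEK under the KEK (the step Cloud KMS performs as Encrypt).
func EnvelopeEncrypt(kek, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := aesGCMSeal(dek, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := aesGCMSeal(kek, dek, dekAAD)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// EnvelopeDecrypt unwraps the DEK with the KEK (Cloud KMS Decrypt) and then
// decrypts the data locally. If the KEK is destroyed, or IAM revokes access to
// it, the first step fails and the data stays unreadable.
func EnvelopeDecrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := aesGCMOpen(kek, env.WrappedDEK, dekAAD)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aesGCMOpen(dek, env.Ciphertext, nil)
}

func main() {
	kek := make([]byte, 32) // constructed stand-in for a Cloud KMS key
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	env, err := EnvelopeEncrypt(kek, []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	pt, err := EnvelopeDecrypt(kek, env)
	fmt.Printf("recovered: %q, err: %v\n", pt, err)

	wrongKEK := make([]byte, 32) // a different key: the unwrap step must fail
	_, err = EnvelopeDecrypt(wrongKEK, env)
	fmt.Println("with wrong KEK:", err)
}
```

Because the DEK is wrapped rather than the data, rotating the KEK means re-wrapping a 32-byte DEK per object instead of re-encrypting the object, which is what makes KMS key rotation cheap for large datasets.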

1. CMEK (Customer-Managed Encryption Key): two options

Cloud KMS software backend

Most KEKs for encrypting data chunks are generated within Keystore, and the rest are generated inside the storage services.

All KEKs are generated using Google’s common cryptographic library, using a random number generator (RNG) built by Google. This RNG is based on the NIST SP 800-90Ar1 CTR-DRBG and generates an AES-256 KEK.

The use of KEKs is managed by ACLs in Keystore for each key, with a per-key policy. Only authorized Google services and users are allowed to access a key. The use of each key is tracked at the level of the individual operation that requires that key — so every time that a user uses a key, the user is authenticated and logged. All data access by users is auditable as part of Google’s overall security and privacy policies.

Keystore is protected by a root key called the keystore master key, which wraps all of the KEKs in Keystore. This keystore master key is AES-256 and is itself stored in another key management service, called Root Keystore. The keystore master key is stored in a peer-to-peer infrastructure, called the root keystore master key distributor. The root keystore master key distributor only holds the keys in RAM on the same dedicated machines as Root Keystore, and it uses logging to verify proper use.

Cloud Hardware Security Modules (HSM)

When you use Cloud HSM, your data is strictly isolated from other tenants and services in Google Cloud. The Cloud HSM data plane API, which is part of the Cloud Key Management Service API, lets you manage HSM-backed keys programmatically.

2. External Key Management (EKM)

Similar to a Cloud HSM-backed key, but it gives you the ability to back your CMEK with a third-party, cloud-based HSM. This is best suited to customers who do not want to trust Google Cloud with their keys.

It lets you encrypt your data with CMEK just as before, but every time the key is used, Cloud KMS makes an API call to the external cloud-based HSM to handle the operation. The KEK is stored in the third-party HSM.

3. Customer Supplied Encryption Key (CSEK)

Private keys are not stored in GCP. The customer creates a wrapped key from their own key and the public GCP GCE/GCS key. With each request, the customer provides the AES-256 encryption key needed to access the data.

Available for GCE and GCS only (cannot be used with other GCP managed services).
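To make the CSEK flow concrete, here is an added Go example (not code from the article or from Google Cloud). It derives the three request headers Cloud Storage expects for a raw CSEK, wraps the same key with RSA-OAEP for the GCE/GCS wrapped-key path, and renders the JSON key file shape used with gcloud's `--csek-key-file` flag. Assumptions: the RSA key pair generated in `main()` stands in for Google's published CSEK public certificate; OAEP with SHA-1 is assumed as the padding the documentation describes; the `uri`/`key`/`key-type` field names of the key file are assumed from the gcloud docs and should be checked against the current reference; the disk URI uses obvious placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// With CSEK the customer keeps a raw AES-256 key and Google stores only its
// SHA-256 hash. Two forms of the key travel to Google: the base64 raw key in
// Cloud Storage request headers, and an RSA-OAEP-wrapped copy for the GCE/GCS
// wrapped-key path. The RSA pair in main() is a local stand-in for Google's
// CSEK public certificate (assumption: OAEP with SHA-1, per the docs).

// CSEKHeaders builds the three Cloud Storage request headers for a raw CSEK.
func CSEKHeaders(key []byte) (map[string]string, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("CSEK must be 32 bytes (AES-256), got %d", len(key))
	}
	sum := sha256.Sum256(key)
	return map[string]string{
		"x-goog-encryption-algorithm":  "AES256",
		"x-goog-encryption-key":        base64.StdEncoding.EncodeToString(key),
		"x-goog-encryption-key-sha256": base64.StdEncoding.EncodeToString(sum[:]),
	}, nil
}

// WrapCSEK wraps the raw key with RSA-OAEP under the ingress public key, so the
// raw key never appears in a config file or request body.
func WrapCSEK(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("CSEK must be 32 bytes (AES-256), got %d", len(key))
	}
	return rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, key, nil)
}

// UnwrapCSEK models the Google-side unwrap; it exists only to prove the round
// trip locally, since the customer never holds Google's private key.
func UnwrapCSEK(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha1.New(), rand.Reader, priv, wrapped, nil)
}

// csekEntry is one entry of the JSON file passed to gcloud --csek-key-file
// (field names assumed from the gcloud docs).
type csekEntry struct {
	URI     string `json:"uri"`
	Key     string `json:"key"`
	KeyType string `json:"key-type"`
}

// CSEKKeyFile renders a one-entry key file for an RSA-wrapped key.
func CSEKKeyFile(resourceURI string, wrapped []byte) ([]byte, error) {
	return json.MarshalIndent([]csekEntry{{
		URI:     resourceURI,
		Key:     base64.StdEncoding.EncodeToString(wrapped),
		KeyType: "rsa-encrypted",
	}}, "", "  ")
}

func main() {
	key := make([]byte, 32) // constructed: generated and held by the customer
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	headers, _ := CSEKHeaders(key)
	for k, v := range headers {
		fmt.Printf("%s: %s\n", k, v)
	}

	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for Google's certificate
	if err != nil {
		panic(err)
	}
	wrapped, err := WrapCSEK(&priv.PublicKey, key)
	if err != nil {
		panic(err)
	}
	file, _ := CSEKKeyFile("https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/disks/DISK_NAME", wrapped)
	fmt.Println(string(file))
}
```

Operationally, the hash header is what lets Cloud Storage confirm that a later request presents the same key without ever storing the key: lose the key and the object is unrecoverable by anyone, Google included, which is the trade-off CSEK makes against CMEK.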
