Understanding Data Encryption in Google Cloud

GCP Comics #4: Encryption to secure your data in cloud

Priyanka Vergadia
Google Cloud - Community


Encryption is a process that takes plaintext as input, and transforms it into an output (ciphertext) that reveals little or no information about the plaintext. A public encryption algorithm is used, but execution depends on a key, which is kept secret. To decrypt the ciphertext back to its original form, the key needs to be used.

When you use Google Cloud, the data is encrypted at rest and in transit to protect the data.

  • Encryption at rest — used to protect data that is stored on a disk (including solid-state drives) or backup media.
  • Encryption in transit — used to protect data that is traveling over the Internet or moving within Google’s infrastructure.

In this issue of GCP Comics we are covering exactly that… Here you go!

Encryption at rest in Google Cloud

  • Google uses several layers of encryption to protect customer data at rest. All customer content stored at rest is encrypted, without any action required from the customer, using one or more encryption mechanisms. All data stored in Google Cloud is encrypted at the storage level using AES256, with the exception of a small number of Persistent Disks created before 2015 that use AES128.
  • Data for storage is split into chunks, and each chunk is encrypted with a unique data encryption key. These data encryption keys are stored with the data, encrypted with (“wrapped” by) key encryption keys that are exclusively stored and used inside Google’s central Key Management Service. Google’s Key Management Service is redundant and globally distributed.
  • Google uses a common cryptographic library, Tink, which incorporates our FIPS 140-2 validated module, BoringCrypto, to implement encryption consistently across almost all Google Cloud products. Consistent use of a common library means that only a small team of cryptographers needs to implement and maintain this tightly controlled and reviewed code.
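The chunk-level envelope scheme described above, written out as an added example (this is not Google's or Tink's code): each chunk gets its own random AES-256 data encryption key (DEK), the chunk is encrypted with that DEK, and the DEK is stored beside the ciphertext wrapped by a key encryption key (KEK). The KEK is passed in as a plain byte slice here, standing in for the key that Google's Key Management Service would hold and never release; AES-GCM from Go's standard library is the assumed primitive.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Chunk is one stored record: ciphertext plus its own DEK, wrapped by the KEK.
type Chunk struct {
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK); in practice only the key service unwraps this
	Ciphertext []byte // nonce || AES-256-GCM(DEK, chunk data)
}

func must[T any](v T, err error) T { // demo shortcut: cipher setup or RNG failure is fatal here
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func seal(key, msg []byte) []byte { // AES-256-GCM with a fresh 96-bit nonce: nonce || ct || tag
	nonce := randomBytes(12)
	return gcm(key).Seal(nonce, nonce, msg, nil)
}

// open reverses seal; a modified nonce, ciphertext or tag fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("sealed data too short")
	}
	return gcm(key).Open(nil, sealed[:12], sealed[12:], nil)
}

func EncryptChunk(kek, chunk []byte) Chunk {
	dek := randomBytes(32) // fresh AES-256 DEK used for this chunk only
	return Chunk{WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, chunk)}
}

func DecryptChunk(kek []byte, c Chunk) ([]byte, error) {
	dek, err := open(kek, c.WrappedDEK) // step 1: the KEK (key service) unwraps the DEK
	if err != nil {
		return nil, err
	}
	return open(dek, c.Ciphertext) // step 2: the DEK decrypts the chunk data
}
```

Because each chunk carries a different DEK, exposure of one DEK reveals only that chunk, and rotating or revoking the KEK controls access to every stored DEK at once.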

Encryption in transit in Google Cloud

  • Google applies several security measures to help ensure the authenticity, integrity, and privacy of data in transit.
  • Data is encrypted and authenticated in transit at one or more network layers when it moves outside physical boundaries not controlled by Google or on behalf of Google. Data in transit inside a physical boundary controlled by or on behalf of Google is generally authenticated but not necessarily encrypted.
  • Depending on the connection that is being made, Google applies default protections to data in transit. For example, communications are secured between the user and the Google Front End (GFE) using TLS.
  • Google Cloud customers with additional requirements for encryption of data over WAN can choose to implement further protections for data as it moves from a user to an application, or virtual machine to virtual machine. These protections include IPSec tunnels, Gmail S/MIME, managed SSL certificates, and Istio.
  • Google works actively with the industry to help bring encryption in transit to everyone, everywhere and plans to remain the industry leader in encryption in transit.


Want more GCP Comics? Visit & follow me on Medium, and on Twitter to not miss the next issue!


