HOW IS DATA ENCRYPTED IN CLOUD?

Understanding Data Encryption in Google Cloud

GCP Comics #4: Encryption to secure your data in cloud

Priyanka Vergadia
Oct 30 · 3 min read

Encryption is a process that takes plaintext as input and transforms it into an output (ciphertext) that reveals little or no information about the plaintext. The encryption algorithm itself is public, but its output depends on a key that is kept secret; that same key is needed to decrypt the ciphertext back to its original form.

When you use Google Cloud, the data is encrypted at rest and in transit to protect the data.

  • Encryption at rest — used to protect data that is stored on a disk (including solid-state drives) or on backup media.
  • Encryption in transit — used to protect data that is traveling over the Internet or moving within Google’s infrastructure.

In this issue of GCP Comics we are covering exactly that… Here you go!

Encryption at rest in Google Cloud

  • Google uses several layers of encryption to protect customer data at rest. All customer content stored at rest is encrypted, without any action required from the customer, using one or more encryption mechanisms. All data stored in Google Cloud is encrypted at the storage level using AES256, with the exception of a small number of Persistent Disks created before 2015 that use AES128.
  • Data for storage is split into chunks, and each chunk is encrypted with a unique data encryption key. These data encryption keys are stored with the data, encrypted with (“wrapped” by) key encryption keys that are exclusively stored and used inside Google’s central Key Management Service. Google’s Key Management Service is redundant and globally distributed.
  • Google uses a common cryptographic library, Tink, which incorporates its FIPS 140-2 validated module, BoringCrypto, to implement encryption consistently across almost all Google Cloud products. Consistent use of a common library means that only a small team of cryptographers needs to implement and maintain this tightly controlled and reviewed code.

Encryption in transit in Google Cloud

  • Google applies several security measures to help ensure the authenticity, integrity, and privacy of data in transit.
  • Data is encrypted and authenticated in transit at one or more network layers when it moves outside physical boundaries not controlled by Google or on behalf of Google. Data in transit inside a physical boundary controlled by or on behalf of Google is generally authenticated but not necessarily encrypted.
  • Depending on the connection that is being made, Google applies default protections to data in transit. For example, communications are secured between the user and the Google Front End (GFE) using TLS.
  • Google Cloud customers with additional requirements for encryption of data over the WAN can choose to implement further protections for data as it moves from a user to an application, or from virtual machine to virtual machine. These protections include IPsec tunnels, Gmail S/MIME, managed SSL certificates, and Istio.
  • Google works actively with the industry to help bring encryption in transit to everyone, everywhere and plans to remain the industry leader in encryption in transit.

Resources

Want more GCP Comics? Visit gcpcomics.com & follow me on Medium and on Twitter so you don’t miss the next issue!

Priyanka Vergadia

Written by

Developer Advocate @Google, Artist & Traveler! Twitter @pvergadia

Google Cloud - Community

A collection of technical articles and blogs published or curated by Google Cloud Developer Advocates. The views expressed are those of the authors and don't necessarily reflect those of Google.