Google Cloud Platform (GCP) broaden the continuum of encryption options with the introduction of beta of “Cloud Key Management Service” in select countries, which makes it easy to keep your encryption keys safe—is an alternative to custom-built or ad-hoc key management systems, which are difficult to scale and maintain.
Directly integrated with Cloud Identity Access Management and Cloud Audit Logging for greater control over keys—with Cloud KMS, “you can manage symmetric encryption keys in a cloud-hosted solution, whether they’re used to protect data stored in GCP or another environment,” Google said.
By default, Cloud Storage manages server-side encryption keys on your behalf. Google notes, to manage cloud-based keys yourself, you must select “Cloud Key Management Service,” and for on-premise keys, select “Customer Supplied Encryption Keys” (for Google Cloud Storage and for Google Compute Engine).
You can create, use, rotate and destroy keys via Cloud KMS API, including as part of a secret management or envelope encryption solution.
At launch, “Cloud KMS uses Advanced Encryption Standard (AES), in Galois/Counter Mode (GCM), also internally used at Google to encrypt data in Google Cloud Storage.” “This AES GCM is implemented in the BoringSSL library that Google maintains, and continually checks for weaknesses using several tools, including tools similar to the recently open-sourced cryptographic test tool Project Wycheproof,” google explained.
The diagram below shows a use-case decision tree:
Update 01/13: A white paper that details how security is designed into Google’s Cloud infrastructure from the ground up published today describes the security of this infrastructure in progressive layers starting from the physical security of our data centers, continuing on to how the hardware and software that underlie the infrastructure are secured, and finally, describing the technical constraints and processes in place to support operational security.
Google Cloud’s global infrastructure provides security through the entire information processing lifecycle. This infrastructure is used by Google to build its internet services, including both consumer services such as Search, Gmail, and Photos, and our Google Cloud enterprise services.
Also, this infrastructure provides secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, secure and private communication with customers over the internet and safe operation by administrators.
Look at the paper, HERE.