Google on Wednesday introduced its Cloud Key Management Service in beta to help Google Cloud Platform customers deal with their encryption keys.
"Cloud KMS offers a cloud-based root of trust that you can monitor and audit," said product manager Maya Kaczorowski in a blog post. "As an alternative to custom-built or ad-hoc key management systems, which are difficult to scale and maintain, Cloud KMS makes it easy to keep your keys safe."
Following the disclosures about the scope of online surveillance by former NSA contractor Edward Snowden in 2013, encryption became more important for cloud service providers – particularly encryption that allows customers to control the keys.
Google began offering customer-supplied encryption keys (CSEK) in June 2015. But it hasn't exactly led the way with encryption for cloud customers. Amazon Web Services introduced CSEK for S3 in June 2014 and in November of that year introduced AWS Key Management Service. Microsoft Azure added CSEK via Key Vault in January 2015.
A Google spokesperson wasn't immediately available to discuss the service.
Garrett Bekker, an analyst with 451 research, said in a statement provided by Google that KMS "fills a gap by providing customers with the ability to manage their encryption keys in a multi-tenant cloud service, without the need to maintain an on-premise key management system or HSM [hardware security module]."
GCP customers can use Cloud KMS to create, use, rotate (at will or scheduled), and destroy AES-256 symmetric encryption keys. Cloud KMS provides a REST API that can use a key to encrypt or decrypt data.
Cloud KMS integrates with Cloud Identity Access Management and Cloud Audit Logging, two related GCP services.
Kaczorowski says that Cloud KMS relies on the Advanced Encryption Standard (AES) in Galois/Counter Mode [PDF], a method for high-speed encryption. Google constantly checks its implementation, residing in its BoringSSL library, using tools like Project Wycheproof, according to Kaczorowski.
While key management offers convenience, the tradeoff is security, since service providers can be compelled to turn keys over to authorities when presented with lawful demands. ®