Google Cloud Platform has armored its cloud in metal by offering customers beta access to hardware security modules (HSM) to handle encryption keys.
With a cloud-hosted HSM, GCP users can execute cryptographic operations on FIPS 140-2 Level 3 certified kit, which is one level short of the most stringent standard.
Google isn't really breaking new ground here – AWS and Microsoft Azure already support HSMs. But better late than never. (And for what it's worth, Google claims it's the only cloud vendor that encrypts all customer data at rest.)
Cloud HSM is a managed service, which alleviates the operational burden of overseeing your own HSM cluster, explained Google product manager Il-Sung Lee. It's mainly useful for organizations that have comply with specific security and data handling regulations.
"For those of you managing compliance requirements, Cloud HSM can help you meet regulatory mandates that require keys and crypto operations be performed within a hardware environment," said Lee in a blog post on Monday. "In addition to using FIPS 140-2 certified devices, Cloud HSM will allow you to verifiably attest that your cryptographic keys were created within the hardware boundary."
The hardware security modules work in conjunction with GCP's Cloud Key Management Service (KMS), which provides a way to generate, employ, rotate and destroy supported key types – AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384.
In addition, Google is introducing beta support for asymmetric encryption keys – where different keys are used for encryption and decryption, instead of a single, symmetric key for both operations – in both Cloud KMS and Cloud HSM.
Enterprises using Hashi Corp's Vault secrets manager can also turn to either Cloud KMS or Cloud HSM to encrypt their Vault tokens at rest.
Despite Google's enthusiasm for the service, there are still limitations. Cloud HSM is currently available only in
us-west1 regions. And using keys stored in Cloud HSM may involve greater latency than Cloud KMS software keys. ®