Whitepaper: Hold your own key with Google Cloud External Key Manager
Anton Chuvakin
Security Advisor, Office of the CISO, Google Cloud
Il-Sung Lee
Senior Product Manager, Google Cloud
We want to help customers use Google Cloud while trusting us less. This is the philosophy behind a lot of our security work, as we’ve described before. It’s part of our vision for a trusted cloud, our plan to build technologies and strategies that earn greater trust.
To that end, we are releasing a new resource to help customers understand Google Cloud External Key Manager (Cloud EKM), our technology for Hold Your Own Key (HYOK). This whitepaper explains the origin of the idea, the functionality, architecture and use cases for EKM. It is written by Andrew Lance of Sidechain, and Anton Chuvakin of Google Cloud.
The whitepaper covers a few key areas:
Establishing greater trust in the cloud
This section covers the trust challenges resulting from increasing cloud computing usage. Some of the challenges are about who has access to those computers, particularly when cloud computing platforms are inherently multi-tenant.
Key security - giving customers the choice
This section focuses on several different levels of customer control for data encryption and key management. It also introduces the concepts in Cloud EKM technology.
What is Cloud EKM and how does it work?
This chapter describes how Cloud EKM handles key management, and explains how this process enhances data protection by empowering customers to define when cloud services can access encrypted data-at-rest.
Primary benefits of Cloud EKM
This section covers the provenance, centralization and control of keys.
Core use cases
This chapter explains how Cloud EKM protects highly sensitive data, retains control to address geopolitical and regional concerns, and supports hybrid and multi-cloud architectures.
Service integrations and technical considerations
These sections list the services covered by Cloud EKM. They also explain how and why Google does not store your keys on its servers, and that, as a result, if you lose this key, there is no way for Google to recover the key or to recover any data encrypted with the lost key. This is an important consideration for customers to keep in mind.
Integration solution providers
This chapter lists the partners that enable EKM technology.
Unlock new cloud workloads with Cloud EKM
This section explains why Google follows the model of creating more trust by actually allowing customers to trust cloud providers less, via Cloud EKM.
The following diagram illustrates how Cloud EKM works:
Here are some of our favorite quotes from the paper:
“Cloud External Key Manager (EKM) is another ground-breaking capability that enables customers to encrypt data in a variety of services including BigQuery, Compute Engine, Cloud SQL, and Google Kubernetes Engine with encryption keys that are stored and managed in a third-party key management system deployed outside Google’s infrastructure.”
“Cloud EKM, and a host of other GCP features and services, are giving control back to customers, and helping earn more customer trust because of it.” [Or, as we said in the blog, they can trust us more because we enable them to trust us less.]
“Google Cloud is working to earn trust not by hand-waving or demanding complete control over the processing of customers’ most sensitive data. It is doing it by allowing customers to retain control, empowering customers, and limiting its exposure to sensitive customer data while still providing stellar value through cloud services.”
“A rogue employee of the provider can never access encryption keys because the provider does not have the keys - they are stored at a client site.”
“Cloud EKM enables these customers to leverage their current key management infrastructure (provided one of the supported partners is used) to maintain key provenance while still putting protected workloads in the cloud. Google Cloud will never store this key, and isn’t responsible for creation or deletion since those tasks are maintained by the customer.”
“It’s important to note that Google does not store your keys on its servers and cannot access your protected disks unless you provide the key to Cloud EKM. This also means that if you lose this key, or access is lost, there is absolutely no way for Google to recover the key or to recover any data encrypted with the lost key.”
Read the full whitepaper to learn more, and get started with EKM by selecting an external key management partner from our documentation.