Jump to Content
Storage & Data Transfer

Tales from the (en)crypt: What's new for Cloud Storage security

September 27, 2021
Henry Yuen

Product Manager

Try Google Cloud

Start building on Google Cloud with $300 in free credits and 20+ always free products.

Free trial

Encryption is critical for securing sensitive data while it is stored and transits the cloud. Today, Cloud Storage encrypts data server-side with standard Google-managed encryption keys by default, and can also encrypt data with customer-managed encryption keys that are stored and managed by Cloud Key Management Service (Cloud KMS).

While customers have been able to secure their data on Cloud Storage with Cloud KMS keys for some time, we are always updating our encryption offerings to deliver better performance, lower costs and more capabilities that support critical business workloads. In this post, we’ll discuss some of our latest developments in this space—in particular, performance improvements for high-intensity workloads and support for customer-managed encryption keys (CMEK) for object composition

Why use Cloud KMS with Cloud Storage?

Cloud KMS enables you to centrally manage your keys in a fast and scalable way that helps to meet your security and compliance needs. Cloud KMS generates customer-managed encryption keys (CMEK) which act as an additional layer of protection on top of Google’s default encryption keys. You can set these keys on a Cloud Storage bucket as a default key, and can easily manage key rotation, replacement or disabling right within Cloud KMS.  

In addition to software-based CMEKs, Cloud Storage also supports hardware-based CMEKs hosted in hardware security modules that are FIPS 140-2 Level 3 validated as part of our Cloud HSM service. These enable you to protect your most sensitive workloads without needing to manage HSM cluster operations yourself. 

Improving KMS performance for high-intensity workloads

While Cloud HSM is often used to protect the most sensitive data for a customer, especially for those in healthcare and financial services industries, the default quota limits for cryptographic operations on Cloud HSM keys may cause performance bottlenecks for customers aiming to run high-intensity workloads when using Cloud Storage, such as analytics workloads on Hadoop.

We are making improvements to the Cloud KMS request behaviour on Cloud Storage that more effectively batches requests to Cloud KMS to reduce request bandwidth and drive down KMS billing. Identical Cloud KMS requests from Cloud Storage will be batched together for newly written objects and across all supported encryption modes in Cloud KMS, including software-backed customer-managed encryption keys. As a result of these changes, when you are using Cloud KMS you may notice faster encrypt, read and write operations for new data, deduplicated Cloud KMS audit logs and lower overall Cloud KMS charges. Customers running high-intensity workloads should see a significant reduction in throughput to KMS, leading to a reduction in KMS cryptographic operation billing costs for all types of KMS keys, as well as enabling customers to scale the throughput of their HSM-encrypted workloads.

Newly written objects encrypted with Cloud KMS will leverage these changes, whether they are encrypted using software-backed or HSM-backed CMEKs, and no configuration change is needed. If you are looking to use Cloud KMS with Cloud Storage, check out the Cloud KMS page to learn more, especially for setting up a hardware-backed HSM.

Supporting Cloud KMS for object composition

Object composition in Cloud Storage is widely used today for different types of applications, from stitching video segments together for a replay to uploading large datasets for analytics workloads. As more and more customers are leveraging Cloud Storage for these applications, we are expanding object composition capabilities to be flexible across different encryption modes.

Object composition is now supported for customer-managed encryption keys in addition to Google-managed encryption keys and customer-supplied encryption keys. This allows you to manage your own encryption keys while performing object composition for business-critical needs such as compiling sensitive financial datasets.

To compose objects that are encrypted with customer-managed encryption keys, specify the resource name of the Cloud KMS key for encrypting the composed object as a query parameter in the compose request. For the JSON API, construct the following HTTP request, while specifying the Cloud KMS key resource name for the query parameter kmsKeyName.


For the XML API, specify the Cloud KMS key resource name for the request header x-goog-encryption-kms-key-name. You can also specify a Cloud KMS key when using gsutil to perform object composition. Check out our documentation to try out object composition, or to start composing objects encrypted with customer-managed encryption keys.

Get started with better encryption

Being deliberate about encryption is critical for securing your sensitive data on Cloud Storage. Whether you are composing objects or running analytics workloads, leveraging the latest encryption offerings will deliver faster performance, better security and improved workload scalability. We’re always evolving our encryption products to meet your needs and help you achieve your business goals. To get started with encryption on Cloud Storage, check out our documentation to learn more.

Posted in