Data encryption

This section describes the layers of encryption that protect data in Google Distributed Cloud (GDC) air-gapped appliance storage. The appliance's software-defined storage encrypts all customer content stored at rest, without any action from you, using one or more encryption mechanisms. The following sections describe the mechanisms that encrypt customer data at rest and in transit in the GDC air-gapped appliance storage layer.

Encryption at rest

GDC air-gapped appliance provides several layers of encryption for data at rest. The appliance includes software-defined storage that provides a data store, data replication, and rebalancing. The block devices backing that storage are encrypted with dm-crypt using the Linux Unified Key Setup (LUKS) format, and this encryption is enabled by default. On top of the disk-level encryption, the block and object storage services apply their own per-volume and per-object encryption, so customer data is double encrypted.
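
The practical way to confirm that a block device really is dm-crypt/LUKS encrypted, rather than trusting the default, is to read its header. The following is an added example written for this page, not code from the GDC air-gapped appliance or from cryptsetup; it parses the public LUKS1 and LUKS2 on-disk header layouts and reports the version, cipher and active key slots. The two sample headers are constructed inline so the script runs offline; the device path `/dev/sdb` in the usage is an assumption, and reading a real device requires root on a host where the raw disk is visible.

```python
"""Check whether a raw block-device header is LUKS-formatted and report how it is encrypted.

Added illustration for this page, not GDC appliance code. Field offsets follow the public
cryptsetup LUKS1/LUKS2 on-disk formats; all integers are big-endian. The sample headers
are constructed, not captured from any device. Usage against real storage (needs root,
path is an assumption): python3 luks_check.py /dev/sdb
"""
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_HEADER_LEN = 592          # fixed phdr followed by 8 key slots of 48 bytes
LUKS2_BIN_HEADER_LEN = 4096     # binary header; the JSON metadata area follows it
LUKS1_SLOT_ACTIVE = 0x00AC71F3
LUKS1_SLOT_DISABLED = 0x0000DEAD


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width text field."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def parse_luks_header(blob: bytes) -> dict:
    """Summarize a LUKS1 or LUKS2 header; raise ValueError if the bytes are not LUKS."""
    if len(blob) < 8 or blob[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0: device is not LUKS-formatted")
    version = struct.unpack_from(">H", blob, 6)[0]
    if version == 1:
        return _parse_luks1(blob)
    if version == 2:
        return _parse_luks2(blob)
    raise ValueError(f"unsupported LUKS version {version}")


def _parse_luks1(blob: bytes) -> dict:
    if len(blob) < LUKS1_HEADER_LEN:
        raise ValueError("truncated LUKS1 header")
    payload_offset, key_bytes = struct.unpack_from(">II", blob, 104)
    active = []
    for slot in range(8):                      # key slots start at offset 208, 48 bytes each
        state = struct.unpack_from(">I", blob, 208 + slot * 48)[0]
        if state == LUKS1_SLOT_ACTIVE:
            active.append(slot)
        elif state != LUKS1_SLOT_DISABLED:     # anything else means a corrupt or forged header
            raise ValueError(f"key slot {slot} has invalid state 0x{state:08x}")
    return {"version": 1,
            "cipher": f"{_cstr(blob[8:40])}-{_cstr(blob[40:72])}",   # cipher-name + cipher-mode
            "hash": _cstr(blob[72:104]), "key_bits": key_bytes * 8,
            "payload_offset_sectors": payload_offset,
            "uuid": _cstr(blob[168:208]), "active_keyslots": active}


def _parse_luks2(blob: bytes) -> dict:
    if len(blob) < LUKS2_BIN_HEADER_LEN:
        raise ValueError("truncated LUKS2 binary header")
    hdr_size, seqid = struct.unpack_from(">QQ", blob, 8)
    info = {"version": 2, "label": _cstr(blob[24:72]), "checksum_alg": _cstr(blob[72:104]),
            "uuid": _cstr(blob[168:208]), "seqid": seqid, "cipher": None, "active_keyslots": []}
    json_area = blob[LUKS2_BIN_HEADER_LEN:hdr_size]
    if len(json_area) < hdr_size - LUKS2_BIN_HEADER_LEN:
        return info                            # caller read only the binary header: cipher unknown
    meta = json.loads(_cstr(json_area))        # cipher and key slots live in the JSON area
    crypt = [s["encryption"] for s in meta.get("segments", {}).values() if s.get("type") == "crypt"]
    info["cipher"] = crypt[0] if crypt else None
    info["active_keyslots"] = sorted(int(k) for k in meta.get("keyslots", {}))
    info["key_bits"] = [ks.get("key_size", 0) * 8 for ks in meta.get("keyslots", {}).values()]
    return info


def build_luks1_sample() -> bytes:
    """Constructed LUKS1 header: aes-xts-plain64, 512-bit key, only slot 0 in use."""
    hdr = bytearray(LUKS1_HEADER_LEN)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:11], hdr[40:51], hdr[72:78] = b"aes", b"xts-plain64", b"sha256"
    struct.pack_into(">II", hdr, 104, 4096, 64)            # payload offset (sectors), key bytes
    hdr[168:204] = b"0f6d2a5c-1b3e-4c7d-9e8f-0a1b2c3d4e5f"
    for slot in range(8):
        struct.pack_into(">I", hdr, 208 + slot * 48, LUKS1_SLOT_DISABLED)
    struct.pack_into(">II", hdr, 208, LUKS1_SLOT_ACTIVE, 250000)   # slot 0 active, PBKDF2 iterations
    return bytes(hdr)


def build_luks2_sample() -> bytes:
    """Constructed LUKS2 header with cryptsetup's default 12 KiB JSON area (16 KiB total)."""
    meta = {"keyslots": {"0": {"type": "luks2", "key_size": 64,
                               "kdf": {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4}}},
            "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
                               "iv_tweak": "0", "encryption": "aes-xts-plain64", "sector_size": 4096}},
            "digests": {}, "tokens": {}, "config": {"json_size": "12288", "keyslots_size": "16744448"}}
    json_area = json.dumps(meta).encode().ljust(12288, b"\x00")
    hdr = bytearray(LUKS2_BIN_HEADER_LEN)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 2)
    struct.pack_into(">QQ", hdr, 8, LUKS2_BIN_HEADER_LEN + len(json_area), 3)   # hdr_size, seqid
    hdr[24:36], hdr[72:78] = b"storage-vol0", b"sha256"
    hdr[168:204] = b"5a9e3d1c-7b2f-4e6a-8c0d-1f2e3d4c5b6a"
    return bytes(hdr) + json_area


def summarize(blob: bytes) -> str:
    """One-line verdict suitable for an audit log or a grep."""
    try:
        h = parse_luks_header(blob)
    except ValueError as exc:
        return f"NOT ENCRYPTED (LUKS): {exc}"
    cipher = h["cipher"] or "unknown (JSON area not read)"
    return f"LUKS{h['version']} {cipher} keyslots={h['active_keyslots']} uuid={h['uuid']}"


if __name__ == "__main__":
    import sys
    for name, blob in (("sample-luks1", build_luks1_sample()), ("sample-luks2", build_luks2_sample())):
        print(f"{name}: {summarize(blob)}")
    for dev in sys.argv[1:]:
        with open(dev, "rb") as f:
            print(f"{dev}: {summarize(f.read(16384))}")
```

Two caveats worth noting when using this against real disks. A missing LUKS magic at offset 0 does not by itself prove the data is plaintext: a detached header, or a partition table in front of the encrypted partition, both look like "not LUKS" at the whole-disk offset, so check the partition, not only the disk. And an active LUKS header tells you the volume is encrypted, not who holds the key; on an appliance where the unlock is automatic at boot, the key-management design matters as much as the cipher reported here.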

Encryption in transit

Data in transit is encrypted using one of these mechanisms, depending on whether the traffic stays inside the appliance or crosses its boundary:

  • Internal data: Secure mode is enabled by default in GDC air-gapped appliance, so all data passing over the internal network is encrypted.
  • External client and service communications: For communication with external clients and services, the FIPS-compliant OpenSSL library provides TLS transport. Clients connecting from outside should validate the appliance's certificate chain rather than accept any presented certificate; otherwise the TLS layer protects against passive observation but not against an active interposer.