Envelope encryption


Storing and encrypting data at Google's scale requires using a central cryptographic key management service with multiple layers of keys for the encrypted data. An example of multiple layer of keys is envelope encryption, which is the process of encrypting a key with another key.

You can encrypt data at both the application layer, which is responsible for displaying data to users, and the storage layer, which provides the physical storage of data.

By default, at the storage layer, Google Cloud Platform (GCP) encrypts customer content stored at rest using envelope encryption, with Google's internal key management service as the central keystore. If you're storing and encrypting data yourself, you can use Cloud KMS as your central keystore at the application layer, which is the focus of this topic.

Cloud KMS stores keys in a key hierarchy designed for ease, with access to resources in the key hierarchy governed by Cloud IAM. The following shows the main levels of a Cloud KMS key hierarchy:


Find out more about the key hierarchy at object hierarchy.

Data encryption keys

The key used to encrypt data itself is called a data encryption key (DEK).

Here are best practices for managing DEKs:

  • Generate DEKs locally.
  • When stored, always ensure DEKs are encrypted at rest.
  • For easy access, store the DEK near the data that it encrypts.
  • Generate a new DEK every time you write the data. This means you don't need to rotate the DEKs.
  • Do not use the same DEK to encrypt data from two different users.
  • Use a strong algorithm such as 256-bit Advanced Encryption Standard (AES) in Galois Counter Mode (GCM).

Key encryption keys

The DEK is encrypted (also known as wrapped) by a key encryption key (KEK). The process of encrypting a key with another key is known as envelope encryption.

Here are best practices for managing KEKs:

  • Store KEKs centrally.

  • Set the granularity of the DEKs they encrypt based on their use case. For example, consider a workload that requires multiple DEKs to encrypt the workload's data chunks. You could use a single KEK to wrap all DEKs that are responsible for that workload's encryption.

  • Rotate keys regularly, and also after a suspected incident. To learn more, see key rotation.

Balancing DEKs and KEKs

Having a smaller number of KEKs than DEKs and using a central key management service makes storing and encrypting data at scale more manageable. A central key service also is a singular point to more easily audit and restrict data access.

Depending on your situation, and the volume of data you are encrypting, you may choose to use a similar model. A single KEK can be used to protect many DEKs; this model permits individual data objects to each have their own DEK without massively increasing the volume of keys stored in a central key management service.

Cloud Key Management Service was designed to manage KEKs, and thus the maximum data input size for Encrypt and Decrypt functions is 64 KiB. However, for data that you know will not approach that limit, you could use Cloud KMS to encrypt and decrypt data directly.

How to encrypt data using envelope encryption

The process of encrypting data is to generate a DEK locally, encrypt data with the DEK, use a KEK to wrap the DEK, and then store the encrypted data and the wrapped DEK.

Encryption flow

To encrypt data using envelope encryption:

  1. Generate a DEK locally. You could do this with an open source library such as OpenSSL, specifying a cipher type and a password from which to generate the key. You can also specify a salt and digest to use, if desired.

  2. Use this DEK locally to encrypt your data.

    As an example, you could use OpenSSL as shown in the encrypting the message example. For best practice, use 256-bit Advanced Encryption Standard (AES-256) cipher in Galois Counter Mode (GCM).

  3. Generate a new key in Cloud KMS, or use an existing key, which will act as the KEK. Use this key to encrypt (wrap) the DEK.

  4. Store the encrypted data and the wrapped DEK.

How to decrypt data using envelope encryption

The process of decrypting data is to retrieve the encrypted data and the wrapped DEK, retrieve the KEK that wrapped the DEK, use the KEK to unwrap the DEK, and then use the unwrapped DEK to decrypt the data.

Decryption flow

To decrypt data using envelope encryption:

  1. Retrieve the encrypted data and the wrapped DEK.

  2. Use the key stored in Cloud KMS to unwrap the encrypted DEK.

  3. Use the plaintext DEK to decrypt the encrypted data. If using OpenSSL as earlier, see the decrypting the message example.

Integration with Google Cloud services

Several GCP products are integrated with Cloud KMS to support Customer-Managed Encryption Key (CMEK) functionality. CMEK with Cloud KMS adds an extra layer of protection for your data, provides you with control of your encryption keys, and leverages the key management benefits of Cloud KMS.

The following GCP products provide CMEK capability using Cloud KMS.

Product CMEK topic
BigQuery Protecting data with Cloud KMS keys
Cloud Build Using encrypted resources
Cloud Dataproc Customer-managed encryption keys
Cloud Storage Using customer-managed encryption keys
Compute Engine Protecting resources with Cloud KMS keys

Other options for Google Cloud services

For data stored in GCP products that do not support CMEK, you can implement your own application-layer encryption. This requires implementing your own envelope encryption as described above, so that you store data encrypted locally in GCP. This is also how you could use Cloud KMS to encrypt data you store in other cloud service providers or on premises.

In addition to supporting CMEK, the following products support Customer-Supplied Encryption Key (CSEK) functionality.

Product CSEK topic
Cloud Storage Customer-supplied encryption keys
Compute Engine Encrypt disks with customer-supplied encryption keys

CSEK allows you to supply an AES-256 key which replaces the KEK used to protect the DEKs encrypting your data, in the envelope encryption model described above. As keys cannot currently be imported or exported from Cloud KMS, you would not be using a key from Cloud KMS as the customer- supplied encryption key, but rather you would protect that key with a key from Cloud KMS (one more layer!). You could, as above, generate a local DEK that you use for CSEK, and wrap that DEK with a KEK from Cloud KMS.

Was this page helpful? Let us know how we did:

Send feedback about...