The National Institute of Standards and Technology (NIST) developed
the Federal Information Processing Standard (FIPS) Publication 140-2 as
a security standard that sets forth requirements for
cryptographic modules, including hardware, software, and/or
firmware, for U.S. federal agencies. FIPS 140-2 Validated
certification was established to aid in the protection of
digitally stored unclassified, yet sensitive, information.
Google Cloud Platform uses a FIPS 140-2 validated module
called BoringCrypto (certificate 3318) in
our production environment. This means that both data in
transit to the customer and between data centers, and data
at rest are encrypted using FIPS 140-2 validated encryption.
The module that
achieved FIPS 140-2 validation is
part of our BoringSSL library.
In order to operate using only FIPS-validated
- Google automatically encrypts traffic between VMs that
travels between Google data centers using FIPS 140-2
- Google’s Local SSD storage product is automatically
encrypted with NIST approved ciphers, but Google's current
implementation for this product doesn’t have a FIPS 140-2
validation certificate. If you require FIPS-validated
encryption on Local SSD storage, you must provide your own
encryption with a FIPS-validated cryptographic module.
- When your clients connect to Google infrastructure,
their TLS clients must be configured to require use of
secure FIPS-compliant algorithms; if the TLS client and
GCP's TLS services agree on an encryption method that is
incompatible with FIPS, a non-validated encryption
implementation will be used.
- Applications you build and operate on GCP might include
their own cryptographic implementations; in order for the
data they process to be secured with a FIPS-validated
cryptographic module, you must integrate such an
All Google Cloud regions and zones currently support FIPS
140-2 validated encryption.
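
For the TLS client requirement in the list above, one way to constrain a client and check what it negotiated, shown as an added example that is not Google's code. The allowlist contents and the function names are assumptions made for this sketch; the TLS 1.2 cap is there because Python's `set_ciphers` does not control TLS 1.3 suites, which include ChaCha20-Poly1305.

```python
import ssl

# Assumption: suites this example treats as acceptable (ECDHE key exchange with
# AES-GCM). Adjust to your own policy; ChaCha20-Poly1305 is deliberately absent.
TLS13_ALLOW = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}
TLS12_PREFIXES = ("ECDHE-ECDSA-AES", "ECDHE-RSA-AES")

def on_allowlist(name):
    """True if an OpenSSL-style cipher suite name is on the allowlist above."""
    if name.startswith("TLS_"):
        return name in TLS13_ALLOW
    return name.startswith(TLS12_PREFIXES) and "-GCM-" in name

def build_client_context():
    """Client context that only offers allowlisted suites."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 and below only, so cap the version to keep
    # the TLS 1.3 ChaCha20 suite from being offered.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM")
    return ctx

def unapproved_offers(ctx):
    """Suites the context could still negotiate that are not on the allowlist."""
    tls13_possible = ctx.maximum_version in (
        ssl.TLSVersion.MAXIMUM_SUPPORTED, ssl.TLSVersion.TLSv1_3)
    bad = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3" and not tls13_possible:
            continue  # listed by OpenSSL but unreachable under the version cap
        if not on_allowlist(suite["name"]):
            bad.append(suite["name"])
    return bad

def require_allowlisted(negotiated):
    """Check the tuple returned by SSLSocket.cipher() after the handshake."""
    name = negotiated[0]
    if not on_allowlist(name):
        raise ssl.SSLError(f"negotiated suite {name} is not on the allowlist")
    return name

if __name__ == "__main__":
    ctx = build_client_context()
    print("offered but not allowlisted:", unapproved_offers(ctx))
    # Constructed sample of what SSLSocket.cipher() returns:
    print(require_allowlisted(("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256)))
```

Restricting the algorithms a client offers does not make the client's own TLS library a FIPS-validated module; that depends on which cryptographic module the client is built against.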