FIPS 140-2 Validated
The National Institute of Standards and Technology (NIST) developed the Federal Information Processing Standard (FIPS) Publication 140-2 as a security standard that sets forth requirements for cryptographic modules, including hardware, software, and/or firmware, for U.S. federal agencies. FIPS 140-2 Validated certification was established to aid in the protection of digitally stored unclassified, yet sensitive, information.
Google Cloud uses a FIPS 140-2 validated encryption module called BoringCrypto (certificate 3318) in our production environment. This means that both data in transit to the customer and between data centers, and data at rest are encrypted using FIPS 140-2 validated encryption. The module that achieved FIPS 140-2 validation is part of our BoringSSL library.
To operate using only FIPS-validated implementations, note the following:
- Google automatically encrypts traffic between VMs that travels between Google data centers using FIPS 140-2 validated encryption.
- Google’s Local SSD storage product is automatically encrypted with NIST approved ciphers, but Google's current implementation for this product doesn’t have a FIPS 140-2 validation certificate. If you require FIPS-validated encryption on Local SSD storage, you must provide your own encryption with a FIPS-validated cryptographic module.
- When your clients connect to Google infrastructure, their TLS clients must be configured to offer only FIPS-approved algorithms (for example, AES-GCM with ECDHE over NIST curves). The validated module only covers the algorithms it implements: if the TLS client and Google Cloud's TLS services negotiate a cipher suite that is not FIPS-approved, such as a ChaCha20-Poly1305 suite, the connection is encrypted by a non-validated implementation even though the server side is BoringCrypto.
- Applications you build and operate on Google Cloud might include their own cryptographic implementations; in order for the data they process to be secured with a FIPS-validated cryptographic module, you must integrate such an implementation yourself.
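The TLS-client requirement above is the one customers most often get wrong, because a client that merely "supports" FIPS suites can still negotiate a non-approved one. The following is an added example, written for this page and not code from Google or the BoringSSL project: it builds a Go `crypto/tls` client configuration that offers only FIPS-approved algorithms, and then checks the negotiated parameters after the handshake. The allow-list (AES-GCM suites with SHA-256/384, ECDHE over P-256/P-384, TLS 1.2 or later) is an assumption chosen for the example, not a list published by Google. The post-handshake check matters because a standard Go toolchain ignores `CipherSuites` for TLS 1.3 and will happily accept ChaCha20-Poly1305 there; only a build with `GOEXPERIMENT=boringcrypto` restricts TLS 1.3 to FIPS suites on its own.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// approvedSuites is the allow-list for this example (an assumption, not a
// Google-published list). It contains only suites whose primitives are FIPS
// 140-2 approved: AES-GCM, SHA-256/SHA-384, ECDHE on NIST curves, RSA/ECDSA.
// Order matters: it becomes the client's preference order for TLS 1.2.
var approvedSuites = []uint16{
	// TLS 1.3 suites (note: no TLS_CHACHA20_POLY1305_SHA256)
	tls.TLS_AES_256_GCM_SHA384,
	tls.TLS_AES_128_GCM_SHA256,
	// TLS 1.2 suites: forward-secret ECDHE with an AEAD cipher only
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}

// IsApprovedSuite reports whether a cipher suite ID is on the allow-list.
// ChaCha20-Poly1305 and CBC/SHA-1 suites are deliberately absent: a
// connection that uses them is not protected by the validated module.
func IsApprovedSuite(id uint16) bool {
	for _, s := range approvedSuites {
		if s == id {
			return true
		}
	}
	return false
}

// NewFIPSClientConfig returns a client tls.Config that offers only
// FIPS-approved algorithms to the server.
func NewFIPSClientConfig() *tls.Config {
	suites := make([]uint16, len(approvedSuites))
	copy(suites, approvedSuites)
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: suites, // honored for TLS 1.2 only; see CheckNegotiated
		// NIST curves only. X25519 is not approved under FIPS 140-2, and this
		// field is honored for TLS 1.3 key shares as well as TLS 1.2 ECDHE.
		CurvePreferences: []tls.CurveID{tls.CurveP384, tls.CurveP256},
	}
}

// CheckNegotiated is the post-handshake gate: it rejects any connection whose
// negotiated protocol version or cipher suite falls outside the allow-list.
func CheckNegotiated(version, suite uint16) error {
	if version < tls.VersionTLS12 {
		return fmt.Errorf("negotiated TLS version 0x%04x is below TLS 1.2", version)
	}
	if !IsApprovedSuite(suite) {
		return fmt.Errorf("negotiated cipher suite %s (0x%04x) is not FIPS-approved",
			tls.CipherSuiteName(suite), suite)
	}
	return nil
}

// VerifyConn applies CheckNegotiated to a live connection. Call it right
// after tls.Dial (or after Handshake) and close the connection on error,
// before sending any application data.
func VerifyConn(conn *tls.Conn) error {
	cs := conn.ConnectionState()
	return CheckNegotiated(cs.Version, cs.CipherSuite)
}

func main() {
	// Real use (not executed here, so the example runs offline):
	//   conn, err := tls.Dial("tcp", "storage.googleapis.com:443", NewFIPSClientConfig())
	//   if err == nil { err = VerifyConn(conn) }
	//
	// Constructed handshake outcomes, not captured from real connections:
	cases := []struct {
		version, suite uint16
	}{
		{tls.VersionTLS13, tls.TLS_AES_256_GCM_SHA384},               // approved
		{tls.VersionTLS13, tls.TLS_CHACHA20_POLY1305_SHA256},         // ChaCha20: rejected
		{tls.VersionTLS12, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, // approved
		{tls.VersionTLS11, tls.TLS_RSA_WITH_AES_128_CBC_SHA},          // old version: rejected
	}
	for _, c := range cases {
		if err := CheckNegotiated(c.version, c.suite); err != nil {
			fmt.Println("REJECT:", err)
		} else {
			fmt.Printf("OK:     %s\n", tls.CipherSuiteName(c.suite))
		}
	}
}
```

Two design points: the check runs on the negotiated state rather than trusting the offered list, which is what makes the TLS 1.3 gap visible, and the curve restriction is done through `CurvePreferences` because `ConnectionState` does not report the negotiated group, so it cannot be verified after the fact.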
All Google Cloud regions and zones currently support FIPS 140-2 validated encryption.