Google Cloud Platform uses a FIPS 140-2 validated module called BoringCrypto (certificate 2964) in our production environment. This means that data in transit to the customer and between data centers as well as data at rest is encrypted using FIPS 140-2 validated cryptography. The module that achieved FIPS 140-2 validation is part of our BoringSSL library. All regions and zones currently support FIPS 140-2 mode.
In order to operate using only FIPS-validated implementations:
- Local SSD is automatically encrypted with NIST approved ciphers, but Google's current
implementation for this product does not have a FIPS 140-2 validation certificate. If you
require FIPS-validated encryption on Local SSD storage, you must do your own encryption
with a FIPS-validated cryptographic module.
- Google automatically encrypts traffic between VMs that travels between Google data
centers using NIST approved encryption algorithms, but this implementation does not have a
FIPS validation certificate. If you require this traffic to be encrypted with a
FIPS-validated implementation, you must provide your own.
- When your clients connect to Google infrastructure, their TLS clients must be configured
to allow and require use of secure FIPS-compliant algorithms: if the TLS client and GCP's
TLS services agree on an encryption method incompatible with FIPS, a non-validated
encryption implementation will be used.
- Applications you build and operate on GCP may include their own cryptographic
implementations; in order for the data they process to be secured with a FIPS validated
cryptographic module, you must integrate such an implementation yourself.