Blog Post

Google adds server-side encryption to cloud storage

Google, citing customer demand, has added server-side encryption to its growing cloud storage product, according to the Google Cloud Platform blog on Thursday. Data is automatically encrypted before it writes to disk and is likewise automatically decrypted when accessed by an authorized user, Google said.

Here’s the gist:

“Each Cloud Storage object’s data and metadata is encrypted with a unique key under the 128-bit Advanced Encryption Standard (AES-128), and the per-object key itself is encrypted with a unique key associated with the object owner. These keys are additionally encrypted by one of a regularly rotated set of master keys. Of course, if you prefer to manage your own keys then you can still encrypt data yourself prior to writing it to Cloud Storage.”

The new (free) service is now being applied to all new data written to Google cloud storage and to existing objects when overwritten. Older objects will be encrypted going forward.

Google started testing server-side encryption last month. Given the hoopla around government data scooping related to the PRISM program, and concern that U.S. cloud vendors have let the NSA gain access to customer data, encryption is becoming a bigger deal. It’s clear that these vendors are feeling the heat from these disclosures — Vint Cerf, the internet pioneer who is now with Google, was among a group of industry poohbahs who met with President Obama ostensibly to discuss their concerns about PRISM’s impact on their businesses last week.

Amazon Web Services (s amzn) has offered 256-bit Advanced Encryption Standard (AES-256) on its S3 storage service since late 2011..

Here’s what I don’t get — and please comment below — if the vendor holds and manages the encryption keys, doesn’t that mean it could hand them over to the government as well the data they protect? (Be nice, I’m no security expert.)

Update: A Google spokeswoman wrote in to say:

“We don’t provide our encryption keys to any government. We believe we’re an industry leader in providing strong encryption, along with other security safeguards and tools.

In general, regarding government requests – We provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and we frequently push back when the requests appear to be fishing expeditions or don’t follow the correct process. When we are required to comply with these requests, we deliver it to the authorities. No government has the ability to pull data directly from our servers or network.”

Given the comments on this and related stories, the problem is that users don’t necessarily buy what either the government or vendors are saying regarding data sharing.

This story was upated at 11:57 a.m. PDT August 15 with Google comment.

13 Responses to “Google adds server-side encryption to cloud storage”

  1. The problem with Google is itself. Government is a minor problem. Google likes to index your files for search. Server-side encryption is meaningless since Google can always decrypt your files. I prefer a company that does not rely on search and offers client-side encryption. Not sure why Dropbox and Box don’t support either. but there are companies that support it, e.g. DriveHQ supports it, and it actually has better services than Google Drive. Carbonite also supports it, but only for online backup.

  2. 88Casey

    I don’t know why anybody even has to think for 1 second if they can trust one word that Google representative wrote. For me the opening line “We don’t provide our encryption keys to any government.” confirmed there was no point in reading on.

    If the servers are in the US, your data is not secure. Fact!!!

    Why have 2 long running companies catering to the needs of people looking for a secure email provider closed down? Simple, they were basically told “comply or die.” Neither company (Lavabit & Silent Circle) were willing to fall in line with the demands of the White House and as a result both companies had to discontinue operations with immediate effect .

  3. John Thompson

    If you use AWS’s HSM, then the customer holds a part of the key. So even if AWS has to hand over all records to the govt due to say a subpeona, the govt won’t be able to decrypt and make sense of the data without the client side portion of the key.

  4. Actually, these comments aren’t quite correct. We (at least, I) haven’t seen enough details to say. All they say is “the per-object key itself is encrypted with a unique key associated with the object owner”. How is the object owner key stored? If google stores it simply encoded by a master key, yes, they could hand it over. If that key is encrypted by the user’s password or browser cookie or something, Google would not have access to it without the user connecting.

    I’m certainly don’t mean to imply that Google are doing this, just that I don’t think there is enough information to say that, yes, they could hand over the data if compelled.

  5. “Given the comments on this and related stories, the problem is that users don’t necessarily buy what either the government or vendors are saying regarding data sharing.”

    I’ll go so far as to say that I do trust Google will do their best to deny requests when ever possible. I’ll even believe their claim that the government cannot directly pull data from their servers. The problem is how the system is designed. If the encryption is implemented correctly they should not be able to access your data even if they wanted to.

    If these cloud companies want user trust back, they need to start designing their systems in a way that removes trust from the equation

  6. Ryan Kalember

    Yes, that’s exactly what it means. Unless you manage your own keys, the cloud vendor (and this is equally true of Box, Egnyte, Dropbox, or whomever else) admins can decrypt the content and potentially turn it over if they get a FISA request.

  7. Elliot Tucker

    You got that right. In fact they could be force to hand over the master rotating keys and get the whole shebang. A defence against hackers, sure, but once the hackers have got as far as being in a position to try and decrypt my google docs, we’re a bit stuffed anyway.

  8. Correct. If the vendor holds the encryption keys they can be compelled to release them to a government authority. To truly protect date stored in the cloud drive the encryption would have to be done on the client side and the key would have to be unknown to vendor.

    To me this sounds more like a proof of concept/empty gesture more than anything else.