Google Cloud Platform tells customers to bring their own encryption keys

Google Compute Engine, the Infrastructure-as-a-Service arm of Google Cloud Platform, is inviting customers to bring their own keys to encrypt data.

Dubbed Customer-Supplied Encryption Keys, the new option is being touted as offering IT departments more flexibility and control in managing their compute resources on Google Cloud Platform.

Customer-Supplied Encryption Keys are said to run the gamut in protecting data at rest stored on Compute Engine, including data volumes, boot disks, and SSDs.

Leonard Law, a product manager on the Google Cloud Platform team, noted in a blog post on Tuesday that Compute Engine protects customer data at rest with 256-bit AES encryption.

Law stressed that customers own their keys, and Google won't control or keep them -- nor will Google decrypt the data.

"You create and hold the keys, you determine when data is active or at rest, and absolutely no one inside or outside Google can access your at rest data without possession of your keys," Law explained.

Available in beta, the Customer-Supplied Encryption Keys are accessible in select countries via the Google Cloud Developers Console, the API and the gcloud command-line tool.

Google's move to hand over the keys follows similar developments from other cloud storage providers this year.

In February, Box added Enterprise Key Management (EKM) as a cloud encryption management option.

A few months later, Syncplicity (before it was sold by EMC to private investment firm Skyview Capital) dangled managed keys to give customers more granular control.