3

Google Cloud Platform allows for customer supplied disk encryption keys as an option to using Google supplied disk encryption keys.

However, to use customer supplied keys, you must send the key (either raw or wrapped by a google public key) to Google APIs.

In terms of security guarantees, it doesn't seem like this situation is any better than using Google provided encryption keys as the customer supplied keys are made visible to Google.

Is there some benefit or scenario of customer supplied keys I'm missing here?

Doug Richardson
  • 196
  • 4
  • If I understood the page correctly, that you linked, then you don't send them the private key - you send them the public key. This public key is then used to encrypt the access keys to your data. – mhr Aug 12 '19 at 12:28
  • That is not correct. GCP uses AES256 or AES128 for disk encryption (which use a single key, not a public/private key pair). The RSA key wrapping you see on that site is an optional mechanism you can use to encrypt your AES256 key with a google public key that only they can decrypt. This is to defend against accidentally leaking you private key to a 3rd party... but per this question, google still gets their hands on your private key eventually. https://cloud.google.com/security/encryption-at-rest/default-encryption/ – Doug Richardson Aug 12 '19 at 18:02

0 Answers0