Google announced today on its Cloud Platform Blog that data stored in its Cloud Storage platform will now be automatically encrypted before being written to disk, at no additional charge to developers. Google said the process will not require any input or configuration from developers and that the new encryption will cause “no visible performance impact”:
We manage the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing. Each Cloud Storage object’s data and metadata is encrypted with a unique key under the 128-bit Advanced Encryption Standard (AES-128), and the per-object key itself is encrypted with a unique key associated with the object owner. These keys are additionally encrypted by one of a regularly rotated set of master keys.
Google noted that developers will still be able to encrypt data using their own methods and manage their own decryption keys, but from now on Google will free developers from the effort and cost associated with doing so. The new server-side encryption is active starting today for new data written to the platform, and Google says it applies both to new objects and to overwrites of existing objects. It also said that “older objects will be migrated and encrypted in the coming months.”
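The three-tier key hierarchy in Google's statement (per-object key, owner key, rotated master key) can be sketched as follows. This is an added example for Node.js, not Google's implementation: the GCM mode, the stored blob layout and every function and variable name are assumptions, and the keys and object bytes are constructed.

```javascript
const crypto = require('node:crypto');

// AES-128 comes from Google's statement; GCM mode and the blob layout are assumptions of this example.
const ALG = 'aes-128-gcm';
const newKey = () => crypto.randomBytes(16);

// wrap encrypts pt (object bytes or a lower-tier key) and returns nonce || tag || ciphertext.
function wrap(key, pt) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv(ALG, key, nonce);
  const ct = Buffer.concat([c.update(pt), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// unwrap opens each layer with the key recovered from the layer before it:
// master key -> owner key -> per-object key -> object bytes.
// It throws if a key is wrong or any stored byte was altered.
function unwrap(key, ...layers) {
  for (const blob of layers) {
    if (blob.length < 28) throw new Error('truncated layer');
    const d = crypto.createDecipheriv(ALG, key, blob.subarray(0, 12));
    d.setAuthTag(blob.subarray(12, 28));
    key = Buffer.concat([d.update(blob.subarray(28)), d.final()]);
  }
  return key;
}

// rotateMaster re-wraps only the owner key; wrapped object keys and object bytes stay as stored.
function rotateMaster(oldMaster, newMaster, wrappedOwnerKey) {
  return wrap(newMaster, unwrap(oldMaster, wrappedOwnerKey));
}

// Constructed sample: one owner, one object, one master-key rotation.
const [master, owner, objectKey] = [newKey(), newKey(), newKey()];
const stored = {
  data: wrap(objectKey, Buffer.from('constructed object bytes')),
  objectKey: wrap(owner, objectKey),
  ownerKey: wrap(master, owner),
};
const nextMaster = newKey();
stored.ownerKey = rotateMaster(master, nextMaster, stored.ownerKey);
console.log(unwrap(nextMaster, stored.ownerKey, stored.objectKey, stored.data).toString());
```

Rotating the master key rewrites one small record per owner rather than every object, and the retired master key no longer opens anything once the re-wrapped owner key replaces the old one.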
In July, reports claimed that Google was also readying server-side encryption for files stored in its consumer-facing Drive cloud storage service.