Google said on its Cloud Platform blog that it is now providing server-side encryption for customers of its Google Cloud Storage service. Not to be confused with the consumer-based Google Drive, it's a cloud computing storage service for software developers similar to Amazon's Simple Storage Service (S3). Developers can use this service to store and host static assets for an app, backup their code and so on. Google Drive is meant for personal files that are managed by the end-user.
The big news here is that Google is rolling out server-side encryption as sources foretold last month. It makes sense that this level of encryption would be introduced in a commercial product first, followed by a consumer version that could possibly cost a small monthly fee. Google Cloud Storage pricing is based on storage usage and bandwidth usage on a per gigabit per month basis, thus server-side file encryption can serve as a free added feature in the overall product.
"There is no setup or configuration required, no need to modify the way you access the service and no visible performance impact," writes product manager Dave Barth. "The data is automatically and transparently decrypted when read by an authorized user."
Barth states that Google manages the cryptographic keys on the customer's behalf using the same key management systems that the company uses for its own encrypted data, including strict key access controls and auditing. This seemingly indicates that after all this time, Google has been encrypting its own data server-side, but not the customers using its Google Drive and Google Cloud Storage products. How nice.
"Each Cloud Storage object’s data and metadata is encrypted with a unique key under the 128-bit Advanced Encryption Standard (AES-128), and the per-object key itself is encrypted with a unique key associated with the object owner," he says. "These keys are additionally encrypted by one of a regularly rotated set of master keys."
Barth says that customers can still encrypt their own data prior to uploading to the service. However, server-side encryption is already active for all new data written via new objects and overwritten ones. Older objects will be migrated and encrypted in the coming months.
So far it's unknown when server-side encryption will be offered to the consumer-based Google Drive product. Last month sources said that Google is currently "experimenting" with Google Drive, and has already managed to encrypt a small percentage of files.
Typically, it's common practice to use encryption when data is securely transferred to and from cloud storage, but not while the data resides on hardware used in the cloud due to the complexity and the difficulties in indexing and searching encrypted data. The additional computing also comes with an added expense for Google, hence the speculation that the company may charge a fee for encrypting Google Drive files. The company already charges fees for using 100 GB of capacity and higher.
The move arrives in the wake of revealed classified slides owned by the NSA which show that the government uses PRISM, a program that collates data provided by companies as required under the Foreign Intelligence Surveillance Act. PRISM does not collect encrypted data unless the government possesses a key.