The Google cloud platform, Google Compute Engine, now allows customers to create their own encryption keys as an alternative to the Google-provided default encryption.

Google Compute Engine automatically encrypts all data at rest, managing customer data encryption as a part of the Compute Engine service. However, some customers prefer to manage and control cloud encryption internally, to further tighten data security.

Google has released a comprehensive set of instructions for a customer to create their own encryption key. The Customer-Supplied Encryption Key (CSEK) is then used to protect the Google-generated keys that are used automatically for data encryption. The CSEK is an additional layer of protection for data stored in the cloud. Using an internally-generated encryption key also allows customers to control data encryption without using third-party providers, whose services are available at an additional cost.

However, Google warns, the customer must maintain full responsibility for the encryption keys that they have generated. Google does not store CSEKs on its servers, and cannot independently access protected data. Should a customer forget or lose their key, “there is no way for Google to recover the key or to recover any data encrypted with the lost key.”

Customers may only encrypt new persistent disks with their own key. Existing persistent disks cannot be re-encrypted with a customer-created key. Also excluded are managed instance groups (used for autoscaling instances in Google Compute Engine), and local SSDs as they “do not persist beyond the life of a virtual machine.”

The process for creating a CSEK is outlined by Google, and requires installation of the gcloud command-line tool. The user must provide a 256-bit string key encoded in base 64 to Google Compute Engine. The option is then provided to wrap the CSEK using an RSA public key certificate. Data encrypted with the public key can then only be decrypted by using the private key.

Many cloud providers already allow customers to supply their own encryption keys, including Amazon, Box, and Microsoft Azure. While the functionality was released in beta last year, the full Customer-Supplied Encryption Keys (CSEK) service is currently available only in 8 countries: the United States, United Kingdom, Canada, Denmark, France, Germany, Japan and Taiwan. However, interested customers in other countries can request that CSEK functionality be added to their region. Australia, Mexico, Italy, Norway and Sweden are expected to be added later this month.