Google has launched the Cloud Key Management Service (Cloud KMS) in beta, allowing users across the globe to manage encryption keys on the Google cloud platform.
The Cloud KMS will allow users to create, rotate (manually or automatically), and destroy AES256 symmetric encryption keys at their discretion.
Google already offers encryption key services for information stored in the cloud, but the new service will allow users to manage keys at their own discretion. Further, by integrating the KMS with existing services administrators can manage, access, report and review user access to encryption keys at all times.
Google’s new encryption service uses a representational state architecture, or REST API, to create encryption keys for stored data. Administrators may either manually rotate encryption keys at will, or set an automatic rotation schedule for generating a new key at a fixed time interval. Old keys are destroyed with a 24-hour delay to help prevent accidental or malicious data loss.
Google’s new KMS is fully integrated with IAM and Cloud Audit Logging, so that access to encryption keys can be managed individually by user and by key, and to monitor how and when the keys are accessed. The system will also allow for envelope encryption, where users may adopt a key hierarchy structure with local data encryption keys protected by a key encryption key within the Cloud KMS.
According to the Google cloud blog, the Cloud KMS system uses the same Advanced Encryption Standard used internally at Google to encrypt information in the cloud. The company also reiterated that it will not access encrypted customer data, except as required to provide cloud platform services.
The Cloud KMS also leverages low latency, which allows users to access encrypted data for frequently performed operations. This means that users can access keys quickly, and that operational data can be encrypted as well as more sensitive, less-frequently requested data.
Google’s Cloud KMS works with data that is encrypted on the Google cloud, as well as for data hosted by alternate cloud providers.
Cloud KMS beta is available in countries spanning Europe, North and South America, Asia and Australia, and is available for a free trial to interested parties, with future pricing varying for key-only or operational usage.