Google Cloud Storage — a non-consumer service used by companies like Ubisoft, Rovio, Best Buy, and others for storing content — will for the first time automatically encrypt its users' data. The move is intended to protect companies, developers, and ultimately your data from prying eyes, using the 128-bit Advanced Encryption Standard (AES). Under the new system, data will be encrypted on Google's end "before it's written to disk." Google tells us that the keys to unlock this encryption are managed using the same systems Google uses for its own data. User data and metadata are encrypted using a unique key, which is then encrypted using a second key associated with the data owner, which is in turn encrypted using a "regularly rotated" (Google refuses to specify how regularly) master key.
A clear response to customer anxiety
Google's push towards Cloud Storage security is a clear response to heightened anxiety over government spying. While it will certainly go some way toward protecting against hackers, if Google is holding the keys, what's to stop the government from snooping? When we asked about government data requests, Google firmly told us that it will not provide its encryption keys to any government. It also echoed its previous statements regarding when and how it does provide data to the government:
"We provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and we frequently push back when the requests appear to be fishing expeditions or don’t follow the correct process. When we are required to comply with these requests, we deliver it to the authorities. No government has the ability to pull data directly from our servers or network."
Of course, all of the company's clients should be encrypting their data before sending it to Google's servers — but "should" doesn't always translate to "are," as past events have shown. It's likely that some developers will be unhappy to have their keys managed by Google; conventional wisdom says to share such things with as few parties as possible. For anyone with such worries, Google advises encrypting data before sending it to Google Cloud Storage.
Google is playing catchup
Although the addition of automated encryption is welcome, many of Google's competitors have been offering similar or better solutions for some time. Amazon, for example, has offered the stronger 256-bit server-side AES encryption on its S3 service since 2011 — Google is playing catchup. At least now, the company can say that all of its business hosting services — other parts of its Google Compute Engine service have had similar features for some time — offer default encryption.