aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • Engineering
  • Technology

Architecting For Database Encryption On Google Cloud

  • aster.cloud
  • October 15, 2022
  • 4 minute read

Encryption and data protection is a major requirement for customers moving their workloads to the cloud. To meet this requirement, organizations often invest a great deal of time in protecting sensitive data in cloud-based databases. This is driven mostly by government regulations, compliance, and organizations’ security requirements to have data protected at rest. As Customer Engineers on the Security and Compliance technology team in Google Cloud, we engage both executive and technical stakeholders to help customers build secure deployments that enable their digital transformation on our Cloud platform.

As Google Cloud continues its efforts to be the industry’s most trusted cloud, we’re taking steps to help customers better understand encryption options available to protect workloads on our platform. In this post, we provide a guide on how to accelerate your design considerations and decision making when securely migrating or building databases with the various encryption options supported on Google Cloud platform.


Partner with aster.cloud
for your next big idea.
Let us know here.



From our partners:

CITI.IO :: Business. Institutions. Society. Global Political Economy.
CYBERPOGO.COM :: For the Arts, Sciences, and Technology.
DADAHACKS.COM :: Parenting For The Rest Of Us.
ZEDISTA.COM :: Entertainment. Sports. Culture. Escape.
TAKUMAKU.COM :: For The Hearth And Home.
ASTER.CLOUD :: From The Cloud And Beyond.
LIWAIWAI.COM :: Intelligence, Inside and Outside.
GLOBALCLOUDPLATFORMS.COM :: For The World's Computing Needs.
FIREGULAMAN.COM :: For The Fire In The Belly Of The Coder.
ASTERCASTER.COM :: Supra Astra. Beyond The Stars.
BARTDAY.COM :: Prosperity For Everyone.

Managing data at rest with encryption on Google Cloud

When you move data to Google Cloud, you have options to choose from databases that are simple to use and operate without cumbersome maintenance tasks and operational overhead. Google Cloud keeps the databases highly available and updated, while your IT team can focus on delivering innovations and your end users enjoy reliable services.

Additionally, you inherit security controls like encryption of data at-rest by default that can help simplify your security implementations. For most organizations, encryption is one piece of a broader security strategy. Encryption adds a layer of defense in depth for protecting data and provides an important mechanism for how Google helps ensure the privacy of data. Encryption ensures that if the data accidentally falls into an attacker’s hands, they cannot access the data without also having access to the encryption keys. Our platform offers data-at-rest encryption by default, ensuring that all data stored within the cloud is encrypted by Google-managed keys.

Read More  Exploring The Future With The Past. The Pros And Cons of C++ In An Evolving Programming Landscape.

Management options for encryption keys

Google Managed Keys: All data stored within Google Cloud is encrypted at rest using the same hardened key management systems that we use for our own encrypted data. These key-management systems provide strict access controls and auditing, and encrypt user data at rest using AES-256 encryption standards. No setup, configuration, or management is required. Google managed keys is an appropriate choice if you don’t have specific requirements related to compliance or locality of cryptographic materials.

Customer Managed Keys: Customer managed encryption keys (CMEK) offer the ability to protect your databases with encryption keys you control and manage. Using CMEK gives you control over more aspects of the lifecycle and management of your keys, such as key rotation, defining access control policies, auditing and logging, and enforcing data locality or residency requirements. CMEKs are supported on Cloud Key Management Service, Cloud Hardware Security Module, and Cloud External Key Manager.

Encryption options for Google Cloud databases

In addition to default security controls inherited on Google Cloud, we believe customers should have options to choose the level of protection over data stored in the cloud. We’ve developed database products integrated with our encryption capabilities that enable you to control your data and provide expanded granularity into when and how data is accessed.

 

Google’s default encryption: Customers’ content stored on our platform is encrypted at rest, without any action from customers using multiple encryption mechanisms. Data for storage is split into chunks, and each chunk is encrypted with a unique data encryption key. The data encrypted keys are protected with key encryption keys (KEK) and stored centrally in Google’s KMS, a repository built specifically for storing keys.

Read More  Canonical announces 12 year Kubernetes LTS

Cloud Key Management Service (Cloud KMS) provides you with the capability to manage cryptographic keys in a central cloud service for either direct use or use by other cloud resources such as databases and datastores. Cloud KMS combines secure, highly available infrastructure with capabilities not only to provide the mechanisms to create keys of various types and strengths, but also an option for the keys to remain exclusively within the Google Cloud region with which the data is associated.

Cloud Hardware Security Module (Cloud HSM) enables you to generate encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs. The service is fully managed, so you can protect your most sensitive workloads without worrying about the operational overhead of managing an HSM cluster. Google manages the HSM hardware, automatically scales based on your use,  spares you the complexity of managing and using HSM-backed keys in production. For example, you can encrypt data in Cloud SQL tables using a Cloud HSM key that you manage and control the life cycle of.

Cloud External Key Manager (EKM) gives you ultimate control over the keys and encrypted data-at-rest within Google Cloud resources such as CloudSQL, Cloud Spanner, etc. Google EKM enables you to use keys managed in a supported key management system external to Google to protect data within Google Cloud. It’s important to note that for this option, externally managed keys are never cached or stored within Google Cloud. Whenever Google Cloud needs to decrypt data, it communicates directly with the external key manager. In addition to Cloud EKM, customers may leverage Key Access Justifications to understand why their externally-hosted keys are being requested to decrypt data.

Read More  Palexy Empowers Retailers To Increase In-Store Sales With The Help Of Google Cloud

Here’s a look at the encryption options for database services that Google Cloud offers

 

Database Platform Google Cloud Database service Encryption Options Supported
Microsoft SQL Server Cloud SQL for SQL Server
  • Google default encryption
  • Cloud KMS
  • CloudHSM
  • CloudEKM
MySQL Cloud SQL for MySQL
  • Google default encryption
  • Cloud KMS
  • CloudHSM
  • CloudEKM
PostgreSQL Cloud SQL for PostgreSQL
  • Google default encryption
  • Cloud KMS
  • CloudHSM
  • CloudEKM
MongoDB MongoDB Atlas
  • Google default encryption
  • Cloud KMS
  • CloudHSM
Apache HBase Cloud BigTable
  • Google default encryption
  • Cloud KMS
  • CloudHSM
  • CloudEKM
PostgreSQL CloudSpanner for PostgreSQL
  • Google default encryption
  • Cloud KMS
  • CloudHSM
  • CloudEKM
Google Standard SQL CloudSpanner Google Standard SQL
  • Google default encryption
  • Cloud KMS
  • CloudHSM
  • CloudEKM
Redis Memory Store Memorystore for Redis.
  • Google default encryption
  • Cloud KMS
  • CloudHSM
Firestore Firestore
  • Google default encryption
Oracle Database Bare Metal Solution for Oracle
  • Customer owned key management system

 

For more information on Key Management on GCP read our KMS Deep Dive Whitepaper.

 

 

By: Lanre Ogunmola (Customer Engineer)
Source: Google Cloud Blog


For enquiries, product placements, sponsorships, and collaborations, connect with us at [email protected]. We'd love to hear from you!

Our humans need coffee too! Your support is highly appreciated, thank you!

aster.cloud

Related Topics
  • Databases
  • Encryption
  • Google Cloud
  • Security
You May Also Like
View Post
  • Engineering

Just make it scale: An Aurora DSQL story

  • May 29, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

Reliance on US tech providers is making IT leaders skittish

  • May 28, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

Examine the 4 types of edge computing, with examples

  • May 28, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

AI and private cloud: 2 lessons from Dell Tech World 2025

  • May 28, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

TD Synnex named as UK distributor for Cohesity

  • May 28, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

Broadcom’s ‘harsh’ VMware contracts are costing customers up to 1,500% more

  • May 28, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

Weigh these 6 enterprise advantages of storage as a service

  • May 28, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

Pulsant targets partner diversity with new IaaS solution

  • May 23, 2025

Stay Connected!
LATEST
  • 1
    Just make it scale: An Aurora DSQL story
    • May 29, 2025
  • 2
    Reliance on US tech providers is making IT leaders skittish
    • May 28, 2025
  • Examine the 4 types of edge computing, with examples
    • May 28, 2025
  • AI and private cloud: 2 lessons from Dell Tech World 2025
    • May 28, 2025
  • 5
    TD Synnex named as UK distributor for Cohesity
    • May 28, 2025
  • Weigh these 6 enterprise advantages of storage as a service
    • May 28, 2025
  • 7
    Broadcom’s ‘harsh’ VMware contracts are costing customers up to 1,500% more
    • May 28, 2025
  • 8
    Pulsant targets partner diversity with new IaaS solution
    • May 23, 2025
  • 9
    Growing AI workloads are causing hybrid cloud headaches
    • May 23, 2025
  • Gemma 3n 10
    Announcing Gemma 3n preview: powerful, efficient, mobile-first AI
    • May 22, 2025
about
Hello World!

We are aster.cloud. We’re created by programmers for programmers.

Our site aims to provide guides, programming tips, reviews, and interesting materials for tech people and those who want to learn in general.

We would like to hear from you.

If you have any feedback, enquiries, or sponsorship request, kindly reach out to us at:

[email protected]
Most Popular
  • Understand how Windows Server 2025 PAYG licensing works
    • May 20, 2025
  • By the numbers: How upskilling fills the IT skills gap
    • May 21, 2025
  • 3
    Cloud adoption isn’t all it’s cut out to be as enterprises report growing dissatisfaction
    • May 15, 2025
  • 4
    Hybrid cloud is complicated – Red Hat’s new AI assistant wants to solve that
    • May 20, 2025
  • 5
    Google is getting serious on cloud sovereignty
    • May 22, 2025
  • /
  • Technology
  • Tools
  • About
  • Contact Us

Input your search keywords and press Enter.