What is the Google External Key Manager service?
Google announced the External Key Manager (EKM) service at the Google Cloud Next UK conference in November 2019. Google Cloud's External Key Manager is a new encryption key control system for Google Cloud Platform (GCP), on which more than 20 Google services run.
EKM enables data encryption in BigQuery and Google Compute Engine (GCE) using keys held in an external key management service that runs outside Google's infrastructure and is fully controlled by the customer from a single point of management.
By keeping encryption keys separate from data at rest, businesses can still take advantage of cloud computing and analytics capabilities.
Several cloud service providers let businesses bring their own keys (BYOK), but Google Cloud Platform is the first public cloud provider to let businesses bring their own key management system (BYOKMS).
How does Google Cloud’s External Key Manager work?
Google External Key Manager extends the envelope encryption strategy by using an externally managed Key Encryption Key (EKEK) to encrypt the Key Encryption Key (KEK).
First, the data is encrypted with a local Data Encryption Key (DEK) that is stored alongside the data. The DEK is in turn encrypted with a Key Encryption Key (KEK) stored separately in Cloud HSM (Hardware Security Module) or Cloud KMS (Key Management Service).
GCP services such as BigQuery and GCE can protect their data at rest with encryption keys hosted in Cloud KMS or Cloud HSM; with EKM, that KEK is itself wrapped by the EKEK, which never leaves the customer's external key manager.
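To make the three-layer hierarchy concrete, here is an added Python example (not code from Google or the EKM service) that models the DEK, KEK and EKEK chain: a toy HMAC-based cipher stands in for AES so it runs on the standard library alone, and the `ExternalKeyManager` class simulates the customer's external KMS; all class and function names are assumptions.

```python
import hashlib
import hmac
import os

# Toy authenticated cipher from HMAC-SHA256 (keystream plus tag). It stands in
# for AES-GCM so the example runs offline; Cloud KMS does not use this construction.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + tag + body

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class ExternalKeyManager:
    """Stand-in for the customer's external KMS. The EKEK is generated here and
    never leaves this object; the cloud side only ever sees wrapped KEKs."""
    def __init__(self) -> None:
        self._ekek = os.urandom(32)
    def wrap_kek(self, kek: bytes) -> bytes:
        return seal(self._ekek, kek)
    def unwrap_kek(self, wrapped_kek: bytes) -> bytes:
        return unseal(self._ekek, wrapped_kek)

def encrypt_with_envelope(ekm: ExternalKeyManager, data: bytes) -> dict:
    dek = os.urandom(32)                  # per-object Data Encryption Key
    kek = os.urandom(32)                  # Key Encryption Key (would live in Cloud KMS/HSM)
    return {
        "ciphertext": seal(dek, data),    # layer 1: DEK encrypts the data
        "wrapped_dek": seal(kek, dek),    # layer 2: KEK encrypts the DEK, stored with it
        "wrapped_kek": ekm.wrap_kek(kek), # layer 3: externally held EKEK encrypts the KEK
    }

def decrypt_with_envelope(ekm: ExternalKeyManager, record: dict) -> bytes:
    kek = ekm.unwrap_kek(record["wrapped_kek"])  # impossible without the external KMS
    dek = unseal(kek, record["wrapped_dek"])
    return unseal(dek, record["ciphertext"])
```

Decrypting the same record through a different `ExternalKeyManager` fails at the first unwrap, which is the property the Disaster Recovery requirement below relies on.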
What are the benefits of key provenance in Google External Key Manager?
Key provenance records the key's creation process and history: who created the key, when it was created, the cryptographic model used, who authorised it, and why it was needed.
Throughout the key lifecycle, key provenance provides information about how keys are used, stored, accessed, and destroyed.
Organisations can track key sources, locations, backup history, and other attributes. Provenance lets organisations verify key encryption and other qualitative indicators.
What are the benefits of key centralisation in Google External Key Manager?
Key centralisation results in fewer key distribution cycles and a lower chance of key compromise.
Instead of maintaining policies scattered across several systems, organisations can concentrate on auditing and overseeing a single control point.
Centralised key management makes key creation, rotation, and deletion possible across a variety of cloud platforms, which gives flexibility in hybrid-cloud and multi-cloud infrastructures.
What are the benefits of key control in Google External Key Manager?
With Google External Key Manager, organisations can store encryption keys on-site under their own administrative control and fully own them.
This configuration lets them restrict Google's exposure to sensitive customer data, or remove Google's access to the data entirely if security reasons require it.
Organisations can keep track of the root key's entire origin and approve and confirm its use.
How Do You Decide When and How Your Data Can Be Decrypted?
Using the Key Access Justifications (KAJ) feature of EKM, organisations can refuse Google direct access to decrypt data, even in situations outside their control or where a third-party authority demands it.
KAJ provides a detailed justification for each request to decrypt data. Using an access justification policy, organisations can explicitly accept or reject cryptographic requests.
For instance, a company may grant Google access to the Key Encryption Keys (KEKs) for certain reasons, but deny access to other parties or to any request that lacks a valid reason.
Every cryptographic operation produces an audit log entry, including the access reason, that the organisation can review.
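An added example, not Google's implementation, of what an access justification policy does with each unwrap request that reaches the external key manager: the reason codes are modelled on KAJ's vocabulary (the exact set is an assumption), a request carrying no reason is denied as the absence of a valid reason, and every decision, allowed or denied, writes one audit entry that carries the reason; the key name and callers are constructed placeholders.

```python
from datetime import datetime, timezone

# Reason codes modelled on the Key Access Justifications vocabulary; the exact
# set and names are an assumption for this example, not the service's full list.
ALLOWED_REASONS = {
    "CUSTOMER_INITIATED_ACCESS",         # the customer's own workloads reading data
    "CUSTOMER_INITIATED_SUPPORT",        # a support case the customer opened
    "GOOGLE_INITIATED_SYSTEM_OPERATION", # automated maintenance inside the service
}

class AccessJustificationPolicy:
    """Decides each KEK unwrap request the external key manager receives and
    writes one audit entry per request, whatever the outcome."""
    def __init__(self, allowed_reasons) -> None:
        self.allowed_reasons = set(allowed_reasons)
        self.audit_log = []

    def evaluate(self, request: dict) -> bool:
        reason = request.get("reason")
        if not reason:                               # no justification: no valid reason
            decision, detail = "DENY", "missing justification"
        elif reason in self.allowed_reasons:
            decision, detail = "ALLOW", "reason permitted by policy"
        else:                                        # e.g. a third-party data request
            decision, detail = "DENY", "reason not permitted by policy"
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "key": request.get("key"),
            "caller": request.get("caller"),
            "reason": reason,
            "decision": decision,
            "detail": detail,
        })
        return decision == "ALLOW"

# Constructed sample requests (key resource name and callers are placeholders).
KEY = "projects/example-project/locations/global/keyRings/ekm-ring/cryptoKeys/kek-1"
SAMPLE_REQUESTS = [
    {"key": KEY, "caller": "bigquery-job-123", "reason": "CUSTOMER_INITIATED_ACCESS"},
    {"key": KEY, "caller": "legal-request-7", "reason": "THIRD_PARTY_DATA_REQUEST"},
    {"key": KEY, "caller": "unknown-process"},   # no reason supplied at all
]

def run_sample():
    policy = AccessJustificationPolicy(ALLOWED_REASONS)
    decisions = [policy.evaluate(r) for r in SAMPLE_REQUESTS]
    return decisions, policy.audit_log
```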
What are the requirements when implementing External Key Management?
High Availability
The KMS service that External Key Manager (EKM) interfaces with on GCP's behalf must remain accessible at all times.
Disaster Recovery
Google does not store Cloud EKM keys on its systems and cannot access protected disks unless the company provides the key to Cloud EKM. If the key is lost, Google cannot recover it or any data encrypted with it.
Performance
Throughput and latency should be within reasonable bounds.
Role-based access control
Access to the EKM keys must be determined by the roles of authorised users.
Auditability
The EKM requires highly detailed logging of operations carried out outside the cloud.
What are the service integrations and technical considerations in Google External Key Manager?
Cloud EKM keys are supported by the following services:
- Compute Engine and Persistent Disk: by default, Compute Engine encrypts customer data at rest. With Cloud EKM, organisations can monitor and control the Data Encryption Keys (DEKs) and the default encryption used to protect Persistent Disks.
- BigQuery: organisations can encrypt data stored in BigQuery. Extra permission must be granted to access the keys needed to remove data from the BigQuery cache.
- GKE: data on virtual machine disks (node boot disks and attached disks) and application-layer secrets can be protected in GKE with Cloud EKM keys.
- Cloud SQL: a Cloud SQL instance and its backups can be encrypted with the same Cloud EKM key.