Google Managed Encryption Key


SS

Jun 21, 2018, 9:07:45 AM
to gce-discussion
Currently, our Google Cloud VM is set to use Google Managed Encryption Key. Does anyone know how often these keys are rotated by Google? Our customers require these be rotated every 12 months. Thanks!

Dinesh (Google Platform Support)

Jun 22, 2018, 10:57:33 AM
to gce-dis...@googlegroups.com
Thanks for your message. "Rotation period" is a user-defined parameter. While creating a key from the Cloud console GUI, you have an option to select "Rotation period", where you can select 30, 90, 180, 365 days, Never (manual rotation) or Custom (user-provided days). Please see the attached screenshot[1] from the GUI.

Here[2] you can find detailed information about the Cloud Key Management Service. 

I hope it helps?

Regards, 

[1]: Key_Rotation.png (attachment)

SS

Jun 22, 2018, 1:07:53 PM
to gce-discussion


Hi Dinesh -

Thanks for the response. I understand that for Customer Managed Encryption keys we have control over the rotation of the keys. Right now, our disks are set up as "Google Managed Encryption"; when it's set to default and we let Google manage it, how often does Google rotate the keys?

See screenshot attached.

Thanks!
Attachment: Screenshot.png

Dinesh (Google Platform Support)

Jun 25, 2018, 1:18:36 PM
to gce-discussion
Hi Satish,

Thanks for your message and update. 

As per the Cloud documentation[1], KMS can automatically rotate KEKs (key encryption keys) at regular time intervals, using Google's common cryptographic library to generate new keys. The actual rotation schedule for a KEK varies by service, but the standard rotation period is 90 days. Google Cloud Storage specifically rotates its KEKs every 90 days.

I hope it helps. 

Regards,

[1]: https://cloud.google.com/security/encryption-at-rest/default-encryption/

Sirui Sun

Jun 26, 2018, 12:38:45 PM
to gce-discussion
Hi Satish - 

Building onto Dinesh's answer, in the case of Google managed encryption on GCE disks, images and snapshots, there is currently no scheduled key rotation. If you wish to rotate your keys, you will need to use either Customer-Supplied or Customer-Managed encryption and set the key rotation period accordingly.

-Sirui

Satish Sallakonda

Jun 26, 2018, 2:28:05 PM
to Sirui Sun, gce-discussion
Hi Sirui -

Thanks for the update. Your answer somehow conflicts with the answer Dinesh gave earlier. If we rely on Google Managed Encryption for disks, images and snapshots, my understanding from this link https://cloud.google.com/security/encryption-at-rest/default-encryption/ is that Google will generate a new DEK for chunks of data and KEKs are rotated at the default rotation period of 90 days.

Are you clarifying that DEKs are not rotated but KEKs are rotated?

Thanks,
Satish


--
© 2018 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
 
Email preferences: You received this email because you signed up for the Google Compute Engine Discussion Google Group (gce-discussion@googlegroups.com) to participate in discussions with other members of the Google Compute Engine community and the Google Compute Engine Team.
---
You received this message because you are subscribed to the Google Groups "gce-discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gce-discussion+unsubscribe@googlegroups.com.
To post to this group, send email to gce-discussion@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/gce-discussion/92101eae-8296-4648-84ed-67afd98c55ca%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Sirui Sun

Jun 26, 2018, 4:31:03 PM
to gce-discussion
Hi Satish - 

Sorry for the confusion. The bottom line is that for GCE disks, images, and snapshots, there are three encryption mechanisms:

a) Google Managed (default)
b) Customer Managed (using Cloud KMS)
c) Customer Supplied

When using (a), Google will manage encryption of disks, images and snapshots for you automatically. Under this mode, we do not guarantee any particular frequency of key rotation, neither for the DEK nor the KEK.

If you or your customers require that keys be rotated on some predictable schedule, we recommend going with option (b).

As for the sources of confusion, notice that Dinesh's first message above refers to KMS (option 2). Also, note that "Google Cloud Storage", as referred to in both Dinesh's comments and in the link[1] is not the same thing as GCE disks/images/snapshots. Rather, "Google Cloud Storage" refers to a separate cloud object storage offering[2], with its own nuances on encryption granularity, key rotation, etc.
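An audit that applies the distinction Sirui draws above (option (a) gives no guaranteed rotation, option (b) exposes the KMS rotation period Dinesh described) to the original 12-month requirement. This is an added example, not Google's code or tooling; the field names `diskEncryptionKey.kmsKeyName`, `diskEncryptionKey.sha256` and `rotationPeriod` are assumed from the Compute Engine Disk and Cloud KMS CryptoKey resource shapes, and the disk and key listings are constructed samples embedded inline instead of live `gcloud` output.

```python
import json

MAX_ROTATION_SECONDS = 365 * 24 * 3600  # the customers' 12-month requirement
# Constructed sample shaped like `gcloud compute disks list --format=json` (field names
# assumed from the Compute Disk resource): a Google-managed, two CMEK and one CSEK disk.
DISKS_JSON = """[
  {"name": "web-1"},
  {"name": "db-1", "diskEncryptionKey": {"kmsKeyName":
     "projects/p/locations/us-central1/keyRings/r/cryptoKeys/disk-key"}},
  {"name": "legacy-1", "diskEncryptionKey": {"kmsKeyName":
     "projects/p/locations/us-central1/keyRings/r/cryptoKeys/legacy-key"}},
  {"name": "csek-1", "diskEncryptionKey": {"sha256": "<constructed-placeholder>"}}
]"""
# Constructed `gcloud kms keys describe --format=json` output keyed by key name;
# rotationPeriod is the CryptoKey duration string ("7776000s" is 90 days).
KEYS_JSON = """{
  "projects/p/locations/us-central1/keyRings/r/cryptoKeys/disk-key": {"rotationPeriod": "7776000s"},
  "projects/p/locations/us-central1/keyRings/r/cryptoKeys/legacy-key": {"rotationPeriod": "34560000s"}
}"""

def parse_duration_seconds(value):
    # KMS reports durations as strings like "7776000s"; return whole seconds.
    if not value.endswith("s"):
        raise ValueError(f"unexpected KMS duration: {value!r}")
    return int(float(value[:-1]))

def classify_disk(disk, keys):
    # Return (mechanism, finding); finding is "ok" only when rotation is provably yearly.
    enc = disk.get("diskEncryptionKey", {})
    if "kmsKeyName" in enc:  # option (b): customer-managed key in Cloud KMS
        period = keys.get(enc["kmsKeyName"], {}).get("rotationPeriod")
        if period is None:
            return "customer-managed", "no rotation period set (manual rotation only)"
        secs = parse_duration_seconds(period)
        if secs > MAX_ROTATION_SECONDS:
            return "customer-managed", f"rotation period {secs // 86400}d exceeds 365d"
        return "customer-managed", "ok"
    if "sha256" in enc:  # option (c): customer-supplied key, rotated outside GCP
        return "customer-supplied", "rotation not visible to GCP; verify separately"
    return "google-managed", "no guaranteed rotation schedule; move to CMEK"  # option (a)

def audit(disks_json=DISKS_JSON, keys_json=KEYS_JSON):
    # Map disk name -> (mechanism, finding) for every disk in the listing.
    keys = json.loads(keys_json)
    return {d["name"]: classify_disk(d, keys) for d in json.loads(disks_json)}

def needs_attention(report):
    # Disks that cannot be shown to meet the yearly-rotation requirement.
    return sorted(name for name, (_, finding) in report.items() if finding != "ok")
```

On the constructed sample, `needs_attention(audit())` flags csek-1, legacy-1 and web-1; only db-1, whose KMS key rotates every 90 days, passes.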
