
In the table, you can see a comparison between the available encryption methods.
Cloud KMS with hardware-generated keys (Cloud HSM) is the recommended method.

| Encryption method | Description | Pros | Cons |
|---|---|---|---|
| Default encryption | All data at rest in Google Cloud is encrypted by default using Google-managed encryption keys. | No action from Spacewell clients required; FIPS 140-2 Level 1 validated | No control over encryption keys; Google can theoretically access the data |
| Cloud KMS with software-generated keys | Customer-managed encryption keys (CMEK) that are stored and managed in Google Cloud Key Management Service (Cloud KMS). | Basic control over encryption keys; FIPS 140-2 Level 1 validated | Requires the client to manage Cloud KMS; limited knowledge on the client side is required (Spacewell can assist with the setup); Google can theoretically access the data (although this is more complex) |
| Cloud KMS with hardware-generated keys (Cloud HSM) | CMEK that are stored and managed in a dedicated hardware security module (HSM) in Google Cloud. | Highest level of control over the encryption keys (whilst still remaining in the cloud); FIPS 140-2 Level 3 validated | |
| Cloud KMS with external key manager (Cloud EKM), or local EHSM | Cloud EKM: CMEK that are stored and managed in a third-party key management service (HYOKM, hold your own key manager). Local EHSM: the client installs an HSM module from an external HSM manufacturer within the client's own network. | Provides flexibility in choosing a key management service; subpoena-proof non-access by Google | Requires trust in the third-party key management service; keys can be lost, and hiccups between the EKM and GCP can result in (potentially) permanent data loss; expensive |
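As an added example that is not part of the original page, the Terraform below provisions the recommended option from the table, a CMEK backed by Cloud HSM, and applies it to a Cloud Storage bucket. Project id, location, key and bucket names are placeholders; the rotation period and the `prevent_destroy` guard are this example's choices, not Spacewell's settings.

```hcl
# Added example (not from the original page). Placeholders: project id, location, names.
locals {
  project  = "my-project-id" # placeholder
  location = "europe-west1"  # placeholder; key ring and bucket must share a location
}

resource "google_kms_key_ring" "cmek" {
  name     = "cmek-keyring"
  location = local.location
  project  = local.project
}

resource "google_kms_crypto_key" "bucket_key" {
  name            = "bucket-cmek"
  key_ring        = google_kms_key_ring.cmek.id
  rotation_period = "7776000s" # 90 days, automatic key rotation

  version_template {
    algorithm = "GOOGLE_SYMMETRIC_ENCRYPTION"
    # "HSM" is the Cloud HSM row of the table (FIPS 140-2 Level 3);
    # "SOFTWARE" would give the software-generated key row (Level 1).
    protection_level = "HSM"
  }

  # Destroying the key makes every object encrypted with it unrecoverable.
  lifecycle {
    prevent_destroy = true
  }
}

# The Cloud Storage service agent must be allowed to use the key; without
# this binding, writes to the bucket fail.
data "google_storage_project_service_account" "gcs" {
  project = local.project
}

resource "google_kms_crypto_key_iam_member" "gcs_use_key" {
  crypto_key_id = google_kms_crypto_key.bucket_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_storage_bucket" "data" {
  name                        = "my-project-cmek-bucket" # placeholder, globally unique
  location                    = local.location
  project                     = local.project
  uniform_bucket_level_access = true

  encryption {
    default_kms_key_name = google_kms_crypto_key.bucket_key.id
  }
  depends_on = [google_kms_crypto_key_iam_member.gcs_use_key]
}
```

After `terraform apply`, objects written to the bucket are encrypted with the HSM-protected key, and access to the data can be revoked by disabling that key in Cloud KMS.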
