What extended encryptions are available?

In the table below, you can see a comparison between the available encryption methods.
Cloud KMS with hardware-generated keys (Cloud HSM) is the recommended method.

Encryption Method: Default encryption
Description: All data at rest in Google Cloud is encrypted by default using Google-managed encryption keys.
Pros:
  • No action from Spacewell clients required.
  • FIPS 140-2 Level 1 validated.
Cons:
  • No control over encryption keys.
  • Google can theoretically access the data.

Encryption Method: Cloud KMS with software-generated keys
Description: Customer-managed encryption keys (CMEK) that are stored and managed in Google Cloud Key Management Service (Cloud KMS).
Pros:
  • Basic control over encryption keys.
  • FIPS 140-2 Level 1 validated.
Cons:
  • Requires the client to manage Cloud KMS. Limited knowledge on the client side is required (Spacewell can assist in setup).
  • Google can theoretically access the data (although this is more complex).

Encryption Method: Cloud KMS with hardware-generated keys (Cloud HSM)
Description: CMEK that are stored and managed in a dedicated hardware security module (HSM) in Google Cloud.
Pros:
  • Highest level of control over the encryption keys (whilst still remaining in the cloud).
  • FIPS 140-2 Level 3 validated.
Cons: none listed.

Encryption Method: Cloud KMS with external key manager (Cloud EKM) / Local EHSM
Description:
  Cloud EKM: CMEK that are stored and managed in a third-party key management service (HYOKM, hold your own key manager).
  Local EHSM: an external HSM enables clients to install an HSM module from an external HSM manufacturer within the client's network.
Pros:
  • Provides flexibility in choosing a key management service.
  • Subpoena-proof: Google has no access to the keys.
Cons:
  • Requires trust in the third-party key management service.
  • Keys can be lost, and connectivity problems can occur between the EKM and GCP, either of which can result in (potential) permanent data loss.
  • Expensive.
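The table distinguishes the methods mainly by where the key lives and who can reach it. The shell script below is an added example (not part of the Spacewell page or its tooling) showing how the "software-generated" and "hardware-generated (Cloud HSM)" rows differ in practice: the same Cloud KMS key is created with a different protection level, and a guard function refuses to use a key as CMEK unless Cloud KMS reports it as HSM-backed. The project, location, key ring and key names are placeholder assumptions; the gcloud flags (`--protection-level`, `--format='value(versionTemplate.protectionLevel)'`) and the protection-level values SOFTWARE, HSM, EXTERNAL and EXTERNAL_VPC are real Cloud KMS values. The gcloud calls only run when ENABLE_GCLOUD=1 is set and gcloud is installed; the classification and guard logic run offline.

```shell
#!/bin/sh
# Added example, not Spacewell code. Placeholder names (assumptions):
PROJECT="${PROJECT:-example-project}"
LOCATION="${LOCATION:-europe-west1}"
KEYRING="${KEYRING:-spacewell-cmek}"

# Weaker choice from the table: software-protected key (FIPS 140-2 Level 1).
create_software_key() {
  gcloud kms keys create "$1" --project "$PROJECT" --location "$LOCATION" \
    --keyring "$KEYRING" --purpose encryption --protection-level software
}

# Recommended choice from the table: HSM-protected key (FIPS 140-2 Level 3).
create_hsm_key() {
  gcloud kms keys create "$1" --project "$PROJECT" --location "$LOCATION" \
    --keyring "$KEYRING" --purpose encryption --protection-level hsm
}

# Ask Cloud KMS which protection level an existing key was created with.
key_protection_level() {
  gcloud kms keys describe "$1" --project "$PROJECT" --location "$LOCATION" \
    --keyring "$KEYRING" --format='value(versionTemplate.protectionLevel)'
}

# Offline check: only the HSM level counts as hardware-backed inside Google Cloud.
is_hsm_backed() {
  case "$1" in
    HSM) return 0 ;;
    *)   return 1 ;;
  esac
}

# Map a Cloud KMS protection level onto the row of the comparison table it belongs to.
describe_level() {
  case "$1" in
    SOFTWARE)              echo "Cloud KMS with software-generated keys" ;;
    HSM)                   echo "Cloud KMS with hardware-generated keys (Cloud HSM)" ;;
    EXTERNAL|EXTERNAL_VPC) echo "Cloud KMS with external key manager (Cloud EKM)" ;;
    *)                     echo "unknown protection level: $1" >&2; return 1 ;;
  esac
}

# Guard: refuse to attach a key as CMEK unless Cloud KMS reports it as HSM-backed.
require_hsm_key() {
  level=$(key_protection_level "$1") || return 1
  if is_hsm_backed "$level"; then
    echo "$1 is HSM-backed ($(describe_level "$level")); safe to use as CMEK"
  else
    echo "refusing: $1 is $level, not HSM" >&2
    return 1
  fi
}

# Live run only when explicitly enabled and gcloud is available.
if [ "${ENABLE_GCLOUD:-0}" = 1 ] && command -v gcloud >/dev/null 2>&1; then
  gcloud kms keyrings create "$KEYRING" --project "$PROJECT" --location "$LOCATION" || true
  create_hsm_key spacewell-data-key
  require_hsm_key spacewell-data-key
fi
```

The point of `require_hsm_key` is that the protection level is fixed when the key is created and cannot be changed afterwards, so a deployment script should verify it before binding the key to a bucket or database rather than assuming the key was created with the recommended setting.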