2013-08-15

Google's New Cloud Encryption Is Nice, But Not NSA-Proof

Google is enabling server-side encryption for free automatically for all content uploaded to Google Cloud Storage, and will slowly encrypt older files over time.



Google has been testing server-side encryption for a while, but a new posting on its Cloud blog today revealed that it's enabling server-side encryption for free and automatically across all content uploaded to Google Cloud Storage. It will also slowly encrypt older files over time.

Every object uploaded to Cloud Storage will have its data and metadata encrypted with a unique key using 128-bit AES. Each object's key is then encrypted again with a "unique key associated with the object owner." As a slightly crazy-sounding third layer of encryption, the object owner's master keys are also "encrypted by one of a regularly rotated set of master keys."

Google explains that the move "frees you from the hassle and risk of managing your own encryption and decryption keys," and argues that it will most benefit folks who require regular encryption of their data, perhaps to protect company secrets or manage sensitive user data that's still cloud-accessible. How kind. Google even points out that it manages "the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing."

On the surface, this sounds like a great way to protect your data from would-be hackers--including, of course, the government. In fact, all these layers of security should offer more than adequate protection against a casual attacker, even one with access to pretty sophisticated gear. But don't expect any protection from the prying eyes of the NSA.

Recall, though, that Google makes a big deal about managing "cryptographic keys on your behalf." It's likely that Google's agreements with the NSA may require it to simply accede to legal surveillance requests, and thus hand over your encryption keys on demand. That means the data is actually no more secure from official surveillance than it was before if you don't take further steps to encrypt it.

Google noted that users are still free to "encrypt data yourself prior to writing it to Cloud Storage," where it will then automatically be encrypted again. Having an extra layer of encryption is great, but that doesn't mean you should leave all of your security efforts to Google.
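The three-layer key hierarchy described above, and why whoever holds the master key can read the data, shown as an added Go example (not Google's code). `must`, `Seal`, `Unwrap` and `Store` are hypothetical names, the keys in `main` are constructed, and GCM is an assumed mode, since the announcement specifies only 128-bit AES.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// must panics on err: here that means a malformed key or no system entropy.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Seal encrypts msg with AES-128-GCM (mode assumed) and prepends the nonce.
func Seal(key, msg []byte) []byte {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return g.Seal(nonce, nonce, msg, nil)
}

// Unwrap opens each layer with the key recovered from the layer before it.
func Unwrap(key []byte, layers ...[]byte) ([]byte, error) {
	for _, l := range layers {
		block, err := aes.NewCipher(key)
		if err != nil || len(l) < 12 {
			return nil, fmt.Errorf("bad key length or truncated layer")
		}
		if key, err = must(cipher.NewGCM(block)).Open(nil, l[:12], l[12:], nil); err != nil {
			return nil, err
		}
	}
	return key, nil
}

// Store returns what the provider keeps: owner key, object key, then data.
func Store(master, owner, data []byte) [][]byte {
	obj := make([]byte, 16) // unique 128-bit key for this object
	must(rand.Read(obj))
	return [][]byte{Seal(master, owner), Seal(owner, obj), Seal(obj, data)}
}

func main() {
	m, o := []byte("constructed-mkey"), []byte("constructed-okey") // demo keys only
	fmt.Printf("master-key holder reads %q\n", must(Unwrap(m, Store(m, o, []byte("Q3 numbers"))...)))
}
```

Passing `Seal(myKey, data)` to `Store` instead of the plaintext means `Unwrap` with the master key returns only that ciphertext; recovering the data still needs `myKey`.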

[Image: Flickr user Robert Hensley]