Google Cloud Data Encryption Practices: Encryption at Rest, in Transit, & In-Use

By David “Mac” McDaniel

Google Cloud's data encryption tools and processes make it possible to build effective, privacy-conscious business practices on top of the platform. Cloud computing has long been at the center of the move toward more private, secure systems for protecting data. With its current generation of encryption features, Google Cloud lets organizations address encryption across the whole data lifecycle: at rest, in transit, and in use.

As the industry shifts toward encrypted services, privacy-focused companies are adopting confidential computing to protect data while it is in use. Google Cloud, like most cloud service providers, encrypts data at rest and in transit by default. Data has traditionally had to be decrypted in memory before it can be processed, however, and that is the gap confidential computing addresses. One of the tools in Google Cloud's expanding Confidential Computing suite is Confidential VMs, launched in 2020 to protect data while it is in use.

While full-lifecycle encryption gives organizations greater control and confidence, navigating Google Cloud's encryption options can be challenging. Let's break down what encryption is, the Google Cloud encryption basics, and how tools like Confidential VMs fit into a secure cloud deployment.

What Is Encryption?

Encryption is a standard practice in the modern business world. It takes legible data, often called plaintext, and transforms it into ciphertext that reveals nothing about the original content to anyone who does not hold the key.

The algorithms Google Cloud uses to encode and decode data are public (AES, for example); what is secret is the key, and the security of the whole scheme rests on keeping that key secret rather than on hiding the algorithm. To turn ciphertext back into plaintext, so that the data can be read, processed, or changed, you need the matching decryption key: with a symmetric cipher such as AES that is the same key that encrypted the data, with a public-key scheme it is a separate private key. Without that key the data stays confidential. Encryption therefore gives data an extra layer of defense: an attacker who obtains the ciphertext, for instance by walking off with a disk, cannot read it. Two caveats a practitioner should keep in mind: the data is only as well protected as the key is, so key management is where most of the real work lies, and encryption on its own hides content, not size or the fact that something was changed, which is why it is normally paired with integrity protection.

Data encryption can take place in three states:

  • Encryption at rest: Protecting data that is stored on a device or storage medium.
  • Encryption in transit: Protecting data on the move (e.g., as it moves between cloud environments, private networks, or the Internet).
  • Encryption in use: A newer approach that protects data while one or more applications or users have it open for processing or manipulation, that is, while it sits in memory.
 

Google Cloud Encryption at Rest

Google Cloud encrypts data at rest by default, without any action required from your organization's engineers or developers, and it does so with several layers of encryption across its services.

How is this done? Google's storage systems break customer data into chunks that are distributed across storage devices, and each chunk is encrypted with its own data encryption key (DEK). Those DEKs are in turn encrypted, or wrapped, with a key encryption key (KEK) held in Google's central key management service, a pattern known as envelope encryption: compromising one chunk's DEK exposes only that chunk, and the KEK never has to travel with the data. Beneath that, the hard disks and solid-state drives themselves apply device-level encryption. At the storage level all data is encrypted with AES-256, apart from a small number of Persistent Disks created before 2015 that use AES-128. Customers who need to control the KEK themselves rather than rely on Google-managed keys can use customer-managed encryption keys in Cloud KMS.
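To make envelope encryption concrete, here is an added example written for this article; it is not Google's code and does not mirror the internals of Google's storage layer. An object is split into chunks, each chunk is encrypted under its own DEK, each DEK is wrapped under a KEK, and the chunk's position is bound in as authenticated data so stored chunks cannot be reordered or have their DEKs swapped without detection. The chunk size, the sample record, and the use of AES-256-GCM for the wrapping step are assumptions made for the example; Google's real chunk size and key-wrapping scheme are not described on this page. It also illustrates the point made above under What Is Encryption: the wrong key does not produce garbled plaintext, it produces a failure.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// ChunkSize is a constructed value for the example; the page does not state Google's real chunk size.
const ChunkSize = 16

// EncryptedChunk is what the storage layer would persist for one chunk of an object.
type EncryptedChunk struct {
	Ciphertext []byte // nonce || AES-256-GCM(DEK, chunk)
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK): the "envelope" around the DEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and returns nonce||ciphertext||tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal. A wrong key, or any change to ciphertext or aad, fails the GCM tag check.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// chunkAAD binds a chunk and its wrapped DEK to their position, so neither can be moved undetected.
func chunkAAD(index int) []byte { return []byte(fmt.Sprintf("chunk:%d", index)) }

// EncryptObject splits data into ChunkSize pieces, encrypts each under its own random 256-bit
// DEK, and wraps every DEK under the KEK. Only the KEK needs long-term protection.
func EncryptObject(kek, data []byte) ([]EncryptedChunk, error) {
	var out []EncryptedChunk
	for i := 0; i*ChunkSize < len(data); i++ {
		end := (i + 1) * ChunkSize
		if end > len(data) {
			end = len(data)
		}
		dek := make([]byte, 32)
		if _, err := io.ReadFull(rand.Reader, dek); err != nil {
			return nil, err
		}
		ct, err := seal(dek, data[i*ChunkSize:end], chunkAAD(i))
		if err != nil {
			return nil, err
		}
		wrapped, err := seal(kek, dek, chunkAAD(i))
		if err != nil {
			return nil, err
		}
		out = append(out, EncryptedChunk{Ciphertext: ct, WrappedDEK: wrapped})
	}
	return out, nil
}

// DecryptObject unwraps each DEK with the KEK, then decrypts the chunk; without the KEK neither step works.
func DecryptObject(kek []byte, chunks []EncryptedChunk) ([]byte, error) {
	var buf bytes.Buffer
	for i, c := range chunks {
		dek, err := open(kek, c.WrappedDEK, chunkAAD(i))
		if err != nil {
			return nil, fmt.Errorf("chunk %d: unwrap DEK: %w", i, err)
		}
		pt, err := open(dek, c.Ciphertext, chunkAAD(i))
		if err != nil {
			return nil, fmt.Errorf("chunk %d: decrypt: %w", i, err)
		}
		buf.Write(pt)
	}
	return buf.Bytes(), nil
}

func main() {
	kek := make([]byte, 32) // in Google's design the KEK lives in the central key management service
	io.ReadFull(rand.Reader, kek)
	chunks, _ := EncryptObject(kek, []byte("constructed record: account=42 balance=1000 currency=USD"))
	pt, err := DecryptObject(kek, chunks)
	fmt.Printf("%d chunks, round trip %q, err=%v\n", len(chunks), pt, err)
	_, err = DecryptObject(make([]byte, 32), chunks) // the all-zero KEK is the wrong key
	fmt.Println("wrong KEK:", err)
}
```

Run it with `go run`. The design point worth noticing is that the wrapped DEKs are stored next to the data, so rotating the KEK means re-wrapping a set of small keys rather than re-encrypting every chunk, while losing the KEK makes all of the stored DEKs, and with them all of the data, unrecoverable.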

Google Cloud Encryption in Transit

Google Cloud's handling of data in transit is comprehensive, and traffic between your users and Google's services is encrypted in transit by default, without any action from the customer.

Traffic arriving from the Internet terminates at the Google Front End (GFE), which handles the TLS connection from the user to Google Cloud and also provides load balancing and DDoS protection. Google Cloud implements several security practices to help ensure the authenticity, integrity, and privacy of data in transit:

  • Authentication: Verifies the identity of the data source, whether it is a human or a process, and of the destination. In TLS this is the certificate check: the client proceeds only if the server presents a certificate for the name the client expected, issued by an authority the client trusts.
  • Integrity: Ensures data you send arrives at its destination unaltered. Every TLS record carries an authentication tag, so a modified record is rejected rather than delivered.
  • Encryption: Data is encoded into ciphertext while in transit to keep it private. Plaintext is visible only to the two authenticated endpoints.
 

Some customers have encryption needs for data in transit that go beyond the default. One thing to check: Google encrypts and authenticates traffic by default when it crosses physical boundaries that Google does not control, but traffic between your own VMs inside a VPC is not necessarily encrypted on the wire. For that case, and for links to on-premises networks, Google Cloud provides services to meet these needs as well, for example TLS terminated in your own services and Cloud VPN for IPsec tunnels.
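The three properties listed above, as an added example that is not Google's code and is not how the GFE is implemented: a TLS 1.3 server and client on loopback, an in-memory root CA and a server certificate for the hypothetical name api.example.internal, and a client that sends data only once the server has proved that identity. The CA, the hostname, the echo behaviour, and the 5-second deadline are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Host is the hypothetical server name the client insists on; it is not a real endpoint.
const Host = "api.example.internal"

// NewPKI builds, in memory, a root CA and a server certificate for Host signed by it.
// It stands in for whatever PKI issues a real deployment's certificates.
func NewPKI() (*x509.CertPool, tls.Certificate) {
	check := func(err error) {
		if err != nil {
			panic(err) // example setup only; nothing sensible to do without a PKI
		}
	}
	now := time.Now()
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caPriv)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	srvPub, srvPriv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: Host},
		DNSNames:  []string{Host}, // the name the client's ServerName must match
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, caCert, srvPub, caPriv)
	check(err)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: srvPriv}
}

// Exchange starts a TLS 1.3 echo server on loopback, connects a client that trusts only
// roots and expects serverName, sends msg and returns the echo. If the client cannot
// authenticate the server, Dial fails and no application data is ever sent.
func Exchange(server tls.Certificate, roots *x509.CertPool, serverName, msg string) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server}, MinVersion: tls.VersionTLS13,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // server side: accept one connection and echo whatever arrives
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		buf := make([]byte, 256)
		if n, err := conn.Read(buf); err == nil { // the first Read runs the handshake
			conn.Write(buf[:n])
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS13,
	})
	if err != nil {
		return "", err // authentication failed (unknown CA, name mismatch, ...)
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	if _, err := conn.Write([]byte(msg)); err != nil { // encrypted, integrity-protected record
		return "", err
	}
	buf := make([]byte, 256)
	n, err := conn.Read(buf)
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

func main() {
	roots, cert := NewPKI()
	reply, err := Exchange(cert, roots, Host, "ping")
	fmt.Println("trusted CA, expected name:", reply, err)
	_, err = Exchange(cert, x509.NewCertPool(), Host, "ping")
	fmt.Println("CA not trusted:", err)
	_, err = Exchange(cert, roots, "other.example.internal", "ping")
	fmt.Println("name mismatch:", err)
}
```

The two failing calls in `main` are the cases that matter in practice: a client that trusts the wrong set of roots, or that does not pin the name it expects, is the client that can be talked into sending plaintext to whoever sits on the path. Run it with `go run`; the first exchange echoes, the other two fail before any application data leaves the client.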

Google Cloud Encryption In-Use

As mentioned, data must be decrypted before it can be processed: the CPU works on plaintext in memory. In a conventional VM that plaintext is exposed to anything that can read the VM's memory, including the hypervisor, the host operating system, and anyone with privileged access to the host, for as long as the data is in memory before, during, and after processing.

Every major cloud service provider has its own approach to protecting data while it is in use. For Google Cloud, it is Confidential VMs. But before looking at Confidential VMs, we need the basics of confidential computing.

What Is Confidential Computing?

Confidential computing protects data while it is in use by running sensitive data, specific functions, or entire applications inside a hardware-enforced trusted execution environment that the surrounding infrastructure cannot read into. Through that isolation, Google Cloud makes the data in memory inaccessible and unviewable to anyone outside the environment, including Google itself as the cloud service provider. Two caveats a practitioner should keep in mind: the protection is against the layers beneath the workload (hypervisor, host OS, host administrators, other tenants on the same hardware), and it does nothing about vulnerabilities in the workload itself or about stolen credentials that let someone log in to the guest legitimately.

Key benefits of confidential computing include:

  • Closes the last gap in the data lifecycle, so data is protected at rest, in transit, and in use
  • Gives more control over data before, during, and after processing
  • Increases user trust and confidence, because the cloud provider can no longer see the workload's memory
 

What Are Confidential VMs?

Confidential VMs are the first product in Google Cloud's Confidential Computing portfolio. They encrypt a VM's memory while it runs, so data being processed is protected without any change to the application, and that changes how companies can share and process sensitive data.

What distinguishes a Confidential VM from a standard one is not disk encryption, which every VM already gets at rest by default, but memory encryption: the contents of the VM's RAM stay encrypted while the VM is in use.

Key Confidential VMs benefits include: 

  • Control over confidentiality: Memory is encrypted with a key that the VM's own hardware generates and holds, so customers keep control of their data even with respect to the cloud provider.
  • Collaborate without compromising: Teams can process sensitive data on shared infrastructure and work with partners outside the organization without exposing that data to the host.
  • Process data at speed: Confidential VMs keep performance close to that of standard VMs, so demanding computational workloads are not held back by the protection.
 

How Do Confidential VMs Work?

Confidential VMs offer a degree of isolation in the cloud that was not previously available while unlocking new computing scenarios. Data stays encrypted in memory while it is used, indexed, queried, or trained on, and the encryption and decryption happen in hardware as data moves between memory and the CPU, so processing throughput is largely unaffected.

To do this, Confidential VMs run on N2D machine types with second-generation AMD EPYC processors and use AMD Secure Encrypted Virtualization (SEV), which encrypts the VM's memory with a dedicated per-VM key while keeping up performance. That key is generated by the AMD Secure Processor, a separate processor on the chip, and never leaves the hardware: the hypervisor, the host operating system, and other VMs on the same host cannot read the guest's memory, and not even Google can access the key. Data is decrypted only inside the CPU as the VM's cores access it and is encrypted again as it is written back to memory, which removes most opportunities for theft from memory. A practitioner should know what SEV does and does not cover: it provides memory confidentiality, while protection of CPU register state and of memory integrity against a malicious hypervisor arrived with the later SEV-ES and SEV-SNP generations. A quick check after boot is the guest kernel's log, which reports at startup that AMD memory encryption (SEV) is active.

To ensure the system's integrity, Confidential VMs are built on top of Shielded VMs, another Google Cloud security tool, which adds verified (secure) boot, a virtual TPM, and boot integrity monitoring to protect against external and internal threats such as rootkits and tampered boot images.

Confidential VMs work for both legacy and newly-built applications: confidentiality is a property of the instance, selected when it is created, and the application inside runs unmodified.


Data integrity is a must for every company, especially those in highly regulated industries like finance and healthcare. Schedule a consultation with us today to learn how you can confidently and securely manage your Google Cloud environment with our cloud optimization services.


Let’s Talk About It

Connect with a Qwinix expert to bring leading-edge insights and solutions to your Google Cloud strategy.